How to Effectively Implement Infrastructure as Code with Terraform

Asked By TechieGuru42 On

We're on a journey to adopt Infrastructure as Code (IaC) using Terraform in our company, aiming to limit the reliance on manual cloud portal management. Our infrastructure teams don't have a DevOps background, and many of the concepts surrounding IaC are new to them. I'm curious how other organizations manage resource access for developers while implementing IaC. Initially, we thought the infrastructure team would handle all cloud resource deployments through Terraform, while developers would connect their applications to these resources. However, several questions arise: How do we manage secrets, like those in a key vault? Who is authorized to make changes to the Terraform code that deploys resources? What's the right separation between the infrastructure teams and the developers? I'd love to hear how others tackle these challenges to avoid making poor decisions early on. Thanks!

6 Answers

Answered By AgileDevLeader9 On

I believe in having dev teams manage the infrastructure that supports their applications. IT can focus on non-app related infrastructure, like networking and policy. It promotes agility and ownership within the development teams, though you still need some structure for the traditional IT responsibilities.

Answered By DevOpsMaven88 On

In my experience, a 'controlled delegation' model works well. Each team manages their own code on GitHub. The DevOps team maintains the Terraform modules, and the devs use those modules to deploy resources. If teams need changes, they have to submit a pull request, which helps maintain control and organization.

Answered By InfraNinja24 On

Terraform should primarily be managed by DevOps. Secrets should be handled by either DevOps or your IAM administrator. From my experience, close collaboration between DevOps and developers creates a better workflow. I also recommend using Terraform for provisioning and Ansible for configuration, if you're looking to streamline processes.

TerraformEnthusiast09 -

Absolutely! We also use Terraform for provisioning and Ansible for configurations. It's a great combo.

AutomationFan12 -

From my own experience, sticking exclusively to Terraform for everything isn't the best approach; diversifying tools can enhance efficiency.

Answered By CloudArchitectX On

It's important to remember that infrastructure teams are just one part of the DevOps picture. You might want to involve your developers in the decision-making. Their input could be really valuable!

Answered By ExDevOpsLead On

From my experience in a payment processing firm, forcing IaC on a team unfamiliar with it can backfire. If your team isn't skilled in IaC, consider bringing in a third-party DevOps service provider to help train and guide your team without delaying progress. Also, having a clear delineation of access between environments (dev/QA/prod) is crucial to prevent issues and ensure security.

NewOpsChampion -

That sounds like a smart approach! It's great to integrate best practices while bringing the team up to speed.

SecureDevOps36 -

Absolutely! Creating a secure environment with structured access is essential for avoiding past mistakes.

Answered By CloudExpert101 On

My previous role involved a shared management model where a small Cloud team managed infrastructure via IaC. We created base modules for frequently used services, allowing developers to use our modules while still following security protocols and RBAC. This led to better independence for developers with clear communication during the development of new services.
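
One way to enforce the module-based model that DevOpsMaven88 and CloudExpert101 describe is a pull-request check over the plan exported with `terraform show -json`. This is an added example, not part of any answer above; the approved-source prefix, the `check_plan` name, and the sample plan are assumptions made for illustration.

```python
import json
import sys

# Assumption: module sources the platform team has approved (hypothetical repo).
APPROVED_PREFIXES = ("git::https://github.com/example-org/terraform-modules.git//",)

def check_plan(plan):
    """Return policy violations found in `terraform show -json <planfile>` output."""
    violations = []
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    # Rule 1: every module called from the root configuration has an approved source.
    for name, call in calls.items():
        source = call.get("source", "")
        if not source.startswith(APPROVED_PREFIXES):
            violations.append(f"module.{name}: source {source!r} is not an approved module")
    # Rule 2: managed resources are changed only through a module. Terraform omits
    # "module_address" for resources declared directly in the root module.
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("mode") != "managed" or actions == ["no-op"]:
            continue
        if not rc.get("module_address"):
            violations.append(f"{rc['address']}: resource declared outside a module")
    return violations

# Constructed sample, trimmed to the fields the check reads.
SAMPLE_PLAN = {
    "configuration": {"root_module": {"module_calls": {
        "storage": {"source": APPROVED_PREFIXES[0] + "storage_account?ref=v1.2.0"},
        "adhoc": {"source": "./modules/adhoc"},
    }}},
    "resource_changes": [
        {"address": "module.storage.azurerm_storage_account.this", "mode": "managed",
         "module_address": "module.storage", "change": {"actions": ["create"]}},
        {"address": "azurerm_key_vault_secret.db_password", "mode": "managed",
         "change": {"actions": ["create"]}},
        {"address": "data.azurerm_client_config.current", "mode": "data",
         "change": {"actions": ["read"]}},
    ],
}

if __name__ == "__main__":
    # With a path argument, check a real plan export; otherwise check the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    print("\n".join(problems) or "plan uses approved modules only")
    sys.exit(1 if problems else 0)
```

A check like this only reviews what a pull request proposes; the identity that runs `terraform apply` still needs RBAC scoped per environment.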
