Infrastructure as Code

AWS has become something of a standard choice in my corner of the industry. More than a default, we are routinely asked to use it without considering other choices. This has a lot of upsides for customers looking to maintain a set of applications which they can integrate their own tooling with in a consistent fashion. But, for better or worse, it doesn’t mean we’re stuck with one choice for deploying code.

The frameworks

Indeed, there’s quite the choice of frameworks available for deploying code to AWS. I approach this subject as a developer entirely disinterested in IaC but who sees it as a necessary evil. I look forward to the day that code just deploys itself.

Despite that, I’ve managed to acquire varying levels of experience in all of the following.

  • CloudFormation
  • Amplify
  • SAM
  • CDK
  • Terraform
  • Serverless

The first thing a list that size tells you is that the first five tools didn’t work the way I wanted and, in truth, by the time you reach the sixth tool, having started with the first one Google turned up, you can safely put a few quid on number six not holding all the answers either.

CloudFormation

CloudFormation is probably the standard go-to tool. It’s from AWS and has wide support for AWS functionality. It’s horrible to use. You will have to battle with VPCs and subnet masks even if you don’t care about them; somehow it seems to prefer configuration over convention. None of the examples Google can find ever work first time; they’re always out of date somehow. And it’s slower than slow. And when it finally reaches the error you’ve spent forever waiting for, it’s even slower to tear down the stack and let you take another run at it.

Terraform

I ordered the list above starting with the tools from AWS, but I’m going to immediately jump down the list at this point and deal with Terraform from HashiCorp. Its syntax is slightly different, being custom rather than the YAML, or JSON if you’re unusually masochistic, offered by CloudFormation. I was initially put off it as I’d heard its main advantage was support for other cloud providers, which I didn’t need, and its main drawback was problems dealing with state files, which CloudFormation manages invisibly. Experience, though, left me feeling like Terraform was something I’d have detested if I hadn’t suffered a thousand papercuts from CloudFormation first.

Amplify

Amplify is a weird mix of deployment tools, libraries and UI that fall under one branding from AWS. The UI offers some advantages in getting started with Cognito authentication, but beyond that I’d stay well away.

Serverless

The Serverless framework is a tool with a much narrower focus. It’s really about deploying Lambdas and little else, maybe an API Gateway here, a database there. There’s support for a few cloud providers, but its real strength is in its simplicity and limited scope. Of course, this means it cannot do everything and you will quickly find its limits.

SAM

Serverless Application Model. This is a CloudFormation wrapper from AWS that seems to try to mimic the bits that the Serverless framework gets right. It tries, but it falls short. I’m not sure why anyone would use it.

CDK

Yep, it’s AWS back again folks. This time with their Cloud Development Kit. Just kill me now.

What to do with all this

If I find myself trying to deploy a simple JavaScript or Python function as a service and needing to configure a Virtual Private Cloud, or even know that a subnet mask is a thing, you’ve stuffed it. Convention over configuration is a beautiful thing. Yes, it completely leaves you in the dark when the documentation is inadequate because you want to do something off the beaten track, but the fix for that isn’t to expose all your dirty underwear to everyone.

Speed is so important. The faster you can deploy, find an error and redeploy, the quicker that development cycle runs. Watching CloudFormation take half an hour to deploy, moan that you didn’t give it a required permission and then take an eternity to back out its deployment just isn’t a good place to be.

I want a tool that does everything. But I can let that slide a little if it operates beautifully simply in its own niche. And despite my initial prejudices, I don’t actually mind if a tool is third party, or even takes a little longer to give me the latest and greatest features, if it means that when I come to start using those features the experience is intuitive and elegant.

Ultimately, I think I’ve settled on Serverless for the, well, serverless parts of the infrastructures I build, and for everything else there’s MasterHHHHHHTerraform.

The future

Maybe one day we’ll have a tool that can offer the following:

  • Up-front indication of the permissions you’ll require
  • And other failure scenarios, flagged before they happen
  • Genuinely faster deployments, even to CDNs
  • Real cross-provider standardisation, so your FaaS doesn’t need to know about a specific AWS VPC endpoint

Until then, I’ll be a somewhat frustrated developer spending inadequate time writing the code that runs on the infrastructure, because I’m busy writing code to spin up the infrastructure.