Well-Architected Framework
Create immutable infrastructure
Immutable infrastructure is infrastructure that is not updated in place but instead rebuilt and redeployed when changes need to be made. Operators maintaining immutable infrastructure will not connect to a server and manually make changes to the system. They will instead make the change to the code repository from which the immutable infrastructure is created and use infrastructure as code (IaC) to facilitate this process.
IaC allows teams to modify, track, and version their infrastructure the same way they do their application code. IaC is both a practice and a policy that requires discipline throughout the planning and implementation stages. Policies restrict read and write access to both the infrastructure code and the running infrastructure, which enables teams to develop best practices.
When you implement infrastructure as code, you gain the following benefits in addition to the benefits of a GitOps workflow:
- Consistency and reliability: A known working infrastructure artifact can be deployed reliably anywhere.
- Enhanced security: The artifact has not been modified since it was built, and no one has made changes in place on running systems.
- Easier rollbacks: Previous versions known to be working can be deployed since no changes have been made to them.
- Simplified debugging: Because every deployment starts from the same artifact, issues can be isolated to the environment rather than the application.
- Scalability and performance: Infrastructure can be added or removed much more quickly than doing so manually.
Types of immutable infrastructure
Immutable infrastructure components for running applications include virtual machines (VMs) and containers. They are built from IaC through a continuous integration and continuous deployment (CI/CD) process, and the resulting artifacts are stored in a centralized package manager. These artifacts contain the application, any required dependency software, and, depending on the type of infrastructure, a full operating system (OS). Importantly, they do not contain secrets like application credentials. Secrets are injected at runtime by a secrets management tool like Vault, which can generate short-lived dynamic secrets for each workload.
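The following Packer template is an added example, not code from this page or from HashiCorp, of what "built from IaC through CI/CD" looks like for a container artifact. It assumes the application source lives in ./src, that CI passes the Git tag as the app_version variable, and that registry.example.com is the centralized package registry; all of those names are placeholders. Only application code and dependencies are copied in; there is deliberately no step that copies a .env file, key material, or any other credential into the image.

```hcl
# build.pkr.hcl (example; paths, registry and version variable are assumptions)
packer {
  required_plugins {
    docker = {
      version = ">= 1.0.8"
      source  = "github.com/hashicorp/docker"
    }
  }
}

variable "app_version" {
  type        = string
  description = "Artifact version tag, set by CI from the Git tag (assumed)."
}

# Start from a pinned base image so the build is reproducible.
source "docker" "app" {
  image  = "python:3.12-slim"
  commit = true
  changes = [
    "WORKDIR /app",
    "USER app",
    "ENTRYPOINT [\"python\", \"/app/server.py\"]",
  ]
}

build {
  sources = ["source.docker.app"]

  # Create the application directory and an unprivileged runtime user.
  provisioner "shell" {
    inline = [
      "mkdir -p /app",
      "useradd --system --no-create-home app",
    ]
  }

  # Copy application code only. No credentials, tokens or key files live
  # under ./src, so nothing secret is baked into the artifact.
  provisioner "file" {
    source      = "./src/"
    destination = "/app"
  }

  # Install pinned dependencies and hand the tree to the runtime user.
  provisioner "shell" {
    inline = [
      "pip install --no-cache-dir -r /app/requirements.txt",
      "chown -R app:app /app",
    ]
  }

  # Tag with the immutable version and push to the central registry.
  post-processors {
    post-processor "docker-tag" {
      repository = "registry.example.com/web/app"
      tags       = [var.app_version]
    }
    post-processor "docker-push" {}
  }
}
```

A CI job runs `packer build -var app_version=$GIT_TAG build.pkr.hcl`; a change to the application or its dependencies is made in the repository and produces a new tagged image rather than a modification of the running one.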
Virtual machines offer the highest level of customization but they are heavier as they include a full OS. Virtual machines also generally cost more than running an equivalent workload with containers and a container orchestrator like Kubernetes or Nomad.
Containers are customizable, lighter weight as they don’t require a full OS, and portable between on-premises and cloud vendors with the required underlying orchestrator infrastructure. The downside to containers is that they require an orchestrator like Kubernetes, Nomad, or Docker Engine to run. These orchestrators require configuration and management of their own and add to the complexity and effort of running an application.
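The Nomad job below is an added example, not from this page or from HashiCorp, showing the two points made above: the container artifact needs an orchestrator to run, and secrets are supplied at runtime rather than baked into the image. It assumes a Vault database secrets engine with a role named web-app, a Vault policy named web-app-db granted to the task, the image tag 1.4.2 and the datacenter dc1; all of these are placeholder names.

```hcl
# web-app.nomad.hcl (example; image, policy, Vault path and datacenter are assumptions)
job "web-app" {
  datacenters = ["dc1"]
  type        = "service"

  group "web" {
    count = 2

    network {
      port "http" {
        to = 8080
      }
    }

    task "server" {
      driver = "docker"

      config {
        # Pinned immutable artifact. To change the application, build a new
        # tag from the repository and update this line; never patch the
        # running container.
        image = "registry.example.com/web/app:1.4.2"
        ports = ["http"]
      }

      # Nomad obtains a Vault token scoped to this policy for the task, so the
      # job file itself contains no credential.
      vault {
        policies = ["web-app-db"]
      }

      # Dynamic database credentials are generated by Vault when the task
      # starts, rendered into a file under the task's secrets directory and
      # exported as environment variables. They exist only for this
      # allocation's lifetime and never appear in the image or the repository.
      template {
        destination = "secrets/db.env"
        env         = true
        data        = <<EOT
{{ with secret "database/creds/web-app" }}
DB_USERNAME={{ .Data.username }}
DB_PASSWORD={{ .Data.password }}
{{ end }}
EOT
      }

      resources {
        cpu    = 200
        memory = 256
      }
    }
  }
}
```

Because the credentials are dynamic, revoking the lease or replacing the allocation invalidates them; rolling back is a matter of pointing the image line at the previous tag and running `nomad job run web-app.nomad.hcl`.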
HashiCorp resources:
- Benefits of a GitOps workflow
- Implement CI/CD to automate your workflows
- Centralize packages and dependencies
- Use dynamic credentials with Vault
- Learn how to configure and deploy your container orchestration system
- Learn how to build a GitOps pipeline to deploy a three-tier application using Terraform, Packer, Nomad, and Consul
Next steps
In this section of Define your processes, you learned about immutable infrastructure, the benefits of using immutable infrastructure and infrastructure as code, and the types of immutable infrastructure for running applications. Create immutable infrastructure is part of the Define and automate processes pillar.
Refer to the following documents to learn more about creating immutable infrastructure: