Role of Configuration Management in your Immutable Infrastructure


Days are gone when you used spin up the Virtual Machines to last to atleast few years and often for ever, you would only consider to touch them when you need to have a MUST have security patches. Enterprises are notorious slow in upgrading their infrastructure.

Boom, here comes the era of immutable infrastructure, which does not believe in having the Virtual machine for ever, rather keep it only for single release. On next release you simply create a new one rather than fixing the existing one.

There is an argument that configuration management is on its way out now—that we’re ready to usher in an era of “immutable” infrastructure. You don’t push out new configs, you build new images with the new configs baked in and replace the existing nodes. How do we define configuration and what do we mean by immutability? According to Greg Baker, “we lean on the 12-factor app!” An apps configuration is everything that is likely to vary between deploys. Configuration should be stored outside of image artifacts and pulled in at deployment time.

Traditionally teams build servers and then deploy their apps to them. When the app changes, updates are sent to the server. With immutable infrastructure, servers never change. They are destroyed and new servers are created. Update and rollbacks are standard infrastructure rollouts. Immutable requires a mature CI/CD and automation pipeline.

Another topic of interest was understanding the best approaches for maintaining container security. Ryan Bezdicek says we are seeing more teams move to immutable infrastructure and work their security into their development pipelines a la DevSecOps. Immutability is read-only data in container, because of this, an attacker has reduced access from within the container to deploy tools and attack further. As this happens, people are questioning whether they need full-blown configuration management or whether bash and PowerShell are sufficient.

Configuration management has come a long way and there are several mature solutions available.

Everyone who chooses a configuration management tool needs to decide, early on, whether they want to use an agent and agentless approach. Both have their pros and cons.