Don’t use IaC to deploy your application code

But it seemed like such a good idea at the time...

Hey folks,

An Infrastructure as Code (IaC) best practice that I’ve learned through observation:

Don't have your IaC do deployments for your application code.

It's pretty common to have this line of thinking:

"I have my terraform or tofu project spinning up the infra for my cluster and deploying the initial version of my application team's software. So why don't we just apply this every time we need to update the software as well?"

That sounds logical, but in practice, IaC is not meant to be a software delivery tool.

It can quickly become unwieldy if you combine the infra and application management streams.

Here are a couple ways we, at Masterpoint, have seen this approach be suboptimal.

Lack Of Feedback

IaC is meant to report on the status of creating, updating, and destroying infrastructure.

It's not meant to report on how many instances of your application are being rolled out and how the deployment lifecycle is progressing.

Therefore, when you apply a deployment, you don't get all the good info that you would get from a tool intended to deploy software.

Examples include:

  • the state of new instances spinning up

  • the number and progress of old instances draining

  • whether the load balancer is directing traffic to the new instances

  • and so on

This leaves application engineers who are doing a deployment in the dark when watching a tf apply.

Not great.

Different Deployment Cadences

Infrastructure and application changes have different cadences. Combining them can lead to frustrating conflicts.

You may deploy your application multiple times a day, but your infrastructure doesn't typically change all that often.

In most cases, this is no big deal.

But if your platform team has infra changes that are being tested in dev and the application team is trying to elevate their changes to production ASAP, it can be a problem.

Sometimes it's not easy to separate changes if they're all being deployed through the same mechanism.

How about you?

Do you use TF or other IaC tools to deploy your application code?

Have you seen other problems when that approach is tried?

Would love to hear from you.

Matt @ Masterpoint

PS I recently had the pleasure of joining Travis McPeak on the Great Infrastructure-as-Code Debate: Terraform vs OpenTofu. Hope you enjoy.