What is Infrastructure as Code?
Infrastructure as Code (IaC) is the practice of managing and provisioning computing infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. For the Google Cloud Associate Cloud Engineer, IaC represents the shift from manual “Click-ops” in the Console to automated, version-controlled deployments.
The Analogy: The Architect’s Blueprint vs. Manual Construction
Imagine you want to build a house. Manual Configuration is like telling a builder where to put every brick as they go; if you want a second house exactly like it, you have to remember every single instruction perfectly. IaC is like having a digital blueprint and an automated 3D house printer. You write the specs once, and the printer (GCP) produces the exact same house every time you run the file. If you need 10 houses, you just hit “print” 10 times.
Core Concepts & GCP Best Practices
- Reliability: Remove manual steps and the human error that comes with them. The same configuration file, applied to Dev and then to Prod, requests the same resources each time; any difference between the environments is limited to the variables you deliberately change.
- Scalability: Use variables and loops (count, for_each) so that deploying 1 or 100 Compute Engine instances takes the same effort and produces identically configured machines.
- Security: Treat infrastructure files like application code: keep them in version control, review every change through a Pull Request, and scan them for misconfigurations (public buckets, open firewall rules, hardcoded credentials) before anything is applied.
- Operational Excellence: Implement GitOps. The Git repository becomes the "Single Source of Truth" for what should be running in your GCP project; a deployment is a merge, not a Console session.
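The scalability point above in code, as an added example that is not part of the original page: one resource block deploys as many Compute Engine instances as a variable says, with a validation rule that keeps the value in the 1 to 100 range the text mentions, no external IP, and a dedicated service account. The project ID, zones and names are assumptions for illustration.

```hcl
# Added example (not from the original page): a variable-driven Compute Engine
# deployment. Project ID, zones and names are assumptions for illustration.

variable "project_id" {
  type        = string
  description = "GCP project to deploy into (assumed, passed in with -var)"
}

variable "instance_count" {
  type        = number
  description = "How many identical instances to create"
  default     = 1

  # Reject nonsense before terraform plan ever reaches the cloud API.
  validation {
    condition     = var.instance_count >= 1 && var.instance_count <= 100
    error_message = "instance_count must be between 1 and 100."
  }
}

variable "zones" {
  type    = list(string)
  default = ["us-central1-a", "us-central1-b", "us-central1-c"]
}

provider "google" {
  project = var.project_id
  region  = "us-central1"
}

# Dedicated identity for the instances; permissions are granted to it with IAM
# roles, not baked into the VM.
resource "google_service_account" "web" {
  account_id   = "web-instances"
  display_name = "Service account for web instances"
}

# One block, N instances: count drives the loop and element() spreads the
# instances across the zone list (it wraps around when count exceeds the list).
resource "google_compute_instance" "web" {
  count        = var.instance_count
  name         = "web-${count.index}"
  machine_type = "e2-small"
  zone         = element(var.zones, count.index)

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
    # No access_config block, so the instance gets no external IP address.
  }

  # Google recommends the cloud-platform scope and controlling what the VM may
  # do through the IAM roles granted to its service account.
  service_account {
    email  = google_service_account.web.email
    scopes = ["cloud-platform"]
  }
}
```

Deploying one instance is `terraform apply -var="project_id=my-project"`; deploying a hundred is the same command with `-var="instance_count=100"`. Nothing else in the file changes, which is the point of the Scalability bullet.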
Comparison of GCP IaC Options
| Feature | Terraform (Recommended) | Deployment Manager | Config Connector |
|---|---|---|---|
| Language | HCL (HashiCorp Configuration Language) | YAML, Python, or Jinja2 | Kubernetes YAML (Custom Resources) |
| Scope | Multi-cloud & GCP | GCP Native Only | Kubernetes-native GCP management |
| State Management | Local or remote .tfstate file (Cloud Storage backend recommended) | Managed by Google Cloud | Kubernetes resources in the GKE cluster (stored in etcd) |
| Best Use Case | Standardizing across multiple clouds/teams. | Legacy GCP-only environments. | Teams already heavily using GKE/Kubernetes. |
Scenario-Based Decision Matrix
If the requirement is…
- …to manage resources across GCP and AWS: Use Terraform.
- …to manage GCP resources using K8s manifests: Use Config Connector.
- …to detect and correct manual changes (Drift Detection): Use Terraform in a CI/CD pipeline. A scheduled terraform plan shows every resource whose real-world settings differ from the code, and restricting write IAM roles to the pipeline's service account stops the manual changes from happening in the first place.
- …to quickly deploy a pre-defined Google Cloud Solution: Use Cloud Foundation Toolkit (Terraform-based).
ACE Exam Tips: Golden Nuggets
- The State File: Terraform uses a .tfstate file to map real-world resources to your configuration. In a team environment, store it in a Cloud Storage bucket (the gcs backend) with Object Versioning enabled, so a corrupted or accidentally overwritten state can be rolled back to a previous version. The state file records every attribute Terraform knows about, including generated passwords and keys, in plaintext, so restrict access to the bucket with IAM to the pipeline identity and the engineers who need it.
- Declarative vs. Imperative: IaC is declarative (you define the end state and the tool works out the steps). gcloud commands are imperative (you define each step yourself, and running the same command twice creates a second resource or fails). The exam often tests your ability to choose the repeatable, declarative path.
- Immutable Infrastructure: Instead of patching a running VM in place, IaC best practice is to build a new image, provision a replacement from the updated template, and retire the old instance.
- Avoid Distractors: If a question asks for a multi-cloud IaC tool, "Deployment Manager" is always the wrong answer (it is GCP only).
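The state-file tip as configuration, added here as an example and not taken from the original page: a bootstrap configuration that creates the state bucket with Object Versioning, IAM-only access and public-access prevention, grants the pipeline identity access, and the backend block every other configuration then uses. Bucket name, project ID and the service account address are assumptions.

```hcl
# Added example (not from the original page). Bucket name, project ID and the
# service account e-mail are assumptions for illustration.

# --- bootstrap/main.tf: applied once with local state to create the bucket ---
resource "google_storage_bucket" "tfstate" {
  name     = "example-org-tfstate"   # assumed; bucket names are globally unique
  location = "US"
  project  = "example-project-id"    # assumed

  # The exam tip in code: every write keeps the previous copy of the object.
  versioning {
    enabled = true
  }

  # IAM-only permissions (no legacy object ACLs) and no way to make state public.
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  # Keep enough archived versions to recover from a bad apply, then prune.
  lifecycle_rule {
    condition {
      with_state         = "ARCHIVED"
      num_newer_versions = 10
    }
    action {
      type = "Delete"
    }
  }
}

# State holds plaintext secrets: only the deployment identity may read or write it.
resource "google_storage_bucket_iam_member" "pipeline" {
  bucket = google_storage_bucket.tfstate.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:terraform-ci@example-project-id.iam.gserviceaccount.com" # assumed
}

# --- environments/prod/backend.tf: every other configuration points here ---
terraform {
  backend "gcs" {
    bucket = "example-org-tfstate"
    prefix = "environments/prod"   # one prefix per environment = separate state files
  }
}
```

The bucket must exist before `terraform init` can use it, which is why the bootstrap configuration runs with local state first. The gcs backend locks the state object during plan and apply on its own, so two engineers cannot apply against the same prefix at once; the separate prefix per environment is what keeps a Dev mistake out of the Prod state.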
IaC Workflow & Architecture
The Standard GitOps Flow: Version Control → Automation → Cloud API
- Terraform: The industry lead for IaC; the configuration lives in Git and nowhere else.
- Cloud Build: To automate terraform plan on every Pull Request and terraform apply on merge, running as a dedicated service account that holds the only write permissions on the project.
- Cloud Storage: To host the state file securely (versioned bucket, IAM restricted to the pipeline identity).
- Configuration Drift: Manual changes made in the Console that are not in code. The next terraform plan shows them as differences; the fix is to put the change into code or revert it, never to leave code and reality disagreeing.
- Secrets in Code: Committing API keys, passwords or service account keys to Git. Store them in Secret Manager and reference them from the configuration instead.
- Modular Design: Create reusable modules for VPCs and clusters so every team deploys the same reviewed building blocks.
- Environment Isolation: Separate directories and state files (or backend prefixes) for Dev, Staging, and Prod, so an apply in one environment cannot touch the others.
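The "Secrets in Code" pitfall beside its fix, as an added example that is not from the original page: the anti-pattern is a database password committed as a variable default, and the corrected version reads the value from Secret Manager at plan time so the repository only holds a reference. The secret name, instance name and region are assumptions.

```hcl
# Added example (not from the original page). Secret name, instance name and
# region are assumptions for illustration.

# --- BEFORE (the pitfall): the password is in Git, in every clone, and in ---
# --- every plan log. Kept commented out so it is never applied by accident. ---
# variable "db_password" {
#   type    = string
#   default = "Sup3rS3cret!"
# }

# --- AFTER: the value lives in Secret Manager; the code holds only its name ---
data "google_secret_manager_secret_version" "db_password" {
  secret  = "prod-db-password"   # assumed secret name; "latest" is the default version
}

resource "google_sql_database_instance" "main" {
  name             = "prod-sql"          # assumed
  database_version = "POSTGRES_15"
  region           = "us-central1"

  settings {
    tier = "db-custom-2-7680"
  }

  # Prevents terraform destroy (or a bad refactor) from dropping the database.
  deletion_protection = true
}

resource "google_sql_user" "app" {
  name     = "app"
  instance = google_sql_database_instance.main.name
  # secret_data is a sensitive attribute, so plan output redacts it.
  password = data.google_secret_manager_secret_version.db_password.secret_data
}
```

Reading the secret requires the pipeline's service account to hold roles/secretmanager.secretAccessor on that one secret, which is a far smaller grant than the broad access a committed key implies. One caveat the exam tip on state already hints at: the password still ends up in the .tfstate file, which is the reason the state bucket needs versioning and tight IAM rather than being treated as a harmless artifact.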