Software developers and project managers can use infrastructure as code (IaC) software to automate the management and provisioning of infrastructure. By bypassing manual configuration, software development teams can enjoy lower costs, faster speed, and fewer errors. This guide will discuss the following infrastructure as code tools in terms of their features, pros, cons and pricing so you can pick the ideal solution for your needs:

• Puppet: A great option for teams seeking IaC software that can handle large-scale infrastructure and also has an established and supportive community.
• Chef: An excellent pick for developers seeking a flexible and advanced configuration management tool that relies on infrastructure as code to automate complex tasks.
• Terraform: An ideal solution for development teams seeking an open-source IaC tool for cloud-based environments.

Jump to:

Puppet

Puppet is an IaC tool that uses its own declarative language to define desired infrastructure states. It has a solid interface and reporting capabilities and is ideal for teams and organizations in charge of managing large-scale infrastructures.

Features of Puppet

Some of Puppet’s features that have made it a popular DevOps tool include:

• Multi-platform support.
• Real-time monitoring.
• Policy-as-code.
• Third-party integrations.

Puppet supports multiple platforms, including Windows, Linux, Microsoft Azure, AWS, GCP and more. The IaC software has real-time monitoring and reporting to help developers spot drift and compliance errors. It also leverages policy-as-code for streamlining and enforcing compliance. You can also extend Puppet’s functionality by integrating it with third-party cloud, infrastructure, secret management, policy-as-code and other services.

SEE: What is DevOps?

Pros of Puppet

Puppet’s pros include:

• Well-established community.
• Fast error fixes.
• Learnable language.
• Intuitive interface.

Since Puppet has been around since 2005, it has a large, well-established community that can offer support and resources for new users and those who stumble upon obstacles. Puppet highlights lines containing coding errors so they can be fixed quickly.

While Puppet’s use of its own declarative scripting language (DSL) can be a con for some newer users, the language is at least easy to learn and eventually write. Puppet’s user interface is also clean and easy to follow.

Cons of Puppet

Puppet’s cons include:

• Can be complicated to configure.
• Complexity – known for its steep learning curve.
• Requires some programming knowledge.
• Pricing.

Setting up Puppet can take some time and patience and requires users to be more hands-on than some simpler competing tools since it was designed more for system administrators than less technical users.

Puppet has a steep learning curve, and unless you have a programming background and knowledge of the Puppet DSL, you may have a hard time adapting to it. Additionally, since Puppet only has two versions, some teams may find the custom Enterprise pricing prohibitive if they want more advanced features.

Puppet Pricing

Project managers and developers can choose between Open-Source Puppet and Puppet Enterprise. The open-source version is free.

Puppet offers the Enterprise version via custom-priced plans. It comes with automation features, extensions and more. Get a custom Puppet Enterprise pricing quote.

Progress Chef

Progress Chef (formerly Chef) is a flexible configuration management tool with a large following that uses infrastructure as code. It is used by software developers, DevOps teams, system administrators and more to automate their infrastructure and applications’ configuration management.

Features of Chef

Chef has several features that make it a popular DevOps tool, including:

• Platform-agnostic.
• IaC features and adherence.
• Recipes and cookbooks.
• Chef Supermarket.
• Integrations with third-party DevOps tools.

Chef is a platform-agnostic programmer tool due to its system resource abstraction, allowing it to support different cloud platforms and operating systems. Due to its reliance on infrastructure as code, Chef keeps configuration consistent and repeatable and promotes version control via a host of version control tools.

Staying in line with the “Chef” name, the IaC tool relies on recipes and cookbooks. Recipes are specific actions/configurations, while cookbooks are recipe collections. Chef’s recipes and cookbooks keep configuration management simple for developers by letting them reuse code and embrace the power of modularity.

The Chef Supermarket is loaded with pre-built cookbooks to speed up configuration management. There is also a large community ecosystem that supplies users with best practices, cookbooks, modules and more. Chef is highly extensible, too, thanks to third-party integrations with Jenkins, CircleCI and other popular tools.

Pros of Chef

Some of Chef’s biggest advantages as an IaC tool include:

• Advanced configuration management capabilities.
• Extensibility.
• Community support.
• Versatile, offering greater control of configurations.

Some of Chef’s competition is best served for handling basic tasks. Chef, on the other hand, has advanced configuration management features to handle complex tasks, such as test driven development infrastructure deployment on-demand. Progress Chef also excels in extensibility as the programmer tool integrates with top DevOps tools like CircleCI, Jenkins, Bitbucket, GitHub and more.

If you are looking for an infrastructure as code tool with a large community that offers added support and resources, you will find just that with Chef. And if you are looking for an IaC tool that is flexible so you have more configuration control, Chef offers that, too, since it follows a code-driven approach.

Cons of Chef

Chef could Strengthen in some areas as a developer tool, such as:

• Required experience level.
• Time investment.
• Expensive for small teams.

Yes, Chef was built to handle even the most complex tasks. But to unlock that functionality, you will face a steep learning curve. Remember that Chef was created with experienced programmers in mind, so it will take some time to learn. One thing that could help is taking a Ruby course prior to tackling Chef. Beyond the complexity obstacle, you may find Chef pricey, especially if you are part of a smaller development team with a limited budget.

Pricing of Chef

Developers can buy Chef directly through Progress or via a marketplace. Buy the IaC tool from Progress, and you can get a custom quote for the SaaS or on-premise option. Buy Chef from the Azure Marketplace, and you get three options:

• Two-Hour Test Drive: Try Chef for two hours for free.
• BYOL: Pay for Azure compute time and bring your own license.
• Custom Private Offer: Get a custom quote on Chef from Azure.

Buy Chef from the AWS Marketplace, and you have two options:

• BYOL: Pay for AWS compute time and bring your own license.
• Chef on AWS Marketplace: Get a Chef subscription on your AWS account. Software and usage fees start at $0.20 per hour or $189 yearly.

You can learn more about Chef in our Chef Configuration Management Tool Review.

Terraform

HashiCorp Terraform is an open-source IaC tool ideal for developers and teams comfortable working with the Go language who need strong infrastructure management for cloud-based environments.

Features of Terraform

Some of Terraform’s top features as a DevOps tool include:

• Support for multiple operating systems.
• Multi-cloud deployment.
• Network infrastructure management tools.
• Plenty of integrations for developer tools.

Terraform supports multiple operating systems, including Windows, macOS, Linus, FreeBSD, OpenBSD and more. You can use Terraform for multi-cloud deployment, and it also has features for managing network infrastructure, such as firewall policies and load balancer member pools. Terraform offers extensibility, too, through integrations with CI/CD pipelines, version control systems and other programmer tools.

Pros of Terraform

Terraform’s strengths include:

• Easy setup.
• Flexibile hosting and platform support.
• Repeatability and built-in modularity.
• Highly performant.

Terraform is easy to set up and is flexible, with support for Azure, AWS and other cloud providers. The infrastructure as code software’s use of modules promotes repeatability, and its use of the Go language makes it fast and efficient.

Cons of Terraform

Terraform’s weaknesses include:

• Onboarding can be difficult.
• Documentation could use improvement.
• On-premises performance not as good as cloud.
• State management is not optimal.

Terraform is ideal for developers familiar with the Go or Golang language. If you are not, you may find the language unusual and difficult to learn at the start, which can slow onboarding.

Some users have found Terraform’s documentation complex and hard to understand. And while it works well with clouds, Terraform may suffer some issues when working with on-premises services. Managing the state file in Terraform to avoid conflicts can also be tricky and result in unexpected behaviors.

Terraform pricing

Terraform has a self-managed open-source option that is always free. It also has paid cloud and self-managed plans:

• Free (cloud): Up to 500 resources per month. Has the essential features for getting started with IaC provisioning.
• Standard (cloud): Starts at $0.00014 per hour per resource. For developers or teams adopting IaC provisioning.
• Plus (cloud): Custom pricing. For enterprises needing scalability.
• Enterprise (self-managed): Custom pricing. For enterprises with added compliance and security needs.

SEE: Building your Platform Engineering practice on AWS with Terraform

What to look for in infrastructure as code software

With various IaC tools on the market, choosing the right one for your software development team may seem like a daunting task. How can you ensure you pick the proper infrastructure as code software? First, if your budget is limited, consider the cost as the pricing of IaC tools can vary greatly. Luckily, many have free trials you can sign up for to deliver the features a test drive, while others may have free plans with limited features.

If the cost of certain IaC software acts as a deterrent, remember that these developer tools can save your team plenty of money by eliminating the need for manual infrastructure setup and maintenance.

After considering cost, look for an infrastructure as code tool that is user-friendly with an intuitive interface. And lastly, look at its features. Standard features that the ideal IaC tool should have include automation that saves time and money while minimizing human error, built-in security (encryption, identity access management, data loss prevention, etc.), solid customer service and support and scalability (autoscaling, dynamic orchestration, rolling updates, etc.). The ideal IaC software should also have plenty of integrations with third-party developer tools and services, plus a library of plugins for added extensibility.

Final thoughts on the best infrastructure as code tools

The IaC tools listed above can help your software development team cut costs, increase speed and eliminate errors linked to manual configuration. Before picking an IaC tool from our list, review its features, pros, cons and pricing to ensure it is the right pick for you.

SEE: Top DevOps career paths

Our Corporate client is actively sourcing for a a skilled Microsoft Engineer Resource to join their team. As a Microsoft Engineer Resource, you will play a crucial role in maintaining, optimizing, and enhancing the Microsoft technology stack to support the organization’s IT infrastructure and operations.

The ideal candidate for this position will have a strong background in Microsoft technologies, including Windows Server, Active Directory, Exchange, SharePoint, and Azure. You should have a deep understanding of system administration, configuration, and troubleshooting within the Microsoft ecosystem.

Desired Skills:

• Microsoft Power Platform
• Power Platforms Admin
• Power App
• Design
• Develop
• Power Automate Desktop flows
• Power Automate Cloud Flows
• Power BI report
• Microsoft Prem Connectors
• Microsoft Pre Databases
• CICD
• DevOps
• Agile

Learn more/Apply for this position

The goal of any cloud migration is to make it seamless, without disrupting operations or incurring prohibitive costs. A paramount consideration is the strategic movement of workloads to the cloud at a pace that aligns with organizational timelines. The challenge lies in the quest for agility without compromising stability.

Enter the Microsoft Azure VMware Solution (AVS), an offering designed to ease the pain of cloud migration. AVS provides a familiar infrastructure stack, integrating compute, memory, network, and vSAN storage. By preserving application architecture and adopting a consumption-based pricing model, Microsoft AVS stands out for its ability to ensure smooth workload migration while minimizing business disruptions.

Crucially, AVS empowers businesses to harness cloud-native services in the future without requiring complex application refactoring, especially for VMware workloads. This orchestration is underpinned by operational consistency across existing and new applications, creating a balance between legacy systems and innovative approaches.

In a nice move, Pure Storage announced today that it is bringing its Pure Cloud Block Store offering to Microsoft AVS. The offering is in public preview now.

Bringing Enterprise Block Storage to the Cloud

Replicating a consistent external block storage architecture in the cloud is a challenge, one that makes cloud migrations needlessly complex. Pure Storage addresses this complexity with its Pure Cloud Block Store (CBS) solution, which offers a scalable storage solution for cloud deployments without a corresponding scale-out of compute resources. It’s a streamlined approach that accelerates the return on investment when transitioning on-premises workloads to the cloud.

CBS brings Pure’s Purity Operating System, the same software that runs its on-prem storage arrays, to the cloud. This allows cloud users to reap the same benefits found in traditional on-prem SANs in their cloud environment. Pure Storage’s Cloud Block Store is available today on Microsoft Azure and Amazon's AWS.

A critical element of Pure’s Cloud Block Storage is its approach to data reduction. CBS uses the same thin-provisioning, compression, and deduplication technologies present in Pure’s on-prem offerings to reduce the amount of data stored on flash in the cloud. This is a huge benefit in a cloud environment where users are charged by the byte to store and transfer data. Pure Storage's compression technology reduces cloud costs, including helping organizations reduce often-expensive ingress and egress fees.

Beyond the data reduction efficiencies, Pure CBS for Azure delivers the features typically associated with an enterprise block storage solution. This includes thin provisioning, instantaneous snapshots and clones, always-on data-at-rest encryption, snapshot scheduling, continuous replication, active/active replication, QoS, Pure’s SafeMode technology, and offload to Azure blob storage.

Introducing Pure Cloud Block Store for Microsoft AVS

Pure Storage is bringing CBS to Microsoft AVS, allowing users to provision storage as needed to fully use an Azure AVS deployment without having to scale out compute resources. Microsoft and Pure Storage collaborated to bring the solution to market, making some changes to Pure’s existing CBS for Azure offering along the way.

Pure’s existing CBS for Azure uses Azure’s “Ultra Disk Storage” instances. Ultra Disk Storage instances are Azure’s top-tier block storage offering, designed to provide storage for I/O intensive workloads (such as SAP HANA). It’s high-performance but also the highest-priced block storage offering on the platform.

Pure and Microsoft worked together to allow CBS to utilize a lower-cost storage tier, Azure’s Premium SSD v2 storage type. On paper, this should deliver half the performance of the Ultra Disk Storage tier, but Pure has managed to enable the lower-cost option without sacrificing the performance. Pure claims that the new solution improves cost-efficiency by 200%-300%. Making it more compelling are enhancements to the underlying compute instances that result in up to a 30% improvement in throughput and IOPs.

Analyst’s Take

Pure Storage’s Cloud Block Store is a compelling solution for nearly any cloud migration effort. Its new offering for AVS makes cloud migration even easier for IT administrators, who can now use VMware's suite of migration tools to move workloads to AVS. Pure Storage arrays already allow replication to CBS, so Pure’s on-prem customers can easily migrate their data.

The ability to right-size storage, leverage familiar migration tools, and tap into robust data protection features makes the journey to Azure VMware Solution more streamlined than ever before. Pure’s comprehensive approach, along with its data reduction capabilities, accelerates the migration's ROI, bringing enterprise storage capabilities to the public cloud. That's a compelling story as organizations increasingly embrace the cloud.

Disclosure: Steve McDowell is an industry analyst, and NAND Research an industry analyst firm, that engages in, or has engaged in, research, analysis, and advisory services with many technology companies, which may include those mentioned in this article. Mr. McDowell does not hold any equity positions with any company mentioned in this article.

Microsoft is rounding out the cloud security posture management (CSPM) capability it recently added to Microsoft Defender for Cloud with support for Google Cloud Platform (GCP). For some in the industry, Microsoft's move feels overdue.

While new to Microsoft Defender for Cloud, CSPM has become integral to cloud-native application protection platforms (CNAPPs). CSPM provides automated monitoring to offer near real-time visibility into hybrid and multicloud infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments to ensure their configurations map with their organizations' risk and compliance requirements.

Defender CSPM, which applies agentless scanning and contextual attack path analysis of hybrid cloud environments, including AWS and Azure, will include GCP starting Aug. 15, Microsoft said on Wednesday.

The updated release will deliver Microsoft Defender for Cloud administrators views of misconfigurations and other risks to their entire AWS, Azure, and GCP environments and their on-premises compute resources. Microsoft introduced CSPM as a Defender for Cloud feature, with AWS support, in 2021 and released the first iteration in April.

Microsoft is entering a crowded field of security vendors that offer multicloud CSPM capabilities, including Check Point, Cisco, CrowdStrike, IBM, Orca, Palo Alto Networks, Qualys, Skyhawk, Sysdig, Trellix, Trend Micro, VMware, Wiz, and Zscaler. Despite operating one of the three largest public clouds, Microsoft is touting its multicloud approach to CSPM.

But Mike DeNapoli, director and cybersecurity architect at Cymulate, questions why a GCP shop would turn to Microsoft for cloud security.

"Whether you decide to use it only for Azure or use it for all of your cloud infrastructure as they support additional cloud platforms, it's still just CSPM," he says. "And alone it's still not giving you the full picture of resiliency."

Normalizing Risk From Multiple Clouds

Microsoft acknowledges that 90% of enterprises now have multicloud environments, citing a survey from IT tools management provider Flexera. Because each cloud has unique architectures, there isn't a common approach to monitoring workloads across environments, says Enterprise Strategy Group senior analyst Melinda Marks.

"A key part of CSPM capabilities is to collect the data from the CSPs, normalize, and then compare it," Marks says, adding that organizations have relied on third-party security providers in multicloud environments. "Microsoft Defender is from Microsoft, but they have designed it to support multiple cloud environments, and this could help their customers not be as dependent in needing a CSPM from a security vendor. So for CSPM providers, Microsoft Defender could be seen as a competitor."

Chen Burshan, CEO of Skyhawk Security, says, "I think that the platforms should have this functionality since they have the infrastructure." He doesn't see the new move from Microsoft as competitive because CSPM is now simply expected.

Skyhawk, a security company spun out of Radware last year, detects exploitations as they occur in near real time, and CSPM is a component of that, Burshan says. "We deliver our CSPM for free," he says. "We think it's a commodity today."

Cymulate's DeNapoli anticipated Microsoft's move into CSPM. "It's encouraging to see that they are doing it," he says. Cymulate expanded its Exposure Management and Security Platform for AWS, Azure, and GCP on Tuesday.

Microsoft Cloud Security Graph

Vasu Jakkal, Microsoft's corporate VP for security, compliance, identity, and management, stated in a blog post announcing the forthcoming GCP support that "Defender CSPM provides advanced posture management capabilities with full visibility across cloud and hybrid resources from agentless scanning, integrated contextual insights from code, identities, data, internet exposure, compliance, attack path analysis, and more, to prioritize your most critical risks."

Defender CSPM uses Microsoft's cloud security graph to provide attack path analyses, he added, allowing security professionals to prioritize potential risks. Raviv Tamir, Microsoft's chief of security product strategy, says Microsoft has populated the graph database across all three clouds.

"Essentially, it's a really nice graph database that understands relationships that enables you to ask risk-related questions," Tamir says. "If I am looking at one asset, I can ask what it means to the other assets that I have."

Tamir explains that the first layer provides a way for administrators to query the graph through Microsoft's interface or via APIs. "So you can formulate any kind of query that you want to understand the relationship between the different assets that you have," he says.

Microsoft is enhancing the graph database to accept data from its new Microsoft Vulnerability Management (MVM) offering, enabling CSPM to mark external assets, he adds. "If you have assets that are externally facing the Internet, then that data also is accrued to the graph," Tamir says. "Things that come in from the other defenders also get through to the graph."

Besides scanning compute instances, Microsoft has expanded Defender CSPM's data discovery capabilities with GCP Cloud Storage. Jakkal's blog noted that this will enable security administrators to identify over 100 types of sensitive information via the cloud security graph to analyze attack paths.

Microsoft is adding multicloud policy monitoring for free via its Microsoft cloud security benchmark (MCSP). Microsoft describes MCSP as a cloud-based control framework mapped to compliance standards, such as CIS, PCI, and NIST. MCSP support is generally available in AWS and Azure and in preview in GCP via the regulatory compliance dashboard in Microsoft Defender for Cloud.

Last month, Microsoft announced that it would expand free access to cloud logs using Microsoft Purview Audit, in response to complaints that its fee structure for logging hindered organizations' investigations into an ongoing attack from a Chinese APT group. According to Microsoft, Purview Audit records and retains thousands of user and administrator operations across various Microsoft 365 offerings.

The China-linked attack on Microsoft email services will get a full review by the U.S. government’s special board for examining major cybersecurity incidents, the Department of Homeland Security said Friday.

The Cyber Safety Review Board will focus its attention on “the malicious targeting of cloud computing environments,” according to DHS, including the recent intrusion into Microsoft Exchange Online by China-based hackers.

The effort will include “a broader review of issues relating to cloud-based identity and authentication infrastructure,” DHS said.

“We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” said the CSRB’s chair, DHS Undersecretary for Policy Rob Silvers.

Reported targets of the Microsoft incident included senior U.S. officials like Commerce Secretary Gina Raimondo and the ambassador to China.

Read more: NSA chief: Chinese cyber spies continue to Strengthen — but haven't surpassed US

The CSRB already made news this week with a report about lessons learned from the fight against the Lapsus$ cybercrime gang. Its inaugural report covered the Log4j bug.

The Microsoft incident stirred up an aggressive response from policymakers and cybersecurity experts. Lawmakers have called for the Department of Justice to investigate the case, and analysts noted the highly skilled nature of the operation. The attackers infiltrated accounts through forged authentication tokens, which are used to validate the identity of entities requesting access to cloud resources.

Afterward the company and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said they were working together to expand access to cloud logging tools that could help organizations spot those kinds of attacks. Microsoft also said it made changes to the token validation system.

The review board is a public-private collaboration and has no regulatory powers, but so far its reports have received broad attention across government and industry.

“The Board’s findings and recommendations from this assessment will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems,” CISA Director Jen Easterly said.