---
title: "What is Infrastructure-as-Code (IaC)?"
page_name: "Infrastructure-as-code"
type: "glossary"
slug: "infrastructure-as-code"
published_at: "2025-02-18"
modified_at: "2026-02-12"
url: "https://www.sumologic.com/glossary/infrastructure-as-code"
canonical: "https://www.sumologic.com/glossary/infrastructure-as-code"
markdown_url: "https://www.sumologic.com/glossary/infrastructure-as-code.md"
lang: "en"
excerpt: "Explore what is infrastructure-as-code (IaC), IaC tools, use cases for DevOps and how IaC enhances the software deployment cycle. Learn about Sumo Logic’s automation and security integration tools that enable DevSecOps."
---

[Glossary](/glossary)# Infrastructure-as-code

 [A](/glossary#A)

 [B](/glossary#B)

 [C](/glossary#C)

 [D](/glossary#D)

 [E](/glossary#E)

 [F](/glossary#F)

 [G](/glossary#G)

 [H](/glossary#H)

 [I](/glossary#I)

 [J](/glossary#J)

 [K](/glossary#K)

 [L](/glossary#L)

 [M](/glossary#M)

 [N](/glossary#N)

 [O](/glossary#O)

 [P](/glossary#P)

 [Q](/glossary#Q)

 [R](/glossary#R)

 [S](/glossary#S)

 [T](/glossary#T)

 [U](/glossary#U)

 [V](/glossary#V)

 [W](/glossary#W)

 [X](/glossary#X)

 [Y](/glossary#Y)

 [Z](/glossary#Z)

##### Table of contents

 

 

 

## What is Infrastructure-as-Code?

Infrastructure-as-Code (IaC) is the practice of provisioning, configuring, and managing cloud infrastructure using code instead of manual configuration. Rather than setting up servers, networks, and other infrastructure components through a manual process, engineers use configuration files and IaC scripts to automate infrastructure deployment.

Infrastructure-as-Code enables infrastructure provisioning, infrastructure management, and infrastructure automation at scale across modern cloud computing environments.

IaC relies on three foundational elements:

- Resource pooling
- Software-defined intelligence
- A unified API

By leveraging [APIs](http://www.sumologic.com/glossary/api) from a cloud provider, [DevOps](https://www.sumologic.com/glossary/devops) teams can manage infrastructure resources programmatically—improving consistency, scalability, and speed.

Key takeaways

- The implementation of code as the control mechanism for IT infrastructure includes the use of software development techniques, such as continuous integration, continuous delivery, and version control.
- Infrastructure of code takes advantage of the API-driven model that underlies cloud services.
- With IaC, engineers can provision and manage IT infrastructure at scale using a code-based approach, rather than manually configuring each virtualization instance.
- IaC requires three elements to function: resource pooling, software defined intelligence, and a unified API.

### What is infrastructure-as-code in DevOps

IaC takes advantage of the [API](http://www.sumologic.com/glossary/api)-driven model that underlies cloud services. Engineers can write software applications that directly interact with cloud-based infrastructures such as DNS servers, file servers, networks, and even virtual machines and containers. The ability to pass instructions to these infrastructure elements using APIs means that engineers can provision and manage IT infrastructure at scale using a code-based approach rather than manually configuring each virtualization instance. It is also an important feature of [DevOps](http://www.sumologic.com/glossary/devops), as it provides additional automation that streamlines the code development and deployment process, drives [continuous integration](http://www.sumologic.com/glossary/continuous-integration) and reduces manual labor, enabling developers to focus more on their responsibilities in security and operations management.

IaC developed out of a need to standardize deployment environments for software development teams pursuing a continuous integration or [continuous delivery](http://www.sumologic.com/glossary/continuous-deployment) model and following the DevOps paradigm. The practice evolved as a response to a repeatedly observed issue in the software release/deployment pipeline known as *environmental drift*.

Sometimes, the deployment environment is simply the developer’s workstation. Other environments can include:

- **Production** – the environment where end users can access the application. Deployment to the production environment means that customers can interact with the updates. Production is also sometimes called the “live” environment.
- **Staging** – acts as a mirror of the production environment. Its purpose is to mimic the conditions of the production environment without actually being accessible to end-users. Staging environments enable developers to test the functioning of an application in a context similar to the production environment while still preventing users from interacting with any bugs. The staging environment may also be called the model or pre-production environment, or demo environment.
- **Testing** – where interface testing is typically performed, and where a team of quality controllers determines whether the updates to the code should be accepted into the core application or further revised.
- **Integration** – teams that are attempting to execute on continuous integration deploy new commits to the integration environment daily. Here, integration testing occurs to verify whether new commits can be integrated into the existing code base without causing errors.
- **Development** – where individual developers can perform basic unit testing of small pieces of code, before its integration with the core application.

Developer teams must maintain the settings of individual deployment environments and ensure that a specific type of environment is configured in the same way each time it is used. Each deployment environment takes on a unique configuration that may be difficult to reproduce, and errors in setting up test environments can lead to inconsistent testing results.

IaC enables software developers working in DevOps to set up virtual deployment environments using scripts, removing the manual process of configuring environments and eliminating a significant potential source of error.

### IaC use cases and tools

IaC has several use cases, including:

- Deploying and automating resource and application configurations
- Synchronize versions and update applications across a multi-cloud system
- Deploy security policies
- Deploy virtual networks

There are many IaC tools available to use. Some examples of infrastructure-as-code tools are:

- Ansible
- [Terraform](http://www.sumologic.com/blog/terraform-provider-hosted)
- [Google Cloud Deployment Manager](https://www.sumologic.com/applications/google/)
- [Azure Resource Manager](https://www.sumologic.com/resources/azure/)
- [Vagrant](http://www.sumologic.com/blog/vagrant-vs-docker)

### How does IaC enhance the software deployment cycle?

Before the introduction of [DevOps](http://www.sumologic.com/glossary/devops) and the enhanced focus on automation technologies like IaC as a part of the software deployment cycle, software delivery was a tedious and wasteful process that required support from a variety of roles. A single deployment might require support from:

- A system administrator, who would configure a physical server to mirror the production environment
- A database administrator, who would set up a database to support the application testing process
- A developer to build and deliver the code
- A test team to manually conduct software testing on the delivered code

Only after going through all of these steps would a new piece of code be integrated into the live application and deployed into the production environment. This process requires several man-hours, a lot of human resources, and a significant level of expense. Automation is minimal and the application may still require additional rework if errors are discovered. Using infrastructure-as-code, developers can now complete all of the key tasks associated with software deployment independently.

The developer writes a special piece of code that will provide instructions to a virtualized machine, databases, testing and delivery tools and other infrastructure. This code will tell the virtual machine how to configure the environment according to exact specifications. When a new update is ready, the developer can run the code to automatically create a virtual test environment according to exact specifications.

IaC can be used to launch a new instance of a virtualized environment and configure it to perfectly mirror the production environment, even considering versioning and service packs. Automated testing tools can be implemented in place of a team of manual testers to conduct unit and integration tests on new code commits. Streamlining the process of releasing new code through automation is part of what makes it possible for [DevOps](http://www.sumologic.com/glossary/devops) teams to achieve [continuous integration](http://www.sumologic.com/glossary/continuous-integration) or continuous delivery.

### Automation and security integration for DevSecOps with Sumo Logic

DevOps is rapidly becoming the most important set of principles that governs how organizations choose to build, run and secure their applications.

Sumo Logic’s[ analytics platform](http://www.sumologic.com/solutions/cloud-infrastructure-security) was purpose-built as an enabler for DevSecOps. Developers can use the platform to analyze user interaction [with applications](http://www.sumologic.com/solutions/application-monitoring) and make better decisions about what upcoming features and capabilities should be prioritized for development. From a security standpoint, Sumo Logic provides [an integrated view](http://www.sumologic.com/solutions/log-management) of system and application logs from throughout the cloud environment, making it easier to correlate network events and investigate security threats in real-time.

Sumo Logic’s operational analytics can be used to monitor the security and stability of the IT environment and to troubleshoot performance issues, ensuring the maximum availability of applications and services for the business. [Learn how.](https://www.sumologic.com/solutions/modernize-security-operations/)

### FAQs

 How does DevSecOps help an organization meet regulatory requirements?+By incorporating security practices into every stage of development, organizations can proactively enforce compliance standards and build secure systems from the ground up. [DevSecOps](https://www.sumologic.com/blog/devsecops-ai-disruptive-log-economics) helps identify and remediate security vulnerabilities [early on](https://www.sumologic.com/blog/dont-just-shift-left-level-up-building-a-modern-cyber-defense-program) by, for example, using interactive application security testing (IAST) tools to evaluate an application’s potential vulnerabilities in a production environment. These risk management procedures are essential for meeting regulatory requirements and avoiding potential penalties for non-compliance. Maintaining [compliance](https://www.sumologic.com/blog/what-to-expect-when-youre-expecting-a-cybersecurity-audit-for-compliance) becomes a natural byproduct of a well-implemented [DevSecOps approach](https://www.sumologic.com/blog/devsecops-log-analysis-app-security).

 What are best practices for implementing a unified DevSecOps approach within an organization?+Encourage a culture of collaboration built on shared data. If everyone can agree on the truth, they’re more likely to work together. Integrate security practices early, and automate as much as possible so that DevSecOps doesn’t just feel like additional workload.

[AI Instructions](https://www.sumologic.com/ai-instructions.md)