Overview of IaC Service
IaC Service is a fully managed Infrastructure as Code (IaC) service from Alibaba Cloud. It is based on Terraform and enables you to automate the orchestration of cloud resources, manage existing resources, and perform continuous O&M online. You do not need to set up or maintain a local environment.
Core capabilities
Fully managed resource orchestration
IaC Service executes Terraform templates in a serverless manner. This process does not consume any compute resources. You can submit templates through the console or OpenAPI to create, change, and destroy resources.
The platform automatically manages the Terraform state file (terraform.tfstate), preventing file loss and conflicts. Execution policies support both manual and automatic modes. You can trigger jobs manually, automatically, upon a version release, or when a parameter set changes. This meets the needs of different security levels and degrees of automation.
Resource orchestration workflow
Submit template → Create task → Start job → Plan changes → Apply changes → Resource ready
Automated export of existing resources
The native Terraform import command can only import one resource at a time. After importing, you must manually write the template code. If you have many existing resources, importing them one by one is costly.
IaC Service provides a batch export feature. You can select resource types and regions, and set filter conditions to batch export existing resources into Terraform templates and state files for ongoing management.
Automated generation of RAM policies
Executing Terraform templates requires specific RAM permissions. Because the underlying APIs called by the template are not visible to users, manually determining the required access policy is difficult and error-prone. Excessive permissions create security risks, while insufficient permissions cause template execution to fail.
IaC Service can parse templates online and automatically generate a RAM policy. You can provide a template from GitHub, GitLab, or OSS to automatically generate the least privilege policy required for that template. This helps you implement the principle of least privilege and quickly complete RAM authorization.
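The least-privilege point above can be checked from the other direction: given the set of actions a template actually calls, audit whether a hand-written RAM policy covers them without wildcard grants. This is an added example, not IaC Service's own code; the policy document and the required-action set are constructed for illustration.

```python
# Added example (not IaC Service's own code): audit a hand-written RAM policy
# against the set of actions a template actually needs. The policy document and
# the required-action set below are constructed for illustration.
import fnmatch
import json

# Constructed policy in the RAM policy document format: one over-broad wildcard
# grant, one exact grant, and one explicit Deny.
CANDIDATE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ecs:DescribeInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "oss:DeleteBucket", "Resource": "*"},
    ],
})

# Constructed set of actions the template is assumed to call.
REQUIRED = {"oss:PutBucket", "oss:GetBucketAcl", "ecs:DescribeInstances"}


def action_patterns(policy_json, effect):
    """Collect Action patterns from statements with the given Effect."""
    pats = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != effect:
            continue
        actions = st["Action"]
        pats.extend([actions] if isinstance(actions, str) else actions)
    return pats


def matches(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def audit(policy_json, required):
    """Return the required actions the policy does not effectively allow
    (no matching Allow, or a matching Deny, which takes precedence) and the
    wildcard Allow patterns that grant more than the template needs."""
    allow = action_patterns(policy_json, "Allow")
    deny = action_patterns(policy_json, "Deny")
    missing = sorted(a for a in required
                     if not matches(a, allow) or matches(a, deny))
    wildcards = [p for p in allow if "*" in p]
    return {"missing": missing, "wildcards": wildcards}
```

An empty `missing` list with a non-empty `wildcards` list is the typical "it works, but it is not least privilege" result that the generated policy is meant to avoid.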
Proactive compliance audit
IaC Service integrates with Alibaba Cloud Config to perform compliance pre-checks before executing a Terraform template. After you enable proactive blocking for a rule in the Cloud Config console, the system automatically calls Cloud Config to assess the compliance of new or modified resources before each template execution. Non-compliant additions or changes are blocked, preventing compliance risks before they occur.
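The same pre-check pattern can be reproduced outside the service by evaluating rules against the JSON form of a Terraform plan before apply. This is an added example, not IaC Service's or Cloud Config's code; the two rules and the embedded plan excerpt are constructed, and the plan follows the `terraform show -json` schema.

```python
# Added example (not IaC Service's own code): a pre-apply compliance gate that
# reads the JSON form of a Terraform plan (`terraform show -json plan.out`) and
# blocks resource additions or updates that violate simple rules. The rules and
# the embedded plan excerpt are constructed for illustration.
import json

# Constructed plan excerpt: only `resource_changes` matters for this check.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "alicloud_oss_bucket.logs", "type": "alicloud_oss_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "audit-logs", "acl": "public-read"}}},
        {"address": "alicloud_oss_bucket.data", "type": "alicloud_oss_bucket",
         "change": {"actions": ["update"],
                    "after": {"bucket": "app-data", "acl": "private"}}},
        {"address": "alicloud_security_group_rule.ssh",
         "type": "alicloud_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"port_range": "22/22", "cidr_ip": "0.0.0.0/0"}}},
        {"address": "alicloud_oss_bucket.old", "type": "alicloud_oss_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


def rule_private_bucket(after):
    return after.get("acl", "private") == "private"


def rule_no_open_ssh(after):
    return not (after.get("port_range") == "22/22"
                and after.get("cidr_ip") == "0.0.0.0/0")


# Rule id -> check, keyed by resource type (ids are constructed names).
RULES = {
    "alicloud_oss_bucket": [("oss-bucket-acl-private", rule_private_bucket)],
    "alicloud_security_group_rule": [("sg-no-ssh-from-internet", rule_no_open_ssh)],
}


def precheck(plan_json):
    """Return (address, rule_id) pairs for non-compliant created/updated resources.
    Deletions are skipped: there is no resulting resource to be non-compliant."""
    violations = []
    for rc in json.loads(plan_json)["resource_changes"]:
        if not ({"create", "update"} & set(rc["change"]["actions"])):
            continue
        after = rc["change"].get("after") or {}
        for rule_id, check in RULES.get(rc["type"], []):
            if not check(after):
                violations.append((rc["address"], rule_id))
    return violations
```

Wiring this into a pipeline means exiting non-zero when `precheck` returns anything, so the apply step never runs for a plan that fails a rule.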
Drift detection
Modifying resources managed by Terraform directly through the console or an API can cause the actual state to deviate from the template definition. This is known as configuration drift. The drift detection feature continuously monitors for differences between the template (desired state), the state file (recorded state), and the actual state of cloud resources. This allows for prompt detection of configuration drift and ensures that the infrastructure state matches the template definition.
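The three-way comparison described above (template, state file, live resource) can be expressed as a small classifier that names the kind of drift per attribute. This is an added example, not IaC Service's own drift-detection code; the three attribute maps are constructed.

```python
# Added example (not IaC Service's own code): classify drift per attribute by
# comparing the template (desired), the state file (recorded) and the live
# resource (actual). The three attribute maps are constructed for illustration.

DESIRED = {"instance_type": "ecs.g7.large", "security_groups": ["sg-web"],
           "tags": {"env": "prod"}}
RECORDED = {"instance_type": "ecs.g7.large", "security_groups": ["sg-web"],
            "tags": {"env": "prod"}}
# A second security group was attached through the console after the last apply.
ACTUAL = {"instance_type": "ecs.g7.large", "security_groups": ["sg-web", "sg-debug"],
          "tags": {"env": "prod"}}

# What each drift kind means and how it is normally reconciled.
REMEDIATION = {
    "out-of-band change": "refresh state, then apply to revert or codify it",
    "unapplied template change": "apply the pending template version",
    "stale state": "refresh state; the resource already matches the template",
    "conflict": "manual review; all three sources disagree",
}


def classify(desired, recorded, actual):
    """Return {attribute: drift kind} for every attribute that is not identical
    across all three sources. Attributes present in only some sources compare
    as None on the others."""
    result = {}
    for attr in sorted(set(desired) | set(recorded) | set(actual)):
        d, r, a = desired.get(attr), recorded.get(attr), actual.get(attr)
        if d == r == a:
            continue
        if d == r:                 # template and state agree, reality differs
            result[attr] = "out-of-band change"
        elif r == a:               # state matches reality, template moved on
            result[attr] = "unapplied template change"
        elif d == a:               # reality already matches the template
            result[attr] = "stale state"
        else:
            result[attr] = "conflict"
    return result


def report(desired, recorded, actual):
    """Human-readable lines pairing each drifted attribute with its remediation."""
    return [f"{attr}: {kind}; {REMEDIATION[kind]}"
            for attr, kind in classify(desired, recorded, actual).items()]
```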
Scenario-based testing
Scenario-based testing periodically simulates the execution of Terraform templates to continuously validate their availability. This feature supports capabilities such as assertion checks, scheduled triggers, and automatic triggers upon the release of a Terraform Provider. This helps you find and fix issues before they affect your business and provides quality assurance for Terraform Provider regression testing and delivery validation.
Scenarios
Landing Zone: Quickly set up an initial cloud environment
When you first use Alibaba Cloud or a new account, you typically need to perform setup tasks. These tasks include enabling cloud products, building a RAM permission system, and configuring the network environment. As the number of accounts grows, the cost of these repetitive tasks also increases.
Using the online execution capabilities of IaC Service and predefined landing zone templates, you can quickly complete the initial configuration and build a standardized cloud environment.
Target users: Users who are new to Alibaba Cloud or have new accounts, and enterprise IT administrators who manage multiple accounts.
GitOps automation pipeline: Drive infrastructure updates with code changes
You can host your infrastructure code on GitHub or GitLab and configure it in IaC Service. When the code changes, the system automatically triggers the plan, apply, and execution flow to achieve continuous delivery of infrastructure changes.
Target users: DevOps teams with experience in CI/CD practices.
Environment cloning: Copy a staging environment from a production environment
Inconsistencies between the staging and production environments can lead to unreliable test results. A permanent staging environment also incurs extra resource costs. You can use the export feature for existing resources to export your production environment as a template. You can then use this template to quickly clone a consistent staging environment. After testing is complete, the resources can be automatically released.
Target users: Development and testing teams that need to manage multiple environments.
Account migration: Automate resource migration across accounts
When migrating business and resources from one account to another, the main challenges are how to quickly create resources in the new account and securely clean up resources in the old one. With IaC Service, you can export resources from the source account as a template and share it with the destination account. The destination account uses the template to automatically create resources, and the source account can use the destroy feature to automatically clean up its resources.
Target users: Teams handling cross-account migration scenarios such as corporate mergers and account consolidation.
Terms
The core concepts of the Automated Service Desk and their hierarchical relationships are as follows:
Template
└── Template Version
    └── Parameter Set ← Can also be attached to a template or task
        └── Task
            └── Job

Concept | Definition | Analogy |
--- | --- | --- |
Template | A logical unit for managing Terraform code. It uses a versioning mechanism to manage one or more Terraform template files. | Code repository |
Template Version | A code snapshot of a template at a specific point in time. A new template version is automatically created when the template's source address or version changes. | Git commit |
Parameter Set | A reusable collection of input parameters for a template. It can be associated with a template, template version, or task. | Environment variable configuration file |
Task | An execution unit that associates configurations such as a template version and a parameter set. Each task is bound to a specific template version. | CI/CD pipeline |
Job | A specific execution instance of a task. A job is responsible for actually calling Terraform commands, such as Plan, Apply, and Destroy. | A run of a pipeline |
You can create multiple tasks from each template. Different tasks from the same template are completely isolated from each other. Their corresponding state files are also independent.
Security
IaC Service uses container-level isolation to ensure the security of the execution environment. Each execution of a Terraform template runs in a separate, isolated container. The execution environments for different users and tasks do not affect each other.
The main security measures are as follows:
Execution environment isolation: Each job runs in a separate container. The container is automatically destroyed after execution, leaving no residual data.
Credential security: Sensitive credentials, such as AccessKey pairs, are encrypted during transmission and storage. They are injected through a secure channel during execution and are not written to disk.
Network isolation: Network access for the execution container is strictly controlled. It is only allowed to access necessary Alibaba Cloud API endpoints.