
I teach in a cryptography course at AIT Budapest 🎓, where I have a set of lab demos on PKI and TLS. I wrote some terraform code to spin up a couple of websites on Google Cloud in various states of TLS (no TLS, cert for a different domain, incorrectly set up TLS, good TLS, etc.) and to demonstrate certain attacks. The code is very simple and basic: create VM ➡️ register DNS name ➡️ obtain cert using certbot ➡️ install demo PHP app and configure the TLS site the way I need it. Terraform is handy as it allows me to do & undo all of this quickly in bulk and only pay Google for a few days of use.

I have been using this for many years (started pre-covid); I mostly run it once each semester and sometimes a few extra times when I am experimenting.

In theory, infrastructure-as-code (IaC) allows you to write code once, and use it infinitely for recreating the same environment later. In theory, theory and practice are the same. In practice they are not. Sometimes:

  • 👉 Cloud provider (CSP) settings change, and e.g. the Google VM type I had been going for is no longer 'free tier' and starts charging money.

  • 👉 Software/packages come and go, and e.g. the Debian version I used to install a few years ago is no longer available, so you need to adjust your IaC to use different software.

  • 👉 Libraries/languages may change their syntax (e.g. PHP 😡), so the same code you had years ago no longer runs on a new PHP version.

  • 👉 Sometimes default configuration settings change. For example, when certbot made Strict-Transport-Security mainstream (the web server tells the browser never to allow plain HTTP for the site), it was a great security improvement, so this is good... unless it is a vulnerability you want to demonstrate.

  • 👉 Sometimes browsers start behaving differently (and e.g. refuse to connect to the sites where you would demo broken TLS).
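
As an added example (my own illustration, not the course's terraform code nor anything from the original post), here is a small Python probe that reports which of the demo TLS states a lab site is actually in and whether it already sends the Strict-Transport-Security header mentioned above. The hostname, and the finer state names beyond the post's "no TLS / cert for a different domain / incorrectly set up / good", are assumptions; the OpenSSL verify codes used are the standard X509_V_ERR_* values.

```python
"""Probe a lab web site and report its demo TLS state plus its HSTS policy."""
import socket
import ssl

# OpenSSL X509 verification result codes (ssl.SSLCertVerificationError.verify_code).
_VERIFY_STATE = {
    10: "cert-expired",                 # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",                  # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self-signed-chain",            # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "unknown-issuer",               # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "cert-for-different-domain",    # X509_V_ERR_HOSTNAME_MISMATCH
}


def classify_verify_error(verify_code: int, verify_message: str = "") -> str:
    """Map a certificate verification failure to one of the demo states."""
    if verify_code in _VERIFY_STATE:
        return _VERIFY_STATE[verify_code]
    if "hostname mismatch" in verify_message.lower():  # older OpenSSL wording
        return "cert-for-different-domain"
    return "untrusted-cert"


def hsts_header(response_head: str) -> str:
    """Return the Strict-Transport-Security value from a raw HTTP response head ('' if absent)."""
    for line in response_head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return ""


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header; max_age 0 means the browser will still allow plain HTTP."""
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            policy["max_age"] = int(value.strip())
        elif name.lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with browser-like verification; hostname 'host' is an assumed demo site."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            head = tls.recv(4096).decode(errors="replace")
    except ssl.SSLCertVerificationError as e:
        return {"state": classify_verify_error(e.verify_code, e.verify_message), "hsts": parse_hsts("")}
    except (ssl.SSLError, ConnectionRefusedError):
        return {"state": "no-tls", "hsts": parse_hsts("")}  # plain HTTP or nothing listening
    return {"state": "good", "hsts": parse_hsts(hsts_header(head))}
```

Running `probe()` against each demo host before class shows which sites a current browser will still reach and which ones now carry an HSTS policy that defeats the plain-HTTP demo.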

IaC is great, terraform is fun, this all works and saves a lot of time. I just want to highlight that it is not 'write once, reuse forever': you need to maintain it.

TL;DR: Infrastructure-as-code still requires you to spend time maintaining your infra; you no longer need to maintain the legacy tech stack you know, but instead you maintain a complex system of ever-changing dynamic tech stacks. 😆

Our course at AIT Budapest.

This is my personal website, opinions expressed here are strictly my own, and do not reflect the opinion of my employer. My English blog is experimental and only a small portion of my Hungarian blog is available in English. Contents of my blog may be freely used according to Creative Commons license CC BY.