Ansible vs. Terraform: Cloud Infrastructure Management

In the evolving landscape of DevOps and Infrastructure as Code (IaC), two significant tools have emerged as front-runners for managing large-scale IT infrastructure: Ansible and Terraform. Both tools aim to automate and simplify infrastructure management, but they do so in distinct ways that cater to different aspects of IT operations. This comprehensive guide will explore Ansible and Terraform, their similarities, differences, and how to choose the right tool based on your operational needs.

What is Ansible?

Ansible, managed by Red Hat, is an open-source automation tool or platform used for IT tasks such as configuration management, application deployment, intra-service orchestration, and provisioning. Interestingly, Ansible operates on an agentless architecture, relying on SSH and Python to manage nodes, which makes it simple and easy to set up and use.

What is Terraform?

Terraform, on the other hand, is an open-source IaC tool created by HashiCorp that allows users to define and provision data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL). Unlike Ansible, Terraform is designed to handle the service life cycle from the ground up, specializing in infrastructure management.

Similarities between Ansible and Terraform

Despite their different approaches, Ansible and Terraform share a few similarities:

Open-Source: Both Ansible and Terraform are open-source tools, making them accessible to a large community of developers and system admins.
Automation and IaC: They promote automation and IaC, allowing teams to automate the deployment and manage infrastructure through code which increases efficiency and reduces human error.
Idempotency: Both tools are idempotent, meaning they can be run multiple times on the same system and will produce the same result without unintended side effects.
Modularity: Both support modular designs. In Ansuse you can write roles and modules, while Terraform allows the use of modules to group resources together.
Community and Ecosystem: Each tool boasts a vibrant community and a rich ecosystem of plugins, modules, and additional tools to extend their functionality.

Key Differences between Ansible and Terraform

The primary differences between Ansible and Terraform lie in their design philosophy and operational focus:

Configuration Management vs. Infrastructure Provisioning:
Ansible is primarily a configuration management tool designed to install and manage software on existing servers.
Terraform is primarily an infrastructure provisioning tool that is used to create, modify, and destroy infrastructure.
Mutable vs. Immutable Infrastructure:
Ansible supports mutable infrastructure paradigms, where changes are applied over the same infrastructure over time.
Terraform encourages an immutable infrastructure approach where changes often result in new sets of infrastructure components replacing the old ones.
Procedural vs. Declarative Code:
Ansible uses a procedural style where you write tasks that define how to reach the desired state of the system.
Terraform uses a declarative approach where you declare what the desired state of the system should be, and Terraform figures out how to achieve that state.
State Management:
Ansible does not maintain a state file and operates dynamically based on current system state.
Terraform maintains a state file that tracks the state of managed infrastructure, allowing it to record and track each change.
Agent vs. Agentless:
Ansible is agentless, leveraging SSH for communication, which can simplify setup.
Terraform requires a daemon process or “agent” to run on servers where operations are performed.

Choosing Between Ansible and Terraform

The choice between Ansible and Terraform can be dictated by specific project requirements:

For Configuration Management: Choose Ansible if the primary need is configuration management and software deployment on existing servers.
For Provisioning Infrastructure: Opt for Terraform if you need robust solutions for creating and managing immutable, versioned infrastructure across a variety of providers.

Ansible: Pros and Cons

Pros:

Simplicity and Ease of Use: Ansible’s simple, readable YAML syntax makes it easy for new users to understand and write playbooks. Its agentless nature means there’s no need to manage additional software on the client systems.
Flexibility: With modules for a wide array of tasks, Ansible can be used for configuration management, application deployment, and even for orchestrating complex multi-tier workflows.
Efficient Scalability: Leveraging SSH and being agentless, it can easily scale up to handle a large number of nodes, as long as the central managing station can handle the SSH sessions.
Powerful Integration: Integrates seamlessly with other Red Hat products and a wide variety of third-party services and applications.
Community Support: As part of the broader open-source community, Ansible has widespread community support, numerous plugins, and robust documentation.

Cons:

Performance: As it operates over SSH and is agentless, performance might degrade with a very large infrastructure or over slow network connections.
Limited Scope: Primarily focused on configuration management and software deployment, it’s not as robust for creating underlying infrastructure from scratch compared to tools like Terraform.
Error Handling: Error reporting and diagnostics in Ansible can sometimes be less helpful than desired, particularly when dealing with complex playbooks.
State Management: Lacks native capability to manage previous states of the system or infrastructure, which can be a hurdle in managing dependencies and requirements over time.

Terraform: Pros and Cons

Pros:

Infrastructure as Code: Provides a clear, declarative syntax for defining infrastructure, making it easy to audit, replicate, and modify infrastructure safely and efficiently.
Immutable Infrastructure Support: Emphasizes immutable infrastructure, where changes are made by replacing the old infrastructure with new, which can lead to more predictable, and thus more robust, systems.
Provider Agnosticism: Works with a multitude of providers (not just cloud platforms but also SaaS and PaaS providers), making it a very versatile tool for diverse environments.
State Management: Maintains state files that help in tracking each deployment and managing infrastructure with precise control.
Concurrency: Efficiently handles concurrent operations, which speeds up the process of infrastructure deployment across different providers.

Cons:

Complexity in State Management: State files can become a point of complexity and potential failure, especially in large-scale deployments or when state files get out of sync.
Learning Curve: While powerful, Terraform’s configuration language (HCL) and concepts (like state and graph theory) have a steeper learning curve compared to more straightforward scripting or configuration tools.
Limited Configuration Management: Not inherently designed for configuration management or software provisioning, which might require using additional tools like Ansible for these tasks.
Error Diagnostic: Errors, especially those arising from state discrepancy or misconfigurations, can sometimes be cryptic and hard to debug.
Cost of Changes: Given its focus on immutable infrastructure, making frequent changes can sometimes lead to higher computational costs because of resources being destroyed and recreated, rather than modified in place.

Both Ansible and Terraform excel in their respective domains. Choosing between them—or deciding to use them together—depends on the specific needs of the project or organization, such as the scale of operations, type of infrastructure involved, and the desired workflows for deploying and maintaining that infrastructure. It’s often beneficial to leverage their strengths in tandem to cover all aspects of infrastructure and application management lifecycle efficiently.

Let’s consider a common task: creating an AWS EC2 instance, which is a quintessential piece of infrastructure used in many projects. Below, I provide sample code for achieving this in both Ansible and Terraform. This example will help illustrate how each tool manages this task.

Terraform Code

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  tags = {
    Name = "ExampleInstance"
  }
}

Explanation

Provider Block: This part declares the provider (in this case, AWS) and specifies the region where the resources will be created. Terraform uses plugins as providers to interact with different cloud services.
Resource Block: This block defines the resource (an AWS EC2 instance) you want to manage. The type of resource (aws_instance) and a local name for it (example) are specified.
ami: The Amazon Machine Image ID that you want the instance to be based on.
instance_type: Specifies the type of instance (t2.micro).
tags: A map that assigns metadata to the instance, which helps with naming and managing resources.

In this Terraform script, when executed, Terraform will ensure that an AWS EC2 instance exactly matching this description exists. If it doesn’t, Terraform will create it. If the script is updated, Terraform will apply the changes accordingly.

Ansible Code

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Create a new EC2 instance
      amazon.aws.ec2_instance:
        name: ExampleInstance
        region: us-east-1
        image_id: ami-0c55b159cbfafe1f0
        instance_type: t2.micro
        wait: yes
        wait_timeout: 600
        tags:
          Name: ExampleInstance
      register: ec2

Explanation

Playbook Structure: Begins with setting localhost as the target. gather_facts: no stops Ansible from gathering system facts which can save time if they are not needed.
Tasks: This section lists one or more tasks, each of which is an action intended to manipulate resources.
name: Human-readable name of the task.
amazon.aws.ec2_instance: This Ansible module is used for creating EC2 instances.
name, region, image_id, instance_type: These fields mirror the declarative parameters in the Terraform script.
wait and wait_timeout: These optional parameters tell Ansible to wait for a maximum of 600 seconds to ensure the instance is running.
tags: Metadata for the instance similar to Terraform.
register: This is used to store the output of this task to the variable ec2 which can be used later in other tasks if needed.

In this Ansible playbook, executing it will create an EC2 instance with the specified parameters. Unlike Terraform, Ansible does not track the state of the system. Each run of the playbook will attempt to ensure the desired state declared in the tasks but without the awareness of the actual current state unless explicitly checked. Based on this example Terraform is ideal for provisioning and managing the lifecycle of concrete infrastructure components using a declarative approach. Ansible, being more oriented towards configuration management and application deployment, excels in mutable environments where you need to enforce a certain state without necessarily rebuilding infrastructure from scratch. In practice, these tools can often complement each other in a DevOps environment—Terraform to set up and manage the infrastructure, and Ansible for the configuration and application layers.

Let’s look at another common scenario in infrastructure management: creating a secure Virtual Private Cloud (VPC) on AWS. This example will showcase how both Ansible and Terraform can be used to establish this key piece of network infrastructure.

Terraform Code

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "example_vpc" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name = "ExampleVPC"
  }
}

resource "aws_internet_gateway" "example_gateway" {
  vpc_id = aws_vpc.example_vpc.id
  tags = {
    Name = "ExampleGateway"
  }
}

Explanation

Provider Block: Specifies AWS as the provider and sets the desired region.
Resource Block (aws_vpc): Creates a new VPC with a specified CIDR block. DNS support and hostnames are enabled for better integration with other AWS services.
Resource Block (aws_internet_gateway): Attaches an internet gateway to the VPC, allowing communication between the internet and the VPC.

This script, when applied, will ensure the creation of a VPC with an internet gateway configured as specified. The use of Terraform’s state allows for tracking these resources over time.

Ansible Code

- hosts: localhost
  gather_facts: no
  tasks:
  - name: Create a VPC
    amazon.aws.ec2_vpc_net:
      name: ExampleVPC
      cidr_block: 10.0.0.0/16
      region: us-east-1
      dns_support: true
      dns_hostnames: true
      state: present
    register: vpc

  - name: Create an Internet Gateway
    amazon.aws.ec2_vpc_igw:
      vpc_id: "{{ vpc.vpc.id }}"
      region: us-east-1
      state: present
      tags:
        Name: ExampleGateway

Explanation Playbook Setup: Declares localhost and disables fact gathering. Tasks: Create a VPC: Uses ec2_vpc_net to define a VPC with similar parameters to the Terraform example. The state is set to ‘present,’ which ensures the VPC exists as defined. Create an Internet Gateway: Utilizes ec2_vpc_igw to attach an internet gateway to the VPC. The VPC ID is dynamically pulled from the previous task using Ansible’s registering mechanism to hold state across tasks within the playbook. Here, executing this playbook will create the specified VPC and internet gateway on AWS. Ansible’s approach involves imperative tasks that adjust the infrastructure to match the desired state without an ongoing tracking mechanism. Each task must be idempotent to avoid creating duplicate resources on repeat runs. Terraform is very effective when you need to ensure entire environments are managed with clear, trackable configurations, all defined upfront. It shines in scenarios where infrastructure setup and lifecycle management are complex and tightly controlled. Ansible is great for operations or environments where configurations might change dynamically and frequently, and where the management includes not just the deployment but also the ongoing operation and orchestration of various components. Using the example of setting up a VPC, both tools once again demonstrate strengths in their respective areas of provisioning and configuration, guiding decisions based on project specifics, infrastructure requirements, and team capabilities.

Let’s demonstrate how both Ansible and Terraform can be used to manage resources on Google Cloud Platform (GCP). In this scenario, we’ll create a Google Cloud Storage bucket, which is a fundamental and widely used service for storing any amount of data.

Terraform Code Below is a Terraform script to create a Google Cloud Storage bucket.

provider "google" {
  credentials = file("<CREDENTIALS_JSON_FILE>")
  project     = "<YOUR_PROJECT_ID>"
  region      = "us-central1"
}

resource "google_storage_bucket" "example_bucket" {
  name     = "my-unique-bucket-name"
  location = "US"
  
  storage_class = "STANDARD"

  lifecycle_rule {
    condition {
      age = 10
    }
    action {
      type = "Delete"
    }
  }

  versioning {
    enabled = true
  }
}

Explanation

Provider Block: Configures the Google provider with necessary credentials, the project ID, and region.
Resource Block (google_storage_bucket):
name: The name of the bucket. This needs to be globally unique.
location: Specifies where the bucket data is stored.
storage_class: Set to STANDARD (typical access).
lifecycle_rule: A rule to automatically delete items in the bucket that are older than 10 days.
versioning: Enables versioning on the bucket, allowing for the restoration of object versions.

With this Terraform script, when executed, Terraform will ensure the existence of a Google Cloud Storage bucket with these exact specifications, managing it throughout its lifecycle.

Ansible Code

Here is an Ansible playbook to achieve the same objective.

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Create GCP Storage Bucket
      google.cloud.gcp_storage_bucket:
        name: "my-unique-bucket-name"
        project: "<YOUR_PROJECT_ID>"
        auth_kind: serviceaccount
        service_account_file: "<CREDENTIALS_JSON_FILE>"
        location: "US"
        storage_class: "STANDARD"
        state: present
        versioning:
          enabled: true
      register: gcp_bucket

Explanation

Playbook Setup: Ansible is configured to run locally and doesn’t gather facts about the machine it’s running on.
Tasks:
Create GCP Storage Bucket: Utilizes the gcp_storage_bucket module to manage a Google Cloud Storage bucket.
name, project, location, and storage_class: Directly correlate to their Terraform counterparts.
auth_kind and service_account_file: Methods for authenticating against GCP.
state: Ensures that the bucket exists as specified; ‘present’ means that if the bucket doesn’t exist, it will be created.
versioning: Enables object versioning within the bucket.

Executing this playbook will ensure the creation or configuration of the specified Google Cloud Storage bucket as per the parameters. Unlike Terraform, Ansible does not keep a state of the infrastructure but ensures the desired state during each execution.

Both Terraform and Ansible demonstrate robust capabilities in managing cloud resources like storage buckets in GCP, albeit from slightly different operational paradigms:

Terraform’s declarative approach is often seen as advantageous for managing the full lifecycle of cloud resources with clear state management and planning features.
Ansible’s imperative style can be more straightforward for those already familiar with its ecosystem, providing powerful, flexible tools for configuring not only infrastructure but also software and dependencies.

Choosing between them (or deciding to use them in conjunction) depends on factors like existing workflows, team familiarity with the tools, and specific project requirements.