Configuration management is an important part of DevOps methodology, and tools like Ansible and Terraform form the backbone of modern software development systems. Both tools are great examples of a next-generation system for building, managing and configuring a cloud infrastructure.
Terraform is an open-source infrastructure-as-code (IaC) tool. It enables administrators to describe and deploy data center infrastructures in cloud services using the high-level HashiCorp Configuration Language (HCL). Ansible is a modern configuration management tool that makes it easy to set up and maintain remote servers.
With the help of these tools, you can easily create cloud infrastructure as code, manage it, and improve it in the future. Terraform focuses on building servers from scratch, leaving the work of hosting containers with software to platforms like Docker or Packer. When the entire infrastructure of your cloud ecosystem is running as code and all parameters are written into declarative configuration files, your team can work with and modify these files just like any other code.
This is how AWS uses Terraform:
Terraform benefits include the following:
When using Chef, Salt, Puppet, or Ansible, any software update must be done where the software is installed. Thus, over time, each server acquires its own unique configuration and software update history. This leads to so-called “configuration drift”, where minor differences in the software used across the cloud ecosystem create potential access points for hackers and system vulnerabilities. Terraform works on the concept of immutable infrastructure, where every change to a component (software update, removal or addition of components, etc.) leads to the creation of a separate state of the infrastructure, that is, to building a new system and removing the previous configuration.
This means that the software update process is quick and easy throughout the entire system simultaneously and is protected from possible errors. At the same time, returning to any previous system configuration is as simple as selecting the required configuration from the list and creating a new environment according to the required parameters.
When using Chef or Ansible, you are forced to write step-by-step procedural instructions to achieve the desired system state. In contrast, with Terraform you write out the final state of the system and leave the configuration work to the utility.
Why is this so cool? Because a fairly limited library of code templates can satisfy any infrastructure configuration requests, and built-in primitives allow you to write modular code that is quite complex in terms of the level of impact, but very easy to read. When using procedural code, you need to remember all current processes in the system and recent events in order to create a simple and unambiguous statement. When using Terraform, you simply tell the utility what changes to make to the current system state, allowing you to get by with a fairly compact and very simple code template library.
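The declarative, immutable model described above can be shown with a toy planner. This is an added illustration, not code from the original article and not Terraform's implementation; the resource names and attributes are constructed for the example.

```python
"""Added illustration: declarative planning with immutable replacement.

Toy model only. Resource names and attributes are constructed samples.
"""

def plan(current, desired):
    """Diff the recorded state against the declared end state.

    Returns (action, name) pairs. A resource whose attributes differ is
    replaced (rebuilt from its declaration), never edited in place.
    """
    actions = []
    for name in sorted(desired.keys() | current.keys()):
        if name not in current:
            actions.append(("create", name))
        elif name not in desired:
            actions.append(("destroy", name))
        elif current[name] != desired[name]:
            actions.append(("replace", name))
    return actions


def apply(current, desired):
    """Carry out the plan and return the new recorded state."""
    state = dict(current)
    for action, name in plan(current, desired):
        if action == "destroy":
            del state[name]
        else:  # create or replace: build from the declared attributes only
            state[name] = dict(desired[name])
    return state


# Constructed sample: recorded state vs. the declared end state.
CURRENT = {
    "web-1": {"image": "app-v1", "size": "small"},
    "web-2": {"image": "app-v1", "size": "small"},
    "old-db": {"image": "db-v1", "size": "large"},
}
DESIRED = {
    "web-1": {"image": "app-v2", "size": "small"},
    "web-2": {"image": "app-v1", "size": "small"},
    "web-3": {"image": "app-v2", "size": "small"},
}

if __name__ == "__main__":
    print(plan(CURRENT, DESIRED))
    print(plan(apply(CURRENT, DESIRED), DESIRED))  # converged: nothing to do
```

Returning to a previous configuration is the same operation with the older declaration passed as `desired`.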
Terraform uses the APIs provided by a cloud hosting provider to build the infrastructure. This means avoiding unnecessary security checks, and there is no need for a separate configuration management server or for allocating resources to run numerous agent programs. Ansible achieves a similar result by working over SSH, but the possibilities of this method are rather limited. Because Terraform works through the API, this tool provides literally unlimited freedom of action and possible configuration options. This approach is much better in terms of security, reliability, and overall ease of use of the system.
Ansible is a software management system for remote servers. There are a number of similar systems (Chef, Puppet) with different principles of operation, requiring the installation of a client, etc. Ansible’s job is to perform a series of operations on a remote virtual machine.
All operations that you write into an Ansible script are performed sequentially. The logic is similar to a regular bash script, only written in Ansible's own commands. Describing tasks in this intermediate language allows you to decouple them from the distribution. Such an Ansible script is called a playbook.
Both Terraform and Ansible are infrastructure-building tools. Benefits inherent in IaC are also inherent in both of them. They include the following:
- A full match between test and production environments is guaranteed, down to the level of firewall rules and network topology. This is where most test environments differ from production environments. When an infrastructure-as-code approach is implemented consistently and steadily, such differences can be avoided and the predictive value of tests can be improved. Consequently, fewer errors will be revealed during the operational phase.
- Without IaC, if there are problems with the environment during testing, or the environment is changed inadvertently, you can only fix or restore the environment manually. With an infrastructure-as-code approach, the environment can simply be deleted and replaced with a new one. Alternatively, you can implement automatic correction of the environment.
- The process of changing the infrastructure can be clearly defined: this will allow you to see and evaluate all changes in the infrastructure. The mechanism also ensures that all changes are documented and traceable.
- To truly benefit from these perks, changes to the infrastructure should only be introduced through a change in the code that defines the infrastructure. The path to this goal can be difficult and arduous. Therefore, it makes sense to try to reduce the complexity of the environment.
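One way to check that changes arrive only through the code is to review Terraform's machine-readable plan in the pipeline. The following is an added example, not part of the original article: it reads the JSON printed by `terraform show -json <planfile>`; the sample plan, the resource addresses and the `SENSITIVE_TYPES` policy are constructed assumptions.

```python
"""Added example: gate a pipeline on Terraform's machine-readable plan.

Input is the JSON printed by `terraform show -json <planfile>`. The sample
document, resource addresses and SENSITIVE_TYPES are constructed.
"""
import json

# Assumption: resource types this team treats as security-relevant.
SENSITIVE_TYPES = {"aws_security_group", "aws_iam_policy", "aws_s3_bucket_policy"}

def review(plan_json):
    """Summarise out-of-band drift and planned changes from a plan document."""
    doc = json.loads(plan_json)
    report = {"drift": [], "changes": [], "sensitive": []}
    # resource_drift: differences between Terraform's recorded state and the
    # real infrastructure, i.e. changes made outside the code.
    for rc in doc.get("resource_drift") or []:
        report["drift"].append(rc["address"])
        if rc.get("type") in SENSITIVE_TYPES:
            report["sensitive"].append(rc["address"])
    # resource_changes: what applying the code would do.
    for rc in doc.get("resource_changes") or []:
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        report["changes"].append((rc["address"], "/".join(actions)))
        if rc.get("type") in SENSITIVE_TYPES and rc["address"] not in report["sensitive"]:
            report["sensitive"].append(rc["address"])
    return report

def gate(report):
    """Auto-approve only when nothing drifted and no sensitive type is touched."""
    return not report["drift"] and not report["sensitive"]

SAMPLE_PLAN = json.dumps({  # constructed sample, trimmed to the fields used
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
    ],
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.app", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"]}},
    ],
})

if __name__ == "__main__":
    print(review(SAMPLE_PLAN), gate(review(SAMPLE_PLAN)))
```

A failed gate here means a person should look at the plan before it is applied; the drifted security group in the sample is the kind of manual change the list above warns about.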
Let’s take a look at some great examples of how Terraform and Ansible can be used in large projects for infrastructure optimization.
Fuel Cycle is a comprehensive market research ecosystem. Initially, Fuel Cycle did not have a ready-made infrastructure supported by OpsWorks. So our team was tasked with creating an infrastructure that would meet all future needs from scratch. This process was time-consuming, but once the scalable and compliant system was ready, our efforts quickly paid off.
Fuel Cycle needed an infrastructure created for their product development that would easily manage the product environment. The infrastructure itself, virtual networks, and virtual machines – all parts of the system based in the cloud, were developed with the help of Terraform. The parts aimed at virtual machine configuration and setting up necessary parameters were created with Ansible.
Although Ansible provides the possibility of infrastructure creation in the cloud, core infrastructure is better off being created in Terraform. It is much more convenient to work with as it always remembers what your infrastructure was like prior to the most recent changes. Ansible doesn’t “remember” the previous infrastructure state; it only performs the commands assigned to it.
Our team divided all tasks into two parts: the creation of infrastructure, and virtual machines/networks via Terraform. Once virtual machines were ready, we discussed the software that would operate on this infrastructure. Only then were we ready to develop Ansible playbooks that configured the necessary number of virtual machines and golden images that we later used in Terraform for infrastructure deployment.
The benefits that Fuel Cycle has gained from the implemented system are as follows:
- visibility: all changes made within the system are immediately tracked and discovered. If the system configuration has changed, it’s easy to know who made the change and when;
- linting: IaC-based platforms can utilize automated linting. Tools that analyze infrastructure code and can point out emerging problems in a timely manner are of great importance to any project;
- expandability: with IaC on board, adding new features takes only a matter of minutes.
A major business benefit that IaC provides for Fuel Cycle is the reduction of maintenance costs. Infrastructure can be versioned and changed in sync with software changes. This ensures consistency between infrastructure and software. When a particular software requires changes to the infrastructure, such a mechanism will ensure that those changes are made.
Doxy is a free and safe telemedicine platform that provides a connection between doctors and patients. It allows you to use telemedicine services privately and securely. For a long-term and reliable operation, the company chose to move to the Terraform and Ansible IaC-based system.
It was a logical solution that OpsWorks Co was able to implement. Aside from the production environment, the company maintains ten identical infrastructures (created with the same code) that are used by different development teams for testing new features. With the help of automation ensured by IaC, the company can create a user-friendly interface even at the beta stage. It also accelerates the feedback cycle: with CI on board, debugging and fixing errors is quick and smooth.
Usually, the number of available environments is limited. In addition, the environments need to be managed: installing new software or deploying newly received test data. Automation will allow you to set up the environment effortlessly. And when the servers can be flexibly configured thanks to virtualization, it becomes possible to generate an unlimited (in principle) number of environments. This is especially convenient for testing, as it allows you to test several versions and problems in parallel. Ideally, the environment should be selected through the portal and provided automatically. Similarly, additional environments can be run during peak hours. For example, by installing additional server farms at the end of the reporting year and removing them later.
OTP bank came to us with the task of creating a Kubernetes cluster and migrating both internal and new applications to it. One of the requirements was the creation of IaC so that the Kubernetes cluster could be used for their future projects. We built their infrastructure using Terraform with Ansible so that the company can easily and automatically deploy all new applications and products.
In addition, infrastructure as code helps you keep track of the software you install. Each program and each component can be found in the installation rules. This simplifies inventory: the installation requirement for each individual component can be found in the configuration. Consequently, this approach can solve problems that usually require the use of a configuration management system (CMS). You can also centrally respond to the need to install updates, for example, due to detected security problems.
UPM offers a wide range of environmentally friendly and safe products for everyday use. The products are made from renewable and biodegradable materials and are recyclable. The company required a Terraform-built infrastructure that would allow them to deploy their Kubernetes orchestration tool in the future.
It is vital to know that IaC is exceptionally efficient because errors that can occur during the creation of environments are practically eliminated. Each environment results from the same software. Accordingly, all environments should look the same. This provides additional guarantees of security and reliability when deploying a production environment.
Stellar requested an infrastructure for their current CRM system and future projects. We used Terraform for the creation of the infrastructure itself and also utilized Ansible for application deployment within Kubernetes. This allowed for the implementation of software into the production environment and deployment of the app into a local development environment with the same code.
We at OpsWorks Co. believe that Ansible and Terraform are some of the best tools for managing cloud infrastructure configurations at the moment. Since Terraform is an open-source solution, its development is supported by a large and growing community of developers. This means it will only get better over time. Ansible has already taken its well-deserved place in the toolkit of every developer.