Red Hat® Ansible® Automation Platform and HashiCorp Terraform are both automation products with open source roots that embrace an Infrastructure as Code (IaC) approach for automating IT environments.
Evaluating these solutions for your organization isn’t a simple comparison, since there’s no one "right" way to automate or one automation tool to use—just as there is not only one way to solve a problem. What your business needs is completely different from the requirements of another organization in your same industry.
As you’re researching automation solutions, you’ve undoubtedly seen many terms used to describe the key differences and functionality of the products. Let’s define some of the most common ones and explore how they relate to each other—and to Ansible and Terraform.
Orchestration is the coordinated execution of multiple workflows. Each workflow executes one or more tasks. Orchestrated together, these workflows automate the configuration and management of complex systems, applications, and services. This coordination usually follows pre-established rules defined in a policy. Orchestration can also coordinate multiple automation solutions. Those, in turn, execute the automation workflows.
Both Ansible and Terraform can act as orchestrators as they can invoke multiple automation workflows in sequence following specific policies. Ansible has built-in modules to connect to and manage other automation tools (including Terraform). As a result, you can standardize your approach to automation across your entire IT estate, using Ansible as the top-level, common language for all teams.
Both Ansible and Terraform can provision (and deprovision) IT infrastructure. Ansible can also provision apps and services.
Configuration management is the process of defining and maintaining the configuration of infrastructure, applications, and services.
Like many other automation solutions, Ansible and Terraform can both define configurations and apply them to various infrastructure targets. However, their approach to configuration management differs. Terraform uses an approach called declarative programming, which tries to preserve the configuration of an IT infrastructure by defining a desired state. Ansible uses a procedural (or imperative) programming approach, which tries to preserve the configuration of an IT infrastructure by defining the steps to reach a desired state. Each process is detailed below.
An Infrastructure as Code (IaC) approach defines and provisions infrastructure through code that will be executed automatically, instead of through manual processes. By treating an IT infrastructure as code, organizations can automate management tasks, benefitting from best practices of software development and reducing human error.
Both Ansible and Terraform are IaC tools, though, as mentioned, the programming used by each solution differs.
Declarative programming is a method of writing code to describe the desired outcome of the program, rather than detailing how to do it. It is focused on the end state, instead of the specific commands and steps needed to get there.
Terraform uses the HashiCorp Configuration Language (HCL) as its automation language and a declarative programming approach. This means that the sequence of commands that Terraform has to perform to achieve the required configuration changes is not visible or known to the end user.
Procedural, or imperative, programming is a method of writing code to provide the computer with a list of instructions—a step-by-step guide—to completing a task. It is focused on the process, instead of the end state. For its automation language, Ansible uses YAML, a human-readable data-serialization language. The YAML syntax is interpreted and executed in a procedural manner, meaning that the automation workflow is executed in the sequence in which it was written.
Ansible can be both declarative and procedural—many modules work declaratively, while other modules prefer a procedural programming approach. Additionally, some constructs in the Ansible language, such as conditionals and loops, allow the users to define a procedural logic. This mix offers you the flexibility to focus on what you need to do, rather than strictly adhere to one paradigm.
Configuration immutability means that the configuration (of an infrastructure or an application) can’t be changed. For example, provisioning the newer version of an app requires the previous version to be eliminated and replaced—rather than modified and updated. Resources are destroyed and recreated automatically.
Terraform uses an immutable infrastructure approach, which can help users get started quickly as they can easily spin up resources, test something, then tear it down. However, depending on the size of the infrastructure, it can become complex and hard to manage. Although Ansible is designed assuming configuration mutability, some automation workflows can be designed to embrace the immutability approach.
Configuration mutability means that the configuration (of an infrastructure or an application) can be changed. For example, newer versions of applications can be provisioned by updating or modifying the existing resource instead of eliminating or replacing it.
Ansible is designed assuming configuration mutability. The advantage of this approach is that the automation workflows are simple to understand and easy to troubleshoot. However, in certain scenarios, it can be challenging to deprovision resources without knowing the correct order of operations.
Configuration drift occurs when an infrastructure changes due to manual, unapproved, or unmonitored changes over time—and those changes are not recorded or tracked systematically. Often, these changes are due to emergencies or excessive complexity, factors that can discourage employees from following the established process. As a result, configuration drift is frequent in large organizations.
An IaC approach helps with drift, but additional drift management is critical. Ansible helps you combat drift with Ansible Playbooks (automation workflows) that can be set up to detect drift. When a playbook detects drift, it sends a notification to the appropriate person, who can make the required modification and return the system to its baseline.
Because Ansible uses a procedural programming approach, developers can more easily understand when and where their automation configuration is changing, making it faster to isolate a specific portion of the configuration and remediate the drift. Depending on the complexity of the IT infrastructure, performing configuration changes on automation solutions that use a declarative programming approach (such as Terraform) can be much more challenging. As a result, sometimes IT organizations prefer to use Ansible to perform simple configuration changes rather than holistically reconfigure an entire IT system with a solution like Terraform.
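The drift detection described above can be sketched as a playbook that runs desired-state tasks in check mode, so it reports differences from the baseline without writing anything. This is an added example, not Red Hat's own content; the host group linux_servers, the three baseline settings, and the choice to signal drift by failing the run (so that whatever schedules the playbook sends the notification) are assumptions.

```yaml
---
# Added example: drift detection for an SSH hardening baseline.
# The host group and the baseline values below are assumptions.
- name: Detect sshd_config drift without changing anything
  hosts: linux_servers
  become: true
  gather_facts: false
  vars:
    sshd_baseline:
      - { key: PermitRootLogin, value: "no" }
      - { key: PasswordAuthentication, value: "no" }
      - { key: X11Forwarding, value: "no" }
  tasks:
    # Declarative module (desired line) driven by a procedural loop.
    - name: Compare each baseline setting with the file on disk
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
      loop: "{{ sshd_baseline }}"
      check_mode: true   # report what would change, write nothing
      diff: true         # show the before/after line in the run output
      register: sshd_check

    # A result marked "changed" in check mode means the host has drifted:
    # the setting is missing or differs from the baseline value.
    - name: Collect the settings that no longer match the baseline
      ansible.builtin.set_fact:
        drifted: "{{ sshd_check.results | selectattr('changed') | map(attribute='item.key') | list }}"

    # Failing only the drifted hosts lets the scheduler or CI job alert on them.
    - name: Report drift for this host
      ansible.builtin.fail:
        msg: "Drift on {{ inventory_hostname }}: {{ drifted | join(', ') }}"
      when: drifted | length > 0
```

Removing check_mode from the first task turns the same playbook into the remediation step that returns the host to its baseline.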
The better question may be, "What does your business need for your particular use case?" You must evaluate your specific business challenges and requirements and choose the solution (or solutions) that work best. Some problems are better suited for one approach, while others can be better solved with another. And sometimes, a combination of solutions is the key to success.
While both Terraform and Ansible Automation Platform are popular automation offerings—and favorite DevOps tools—the solutions have very different capabilities. Terraform specializes in public cloud infrastructure provisioning, which is one of many use cases in the world of IT automation, and Ansible Automation Platform addresses a wide range of automation use cases. Instead of a single approach to automation, Ansible Automation Platform offers a variety of approaches to tackle a variety of problems. And if our customers encounter a particular problem that is best solved with the combination of two automation solutions, Ansible Automation Platform can integrate with other products from leading cloud providers, including Amazon Web Services (AWS) CloudFormation, Microsoft Azure Resource Manager, and Google Cloud Platform (GCP) Cloud Deployment Manager—as well as Helm and Terraform.
Many of our customers use multiple automation solutions at the same time. When they deploy applications in the cloud, for example, they often start provisioning the cloud infrastructure with CloudFormation or Terraform and then perform the ongoing configuration of applications and processes with Ansible Automation Platform. To make this process more efficient, we recently launched a Red Hat Ansible Certified Content Collection for Terraform. This Red Hat-supported collection automates the management and provisioning of IaC using Terraform in an Ansible Automation Platform execution environment.
Other customers invest exclusively in Ansible Automation Platform because they want to automate more than just the cloud deployment use case. For example, they may want to automate security processes, like threat investigation or incident response, alongside network processes, like router and switch reconfiguration.
These customers want to standardize their approach to automation across all use cases to maximize their return on the investment.
With the variety of enterprise automation offerings available, it’s crucial to understand features, capabilities, and, most importantly, what works best for your organization’s specific needs.
With open source at its core, Red Hat Ansible Automation Platform is a hardened, tested subscription product that offers full life cycle support for organizations. It’s built upon the foundation of community Ansible, which benefits from the experience and intelligence of its thousands of global contributors. Ansible Automation Platform is engineered to help organizations create, manage, and scale their automation workloads. It offers a flexible, stable, and security-focused foundation for deploying end-to-end automation solutions—including automation for hybrid cloud, edge locations, networks, security, infrastructure, and many other use cases.
Terraform excels as a cloud infrastructure provisioning and deprovisioning tool with an IaC approach. It’s a specific tool with a specific purpose. Ansible offers an all-purpose, cross-domain automation solution. Both have active open source communities and well-supported downstream commercial products. Both solutions have their individual strengths—and when combined, they work well together and create efficiencies for many businesses. Simply put, choosing an automation solution is not always an "either/or" choice—often it’s an "and."