Think before using Configuration Management Tools for Infrastructure Provisioning

These days, almost every software development organization is trying to implement DevOps in its software development lifecycle.

DevOps is being adopted worldwide for the speed and reliability it brings to software delivery.

Infrastructure provisioning (or orchestration) and configuration management are the heart and soul of the DevOps toolchain.

Tools like Terraform and CloudFormation are used for Infrastructure Provisioning (IP). At the same time, Configuration Management (CM) already has a long list of tools such as Ansible, Salt, Puppet, etc.

Configuration management tools also have the ability to spin up infrastructure; however, this comes with drawbacks that need to be considered.

In the real world, due to lack of awareness or time pressure, organizations use CM tools to launch infrastructure.

In this short note, I will try to explain why CM tools are not recommended for launching infrastructure in the cloud.

Advantages of using CM tools for Provisioning Infrastructure:

  • Less learning curve: No need to learn a different technology and its syntax. One can write infrastructure code using the same CM syntax.
  • Fast integration with the configuration management tool: Instances launched by the CM tool are easily added to the CM tool's host database. No third-party application or script is needed to connect them. For example, if we spin up an instance with Salt-Cloud, the target instance is added to the Salt master automatically.

Due to these advantages, organizations are attracted to using the configuration management tool for provisioning as well. However, along with these advantages, one should consider the points below before using a CM tool to provision infrastructure.

Maintaining State:

Whenever we launch or modify any infrastructure, it creates a state. For example, if we initially launch 1 VPC, 2 subnets and 4 EC2 instances, that is the first state, aka the baseline, of your infrastructure. Any modification to any of these components generates a new state of the infrastructure, similar to versioning of source code.

  • Easy to roll back: As our previous states are maintained or versioned, we can easily roll back to a previous state.
  • Easy to track changes: We can see the differences between 2 states at any time to track changes between the old and new infrastructure.
  • Compliance requirements: Versioning of infrastructure is required by compliance regimes like FedRAMP, and this can be fulfilled by maintaining states in code.
  • Easy to apply changes to any specific component of the infrastructure.

In my experience, if infrastructure is provisioned using a configuration management tool like Ansible or Salt-Cloud, managing the state of the infrastructure is difficult or impossible. One may reply that this is not needed currently, but are you sure that you will never need it in future? For example, you may plan for FedRAMP or any other compliance regime that requires versioning of infrastructure.

Integration of Infrastructure provisioning and Configuration Management tools:

Sometimes people avoid using an infrastructure provisioning tool because they think that integrating the provisioned infrastructure with the configuration management tool will be difficult or troublesome. In reality it is very easy to integrate the two tools. We can utilize features like “User Data” in the case of AWS to achieve this. We can write a few commands or a script in the bootstrapping step to configure the CM client on the target machine and get it connected to our CM master. It is just a matter of 10-15 lines of shell script.

Infrastructure inventory management:

If infrastructure is spawned by a provisioning tool like CloudFormation or Terraform, then it is easy to keep track of all inventory.

We can easily generate a CSV report from Terraform state files as well. As configuration management tools do not maintain the state of provisioned infrastructure, we cannot manage infrastructure inventory with them.
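As an added example (not part of the original post), here is a small Python script that reads the resource list from a Terraform state file in the v4 `terraform.tfstate` layout, flattens it into the kind of CSV inventory report mentioned above, and diffs two states to list added, removed and recreated resources, which is the change tracking described in the "Maintaining State" section. The two states and all resource ids are constructed placeholders; the script assumes the raw state file layout (a `resources` list with `instances`), not the output of `terraform show`.

```python
import copy
import csv
import io
import json

def _res(rtype, name, instances):  # one resource entry in the tfstate v4 layout (constructed)
    return {"mode": "managed", "type": rtype, "name": name, "instances": instances}

# Constructed baseline state (placeholder ids, not a real account): 1 VPC, 2 instances.
BASELINE = {"version": 4, "serial": 1, "resources": [
    _res("aws_vpc", "main", [{"attributes": {"id": "vpc-0baseline", "tags": {"Name": "main"}}}]),
    _res("aws_instance", "web", [
        {"index_key": 0, "attributes": {"id": "i-0web0", "tags": {"Name": "web-0"}}},
        {"index_key": 1, "attributes": {"id": "i-0web1", "tags": {"Name": "web-1"}}}])]}
# Constructed later state: web[1] was recreated and a security group was added.
AFTER = copy.deepcopy(BASELINE)
AFTER["serial"] = 2
AFTER["resources"][1]["instances"][1]["attributes"]["id"] = "i-0web1new"
AFTER["resources"].append(_res("aws_security_group", "ssh",
                              [{"attributes": {"id": "sg-0ssh", "tags": {"Name": "ssh"}}}]))

def inventory(state):
    """Flatten every managed resource instance into one inventory row per instance."""
    rows = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed":  # data sources are lookups, not infra we own
            continue
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # count/for_each index; absent for single instances
            address = f"{res['type']}.{res['name']}" + ("" if key is None else f"[{json.dumps(key)}]")
            attrs = inst.get("attributes", {})
            rows.append({"address": address, "type": res["type"], "id": attrs.get("id", ""),
                         "name_tag": (attrs.get("tags") or {}).get("Name", "")})
    return rows

def to_csv(rows):
    """Render inventory rows as CSV text, one line per resource instance."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["address", "type", "id", "name_tag"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def diff_states(old, new):
    """Compare two states by address: added, removed, and replaced (same address, new cloud id)."""
    old_ids = {r["address"]: r["id"] for r in inventory(old)}
    new_ids = {r["address"]: r["id"] for r in inventory(new)}
    return {"added": sorted(new_ids.keys() - old_ids.keys()),
            "removed": sorted(old_ids.keys() - new_ids.keys()),
            "replaced": sorted(a for a in old_ids.keys() & new_ids.keys() if old_ids[a] != new_ids[a])}
```

Run `diff_states(BASELINE, AFTER)` to see the security group reported as added and `aws_instance.web[1]` as replaced; a CM tool that keeps no state has nothing to feed into such a comparison.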

Importing current infrastructure:

We can import currently running infrastructure into code using provisioning tools, but this is not possible with configuration management tools.

Limitation for launching various components:

Terraform and CloudFormation can provision various AWS services like S3 buckets, IAM roles, VPCs, security groups, etc. very easily. However, these components cannot be launched easily using configuration management tools. For example, Salt-Cloud cannot provision VPCs, S3 buckets, security groups, etc. One would need to develop a module for this.

Configuration management tools are best when it comes to applying desired configurations to a target machine or a group of machines.

But when it comes to provisioning, there are powerful tools available in the market. Using them, you not only get granular control over your infrastructure, but you can also audit, track and do much more with it.

Also, there is currently a basic requirement of tracking changes in infrastructure, which can be easily achieved with provisioning tools such as Terraform and CloudFormation. CloudFormation is also coming up with drift detection.

Please do think about the compliance you may require in the future and try to be ready for it from the beginning.

I hope this article will help you in deciding on a tool for provisioning infrastructure.
Please do let me know your suggestions on ngurjar[at]neeleshgurjar[dot]co[dot]in

#CloudFormation #Terraform #ConfigurationManagement_vs_InfrastructureProvisioning #Terraform_vs_Ansible

Neelesh Gurjar has written 122 articles

2 thoughts on “Think before using Configuration Management Tools for Infrastructure Provisioning”

  1. aratik711 says:

    Do you think provisioning container-based infrastructure will also be beneficial with infra provisioning, i.e. provisioning on ECS or Docker, or first provisioning the host and then provisioning containers on it with Docker?

    1. Neelesh Gurjar says:

      A provisioning tool needs to be used for provisioning the underlying infra such as VPC, SG, IAM Role, EC2, etc. Containers can be managed using a configuration management tool. Treat containers as services, which are part of the configuration.
