Ansible vs Terraform — Configuration vs Infrastructure, Pick Your Poison
Ansible configures servers, Terraform builds clouds. If you're managing infrastructure as code, one tool actually delivers on the promise.
Terraform
Terraform's declarative state management means you can't accidentally destroy production. Ansible's procedural scripts are a ticking time bomb for complex infrastructure.
These Tools Aren't Even in the Same Ring
Ansible is a configuration management tool — it's for installing packages, setting up users, and running commands on existing servers. Terraform is an infrastructure as code (IaC) tool — it provisions cloud resources like VMs, networks, and databases from scratch. Comparing them is like asking whether a screwdriver or a hammer is better for building a house: you need both, but Terraform lays the foundation while Ansible decorates the rooms. Most teams screw this up by using Ansible to provision infrastructure, which is like using a butter knife to cut steel — it works until it catastrophically doesn't.
Where Terraform Wins
Terraform's declarative state file is its killer feature. You define what you want (e.g., '3 AWS EC2 instances'), and Terraform figures out how to get there, tracking every resource in a state file. If you change something, it calculates a plan and shows you exactly what will be created, updated, or destroyed. Ansible is procedural — it runs tasks in order, and if you mess up a playbook, you might delete a database because a task said 'rm -rf'. For infrastructure, that's unacceptable. Terraform also supports 300+ providers (AWS, Azure, Google Cloud, even GitHub repos), while Ansible's cloud modules feel like afterthoughts. Try managing an AWS VPC with Ansible — I'll wait.
Where Ansible Holds Its Own
Ansible dominates post-provisioning configuration. Once Terraform spins up a server, Ansible can swoop in to install Docker, set up Nginx, or deploy your app. It's agentless (uses SSH), so no daemons to install, and its YAML playbooks are dead simple for sysadmins to write. Need to patch 100 servers? Ansible's ad-hoc commands like ansible all -m apt -a 'update_cache=yes' are faster than brewing coffee. For on-premises environments where you're not using cloud APIs, Ansible is often the only tool that makes sense. Terraform can't configure your dusty old CentOS box in the basement — Ansible can.
The Gotcha: State Drift Will Bite You
Terraform's state file is both a blessing and a curse. If someone manually changes a resource in the cloud console, Terraform sees it as drift and will try to revert it on the next run — potentially breaking things. You must lock state files in remote backends (like S3) to avoid team collisions. Ansible has no state: it just runs tasks, so drift is inevitable. Forget to run a playbook for months? Your servers become snowflakes. Switching costs are brutal: migrating from Ansible to Terraform means rewriting everything as HCL code, and good luck if you've been using Ansible's messy dynamic inventories. Most companies end up with a hybrid mess that nobody understands.
If You're Starting Today...
Use Terraform for all cloud infrastructure — define your VPCs, VMs, and load balancers in HCL. Then, use Ansible only for configuration inside those VMs, like installing software or copying files. For a new AWS project, that means: Terraform to launch EC2 instances, then Ansible to set up the web server. Don't let Ansible touch your cloud resources — its ec2 module is a joke compared to Terraform's AWS provider. If you're all on-prem, flip it: Ansible for everything, because Terraform can't provision physical hardware. But let's be real — you're probably in the cloud, so Terraform is non-negotiable.
What Most Comparisons Get Wrong
They treat these tools as competitors. They're not. The real question is: are you managing infrastructure or configuring servers? If it's infrastructure, Terraform's state management is worth the HCL syntax pain. If it's configuration, Ansible's simplicity beats Terraform's overkill. But here's the kicker: many teams use Pulumi instead of Terraform because it lets you write IaC in real programming languages (Python, TypeScript). If you hate HCL, skip Terraform and go straight to Pulumi — it's like Terraform but for developers who value sanity. Ansible has no real alternative for agentless configuration, though SaltStack comes close if you want speed.
Quick Comparison
| Factor | Ansible | Terraform |
|---|---|---|
| Primary Use Case | Configuration management (install software, manage files) | Infrastructure as code (provision cloud resources) |
| Pricing | Free and open-source (Red Hat offers paid Ansible Tower) | Free and open-source (Hashicorp offers paid Terraform Cloud) |
| Language | YAML playbooks (procedural) | HCL configuration files (declarative) |
| State Management | Stateless — no built-in tracking of changes | Stateful — tracks resources in a state file |
| Cloud Provider Support | Modules for AWS, Azure, etc. (limited depth) | 300+ providers (AWS, Azure, GCP, Kubernetes, etc.) |
| Agent Requirement | Agentless (uses SSH/WinRM) | Agentless (uses cloud APIs) |
| Learning Curve | Low — YAML is easy for beginners | Medium — HCL syntax and state concepts take time |
| Ideal For | On-premises servers, post-provisioning config | Cloud infrastructure, multi-environment deployments |
The Verdict
Use Ansible if: You're managing existing servers (on-prem or cloud) and need to run ad-hoc commands or simple configurations. Ansible is your tool for patching systems or deploying apps.
Use Terraform if: You're building cloud infrastructure from scratch and need predictable, repeatable deployments. Terraform is mandatory for AWS, Azure, or Kubernetes setups.
Consider: Pulumi — if you want infrastructure as code without HCL, using Python or TypeScript instead. It's Terraform's cooler, developer-friendly cousin.
Terraform's declarative state management means you can't accidentally destroy production. Ansible's procedural scripts are a ticking time bomb for complex infrastructure.
Related Comparisons
Disagree? nice@nicepick.dev