Updated on March 3, 2017 by UpGuard
When we speak of the DevOps and continuous delivery/integration (CI/CD) toolchain, we’re referring to a superset of tools—many with overlapping capabilities—for helping organizations achieve faster and safer deployment velocity. This encompasses a broad range of solutions: provisioning tools, orchestration tools, testing frameworks, configuration management (CM) and automation platforms, and more. Comparisons between CM products usually steal the show (e.g., Puppet vs. Chef), but in this case we’ll compare two orchestration and management tools for provisioning infrastructures: Terraform and CloudFormation.
If the intricacies of the DevOps and CI/CD toolchain are a mental roadblock for you, rest assured you’re not to blame. Solutions with competing features are often deployed together to round out each other’s shortcomings, and in many cases the tools’ stated benefits overlap. The following may help to clarify matters—at least in this context.
CM tools primarily deal with machines that have been already created, streamlining/automating the installation and management of software and services. Solutions like Terraform and CloudFormation are not CM tools, but instead codify entire infrastructures and datacenters into high-level abstractions for easier replication and management—usually serving as the starting point for fully realized DevOps pipelines. These solutions build the infrastructure essentials for supporting server instances, while the actual CM tool—be it Puppet or Chef—manages the details of the actual deployments: configurations, application details, dependencies, and so forth.
Terraform By Hashicorp
Having developed popular tools like Vagrant, Atlas, and Packer, Hashicorp set out to build a solution for codifying the creation of the entire datacenter. Terraform is the culmination of these efforts, giving developers and operations staff the ability to build, combine, and launch infrastructures from soup to nuts.
If you’re familiar with infrastructure-as-code, Terraform’s value will be immediately apparent: the tool enables the abstraction of infrastructure configurations into archivable, version-controlled code. So while Puppet and Chef automate the provisioning of nodes—servers, applications, and such—Terraform handles all the setting up of underlying infrastructure resources and services required for automation tools to effectively do their jobs.
Terraform uses its own domain-specific language (DSL) called the Hashicorp Configuration Language (HCL): a fully JSON-compatible language for describing infrastructure as code. Configuration files created with HCL describe the components necessary for building an infrastructure and can be checked into source control—as well as used for creating GitHub pull requests and run as executable documentation. This in turn lays the foundation for other CM and automation tools like Puppet and Chef to deploy systems in an infrastructure environment. So in a hypothetical Terraform and Puppet setup, Puppet is called by Terraform’s provisioners to create server resources during HCL-based configuration runs.
Like Terraform, Amazon CloudFormation gives developers and operators the tools for easily and automatically provisioning underlying infrastructure resources. These resources are managed as stacks and codified in JSON configuration files known as templates. By describing infrastructure as code in these templates, Amazon AWS customers enjoy predictability and reuse in their infrastructure deployments: changes are easily made in one place, with CloudFormation taking care of the creation, updating, and deleting of AWS resources described in the stack.
CloudFormation enables all the expected benefits of infrastructure-as-code. Because templates and stacks are human-readable and serve as executable documentation, the solution enables significant operational efficiency and error reduction through automation and consolidation of infrastructure configurations. And since it captures configuration details in version-controllable, testable infrastructure code, CloudFormation can be integrated easily into an organization’s existing CI/CD pipeline.
Adding a stack in CloudFormation. Source: Amazon.
Side-By-Side: Terraform and CloudFormation
You may be wondering again: why the need for Terraform and CloudFormation, if tools like Puppet and Chef can also do infrastructure-as-code? While automation and CM tools can manage most infrastructure and system-related configurations, they usually assume the pre-existence of certain bare-metal components and services. The abstraction of these datacenter-level items is best suited for tools like Terraform and CloudFormation. Additionally, the two are not CM tools, per se—but instead build the underlying components for tools like Chef and Puppet to do their jobs.
Terraform sums this up quite nicely on its website:
“Configuration management tools install and manage software on a machine that already exists. Terraform is not a configuration management tool, and it allows existing tooling to focus on their strengths: bootstrapping and initializing resources.”
The same goes for CloudFormation. It creates all the necessary underlying infrastructure components and services to specification via templates—managed as stacks—and then kicks off any CM/automation tools to take care of application-level configurations. So for instance, after preparing the services associated with the datacenter and other infrastructure-related abstractions, CloudFormation kicks off Puppet or Chef to provision the necessary software layer components, with further customization provided through Chef Recipes or Puppet Manifests.
Now, as for how Terraform and CloudFormation compare:
CloudFormation is specific to AWS cloud resources, while Terraform supports all cloud vendors. So if your environment consists of multi-cloud deployments (e.g., Microsoft Azure or Google Cloud), CloudFormation is not for you. That said, some Amazon AWS resources cannot be managed by Terraform, so if you’re using AWS resources such as EC2 server instances and S3 storage—you’re best advised to stick with CloudFormation. Call it “vendor knows best”—it is what it is.
*Note: Terraform 0.6.16 now fully supports Amazon AWS, with create/update/versioning capabilities on par with AWS CloudFormation. Check out AWS' writeup on using Terraform to manage AWS cloud resources.
Infrastructure Lifecycle Management
A couple of highly useful Terraform features absent in CloudFormation are its separate planning and execution phases of deployment. These take the guesswork out of implementing infrastructure changes, as Terraform’s planning phase shows which resources will be created, modified, and terminated. Visualizations such as Terraform graph give developers and operators an easy way to comprehend dependent ordering. This allows for a level of deployment validation lacking in CloudFormation.
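To make the planning phase concrete, here is an added illustration (not Terraform’s own implementation, and not code from the original article) of what a plan computes: it diffs a desired configuration, written in the JSON-compatible form of HCL described earlier, against a recorded state, then orders the resulting creates, updates, and destroys by the dependency graph implied by `${type.name.attribute}` references. The configuration, the flattened `address -> attributes` state structure, and the reference syntax are simplified constructed samples; a real state file and Terraform’s graph rules are richer than this.

```python
"""Toy Terraform-style plan: diff desired configuration against recorded state
and order the actions by resource dependencies.

Added illustration, not Terraform's own implementation. DESIRED_CONFIG is a
constructed sample in Terraform's JSON syntax; CURRENT_STATE is a simplified,
constructed stand-in for a state file (address -> attributes).
"""
import json
import re

DESIRED_CONFIG = json.loads("""
{
  "resource": {
    "aws_vpc": {"main": {"cidr_block": "10.0.0.0/16"}},
    "aws_subnet": {"app": {"vpc_id": "${aws_vpc.main.id}",
                           "cidr_block": "10.0.1.0/24"}},
    "aws_security_group": {"web": {"vpc_id": "${aws_vpc.main.id}",
                                   "name": "web"}},
    "aws_instance": {"web": {"subnet_id": "${aws_subnet.app.id}",
                             "vpc_security_group_ids": ["${aws_security_group.web.id}"],
                             "instance_type": "t2.micro"}}
  }
}
""")

# Constructed: what the previous run left behind. The instance has drifted
# (wrong type, no security group) and an EIP no longer in the config remains.
CURRENT_STATE = {
    "aws_vpc.main": {"cidr_block": "10.0.0.0/16"},
    "aws_subnet.app": {"vpc_id": "${aws_vpc.main.id}", "cidr_block": "10.0.1.0/24"},
    "aws_instance.web": {"subnet_id": "${aws_subnet.app.id}",
                         "vpc_security_group_ids": [],
                         "instance_type": "t2.nano"},
    "aws_eip.legacy": {"instance": "${aws_instance.web.id}"},
}

# Matches "${type.name.attribute}" interpolations and captures "type.name".
REF = re.compile(r"\$\{([a-z0-9_]+\.[a-z0-9_]+)\.[a-z0-9_]+\}")


def flatten(config):
    """Map 'type.name' -> attributes for every resource block in the config."""
    out = {}
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            out[f"{rtype}.{name}"] = attrs
    return out


def references(attrs):
    """Addresses of other resources interpolated anywhere in the attributes."""
    return set(REF.findall(json.dumps(attrs)))


def dependency_order(resources):
    """Topological order of addresses, dependencies first (the 'graph' view).

    References to addresses not in `resources` are ignored; a cycle would be
    a configuration error and is not detected here.
    """
    deps = {addr: references(attrs) & set(resources) for addr, attrs in resources.items()}
    ordered, seen = [], set()

    def visit(addr):
        if addr in seen:
            return
        seen.add(addr)
        for dep in sorted(deps[addr]):
            visit(dep)
        ordered.append(addr)

    for addr in sorted(resources):
        visit(addr)
    return ordered


def plan(desired, state):
    """Return (create, update, destroy) address lists.

    Creates and updates are in dependency order; destroys are in reverse
    dependency order of the old state so dependents go before what they use.
    """
    want = flatten(desired)
    create = {a for a in want if a not in state}
    update = {a for a in want if a in state and state[a] != want[a]}
    destroy = {a for a in state if a not in want}
    forward = dependency_order(want)
    backward = list(reversed(dependency_order(state)))
    return ([a for a in forward if a in create],
            [a for a in forward if a in update],
            [a for a in backward if a in destroy])


if __name__ == "__main__":
    create, update, destroy = plan(DESIRED_CONFIG, CURRENT_STATE)
    for verb, addrs in (("+ create", create), ("~ update", update), ("- destroy", destroy)):
        for addr in addrs:
            print(verb, addr)
```

Run as a script, it prints the security group as a create, the drifted instance as an update, and the orphaned EIP as a destroy; the security group lands before the instance that references it, which is the ordering guarantee the graph view exists to make visible. Because the result is computed before anything is changed, a reviewer can reject a plan that would destroy a resource nobody expected to lose.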
Product Maturity and Support
Terraform is at version 0.6.3, which makes it not-quite-ready-yet for prime time. On the other hand, CloudFormation is a stable and mature tool managed by Amazon—and has been utilized in mission-critical enterprise infrastructures for years. That said, we’re excited to see what Hashicorp—the makers of Vagrant, Packer, and Consul—have coming down the pipe for Terraform in future releases.
In short, Amazon AWS-centric cloud infrastructures will benefit the most from CloudFormation, while those seeking multi-cloud support will opt for Terraform. Enterprises may be more at ease with a tried-and-true solution like CloudFormation, but for those who wish to avoid vendor lock-in—Terraform offers the necessary open integration capabilities.
Regardless of which infrastructure orchestration and management tool you use, the proper validation mechanisms are necessary to ensure that your environments—from bare-metal to the application stack—are free from quality deficits and misconfigurations. In conjunction with CM/automation tools, these solutions can easily stand up development environments that are reportedly identical to production—but provide no independent mechanisms for further validation. To this end, ScriptRock can validate that your entire infrastructure lifecycle is free from vulnerabilities and security gaps and that configurations are as expected.
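As an added example of the independent validation this paragraph calls for (not ScriptRock/UpGuard or AWS code, and not part of the original article), the following Python audits a CloudFormation template before it becomes a stack. The template is a constructed sample; the three rules (administrative ports open to the world, public S3 bucket ACLs, unencrypted EBS volumes) are a hand-picked subset chosen to show the shape of a pre-deployment check, not a complete policy.

```python
"""Static misconfiguration checks over a CloudFormation template.

Added example, not ScriptRock/UpGuard or AWS code. TEMPLATE is a constructed
sample stack; the three rules are a hand-picked subset of what a real policy
would enforce, chosen to show the shape of a pre-deployment check.
"""
import json

TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "DataVolume": {
      "Type": "AWS::EC2::Volume",
      "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}
    }
  }
}
""")

# Ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}


def _port(value, default):
    """Ports may be ints, numeric strings, or intrinsic functions ({"Ref": ...});
    only literal values can be judged statically, so anything else gets the
    conservative default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_security_group(name, props):
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        lo = _port(rule.get("FromPort"), 0)
        hi = _port(rule.get("ToPort"), 65535)
        all_traffic = str(rule.get("IpProtocol")) == "-1"
        if all_traffic or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield (name, f"ingress {lo}-{hi} open to {cidr}")


def check_bucket(name, props):
    acl = props.get("AccessControl")
    if acl in {"PublicRead", "PublicReadWrite"}:
        yield (name, f"bucket ACL is {acl}")


def check_volume(name, props):
    if not props.get("Encrypted", False):
        yield (name, "EBS volume not encrypted")


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::EC2::Volume": check_volume,
}


def audit(template):
    """Return a list of (logical resource id, finding) for the whole template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for name, finding in audit(TEMPLATE):
        print(f"{name}: {finding}")
```

The sample produces three findings: port 22 open to 0.0.0.0/0 (the 443 rule on the same group is left alone), a publicly readable bucket, and an unencrypted volume. Wiring a check like this into the CI/CD pipeline as a gate in front of stack creation turns the template’s "executable documentation" property into something that can be tested, which is the independent validation step the orchestration tools themselves do not provide.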
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.