Infrastructure as Code

Terraform + Ansible — Provision and Configure in One Automated Workflow

Terraform creates your servers. Ansible configures them. Together, they cover the full infrastructure lifecycle from metal to running application. But wiring them together is where most teams struggle. We build an integrated workflow where Terraform output feeds directly into Ansible inventory, configuration changes flow through the same PR process as infrastructure changes, and a single pipeline handles both provisioning and configuration.

Why Use Both Tools

Terraform and Ansible solve different problems, and using one for both is a mistake we see regularly. Terraform's provisioner blocks can run scripts on newly created instances, but they only run on creation — not on subsequent applies. If your configuration needs to change (new package, updated config file, rotated certificate), Terraform's provisioners cannot help. Ansible is designed for exactly this: idempotent configuration that can be re-applied at any time.

Conversely, Ansible's cloud modules can provision AWS resources, but they lack Terraform's state management, dependency graph, and plan/apply workflow. Provisioning a VPC with subnets, route tables, NAT gateways, and security groups in Ansible requires manually ordering the tasks and handling failures — work that Terraform does automatically.

The right split is clear: Terraform provisions cloud resources (VPCs, instances, load balancers, databases, DNS). Ansible configures operating systems and applications (packages, users, services, config files, deployments). The integration point is Ansible's dynamic inventory, which reads Terraform output or queries the cloud API to discover what Terraform created.

Our Integration Architecture

Terraform outputs include instance IPs, hostnames, and metadata as structured data. We write a dynamic inventory script (or use the cloud provider's inventory plugin) that reads these outputs and groups instances by role, environment, and service. When Terraform creates a new instance, Ansible's inventory updates automatically — no manual IP address management.
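
As an added example (not Anubiz's own code), here is a script inventory that turns `terraform output -json` into Ansible groups by role, environment, and service, skipping any entry whose address or labels fail validation. The output name `instances`, its field layout, and the `--sample` flag are assumptions made for illustration.

```python
#!/usr/bin/env python3
import ipaddress
import json
import re
import subprocess
import sys

OUTPUT_NAME = "instances"  # assumption: name of the Terraform output to read
GROUP_KEYS = ("role", "environment", "service")
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")
SAMPLE = {"instances": {"sensitive": False, "value": {  # constructed sample
    "web-1": {"ip": "10.0.1.10", "role": "web", "environment": "prod", "service": "shop"},
    "web-2": {"ip": "10.0.1.999", "role": "web", "environment": "prod", "service": "shop"}}}}


def build_inventory(tf_outputs):
    """Return (inventory, skipped) from parsed `terraform output -json` data."""
    inventory, skipped = {"_meta": {"hostvars": {}}}, []
    for host, attrs in sorted(tf_outputs[OUTPUT_NAME]["value"].items()):
        try:  # validate every value before Ansible treats it as an SSH target
            ip = str(ipaddress.ip_address(str(attrs["ip"])))
            labels = [attrs[key] for key in GROUP_KEYS]
            if not all(SAFE_NAME.fullmatch(name) for name in [host, *labels]):
                raise ValueError("unsafe host name or group label")
        except (KeyError, TypeError, ValueError):
            skipped.append(host)
            continue
        inventory["_meta"]["hostvars"][host] = {"ansible_host": ip}
        for key, label in zip(GROUP_KEYS, labels):
            group = f"{key}_{label}".replace("-", "_")  # Ansible warns on "-"
            inventory.setdefault(group, {"hosts": []})["hosts"].append(host)
    return inventory, skipped


def main():
    if "--host" in sys.argv:  # per-host vars are already served through _meta
        print("{}")
        return
    outputs = SAMPLE  # used with --sample; otherwise ask Terraform
    if "--sample" not in sys.argv:
        outputs = json.loads(subprocess.check_output(["terraform", "output", "-json"]))
    inventory, skipped = build_inventory(outputs)
    for host in skipped:
        print(f"skipped invalid inventory entry: {host}", file=sys.stderr)
    print(json.dumps(inventory, indent=2))


if __name__ == "__main__":
    main()
```

Run it from the Terraform working directory so `terraform output -json` reads the right state; skipped entries go to stderr, which lets the pipeline surface them without corrupting the inventory JSON on stdout.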

The CI/CD pipeline orchestrates both tools. On merge, the pipeline runs terraform apply first, waits for completion, then runs the relevant Ansible playbooks against the affected instances. If Terraform creates new instances, Ansible runs the full configuration playbook. If only Ansible code changed (playbooks, roles, templates), only Ansible runs — Terraform is skipped.

For teams running containers exclusively (ECS, EKS), Ansible may not be needed — Docker images encapsulate the configuration. But for hybrid environments with VMs and containers, or for configuring the host OS on Kubernetes nodes, the Terraform + Ansible combination remains the standard.

We store both Terraform and Ansible code in the same repository with a clear directory structure. Shared variables (environment names, CIDR blocks, service names) are defined once and referenced by both tools, preventing configuration drift between provisioning and configuration layers.

What You Get

An integrated infrastructure automation workflow:

  • Terraform provisioning — cloud resources defined and managed as code
  • Ansible configuration — OS and application setup in idempotent, reusable roles
  • Dynamic inventory — Ansible discovers instances from Terraform output or cloud APIs
  • Unified pipeline — single CI/CD workflow that runs Terraform then Ansible in sequence
  • Selective execution — detects which tool needs to run based on changed files
  • Shared configuration — common variables referenced by both tools, defined once
  • Testing — Terratest for infrastructure, Molecule for configuration, both in CI
  • Runbook — operational guide for the combined workflow

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included
