IaC tools vs configuration-management tools (diagram overview)
On the left side of the diagram are tools that share Terraform’s core goal: provisioning and managing cloud infrastructure.

- CloudFormation and Bicep are cloud-native, declarative IaC systems tightly integrated with a single cloud provider (AWS and Azure respectively). They give deep provider-specific features and often get new provider functionality sooner.
- Pulumi is cloud-agnostic like Terraform but exposes general-purpose programming languages (TypeScript, Python, Go, etc.) to define infrastructure, which can appeal to developer-centric teams.
- Terraform is cloud-agnostic and focuses on declarative HCL to provide a consistent experience across many providers, making it a common choice for multi-cloud strategies.

- Ansible, Chef, Puppet, and SaltStack are configuration management systems focused on in-VM tasks: installing packages, templating and distributing configuration files, managing OS services, and enforcing runtime desired state.
- These tools typically run inside provisioned instances (or via agentless connections) and are best suited for application configuration, ongoing drift correction, and orchestration of software deployment.
Typical pattern: combine provisioning with configuration
A common and recommended separation of concerns is:

- Provision infrastructure resources with Terraform (or another IaC tool): VMs, networking, load balancers, managed databases, and cloud-managed services.
- Configure software and runtime behavior inside those instances with configuration-management tools or boot-time mechanisms (Ansible, Chef, Puppet, SaltStack, cloud-init, baked images, or container orchestration).
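
The split described above, as an added example that is not part of the original page: Terraform provisions the VM and hands first-boot configuration to cloud-init through `user_data`. It assumes the AWS provider; the variables `ami_id` and `subnet_id`, the instance type, and the nginx package are illustrative placeholders.

```hcl
# Added example: provisioning (Terraform) and in-VM configuration (cloud-init)
# kept as separate layers. All names and values here are assumptions.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "ami_id" {
  description = "Placeholder: a cloud-init-enabled Linux image in your region"
  type        = string
}

variable "subnet_id" {
  description = "Placeholder: subnet the instance is placed in"
  type        = string
}

# Provisioning layer: Terraform owns the VM and where it sits in the network.
resource "aws_instance" "web" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  subnet_id     = var.subnet_id

  # Configuration layer: cloud-init applies this once, at first boot.
  # Keep secrets out of user_data: it is stored in Terraform state and is
  # readable from inside the instance through the metadata service.
  user_data = <<-EOT
    #cloud-config
    package_update: true
    packages:
      - nginx
    runcmd:
      - systemctl enable --now nginx
  EOT

  # cloud-init does not re-run on a plain update, so replace the instance
  # whenever the boot configuration changes.
  user_data_replace_on_change = true

  tags = {
    Name = "web-example"
  }
}
```

Anything that must be enforced after first boot (drift correction, later package updates) belongs to a configuration-management tool rather than to this `user_data` block.
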
Quick comparison table
| Category | Examples | Primary use | Strengths |
|---|---|---|---|
| Infrastructure as Code (cloud-specific) | CloudFormation, Azure Bicep | Declarative provisioning within a single cloud | Deep provider integration, fast access to provider features |
| Infrastructure as Code (cloud-agnostic) | Terraform, Pulumi | Multi-cloud provisioning and resource management | Portability across providers, consistent workflows |
| Configuration management | Ansible, Chef, Puppet, SaltStack | Package installs, config files, service management, runtime state enforcement | In-VM orchestration, drift remediation, rich templating |
| Bootstrapping / cloud-init | cloud-init | Instance initialization and first-boot tasks | Lightweight, runs at VM boot, commonly used for initial setup |
Terraform is primarily for infrastructure provisioning. CloudFormation and Bicep are cloud-specific with deep provider integration. Configuration-management tools (Ansible, Chef, Puppet, SaltStack) handle in-VM software and runtime configuration. Pulumi is another cloud-agnostic IaC option that uses general-purpose programming languages and offers a different developer experience.
How to choose
- Use cloud-native IaC (CloudFormation/Bicep) when you need the deepest, earliest access to provider-specific features and you operate mainly within one cloud.
- Use Terraform or Pulumi when you require consistent multi-cloud workflows and a provider-agnostic model.
- Use configuration management tools (or cloud-init) where you need agent-based/agentless in-VM configuration, application deployment, or ongoing state enforcement.
- In many environments, a combined approach yields the best balance: Terraform (or Pulumi) to provision cloud resources and a configuration system to install and manage software inside instances.
Links and references
- AWS CloudFormation
- Pulumi Essentials
- Learn Ansible Basics - Beginners Course
- Chef
- Puppet
- SaltStack
- cloud-init: https://cloud-init.io/