Original article
Ansible and Terraform: Better Together

Why do you need more than Ansible?

Ansible doesn’t necessarily have to own and do every single task that it sets out to do; Like an instrument in an orchestra, others may be better positioned for particular tasks.

Ansible Vault vs Terraform Vault

I would assume, since Terraform is a Hashicorp product, then the recommended secret solution would their Vault.

1
ewwlinks +/"The Vault provider allows Terraform to read from, write to, and configure Hashicorp Vault." "https://www.terraform.io/docs/providers/vault/index.html"

Using Ansible Vault outside the context of ansible

  • Put secrets.tf.vault in the repo.
  • Put secrets.tf in the .gitignore.
  • ansible-vault decrypt secrets.tf.vault --output=secrets.tf

Super brief GPT-3 summary of first half of transcript

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
We will show you how our tools work together,
and how they are synergistic.

So Red Hat Ansible Automation is a toolset
that makes other tools work better together.

And we'll show you how to use three of them
today.

Ansible vault is a tool to protect your
secrets.

It is a tool that helps you keep your secrets
safe.

Terraform is a tool that allows you to
automate the management of your
infrastructure.

This means that you can use terraform to build
your servers, install software, and configure
it just like you would with ansible.

The difference is that the code is written in
HCL instead of YAML.

vault is a tool that protects sensitive data,
like passwords and tokens, that you want to
use in a playbook.

vault is easy to use and works with ansible
and terraform.

when we talk about ansible vault it is like a
feature to us, it is a place where you can
take sensitive data and store it in a safe
place.

Transcript from video

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
I'm Sean Carolyn solutions engineer with Hashi
Corp and I'm based out of Austin Texas and I'm
Dillon Silva I'm the product manager for
ansible engine or ansible core or just ansible
project whatever you want to call it and I'm
out of this fair bay area of San Francisco all
right so today we're gonna present to you our
musings on the subject of how our tools work
better together yeah so you know a lot of you
and a lot of our users pretty much like the
Pegasus as an either/or story and our goal
here is to really tell you how these two tools
or how the hasha corp suite of tools and the
ansible suite of tools are really very
synergistic with each other and pretty much
just kick back enjoy the ride with us and kind
of hear us our our mutterings amongst
ourselves on how these work together how many
folks in the room today are using terraform ok
good and then keep your hands up how many of
you are actually ansible users as well

alright so paramount nice so I'll apologize in
advance I got a boring slide coming but we'll
get passed through that one yeah pretty
quickly we'll try to spice it up all right so
the first question why well we look at it this
way from Red Hat ansible Automation side which
really is the culmination of engine tower
galaxy ansible vault it's it's how do we take
that toolset and take the community that comes
from it and extend it out to the rest of the
ecosystem so occasionally you'll hear us
mention ansible is the glue of all that as
automation all that is the you know the DevOps
tool ecosystem that we all work with well
taking that step back ansible doesn't
necessarily have to own and do every single
task that it's set out to do so being that
glue or being the orchestrator think of it as
the composer of a nice symphonic piece we can
reach out until other tools and work with
other tools to do the tasks that it's best
suited for so we're not that big instrument
that owns the whole piece there are other
instruments that can do the job better than us
or can actually do it in a sense that we
wouldn't actually be able to tackle it with so
that being said today we'll be showing you how
three different Hoshi Corp tools can benefit
the ansible user

first we'll take a look at how Hoshi court
vault our secrets management product and how
it compares to ansible vault next we'll show
you how ansible can be combined with terraform
or Packer to enable powerful and efficient
build pipelines there are many products and
projects that contain vault in their name when
you think of a vault you might think of a
giant you know safe in a bank the big door and
you can lock your secrets inside of the vault
Hacha core vault can certainly be used to
store your secrets but it can also generate
new secrets or even encrypt your data on the
fly think of a modern multi-cloud distributed
API driven secrets management engine and we
have a lot of those same concepts as well with
our ansible vault but we want to expand on
this by saying a couple of things Hacha core
vault comes in both open-source and enterprise
versions the vault cluster can store secrets
or generate dynamic credentials multiple
authentication methods are possible

so vault is easy to integrate with the
provisioning and config management tools
like ansible or terraform and when we talk
about ansible vault it really is just a
feature to us it's a place where you can
take protected sensitive data and have it
vaulted to use in a playbook run that's
pretty much it when we think of places to
succour secure your passwords or tokens or
other authentication methods that's really
something that hashey core vault is really
good for and we actually suggest you users
to push towards something like that how many
of you are using ansible vault today show
hands ok yep good handful where do you store
the password ok we have a thing for that in
case you need a place to store the password
all right

so brief review some of this will
be review for most of you what is terraform
in case any of you are brand new to
terraform here's a real quick brief
introduction

terraform is an open source
command-line tool that can be used to
provision any kind of infrastructure on dozens
of different platforms and services terraform
code is written in HCl or the Hashi Corp
config language you can see an example of that
up here HCl is easy to learn and easy to
troubleshoot it's meant to strike a balance
between human friendly and machine readable
code with terraform you simply declare
resources and how you want them configured and
then terraform will map out the dependencies
and build everything for you in a moment we'll
show you a demo where terraform stands up a
server and then calls on ansible to configure
it and then when we talk about ansible there's
two things that we like to touch on one it's
the project itself the engine that's what
drives the automation forward for ansible and
everything is perfectly described in that
ansible playbook as you guys know and then
tower

as the second part is the framework that sits
on top of the engine to drive that automation
so that is our pretty much our glue between
all of the different tools in the ecosystem to
work together in harmony

and then here is an example of a playbook for
those of you that don't know it I won't read
it to you but it's in Y amel syntax so very
human readable as well from top to bottom runs
tasks sequentially by default so then moving
forward you can see all the different
highlights of the things that make up a part
of a playbook so moving on to terraform well
back to terraform does everybody know what
this is yeah this is a graph of a bunch of
terraform code so when you run terraform it
very quickly and efficiently crawls through
your code and puts everything in the correct
order I used a free open-source tool called
blast radius to this graph when you run
terraform plan it builds the graph before it
actually goes and deploys your infrastructure
so this graph represents all the variables
resources and dependencies required to stand
up a single VM in Azure now

just imagine how complicated this can get when
you need to stand up entire networks of
machines including load balancers and platform
services terraform automatically maps out all
these dependencies in the correct order for
you let's talk about Packer who's using Packer
today all right nice Packer is the third hoshi
Corp tool that we mentioned Packer builds
machine images on different platforms the
modern operations team is actually a software
delivery team and servers are no longer
physical machines that you you set up and
build instead they're software artifacts that
we deliver with CIC be pipelines why might you
want to build your images with Packer well
first of all Packers easy to use and it works
great with your existing ansible code it
allows you to create security hardened images
or pre install large software packages for
quick deployments or auto scaling you can bake
the latest OS patches into your images on
multiple platforms and you can ensure that the
same OS image is being used on Prem and in the
cloud our first use case here is building a
simple Amazon machine image or ami as they're
called using packer and ansible Packer works
with all the major cloud platforms as well as
VMware OpenStack and docker so we're gonna
break here real quick to demo actually we just
saved the demo for the end right that might be
better lost my slide put it back present there
we go and we're back in business we'll save
the demo for the end of course we need our
notes now to multi-monitor is so fun okay and
we're back in business all right so here I'll
let you take this slide yeah the idea is is
basically taking the creation of any image and
extending that next step onto ansible so the
the concept of configuring and making that
beautiful golden image that we all look
towards deploying in our environments right
that's the step that ansible can do for Packer
when you're building that image but then the
the concept that we'd also like to talk about
is the little interweaving of it is ansible
working with Packer and telling Packer to take
that step to build an image so basically
building an ansible workflow to go through the
process of building the golden image and then
deploying it I like to call this DevOps
ception so here's another use case you can use
terraform to call ansible terraform is a great
infrastructure provisioning tool but you may
have noticed it doesn't come with a config
management system that's where ansible comes
in we use terraform to stand up VMs or cloud
instances and then we hand over the reins to
ansible to finish up the configuration of our
OS and applications and then once again
ansible calling terraform and ansible 2.5 we
released a terraform module to do just that so
within that module you can actually tell
terraform to run a plan to actually apply and
set up your terraformed environment right then
and there so going through that flow you could
start with Packer and then move on to
terraform all through one ansible playbook
speaking of DevOps ception we have this so
here you got on the slide this is the idea
that we're trying to to tell everybody let's
think about it so you have to be one or the
other yeah let's see if we can describe what's
going on here all right so we have ansible
well let's start with Packer we have Packer
calling ansible to build our machine images
those are gonna live in the artifact repo then
ansible calls terraform to build an instance
or multiple instances from those images that
we created along the way you might fetch some
secrets from vault then what happens next then
we call ansible again to finish configuring
the machine to do any last mile config that
you need to do to get it ready for production
so the two tools can actually be used you know
very in a very complementary manner so I think
this is where your yeah equal to your your
actual let's do the demos and stuff all right
so just a moment while we I'm gonna switch to
mirrored mode so we don't have to play window
hide-and-seek here

it's always fun [Music] how do I use ansible
with terraform let's walk through that example
first pretty standard terraform code we're
standing up a Google compute instance and then
with terraform we have the concept of a
provisioner the provisioner is the thing
that's going to run your shell script or your
ansible code to finish configuring the OS and
applications that live on the machine you
might notice that we have a remote exec and
it's just doing an echo command why would that
be there well the way you run ansible with
terraform using local exec if you don't have a
remote exec in here what will happen is the
local exact attempts to run as soon as the
machine is spun up ssh isn't ready yet and the
command will fail so this is a little bit of a
hack that we use the remote exec ensures that
SSH is up and listening and so we just run
this little echo command and you can put any
command you want in there and that way once
SSH is up you can run your ansible playbook
the same way you always have so local exec is
one method to run ansible on your machines
using terraform and it's probably going to be
the most comfortable and familiar if you're a
long-time ansible user we're SSA Qing into the
machine and we're running our playbook just
like we always have so I've got an example of
that down here I'll just go ahead and run it
in my other terminal so I see an ansible cow
that's a good sign right that was a previous
run and as you know if we run terraform again
we get the same result so I've deployed a
simple cat app I heard you can score internet
points with cats so we put a cat in our
presentation second way you can run ansible
and terraform together is using the remote
exec method how's the text size from the back
can you folks read this all this code is
online by the way we'll give you the link and
that will be posted later the remote exec can
be handy when you don't have SSH access to the
target host so you need to run ansible on that
machine but you know I might not be able to
ssh to it directly or you know you may not may
not be able to connect to it we can use remote
exact you just have to figure out a way to get
your playbooks onto the machine so here I've
kind of hacked together some code that will
push all of the ansible code out there install
ansible and now we're running it from the
remote host itself so a little bit more work
but there are some use cases and scenarios
where this could be handy and then the final
one is Packer Packers really easy to get
started with so if you're not using Packer
today go home and take it for a spin you can
take an existing playbook drop it into a
config file and then you run your Packer
command as I've done here Packer build

and you can see what happens Packer spins up a
new instance it'll even create a temporary key
pair for you so you don't have to worry about
that or how to connect to the machine it'll
get on the machine configure it and then
snapshot it into an image that you can use and
you can actually automate all of this too
using like a CI CD build pipeline or something
and this way you have an image factory maybe
you'd like to have the same version of Red Hat
in both your cloud and your on-prem
environments Packer can enable that for you so
this is the code this will be posted later if
you want to get a copy of this also we have
tutorials on our website that explained how to
use these two tools together and just real
quick - we hadn't shown a demo on this but
from a hash to court vault side of things
ansible we provide a lookup plugin for those
of you who don't know that exists so you're
able to take data out of hash your core vault
and use it in your playbook runs as well so
there's some documentation on that as well
yeah that's documented here it's actually
called the Hashi vault plugin yep and when I
see a lovely typo that we can get fixed right
there you got good eyes yeah all right I think
that stickler for that yeah so that brings us
to questions what I need to keep it simple for
questions do you have for us I see some hands
right there as of right now no that's actually
something from a tower side of things that
were actually adding as a feature in the
future so stay tuned for that yeah if you
didn't catch it the question was can you use
ansible tower with Hoshi core vault it was
more of the question was can you utilize the
credentials within Hoshi core vault as a
credential within tower right now no but
that's something that we're working towards
good I see a question there yeah a little bit
more in the way of moving parts right because
you need obviously the ansible binary that
command itself to be able to run and you've
got to have a way to feed your playbooks or
get them somehow onto that machine so if you
can do those two things either with a shell
script or you know a little wrapper you can
run the remote way where all of the ansible
activity is happening on the machine itself
and you're just doing it to localhost instead
of doing it remotely over SSH I'm gonna defer
to doing on it yeah that would definitely be
one thing if it were systems that only had
access to like that DMZ per se that's that's
one route that you would be taking another use
case that I would be thinking of is when you
actually had a terraform enterprise system and
an ansible tower type system that's the remote
exec right there most of that will be done
over API most likely but from a call back side
of things there may be some instances where
ansible itself has to be interacted with
terraform itself so that's that's that I think
the main use case though would be DMZ related
things like you only have access to that host
from that location and

that part of the network that's a good
question on the ansible cider on the that's a
good one I never actually thought of that
thank you I'll put the host name put it in the
inventory yeah but it's it's more to of I'm
wondering if there's a way that we could
leverage enterprise to to generate a dynamic
inventory because all of the data that's
coming from terraform as the source of truth
at that point that's right so you could with
terraform enterprise have you know remote
workspaces advertising or have those outputs
available you could just fetch them with an
API call yeah and and since that API is
presenting it in Jason there's there's the way
that ants will consumes that data already
right so it would just be the the basic key
value pairs that would come from any dynamic
inventory plug-in and put it there but I'd I
like that as an idea that's something that
will we'll definitely be talking about
together because I hadn't thought about that
yeah if you want you want to chat some more
after and just come and see us after the talk
any other questions there's a question here
here here okay we'll get to each one yeah
please mmm-hmm I think that's that's pretty
much the whole point of this right is is kind
of building that awareness and getting people
to realize that there is a lot of synergy
between the tools as far as us building those
integrations together that's something that's
of work in progress with each other work we've
got a full list of roadmap items as to
companies to work towards and start delivering
so you'll start seeing all of that over time
as they come so got a request to repeat the
beach questions okay for the recording yeah
got it okay who's next question here and then
there was one gentleman in the second row hi
Kevin

yeah so it was more of a statement of this
this is a good way to to prove that there is
still value for configuration management
outside of system policy or infrastructure as
code my views on the subject are definitely
akin to that I also I mean it always gets to
the Bakke versus FRA discussion right you know
our are we baking a fully golden image or are
we getting all the pieces together and frying
it at the end I'm more of the latter in my
past of operations I feel like it's better to
get as much together as you possibly could and
build that image and then do your deployments
at the end because there is always going to be
that little bit of configuration management
you have to do and then when I think
advancable at in the bigger scheme of things
there's more to it than just the system's
being set up right you have your your
application monitoring you have to do an
orchestrate you have to tell that to set up
and set up the alerts for all of that I always
think of that bigger picture and I think from
a policy standpoint that's always one thing
that's lacked when it comes to to to talking
about that policy to you know your your actual
reviewers of of your let's say that you're
actually about to go public and you need
everything reviewed over those are some things
that are overlooked that I always liked to
highlight when I was in operations I like
Kevin's approach because it's very practical
there are gonna be shared services that you
stand up and just leave alone and and you know
it's important to have good config tools for
building and maintaining those things with
that kind of Splunk for example yeah that's a
good one Samson there's I mean and that's the
thing right is there are so many tools in this
ecosystem that we all have to work with and
it's just a matter of how do you get them all
working with each other and that's kind of the
story here today good yes yes good okay so to
kind of sum up the question we showed you how
to use ansible and Terra forum and terraform
and ansible or ansible to call terraform and
then call ansible what are some recommended
patterns about how to do that and use you know
to get the but the most of both tools with
that kind of I think one of the most effective
ways is that we could actually have an ansible
provisioner so that's that's one thing that
we're actively working on as to companies and
getting that built so stay tuned for that
along those other lines I'd I would say it's
it's more dogma at that point I wouldn't
necessarily want to prescribe to any person to
say to use one or the other because it really
comes down to your actual corporate policies
at that point and there are some cases where
users may want to go through terraform
enterprise as a pair as opposed to ansible
Tower and vice versa if it's really really
specific that I personally wouldn't want to
self-prescribed that but at least from the to
the two tools together there are some
improvements I have a question I'd like to
turn this around folks who raised their hands
for using both terraform and ansible is there
anyone calling terraform with ansible and
doing orchestrating terraform runs with
ansible how many are using the terraform
module today yeah I see a hand there how do
you do it what's it look like okay great okay
good so a couple just to repeat a couple of
options they have terraform calling jenkins
and then jenkins will call ansible and that
way they know if there's a failure in the
build one more yeah okay good yep with
principles alone correct so the the point was
that terraform enterprise has a good audit log
of what's happening in the cloud I think you
know we have the same thing to a point and
ansible tower as well but that's more just
access to to tower and and who is running
ansible jobs in there but that's that's more
of the data that's shared between the tools
there's a lot that could be done there about
getting that data somewhere that can can do it
you know think of things like Splunk or ELQ
right going back to that previous discussion
there's there's a lot of work that we can do
there together that we're thinking about - oh
yeah oh yeah gentlemen and second row had had
a question he's been so patient yep so the
question was have we used remote exec to call
tower and do ansible yeah so that that's
actually stuff that we're working on today

is seeing how we can get terraform enterprise
to integrate it with with ansible tower to do
that that callback functionality right yep yep
definitely I mean and I also think of it this
way right you could have terraform enterprise
call ansible tower after those systems are up
and running and then there can be that data
sent back in that call back to terraform and
say you know this is the current state of the
the terraformed world and this is how all my
systems are set up and this is what's been
deployed to them yeah totally can see that how
does an option see some folks back here how
about you and the docker shirt console
integration points with ansible if I if I
recall correctly there is somewhere out in the
ecosystem that has a a consul of entry but I
think it was a dynamic script what I would
love to see is somebody in the community
actually come out and build an imagery plugin
so for those of you that don't know there's a
transition from imagery scripts or dynamic
inventory scripts to imagery plugins and we've
we've kind of we're remastering the whole
ansible code base to be more plug-in based and
what that's giving to you the end user is an
imagery cache that you can pull data from and
I think things like console will lend to
having that cash available to them because
that's already dynamic innovative in of itself
right and we want to get more data out and
usable by the end user in ansible playbook
runs so

that's one thing I would like to see there's
also a lookup plugin that could be in there as
well just pulling data out I mean the sky's
the limit with console it's not something that
we're actively working on right now because we
wanted to tackle that the terraform
provisioner issue first and kind of just tell
this story from a terraform standpoint yep yep
yeah yeah definitely so the the statement
there was that there's there's also value on
the flip side of things is it in an ansible
playbook run once that's done the data that
came from that you can put back into console I
would even take it further and say Hashi core
vault is another place they can put data into
that's been generated so let's say that a
systems been spun up and it has a key that's
been generated as a part of that you could
throw that into hash a court fault but you
know both come into into play it's it's
putting data back into it as well that's part
of the orchestration flow that you can go
through and definitely something to think
about and what we're working towards there's
another two questions over there yeah fire
away the question was are we getting a
terraform provider for ansible tower

not sure if I understand the question a
provision or a provider ah I see what you're
asking we haven't talked about that yet but
that's not a bad idea actually I'll go back to
I'm not the ansible tower p.m.

I'm not the ansible tower p.m. but I'll
definitely talk to them about that and see
what his thoughts are because there's a lot
from an ansible tower side of things that
we're thinking about for I don't want to say
Federation but for a tower Federation on how
we manage multiple tower instances - in your
environment and we're taking the docker
approach for that or a container approach so
you know I think that's actually a a good idea
from from a tower side of things because we
have tower modules I don't see why we can have
terraform providers for Tower as well so yeah
not a bad idea yeah we'll go badger the people
in the purple shirts yeah there is another
question back there

yeah yeah so the question was is there a
recommended folder structure for your Packer
code I generally like to break it up by cloud
or platform and then I try to put all of the
shared files and scripts or play books what-
have-you into the same folder where you know
each each of those individual Packer templates
can reach them Oh yep I remember mine I I
think I had them off to the side so what I
what I did at my last job is I actually built
new AM eyes every single day and those were
CentOS images getting put into Amazon and I
believe I did have the play books in the same
repo on the side yeah that is what it was so
we had one large code base and for our
deployment scripts we had our

we had three directories we had a Packer
directory we had a terraform directory and
then we had a playbook directory and then all
the roles and everything playbooks wise lived
in there and we would just walk our way up to
Packer and start building those those am eyes
and then provision them with terraform and
then go back to ansible to do the application
deployments at that point in time so that that
worked well for me I will say just out of
personal preference stay the hell away from
get sub-modules but once again that's dogma I
don't like sub modules that's me so we're just
about at time we'd like to take one last
opportunity to thank you all for coming
without our users this conference wouldn't be
possible I think this is the last session for
the day is that correct is there one more okay
so pound some coffee and work through the next
session and then come join us in the Tonga
room tonight for a party sponsored by thanks
everybody

[Applause ]