Declartive approach for configuration management

After provision of any instances we have dependent on configuration tool to deploy sets of scripts. but however we are looking for declarative approach as local/remote exec using shell or ansible not showing any of the outcome during terraform plan. can you provide any guidance on it. we are looking for gitops + terraform as single source of truth to manage end to end.

using local/remote exec each time runs using null resource doesnt show up what gonna to be change in the plan.

Hi @karthickshiv,

Terraform cannot provide details of what your ‘provisioner’ either local-exec or remote-exec is going to do as it has no visibility of that. Your scripts that you are running can perform arbitrary actions - Terraform cannot plan the effects. Provisioners will just execute what they have been configured to do - it is then down to the script or whatever you are running to determine its actions

Another reason is that provisioners might involve a lot more than usual Terraform tasks: they need to access your servers directly, use credentials to sign in, and ensure that all the required external software is set up, and so on.

Also, by default, provisioners are only run during creation , not during updating or any other lifecycle action - so exactly for bootstrapping such as you is seems are doing.

You mention Ansible which as a configuration tool is complimentary to Terraform as an IaC tool. Using the Ansible playbook ‘check mode’` and ‘diff mode’ could be used to provide similar detail to a plan (check simulates) and apply (diff details any changes made)

Integrating Ansible into your gitops alongside Terraform is likely to be a much more robust solution that trying to somehow channel everything through Terraform in some manner. Keeping both within their specialist domain - Ansible handles configuration, while Terraform sets up infrastructure.

Thank you for detailed explanation. however even we tried using ansible which uses null_resource which is not declarative approach. other provisioner does terraform any resource block which handle state of the configuration management.?

What I was trying to describe was to use Ansible outside Terraform. It can still be part of your GitOps processes and pipelines but use Terraform (the IaC tool) purely on the Infrastructure provisioning and manage the configuration of the VM resources using the configuration management tool (Ansible)

Yes, you may use a small script to bootstrap the VMs into Ansible management - in which case this could be a remote-exec provisioner and would only need to run the first time the resource is created (And is exactly a use case for this). But if you are trying to ‘proxy’ your Ansible configuration and application of Ansible playbooks via Terraform, expecting anything other than to run provisioner scripts with the limited feedback they give, then you are going to end up in the situation you are now.


  • Repo for TF config

  • Repo for Ansible playbooks

  • Build into your CI/CD pipelines the required GitOps elements for both Terraform and Ansible around dev, check-ins and merges, etc. based upon your requirements

  • Deployment pipelines would:

    • Deploy the infrastructure (TF Plan-Apply)
    • Bring the VMs under Ansible management as soon as they are deployed (either via Ansible bootstrapping, deploy custom image or some sort of provisioner in TF)
    • Run Ansible playbooks - go through a (Check-Run-Diff)

If your only on-boot setup need is to arrange for Ansible to do configuration management, I don’t think you should need provisioners at all, because most cloud VM images have cloud-init installed, and it has a built-in module for setting up Ansible.

You will need to provide a small cloud-init configuration via your cloud platform’s “user data” mechanism, but Terraform just arranges for that configuration to be available when cloud-init requests it, and then your VM should be able to bootstrap itself without Terraform ever needing to connect to it directly via SSH.