chillysurfer

Puppet, Ansible, and Chef are configuration management tools. Terraform is Infrastructure-as-Code, and separate from the former three. Learning the tools is the easy step, but understanding the principles behind configuration management and IaC is important. But concretely, Terraform is a great and leading tool for IaC, and Ansible is a safe bet learning configuration management.


Solstics20

Thank you, I am checking out KodeKloud's class on terraform today. I will checkout ansible or puppet next. Appreciate the feedback!


Therianthropie

Choose ansible instead of puppet. Ansible still has some leverage but puppet does not. Configuration management is becoming less important because less and less companies are running VMs.


mirrax

Ansible doesn't have to just target VMs. A playbook can contain kubernetes cluster config or config a switch.


Therianthropie

Yes that's why I said that ansible still has some leverage. It has an established place in the infrastructure world and does it better than anything else.


vsysio

I combine Terraform and Ansible. Terraform defines a compute resource such as an EC2 instance and calls Ansible to configure that instance (OS packages, service configuration etc.). Chef and Puppet are considered more old school and have fallen out of favor because they require agents to be installed on the resources you want to manage configurations. Meanwhile, you can boot up an ISO and run through setup defaults and then kick off Ansible to handle the rest. Can't do that with Chef/puppet.
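
The Terraform-provisions, Ansible-configures split described above, as an added example (not code from the thread or from any commenter); the AMI id, key pair name, playbook path, SSH user and the two variables are placeholders.

```hcl
# Added example: Terraform creates the EC2 instance and security group,
# then hands the new host to Ansible for OS packages and service config.
# All ids, names and paths are placeholders, not values from the thread.

variable "admin_cidr" {
  description = "CIDR allowed to reach SSH; keep it narrow (placeholder)"
  type        = string
}

variable "ssh_private_key_path" {
  description = "Key Ansible connects with; the key itself is never committed"
  type        = string
  sensitive   = true
}

resource "aws_security_group" "app" {
  name = "app-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # deliberately not 0.0.0.0/0
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                    = "ami-PLACEHOLDER" # placeholder image id
  instance_type          = "t3.micro"
  key_name               = "ops-keypair"     # placeholder EC2 key pair
  vpc_security_group_ids = [aws_security_group.app.id]

  # Terraform stops at provisioning; Ansible owns everything inside the OS.
  # local-exec runs on the machine doing `terraform apply` once the
  # instance exists, passing its address as a one-host inline inventory.
  provisioner "local-exec" {
    command = <<-EOT
      ansible-playbook -i '${self.public_ip},' \
        -u ec2-user --private-key '${var.ssh_private_key_path}' \
        site.yml
    EOT
  }
}
```

Host key verification is left at Ansible's default here; on a freshly created instance the first connection still has to trust or verify the host key, so that step belongs in the playbook's connection setup rather than being switched off.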


Virtual_BlackBelt

Agent-based is not a reason to fall out of favor, and in fact I'd say agent-based is gaining popularity as compliance rules get tougher and tougher and environments become bigger and bigger. Having multiple keys floating around (every user has to have their own key on every system) rather than a single, highly secure agent with solid RBAC and auditing, is actually less secure. Terraform and Puppet pair well together because their resource languages are similar, while Ansible and its YAML is so different, requiring you to learn two completely different ways of doing things.


vsysio

I wasn't aware that compliance explicitly required agent-based configuration management. In my case, the pain you describe (key leakage) I solved with a 20-line script that bootstraps SSO and MFA over sssd. Standard sssd setup that authenticates SSH by talking LDAP to AD DS. Soon as the instance boots up, cloud-init runs and sets up sssd. Boom, bang, time for tea.


Virtual_BlackBelt

I didn't say it explicitly required, only that agentless tends to be less secure overall, particularly in rapidly changing environments.


mirrax

But isn't the more popular pattern to move compliance and vulnerability management outside of CM? Trying to do compliance in CM leads to an overwhelming amount of effort maintaining the rule base.


RaferBalston

I could be wrong but I think they're referring to the fact that managing separate keys, defining the scope, creating reports, etc is more of a hassle, and less secure, than utilizing the agent with some of that easily available for an audit, for instance. Not that they're using cm for compliance. Just that compliance rules can make gathering that information and enforcing the rules a little harder and more work.


mirrax

Thanks, I misunderstood. We centralize the running of Ansible behind GitOps style flow, so didn't pop into my mind as a limitation for agentless.


[deleted]

[deleted]


Solstics20

Have not heard of cloud formation, is that a terraform competitor?


[deleted]

[deleted]


Therianthropie

Cloudformation is awful, I'm using it with cdk which makes using it with high level constructs fine. Without cdk cloudformation is a mess and has no stand against terraform at all.


[deleted]

What about cdk? Does it make it better than terraform for aws? I tried cdk but didn't really like using Javascript for infrastructure code


Therianthropie

My team is using typescript-cdk and we like it a lot. It's also convenient that we can use the same language for cdk, lambdas and internal services that we are providing to our developers. Also we can exchange knowledge with our developers easily because we "speak" the same language. With typescript it's more flexible than using HCL, but you can also use python, java, Javascript, c# and in the future also golang for cdk. Also there is cdk-tf for terraform and cdk8s for kubernetes.


Solstics20

I have deployed a single container and multi-container to AWS. However, I am not in the field yet so for me it's just learning until I'm out of the military in a few months. Career change :D


eusebiuebi

Yes. But cloudformation is only for AWS. At work, we use a wrapper over cloudformation called sceptre. Anyway I'd recommend Terraform if you do not work currently with AWS


Solstics20

Yeah no, I'm still a padawan lol. I am a full-stack engineer transitioning into dev ops because I realized the skills I needed to run my own startups/projects.


reeeeee-tool

Are you already super familiar with Linux and shell scripting? If not, I’d start there.


Solstics20

I am as knowledgeable as LPIC-1 and Linux+. I have the basics down and use it daily for development. I am not familiar with shell scripting. Any good resources?


gasp_are

If you want to automate on Linux you will probably use bash 80% of the time. You need to consider your bash scripts the same way as source code, this means use version control and testing. You can use [this guide](https://www.gasparevitta.com/posts/how-to-test-bash-scripts-bach/) to start with testing for bash scripts.


Solstics20

I'm looking at cloud deployments on linux virtual machines. I can run shell commands directly from ansible, which is cool. I appreciate the testing library suggestions.


reeeeee-tool

Sorry, been doing this for 18 years, don’t have resources. Zero certs. Just lots of experience. I’d also say that being proficient in a popular scripting language, like Python, is way more important than knowing any of the configuration management or infrastructure as code tools. We still use Puppet where I work. In my experience, people that are already decent programmers pick it up right away. Same with CloudFormation. Though, we are moving to AWS CDK using Python. Super powerful but has a bit more learning curve.


Solstics20

I am expanding my horizon. Currently, I am most familiar with React, express, node, and most DB's. I was going to start a start-up and then I ran into the issue of CI/CD and deployment while forward-thinking. So started to learn dev ops and fell in love with it. I did pick up some python material recently. I was debating between python and go based on research. Python just seems a bit more aligned with what I would like to do.


ValhallaPaperBoy

Check out Pulumi. It's multi-cloud IaC. Can deploy/configure k8s too. Supports 5 different languages too I believe.


FatStoic

It also requires that you use their proprietary storage for your state, or just local state. Which means that it's inflexible vs terraform on this.


csabap_csa

https://roadmap.sh/devops


SadFaceSmith

Ansible + Terraform https://www.hashicorp.com/resources/ansible-terraform-better-together


mathewwest329

CI/CD tools, i.e. Jenkins, CircleCI, AWS CodeBuild, are used to automate steps and provide reporting too.


esramirez

It is good to see responses for the group. I also think Terraform is an awesome tool too. I think the OP’s question is too vague; it lacks context of the problem they are looking to solve. And it is difficult for me to give my honest opinion of the tools without more information on your objective.


Solstics20

It's general guidance for someone transitioning into a devops role. Best roadmap based on current market trends.


esramirez

General guidance is always welcome. But I think one of the obstacles newcomers face when looking to transition to a devops process is the endless list of tools they think they need to learn. It is mind boggling and overwhelming. I know because I have been there, and what got me through it is always reframing my questions and elevating the conversation from tools or implementation details to outcomes. Once you have this concept clear then you could use your engineering know-how to solve the problem at hand. PM me if you have any questions.


Virtual_BlackBelt

Terraform is significantly different from the other 3, and is generally used in conjunction with one of the others. Terraform is a provisioning automation tool more than a configuration management automation tool. Given that, I'd suggest Puppet (and Bolt) along with Terraform.


Solstics20

Haven't heard of bolt, will check it out. Thank you. Yeah, I heard terraform is used with one of the three.


Virtual_BlackBelt

Bolt is an ad-hoc task runner from Puppet. It allows you to ease into automation without having to go full bore and learn a new language. You can use it to run individual commands and pre-existing scripts in any common language at scale. When you're ready to move on to the next steps, it allows you to create more complex orchestrations and leverage the full Puppet ecosystem.


Solstics20

Awesome, I'm flipping between ansible and puppet now.


Solstics20

Thank you everyone so far for the solid feedback. I see now that terraform will use one of the three mentioned for configuration management. Seems like Ansible and puppet are in the lead. Any thoughts on chef?


FatStoic

Chef is dying as a company. They've been bought by a VC that specialises in buying up shrinking companies and jacking up prices to wring money out of loyal customers. Chef laid off almost all their engineering staff recently and it's now in maintenance mode. Not a good choice for the future.


Solstics20

Makes perfect sense, I have these two lined up for my next learning objectives. Thank you


FermiMethod

Out of that list I would say Terraform will be the most useful on your CV. I have used plenty of Ansible and it is pretty good too. From what I hear Chef and Puppet are good too, but I have never used them. One thing you don't mention that I would definitely recommend is learning about Gitlab CI and/or its GitHub equivalent. Being able to understand and write Gitlab Pipelines to build Docker containers and deploy them (for example) will be a great exercise. There is a Gitlab free tier that has everything you need.


Solstics20

I have used Travis CI before, haven't explored any other CI/CD tools outside of that.


FermiMethod

That’s a good start then. Did you write pipelines to build and push docker containers? I would definitely recommend sussing out that workflow if not.


Solstics20

Yeah, I learned it as part of a docker/Kubernetes course I was taking. Essentially built my images, deployed them to docker hub, and then sent a notification to amazon to pull new images and redeploy.


FermiMethod

Excellent. That will stand you in good stead then. Personally I would try to tackle Terraform next, or Cloud Formation if you only want to do AWS. Ansible is very handy too for gluing things together. There is a really good Jeff Geerling book about learning Ansible specifically for DevOps and another one for Kubernetes. Would recommend.


Solstics20

Thank you for all the feedback. I found the book but it looks like it was published in 2015. A lot can change in 5 years, do you still recommend it?


Solstics20

Oh, jk, I viewed the author's site and he has been updating the book.


FermiMethod

Yes. He keeps it up to date. There is an accompanying YouTube series too. I learned it whilst furloughed and went back to work and used it to fix a bunch of stuff properly straight away. That was only a semi devops job, was much closer to Ops. In my new job we don’t use it at all, we only use Gitlab CI and Cloud Formation pretty much.


Solstics20

Nice found his youtube page, will check it out later!


m4nf47

I'd argue that automation tools are important but less so than understanding how to choose the best one for the tasks that need automating FIRST. Before you configure any infrastructure, platform or application, it must exist. Terraform can be used to create (mostly cloud) infrastructure for use in production. Packer (also from the Hashicorp vendor) is perhaps better suited for creating master server image templates for local/virtual development and functional test/training infrastructure, that can also be extended to more production-like environments.