Terraform vs Vault

Overview

Terraform

Stacks22.9K

Followers14.7K

Votes344

GitHub Stars47.0K

Forks10.1K

Vault

Stacks816

Followers802

Votes71

GitHub Stars33.4K

Forks4.5K

Terraform vs Vault: What are the differences?

Introduction:

Terraform and Vault are two popular tools developed by HashiCorp that serve different purposes in the realm of infrastructure and security. While both tools play important roles in managing and securing IT environments, there are several key differences between Terraform and Vault.

Infrastructure Automation vs. Secret Management: The primary difference between Terraform and Vault lies in their primary purposes. Terraform is an infrastructure automation tool used for provisioning and managing infrastructure resources, while Vault is a secret management tool designed to securely store and distribute sensitive information such as passwords, API keys, and certificates.
Declarative vs. Imperative Configuration: Another key difference is in the way configuration is handled. Terraform, being an infrastructure automation tool, relies on a declarative approach for defining the desired state of infrastructure resources. It allows users to describe the desired state and Terraform handles the execution. On the other hand, Vault requires an imperative approach for its configuration, where users interact and execute commands to manage secrets.
State Management: Terraform relies on a state file to keep track of infrastructure resources and their current state. This state file, usually stored locally or remotely, keeps track of all the resources created by Terraform and helps in updating or destroying them. In contrast, Vault utilizes its own storage backend to persist secrets securely, such as a database or filesystem backend.
Integration with external systems: Terraform is designed to integrate with a variety of external systems, such as cloud providers like AWS, Azure, and GCP, as well as other infrastructure tools like Ansible and Docker. It provides a wide range of providers and modules to interact with different systems, making it highly adaptable. On the other hand, Vault focuses on integrating with applications and systems to securely access and manage secrets.
Scope of Management: Terraform typically handles the full lifecycle of infrastructure resources, from provisioning to configuration management. It can perform tasks such as creating virtual machines, configuring networking, and deploying applications. In contrast, Vault focuses on managing secrets and access control, ensuring that sensitive information is stored and accessed securely.
Community and Ecosystem: Both Terraform and Vault have active communities and ecosystems. However, Terraform has a larger user base and community support due to its broader use case. This often results in more resources, modules, and community-driven enhancements for Terraform, making it easier for users to find solutions to their problems.

In summary, Terraform and Vault differ in their purpose, configuration approach, state management, integration capabilities, scope of management, and community ecosystems. Terraform is focused on infrastructure automation, while Vault specializes in secret management, making them complementary tools in managing and securing IT environments.

Share your Stack

Help developers discover the tools you use. Get visibility for your team's tech choices and contribute to the community's knowledge.

View Docs

CLI (Node.js)

Manual

Advice on Terraform, Vault

Sung Won

Nov 4, 2019

Decidedon

Google Cloud IoT Core

Terraform

Python

Context: I wanted to create an end to end IoT data pipeline simulation in Google Cloud IoT Core and other GCP services. I never touched Terraform meaningfully until working on this project, and it's one of the best explorations in my development career. The documentation and syntax is incredibly human-readable and friendly. I'm used to building infrastructure through the google apis via Python , but I'm so glad past Sung did not make that decision. I was tempted to use Google Cloud Deployment Manager, but the templates were a bit convoluted by first impression. I'm glad past Sung did not make this decision either.

Solution: Leveraging Google Cloud Build Google Cloud Run Google Cloud Bigtable Google BigQuery Google Cloud Storage Google Compute Engine along with some other fun tools, I can deploy over 40 GCP resources using Terraform!

Check Out My Architecture: CLICK ME

Check out the GitHub repo attached

2.25M views2.25M

Comments

Timothy

SRE

Mar 20, 2020

Decided

I personally am not a huge fan of vendor lock in for multiple reasons:

I've seen cost saving moves to the cloud end up costing a fortune and trapping companies due to over utilization of cloud specific features.
I've seen S3 failures nearly take down half the internet.
I've seen companies get stuck in the cloud because they aren't built cloud agnostic.

I choose to use terraform for my cloud provisioning for these reasons:

It's cloud agnostic so I can use it no matter where I am.
It isn't difficult to use and uses a relatively easy to read language.
It tests infrastructure before running it, and enables me to see and keep changes up to date.
It runs from the same CLI I do most of my CM work from.

385k views385k

Comments

Daniel

May 4, 2020

Decided

Because Pulumi uses real programming languages, you can actually write abstractions for your infrastructure code, which is incredibly empowering. You still 'describe' your desired state, but by having a programming language at your fingers, you can factor out patterns, and package it up for easier consumption.

426k views426k

Comments

Detailed Comparison

Terraform	Vault
With Terraform, you describe your complete infrastructure as code, even as it spans multiple service providers. Your servers may come from AWS, your DNS may come from CloudFlare, and your database may come from Heroku. Terraform will build all these resources across all these providers in parallel.	Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
Infrastructure as Code: Infrastructure is described using a high-level configuration syntax. This allows a blueprint of your datacenter to be versioned and treated as you would any other code. Additionally, infrastructure can be shared and re-used.;Execution Plans: Terraform has a "planning" step where it generates an execution plan. The execution plan shows what Terraform will do when you call apply. This lets you avoid any surprises when Terraform manipulates infrastructure.;Resource Graph: Terraform builds a graph of all your resources, and parallelizes the creation and modification of any non-dependent resources. Because of this, Terraform builds infrastructure as efficiently as possible, and operators get insight into dependencies in their infrastructure.;Change Automation: Complex changesets can be applied to your infrastructure with minimal human interaction. With the previously mentioned execution plan and resource graph, you know exactly what Terraform will change and in what order, avoiding many possible human errors	Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.;Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.;Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.;Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.;Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
Statistics
GitHub Stars 47.0K	GitHub Stars 33.4K
GitHub Forks 10.1K	GitHub Forks 4.5K
Stacks 22.9K	Stacks 816
Followers 14.7K	Followers 802
Votes 344	Votes 71
Pros & Cons
Pros 121 Infrastructure as code 73 Declarative syntax 45 Planning 28 Simple 24 Parallelism Cons 1 Doesn't have full support to GKE	Pros 17 Secure 13 Variety of Secret Backends 11 Very easy to set up and use 8 Dynamic secret generation 5 AuditLog
Integrations
Heroku Amazon EC2 CloudFlare DNSimple Microsoft Azure Consul Equinix Metal DigitalOcean OpenStack Google Compute Engine	No integrations available

What are some alternatives to Terraform, Vault?

Ansible

Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates. Ansible’s goals are foremost those of simplicity and maximum ease of use.

Chef

Chef enables you to manage and scale cloud infrastructure with no downtime or interruptions. Freely move applications and configurations from one cloud to another. Chef is integrated with all major cloud providers including Amazon EC2, VMWare, IBM Smartcloud, Rackspace, OpenStack, Windows Azure, HP Cloud, Google Compute Engine, Joyent Cloud and others.

Capistrano

Capistrano is a remote server automation tool. It supports the scripting and execution of arbitrary tasks, and includes a set of sane-default deployment workflows.

Puppet Labs

Puppet is an automated administrative engine for your Linux, Unix, and Windows systems and performs administrative tasks (such as adding users, installing packages, and updating server configurations) based on a centralized specification.

Salt

Salt is a new approach to infrastructure management. Easy enough to get running in minutes, scalable enough to manage tens of thousands of servers, and fast enough to communicate with them in seconds. Salt delivers a dynamic communication bus for infrastructures that can be used for orchestration, remote execution, configuration management and much more.

Fabric

Fabric is a Python (2.5-2.7) library and command-line tool for streamlining the use of SSH for application deployment or systems administration tasks. It provides a basic suite of operations for executing local or remote shell commands (normally or via sudo) and uploading/downloading files, as well as auxiliary functionality such as prompting the running user for input, or aborting execution.

AWS OpsWorks

Start from templates for common technologies like Ruby, Node.JS, PHP, and Java, or build your own using Chef recipes to install software packages and perform any task that you can script. AWS OpsWorks can scale your application using automatic load-based or time-based scaling and maintain the health of your application by detecting failed instances and replacing them. You have full control of deployments and automation of each component

cPanel

It is an industry leading hosting platform with world-class support. It is globally empowering hosting providers through fully-automated point-and-click hosting platform by hosting-centric professionals

Webmin

It is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. It removes the need to manually edit Unix configuration files.

Doppler

Doppler’s developer-first security platform empowers teams to seamlessly manage, orchestrate, and govern secrets at scale.

Related Comparisons

Terraform vs Vault: What are the differences?

Introduction:

Infrastructure Automation vs. Secret Management: The primary difference between Terraform and Vault lies in their primary purposes. Terraform is an infrastructure automation tool used for provisioning and managing infrastructure resources, while Vault is a secret management tool designed to securely store and distribute sensitive information such as passwords, API keys, and certificates.
Declarative vs. Imperative Configuration: Another key difference is in the way configuration is handled. Terraform, being an infrastructure automation tool, relies on a declarative approach for defining the desired state of infrastructure resources. It allows users to describe the desired state and Terraform handles the execution. On the other hand, Vault requires an imperative approach for its configuration, where users interact and execute commands to manage secrets.
State Management: Terraform relies on a state file to keep track of infrastructure resources and their current state. This state file, usually stored locally or remotely, keeps track of all the resources created by Terraform and helps in updating or destroying them. In contrast, Vault utilizes its own storage backend to persist secrets securely, such as a database or filesystem backend.
Integration with external systems: Terraform is designed to integrate with a variety of external systems, such as cloud providers like AWS, Azure, and GCP, as well as other infrastructure tools like Ansible and Docker. It provides a wide range of providers and modules to interact with different systems, making it highly adaptable. On the other hand, Vault focuses on integrating with applications and systems to securely access and manage secrets.
Scope of Management: Terraform typically handles the full lifecycle of infrastructure resources, from provisioning to configuration management. It can perform tasks such as creating virtual machines, configuring networking, and deploying applications. In contrast, Vault focuses on managing secrets and access control, ensuring that sensitive information is stored and accessed securely.
Community and Ecosystem: Both Terraform and Vault have active communities and ecosystems. However, Terraform has a larger user base and community support due to its broader use case. This often results in more resources, modules, and community-driven enhancements for Terraform, making it easier for users to find solutions to their problems.

Terraform vs Vault

Overview