How to Supercharge Terraform with Ansible, Packer, Vault, and Consul

This article explains how Terraform can be combined with popular DevOps tools—Ansible for configuration management, Packer for image building, Vault for secret handling, and Consul for service discovery—detailing integration steps, code examples, and the benefits of creating a cohesive, automated infrastructure pipeline.

Ops Development & AI Practice

Terraform + Ansible: Configuration Management and Orchestration

Terraform excels at provisioning infrastructure, while Ansible specializes in configuring servers and deploying applications. By letting Terraform create resources and then generating an Ansible inventory dynamically, the two tools can work together seamlessly.

Terraform creates the infrastructure: define EC2 instances, networks, databases, etc.

Generate the Ansible inventory: use a local-exec provisioner, a null_resource, or the templatefile function to write an inventory file that lists the newly created hosts.

Ansible configures the servers: run a playbook against the generated inventory to install software, configure services, and deploy applications.

# Terraform configuration (main.tf)
resource "aws_instance" "example" {
  count         = 3
  ami           = "ami-0c55b31ad2299a796"
  instance_type = "t2.micro"
  tags = {
    Name = "example-${count.index}"
  }
}

resource "local_file" "ansible_inventory" {
  content  = templatefile("${path.module}/inventory.tpl", { instances = aws_instance.example })
  filename = "${path.module}/inventory"
}

# Ansible inventory template (inventory.tpl)
[webservers]
%{ for instance in instances }
${instance.public_ip} ansible_user=ec2-user ansible_ssh_private_key_file=~/.ssh/id_rsa
%{ endfor }

# Ansible playbook (playbook.yml)
---
- hosts: webservers
  become: yes
  tasks:
    - name: Install Apache
      apt:
        name: apache2
        state: present

Terraform + Packer: Custom Image Building

Packer creates machine images (AMI, Docker, VirtualBox, etc.) that can be used by Terraform. By chaining the two tools, you can automate the creation of custom images and then deploy them with Terraform.

Packer builds the image: define a JSON template that specifies the base image, provisioners, and any software to install.

Packer outputs the image ID after a successful build.

Terraform consumes the image ID as a variable to launch instances based on the custom image.

// Packer configuration (packer.json)
{
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "ap-southeast-1",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "*ubuntu-focal-20.04-amd64-server-*",
        "root-device-type": "ebs"
      },
      "owners": ["099720109477"],
      "most_recent": true
    },
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ami_name": "my-custom-ami-{{timestamp}}"
  }],
  "provisioners": [{
    "type": "shell",
    "inline": ["sudo apt-get update", "sudo apt-get install -y nginx"]
  }]
}

// Terraform configuration (main.tf)
variable "ami_id" { type = string }

resource "aws_instance" "example" {
  ami           = var.ami_id
  instance_type = "t2.micro"
}
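
One way to hand the image ID from Packer to Terraform, as an added example that is not part of the original article. It assumes the Packer template also runs a `manifest` post-processor (not shown on the page) that writes a manifest file; the function names and the sample manifest are constructed for illustration.

```python
import json
import re

# AMI IDs are "ami-" followed by 8 or 17 hex digits.
AMI_RE = re.compile(r"^ami-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Constructed sample of a Packer manifest file: two runs are recorded and
# "last_run_uuid" marks the current one. The AMI IDs are made up.
SAMPLE_MANIFEST = json.dumps({
    "builds": [
        {"builder_type": "amazon-ebs", "packer_run_uuid": "run-1",
         "artifact_id": "ap-southeast-1:ami-0123456789abcdef0"},
        {"builder_type": "amazon-ebs", "packer_run_uuid": "run-2",
         "artifact_id": "us-east-1:ami-0fedcba9876543210,"
                        "ap-southeast-1:ami-00112233445566778"},
    ],
    "last_run_uuid": "run-2",
})


def ami_from_manifest(manifest_text, region):
    """Return the AMI ID built for `region` by the most recent Packer run."""
    manifest = json.loads(manifest_text)
    last_run = manifest["last_run_uuid"]
    for build in manifest["builds"]:
        if build.get("packer_run_uuid") != last_run:
            continue  # entry from an earlier build: do not deploy a stale image
        # Multi-region builds list "region:ami" pairs separated by commas.
        for pair in build["artifact_id"].split(","):
            build_region, _, ami = pair.partition(":")
            if build_region == region:
                if not AMI_RE.match(ami):
                    raise ValueError(f"unexpected artifact id: {pair!r}")
                return ami
    raise LookupError(f"no AMI for {region} in run {last_run}")


def tfvars_json(manifest_text, region):
    """Render terraform.tfvars.json content that sets var.ami_id."""
    ami = ami_from_manifest(manifest_text, region)
    return json.dumps({"ami_id": ami}, indent=2)


if __name__ == "__main__":
    print(tfvars_json(SAMPLE_MANIFEST, "ap-southeast-1"))
```

Writing the result to terraform.tfvars.json lets Terraform load `ami_id` automatically, and the format check stops a malformed or stale artifact ID from reaching `terraform apply`.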

Terraform + Vault: Secure Secret Management

Vault provides a centralized, secure store for sensitive data such as passwords, API keys, and certificates. Integrating Vault with Terraform ensures that secrets never appear in plain text within Terraform code or state files.

Store secrets in Vault: use the KV v2 engine to save values like database passwords.

Configure the Vault provider in Terraform: set the Vault address and authentication token.

Read secrets via the vault_generic_secret data source and reference them in resource definitions.

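# Vault configuration
vault secrets enable -path=secret kv-v2
# KV v2 mounts are written with "vault kv put"
vault kv put secret/database password=mysecretpassword

# Terraform configuration (main.tf)
provider "vault" {
  address = "http://127.0.0.1:8200"
  # No token argument here: the provider reads it from the VAULT_TOKEN
  # environment variable, which keeps the token out of version control.
}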

data "vault_generic_secret" "database" {
  path = "secret/database"
}

resource "aws_db_instance" "example" {
  # ... other settings ...
  password = data.vault_generic_secret.database.data["password"]
}
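
A check worth running against this setup, as an added example that is not part of the original article: the Vault provider records values read through data sources such as vault_generic_secret in the Terraform state, as does any resource argument they are passed to, so this scan lists the state attributes that hold secret strings. The key-name pattern, function names and sample state are assumptions constructed for illustration.

```python
import json
import re

# Attribute names that usually hold credentials; "data_json" is the raw
# secret payload stored by the vault_generic_secret data source.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|private_key|data_json", re.I)

# Constructed sample in the Terraform state (version 4) layout, using dummy values.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "data", "type": "vault_generic_secret", "name": "database",
         "instances": [{"attributes": {
             "path": "secret/database", "lease_id": "",
             "data": {"password": "dummy-password"},
             "data_json": "{\"password\":\"dummy-password\"}"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "example",
         "instances": [{"attributes": {
             "username": "admin", "password": "dummy-password"}}]},
        {"mode": "managed", "type": "aws_instance", "name": "example",
         "instances": [{"attributes": {"tags": {"Name": "example-0"}}}]},
    ],
})


def _leaves(value, path):
    """Yield (path, leaf) for every scalar nested under an attributes object."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _leaves(child, path + [key])
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _leaves(child, path + [str(index)])
    else:
        yield path, value


def plaintext_secrets(state_text):
    """Return resource:attribute locations that hold a non-empty secret string."""
    findings = set()
    for res in json.loads(state_text).get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        for inst in res.get("instances", []):
            for path, leaf in _leaves(inst.get("attributes") or {}, []):
                named = any(SENSITIVE_KEY.search(part) for part in path)
                if named and isinstance(leaf, str) and leaf:
                    # Report where the value sits, never the value itself.
                    findings.add(f"{prefix}{res['type']}.{res['name']}:{'.'.join(path)}")
    return sorted(findings)
```

Findings like these mean the state file has to be handled as a secret: keep it in an encrypted remote backend with tight access control, and out of version control.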

Terraform + Consul: Service Discovery

Consul offers service registration, health checking, and key/value storage. By registering Terraform-provisioned services with Consul, other applications can discover them dynamically.

Terraform creates service instances (e.g., EC2 instances).

Register services in Consul using the Consul provider or a remote-exec / local-exec provisioner that calls the Consul API.

Clients query Consul to obtain the address and port of the registered services.

# Consul provider configuration (assumes Consul is running)
provider "consul" {
  address = "127.0.0.1:8500"
}

# Terraform creates EC2 instances and registers them with Consul
resource "aws_instance" "example" {
  count         = 3
  ami           = "ami-0c55b31ad2299a796"
  instance_type = "t2.micro"
  tags = {
    Name = "example-${count.index}"
  }
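  # remote-exec needs a connection block to reach the instance. The user and
  # key path are assumptions that mirror the inventory template above, and the
  # instance must be launched with the matching key pair.
  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ec2-user"
    private_key = file(pathexpand("~/.ssh/id_rsa"))
  }
  provisioner "remote-exec" {
    inline = [
      "echo '{\"name\": \"web\", \"port\": 80, \"address\": \"${self.private_ip}\"}' | consul services register -"
    ]
  }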
}

Conclusion

By integrating Terraform with Ansible, Packer, Vault, and Consul, teams can build a robust, automated DevOps pipeline that covers infrastructure provisioning, configuration management, image creation, secret handling, and service discovery, resulting in more flexible, secure, and maintainable cloud environments.
