
Best Practices - Provisioners

Think of provisioners as duct tape in your Lego city. They're handy for quick fixes like patching a broken bridge or wiring a lamp, but if you rely on duct tape for the whole city, things will eventually fall apart.

Provisioners in Terraform work the same way: they’re useful for last‑mile tasks, but overusing them can lead to brittle, unpredictable infrastructure. This chapter teaches you the best practices for using provisioners responsibly and highlights the common pitfalls to avoid.


Key Concepts

✅ Best Practices

  • Use sparingly: Provisioners should be the exception, not the rule.
  • Prefer configuration management tools: Use Ansible, Chef, or Puppet for complex setups, or avoid the problem entirely by baking configuration into the image (for example with Packer) or handing it to cloud-init through user_data.
  • Keep scripts idempotent: Ensure commands can run multiple times without breaking.
  • Document usage: Explain why a provisioner is necessary in your README.
  • Test in staging: Validate provisioners before running in production.
  • Combine wisely: Use file + remote-exec together for file transfer and execution.
  • Handle failures gracefully: The default on_failure = fail aborts the apply and taints the resource; set on_failure = continue only for non‑critical tasks (such as logging) that shouldn't block deployment.
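As an added example that is not part of the original page, here is one way to apply several of these practices together: provisioning is moved out of the aws_instance into a separate terraform_data resource, so that a failed remote-exec taints only that small resource instead of forcing the instance itself to be destroyed and recreated, and triggers_replace re-runs the script only when its contents (or the instance) change. The resource names, the AMI, the SSH user and the key path are assumptions, and the inline commands are written so that running them a second time changes nothing.

```hcl
variable "ssh_private_key_path" {
  type    = string
  default = "~/.ssh/deployer.pem" # assumed path to the key pair's private key
}

resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI; pick one from your region
  instance_type = "t3.micro"
  key_name      = "deployer"               # assumed key pair name
}

# Provisioning lives in its own resource. If a provisioner below fails, only
# terraform_data.web_setup is tainted and replaced; the instance stays up.
resource "terraform_data" "web_setup" {
  # Re-run the provisioners when the script changes or the instance is replaced
  triggers_replace = [
    aws_instance.web.id,
    filesha256("${path.module}/setup.sh"),
  ]

  connection {
    type        = "ssh"
    host        = aws_instance.web.public_ip
    user        = "ubuntu" # assumed login user for the AMI
    private_key = file(pathexpand(var.ssh_private_key_path))
    timeout     = "5m" # keep retrying until sshd accepts connections
  }

  provisioner "file" {
    source      = "${path.module}/setup.sh"
    destination = "/tmp/setup.sh"
  }

  # Idempotent commands: each step checks before it acts, so a re-run is a no-op
  provisioner "remote-exec" {
    inline = [
      "set -eu",
      "id app >/dev/null 2>&1 || sudo useradd --system --shell /usr/sbin/nologin app",
      "sudo install -m 0755 -o root -g root /tmp/setup.sh /usr/local/bin/setup.sh",
      "sudo /usr/local/bin/setup.sh",
    ]
  }

  # Non-critical bookkeeping; a failure here must not taint the resource
  provisioner "local-exec" {
    command    = "echo provisioned ${aws_instance.web.id} >> provision.log"
    on_failure = continue
  }
}

# Expose results through outputs instead of relying on provisioner logs
output "web_public_ip" {
  value = aws_instance.web.public_ip
}
```

Because the instance and its configuration are separate resources, a broken setup.sh costs you one terraform apply of terraform_data.web_setup, not a replacement of the EC2 instance and whatever was attached to it.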

❌ Common Pitfalls

  • Overuse: Relying on provisioners for full configuration leads to fragile infra.
  • Non‑idempotent scripts: Commands that break when re‑run cause unpredictable results.
  • Connectivity issues: The file and remote-exec provisioners need a connection block and fail if SSH/WinRM on the host isn't accepting connections yet; set a timeout rather than assuming the instance is reachable the moment it exists.
  • Hidden dependencies: Scripts may rely on external tools not documented in Terraform.
  • Tainted resources: If a creation‑time provisioner fails, Terraform marks the resource as tainted and the next apply destroys and recreates it, so one flaky script can replace a whole instance. With on_failure = continue the resource is kept but may be left half‑configured.
  • Hardcoding secrets: Storing passwords in provisioner scripts or interpolating them into a command string is insecure; they end up in version control and in the apply output, where Terraform echoes the command it runs.
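An added example, not taken from the original page, that puts the hardcoded-secret pitfall beside the corrected form. It assumes a registration script, register.sh, that needs a database password; the variable, resource and script names are invented. The point is that anything in the command string is visible wherever the command is shown, while a value passed through the provisioner's environment is not.

```hcl
variable "db_password" {
  type      = string
  sensitive = true # Terraform redacts sensitive values in plan and apply output
}

# WEAK: the password is baked into the command string. It ends up in version
# control as a literal, in the apply output where Terraform echoes the command,
# and in a process listing for as long as register.sh runs.
resource "terraform_data" "register_weak" {
  provisioner "local-exec" {
    command = "./register.sh --password 'Sup3rS3cret!'" # constructed example value
  }
}

# CORRECTED: the value comes from a sensitive variable and reaches the script
# through its environment. The command string contains no secret, so neither
# the echoed command nor a process listing shows it; register.sh is assumed
# to read DB_PASSWORD from its environment instead of taking a flag.
resource "terraform_data" "register" {
  provisioner "local-exec" {
    command = "./register.sh"
    environment = {
      DB_PASSWORD = var.db_password
    }
  }
}
```

Supply the value at runtime (for example with TF_VAR_db_password or a .tfvars file that is excluded from version control) so that no copy of the secret lives in the repository.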

Hands‑On Lab / Demo

Lab: Safe Provisioner Usage

Provisioner blocks only work inside a resource, and the file and remote-exec provisioners need a connection block that tells Terraform how to reach the host. The lab wires all three steps into one aws_instance; replace the AMI, key pair name and private key path with your own.

  • Create an EC2 instance with a file provisioner that copies setup.sh to the host.
  • Use remote-exec to run the script.
  • Add on_failure = continue for the non‑critical local logging task so a logging problem never taints the instance.

resource "aws_instance" "web" {
  ami           = "ami-0123456789abcdef0" # placeholder; pick an AMI from your region
  instance_type = "t3.micro"
  key_name      = "deployer"

  # How the file and remote-exec provisioners connect to the instance
  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ubuntu"
    private_key = file(pathexpand("~/.ssh/deployer.pem"))
    timeout     = "5m" # keep retrying until sshd is up
  }

  # Step 1: copy the script to the instance
  provisioner "file" {
    source      = "setup.sh"
    destination = "/tmp/setup.sh"
  }

  # Step 2: run it
  provisioner "remote-exec" {
    inline = [
      "chmod +x /tmp/setup.sh",
      "sudo /tmp/setup.sh"
    ]
  }

  # Step 3: non-critical logging; a failure here must not block the deployment
  provisioner "local-exec" {
    command    = "echo Instance ${self.id} created >> instances.log"
    on_failure = continue
  }
}

If setup.sh itself fails, remote-exec keeps the default on_failure = fail: the apply stops and the instance is marked tainted, so the next apply replaces it. Fix the script (and make sure it is idempotent) rather than silencing the error.

Pro Tips & Best Practices

  • Treat provisioners as temporary scaffolding, not permanent solutions.
  • Always prefer Terraform resources or external tools over provisioners.
  • Keep provisioner logic minimal and transparent.
  • Use outputs to expose results instead of relying on provisioner logs.
  • Audit provisioners regularly - remove them once better solutions exist.

Summary & Cheatsheet

  • Best practices: Use sparingly, keep idempotent, document, test, handle failures.
  • Pitfalls: Overuse, fragile scripts, connectivity issues, hidden dependencies, insecure secrets.
  • Golden rule: Provisioners = duct tape, not foundation.

Quick mnemonic: Use Less, Test More, Document Always

The Hckers Notebook

Provisioners are powerful but risky. By following best practices and avoiding common pitfalls, you ensure they remain helpful tools rather than sources of chaos. Think of them as last‑mile helpers, not the backbone of your infrastructure.



Updated on Dec 31, 2025