Microsoft Certified: Azure DevOps Engineer Expert

Microsoft Certified: Azure DevOps Engineer Expert Intermediate — Quiz 2 — Study Guide

Configuration Management Tools: Puppet, Ansible, and Chef

Configuration management is the backbone of modern DevOps practice. Without it, managing hundreds or thousands of servers becomes a chaotic, error-prone nightmare. Tools like Puppet, Ansible, and Chef let you define exactly how your infrastructure should look — and automatically enforce that vision at scale. Whether you're preparing for the Azure DevOps Engineer Expert exam or working in the field, understanding these tools is essential for building reliable, auditable, and secure systems.


What Is Configuration Management?

Configuration management is the practice of automating the setup, maintenance, and enforcement of system configurations across your infrastructure. Instead of manually SSH-ing into servers and running commands, you write code that describes your desired state — what the system *should* look like — and the tool makes it so.

Key Concepts

  • Desired State: The target configuration you want a system to be in (e.g., "Apache must be installed and running").
  • Idempotency: Running the same configuration multiple times produces the same result without unintended side effects. If Apache is already installed, a second run won't reinstall it — it just confirms it's there.
  • Configuration Drift: When servers gradually diverge from their intended state due to manual changes or updates. Configuration management tools detect and correct drift automatically.
  • Auditability: Every change is tracked in code (often in version control), making it easy to see who changed what and when.
  • Analogy: Think of desired state like a recipe. If you want a chocolate cake, the recipe defines exactly what ingredients and steps are needed. Idempotency means if the cake is already baked, you don't bake it again.
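The desired-state, idempotency and drift ideas above in runnable form. This is an added example written for this guide, not code from Puppet, Ansible or Chef: a single file "resource" (`ensure_file_content`, a name chosen here) that converges a file to its desired content, reports whether anything changed, and can run in a check-only mode that surfaces drift with a diff without correcting it. The file path and the nginx-style contents used in `demo()` are constructed for the demo.

```python
# Added example for this study guide; not code from Puppet, Ansible or Chef.
# A minimal file "resource" with the three properties the text describes:
#   desired state - the caller passes the exact content the file must have
#   idempotency   - a converged file is left alone and reported as changed=False
#   drift         - check_mode=True reports drift (with a diff) but does not fix it
# The path and config contents used in demo() are constructed for the demo.
import difflib
import os
import tempfile


def ensure_file_content(path, desired, check_mode=False):
    """Converge the file at `path` to exactly `desired`.

    Returns (changed, diff): `changed` is True when the file differs from the
    desired state (and was rewritten, unless check_mode); `diff` is a unified
    diff of current vs. desired, empty when already converged.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""  # absent file: treated as empty so the diff shows every line

    if current == desired:
        return False, []  # already in desired state: no-op, nothing to report

    diff = list(difflib.unified_diff(
        current.splitlines(), desired.splitlines(),
        fromfile="current", tofile="desired", lineterm=""))

    if not check_mode:
        # Write via a temp file + rename so a crash mid-write cannot leave
        # a half-converged config behind.
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write(desired)
        os.replace(tmp, path)
    return True, diff


def demo():
    """Run the resource through create, no-op, drift, check-only and repair."""
    desired = "worker_processes auto;\nserver_tokens off;\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nginx.conf")
        first, _ = ensure_file_content(path, desired)   # creates the file
        second, _ = ensure_file_content(path, desired)  # converged: no-op
        # Simulate an operator hand-editing the box (configuration drift).
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("server_tokens on;\n")
        drifted, diff = ensure_file_content(path, desired, check_mode=True)
        with open(path, encoding="utf-8") as fh:
            left_alone = fh.read() != desired           # check mode must not fix
        repaired, _ = ensure_file_content(path, desired)
        final, _ = ensure_file_content(path, desired)
    return {
        "first_run_changed": first,            # True
        "second_run_changed": second,          # False
        "drift_detected": drifted,             # True
        "check_mode_left_drift": left_alone,   # True
        "repair_changed": repaired,            # True
        "post_repair_changed": final,          # False
        "diff": diff,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "changed" flag is what real tools build their reporting on (Puppet's report, Ansible's `changed=` count): a healthy fleet converges to zero changes per run, and a run that keeps reporting changes on the same resource is the signal that something outside the tool is fighting it.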


    Puppet

    Puppet uses a declarative approach — you describe *what* you want, not *how* to get there. Puppet figures out the steps.

    Puppet Master and Agents

  • The Puppet Master (Puppet Server in current releases) is a centralized server that stores and compiles configurations. It also acts as the certificate authority: each agent receives a certificate signed by the master, and all agent/master traffic is mutually authenticated HTTPS.
  • Agents run on managed nodes and check in with the master at a regular interval (30 minutes by default) to receive their configuration.
  • The master compiles a catalog (a document describing the desired state for a specific node) and sends it to the agent, which enforces it and reports the result back.
    Manifests and Modules

  • Manifests are Puppet's primary configuration unit, written in Puppet's DSL (.pp files). They declare resources such as packages, files, and services.
  • Modules group related manifests, templates, and files together for reusability and modularity.

    # Example Puppet manifest
    package { 'nginx':
      ensure => installed,
    }

    service { 'nginx':
      ensure => running,
      enable => true,
    }

    Hiera and Data Management

    Hiera is Puppet's built-in key/value lookup tool for configuration data. It separates data from code, so environment-specific values (server names, ports, credentials) live in data files rather than in manifests. On its own Hiera does not encrypt anything, and its data files normally sit in the same repository as the code, so a password stored in plain Hiera YAML is still a plain-text secret in version control. For secrets, pair it with an encrypting backend such as hiera-eyaml, which keeps ciphertext in the data files and decrypts on the master at catalog compile time, or with an external secrets store.

    Roles and RBAC

    Puppet Enterprise includes RBAC (Role-Based Access Control) to control who can manage which nodes, environments, or node classification. Separately, the roles and profiles pattern groups classes to describe what a node does (e.g., a "web server" role includes nginx, firewall rules, and monitoring), which keeps classification readable and reviewable.


    Ansible

    Ansible takes a simpler, agentless approach. A control node connects to managed hosts over SSH (WinRM for Windows hosts) and executes tasks defined in playbooks. Nothing has to be installed on the managed nodes, but the trade-off is that the control node's SSH keys and inventory grant reach into every host, so that machine needs the same protection as a Puppet master.

    Playbook Structure

    A playbook is a YAML file that defines a series of plays, each targeting a group of hosts and listing tasks to run.

    # Example Ansible Playbook
    - name: Configure web servers
      hosts: webservers
      become: true
      tasks:
        - name: Install nginx
          ansible.builtin.package:
            name: nginx
            state: present

        - name: Ensure nginx is running
          ansible.builtin.service:
            name: nginx
            state: started
            enabled: true

    Key Ansible Modules

    Module      Purpose
    package     Package management: install or remove software
    file        Manage files and directories, including creation, permissions and ownership
    user        User management: create or delete local user accounts
    template    Render Jinja2 templates into dynamic configuration files
    service     Manage services, including start, stop, enable and restart

    Handlers

    Handlers are special tasks that only run when notified by another task, and only if that task reported a change. A common use case is service restart: if a config file changes, notify a handler to restart the service. Handlers run once at the end of the play even if several tasks notified them, so a play that touches five nginx files still restarts nginx a single time.

    tasks:
      - name: Copy nginx config
        ansible.builtin.template:
          src: nginx.conf.j2
          dest: /etc/nginx/nginx.conf
        notify: Restart nginx

    handlers:
      - name: Restart nginx
        ansible.builtin.service:
          name: nginx
          state: restarted

    Attributes and Data Storage

    Ansible stores node-specific values as variables, in inventory files, and in host_vars and group_vars directories. Where Puppet relies on Hiera (plus hiera-eyaml for encryption), Ansible Vault handles secrets management by encrypting whole variable files or individual values (ansible-vault encrypt, ansible-vault encrypt_string), so that ciphertext rather than credentials is committed. The vault password itself is supplied at run time and must be kept out of the repository.


    Chef

    Chef uses a procedural approach: you write recipes in Ruby that are executed in the order written. Each resource inside a recipe (package, service, file) is still declarative, with an action and a desired state, but because recipes are ordinary Ruby you can add loops, conditionals, and ordering logic that describe *how* a system is configured step by step.

    Cookbooks and Recipes

  • Cookbooks are the primary unit of configuration in Chef, similar to Puppet's modules.
  • Recipes live inside cookbooks and contain the actual configuration logic.
  • Chef also uses roles to assign cookbooks to nodes and attributes to store node-specific data.
    # Example Chef Recipe
    package 'nginx' do
      action :install
    end

    service 'nginx' do
      action [:enable, :start]
    end

    Procedural vs. Declarative

    Approach      Tool      Description
    Declarative   Puppet    Define the desired end state; the tool determines how to reach it
    Procedural    Chef      Write step-by-step instructions for how to configure the system
    Hybrid        Ansible   Mostly declarative tasks, executed in the order written

    Security and Automation at Scale

    All three tools support security best practices:

  • RBAC controls who can deploy or modify configurations.
  • Secrets management (hiera-eyaml for Puppet, Ansible Vault, Chef Vault) keeps credentials out of plain-text code; the decryption keys or vault passwords must in turn stay out of the repository and be restricted to the systems that need them.
  • Auditability is built in: configurations live in version control, giving you a full history of changes, and each tool records what it changed on every run (Puppet reports, Ansible task output, Chef run logs).
  • Automation reduces human error, which is behind a large share of outages and security incidents, and makes every change repeatable and reviewable.
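A check a practitioner would put in CI or a pre-commit hook to enforce the secrets-management bullet above, as an added example written for this guide (not an Ansible, Puppet or Chef feature). It scans variable files for credential-looking keys whose values are stored in plain text, and accepts values that are Ansible Vault inline-encrypted (the `!vault` tag), hiera-eyaml encrypted (`ENC[...]`), or resolved at run time from a lookup or variable. It serves the Hiera and Ansible Vault passages earlier as well as this list. The two YAML documents are constructed samples with fake ciphertext; the key-name list and the `is_protected` rule are the example's own assumptions, not a standard.

```python
# Added example for this study guide; not an Ansible, Puppet or Chef tool.
# A pre-commit style check that flags credential-looking keys whose values are
# committed in plain text. A value is accepted when it is Ansible Vault
# inline-encrypted (`!vault` tag), hiera-eyaml encrypted (`ENC[...]`), or
# resolved at run time from a lookup/variable (`{{ ... }}`).
# Both input documents are constructed samples; the ciphertext blobs are fake.
import re

# Key names that usually hold credentials (assumption for this example).
# Hiera keys may contain '::', so the key character class allows ':'.
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.:-]*?(?:password|passwd|secret|token|api_key|private_key)[\w.-]*)"
    r"\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def is_protected(value):
    """True when a value is encrypted at rest or resolved at run time."""
    v = value.strip().strip("\"'")
    return (
        v.startswith("!vault")    # Ansible Vault inline-encrypted scalar
        or v.startswith("ENC[")   # hiera-eyaml PKCS7/GPG ciphertext
        or v.startswith("{{")     # Jinja2 lookup, e.g. from env or a vault plugin
    )


def find_plaintext_secrets(name, text):
    """Return (file, line number, key) for every plain-text credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if value == "":
            continue  # a nested mapping follows; its own lines get scanned
        if not is_protected(value):
            findings.append((name, lineno, m.group("key")))
    return findings


def scan(files):
    """Scan a {path: contents} mapping and return all findings, in file order."""
    out = []
    for name, text in files.items():
        out.extend(find_plaintext_secrets(name, text))
    return out


ANSIBLE_VARS = """\
# group_vars/webservers.yml (constructed sample)
db_user: app
db_password: Sup3rSecret!
api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3836653535663262653362626265666530633361646639663032313639333465353631363964
smtp:
  password: "{{ lookup('env', 'SMTP_PASSWORD') }}"
"""

HIERA_DATA = """\
# hieradata/common.yaml (constructed sample; ciphertext is a fake stand-in)
profile::db::password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEh]
profile::ssh::private_key: -----BEGIN OPENSSH PRIVATE KEY-----
"""


def demo():
    """Scan both constructed files; expect one finding in each."""
    return scan({"group_vars/webservers.yml": ANSIBLE_VARS,
                 "hieradata/common.yaml": HIERA_DATA})


if __name__ == "__main__":
    for path, lineno, key in demo():
        print(f"{path}:{lineno}: plain-text secret in '{key}'")
```

Run it against the repository in CI and fail the build on any finding; the point is that "keeps credentials out of plain-text code" only holds if something actually checks, because nothing in Hiera or a vars file stops a developer from pasting a password in the clear.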

    Key Takeaways

  • Idempotency means running a configuration multiple times always produces the same result — no duplicate installations or broken states.
  • Puppet uses a declarative, master-agent model where the Puppet Master compiles a catalog and distributes it; manifests and modules are its core building blocks.
  • Ansible is agentless and uses playbooks with handlers for event-driven tasks like service restarts; modules like file, user, and template cover most configuration needs.
  • Chef takes a procedural approach using cookbooks and recipes written in Ruby, giving fine-grained control over configuration steps.
  • Configuration drift, desired state, and auditability are universal concepts across all tools — they exist to ensure your infrastructure stays consistent, secure, and traceable.