AWS CLI vs Terraform
Imperative vs declarative.
Overview
AWS CLI and Terraform solve different problems despite both touching AWS APIs. The CLI is imperative: run a command, watch a side effect happen. Terraform is declarative: describe the desired state, let the planner reconcile reality with config. Use each for what it is good at; do not pretend one is a substitute for the other.
- AWS CLI. Imperative, scriptable, immediate, perfect for one-off operations and ad-hoc investigation. No state management, no plan review.
- Terraform. Declarative, plan-and-apply, state-managed, reviewable in PRs. Infrastructure changes become reviewable artefacts instead of tribal knowledge.
- Operational fit. CLI for incident response, debugging, and one-off operations; Terraform for everything that should outlive the operator who created it.
- Per-task decision. The same engineer uses both in the same week; the choice is per-task, not per-team.
The approach
Default to Terraform for anything that creates persistent infrastructure. Reach for the CLI when the answer is "this is one-off and reversible."
- Terraform-by-default for persistent state. VPCs, IAM roles, RDS instances, security groups; anything you would not want to recreate by hand.
- CLI for ad-hoc investigation. Reading current state, debugging permissions, querying CloudWatch, killing a stuck task.
- Plan-on-PR for Terraform. Plans live in pull request comments; nobody applies what nobody reviewed.
- Document the choice and the boundary. Capture which surfaces are Terraform-managed and which are explicitly out-of-band.
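One way to check the documented boundary from the last item above, as an added example that is not part of the original page: it compares the security groups recorded in `terraform show -json` output with those returned by `aws ec2 describe-security-groups` and with a boundary list. The sample JSON, the group IDs and the `OUT_OF_BAND` list are constructed for illustration, and `managed_ids` and `classify` are hypothetical helper names.

```python
import json

# Constructed sample: trimmed `terraform show -json` output (state representation).
TF_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "aws_security_group.web", "mode": "managed",
     "type": "aws_security_group", "values": {"id": "sg-0aaa"}}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.aws_security_group.rds", "mode": "managed",
     "type": "aws_security_group", "values": {"id": "sg-0bbb"}},
    {"address": "module.db.aws_security_group.old", "mode": "managed",
     "type": "aws_security_group", "values": {"id": "sg-0eee"}}]}]}}}
""")

# Constructed sample: trimmed `aws ec2 describe-security-groups --output json`.
AWS_LIVE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web"}, {"GroupId": "sg-0bbb", "GroupName": "rds"},
  {"GroupId": "sg-0ccc", "GroupName": "default"}, {"GroupId": "sg-0ddd", "GroupName": "tmp-debug-ssh"}]}
""")

# Hypothetical boundary document: IDs deliberately left outside Terraform.
OUT_OF_BAND = {"sg-0ccc": "VPC default group, never attached"}

def managed_ids(module, rtype):
    """Walk root and child modules, yielding (id, address) for managed resources."""
    for res in module.get("resources", []):
        if res.get("mode") == "managed" and res.get("type") == rtype:
            yield res["values"]["id"], res["address"]
    for child in module.get("child_modules", []):
        yield from managed_ids(child, rtype)

def classify(state, live, out_of_band):
    """Sort live security groups by which side of the boundary owns them."""
    managed = dict(managed_ids(state["values"]["root_module"], "aws_security_group"))
    live_ids = {g["GroupId"] for g in live["SecurityGroups"]}
    return {
        "terraform": sorted(i for i in live_ids if i in managed),
        "documented": sorted(i for i in live_ids if i not in managed and i in out_of_band),
        # Live but neither in state nor documented: never went through plan review.
        "unreviewed": sorted(i for i in live_ids if i not in managed and i not in out_of_band),
        # Still in state but gone from the account: removed outside Terraform.
        "missing": sorted(addr for i, addr in managed.items() if i not in live_ids),
    }

if __name__ == "__main__":
    print(json.dumps(classify(TF_STATE, AWS_LIVE, OUT_OF_BAND), indent=2))
```

Against a real account, replace the two samples with the parsed output of the commands named in the comments.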
Why this compounds
The right tool per task keeps paying back: infrastructure becomes reviewable, ad-hoc operations stay fast, and on-call has the right reflex for both kinds of work.
- Operational reliability. Plan-on-PR catches mistakes before apply; CLI fast paths keep incident response unblocked.
- Engineering velocity. Both tools used well shorten the path from "I need to do X" to "X is done and reviewed."
- Knowledge retention. Terraform configs become institutional memory; CLI usage stays in incident docs.
- Decision trail for the next environment. Each documented boundary teaches the next team what to Terraform versus what to keep imperative.