What are Terraform Provisioners and when should you avoid them?

Answer

Terraform Provisioners execute scripts on local or remote machines during resource creation or destruction.

Types:
- local-exec: runs a command on the machine running Terraform.
- remote-exec: SSH into a resource and run commands.
- file: copy files to a remote resource.

Example: install software after creating a VM.

Why to avoid them: HashiCorp officially recommends using provisioners as a last resort.

Problems:
- provisioners run only at creation/destroy, not on updates;
- they break Terraform's idempotency;
- they can fail silently or leave resources in partial states;
- they make plans unreliable (Terraform cannot know what the script does).

Better alternatives:
- use cloud-init/user_data for initial VM configuration,
- use purpose-built configuration management tools (Ansible, Chef, Puppet) post-provisioning,
- use pre-baked images with Packer, or
- use container images.

Reserve provisioners only for bootstrapping that cannot be handled any other way.