Why config files should't be changed line-by-line with Chef / Puppet?

Question

Why is changing lines in configuration file considered an anti-pattern in Chef or Puppet? It's something like bad habit, as I understood. I assume that this file-editing is done in some idempotent way and with advanced tools (augeas for example).

Why is deploying the whole files, with ERB templates, considered a preferred method?

You can find a lot of examples where dev-ops are suggesting usage of templates instead of file-editing. For example here, here, here, etc.

Answer 1

Actually there is a large part of the DevOps community that sees accepting system/package defaults for config files and only modifying what you need through augeas as the preferred method, Github devops would be one of them(if you happened to catch them at Puppet Conf 2012).

I think having a default pattern of always using templates creates too high of a maintenance load and almost always requires you lock in specific versions for everything across your stack or you risk having an incompatible template against a newer version of that resource.

There's use cases for both options but in general I favor the "own as little as possible" practice vs the "own everything even if you don't have to" practice.

Answer 2

In terms of setting the your system to a known state, deploying whole files is better than editing, because you are sure the file is exactly as intended when you are done.

If you are tinkering around finding potential solutions to a problem and hand edit some configuration file, you don't have to worry about the hand edit you made staying around as an uncontrolled part of your environment. The next time you run chef-client, you know that the state will be exactly as specified in the Chef recipe, and won't include your edit.

Also, it is just in general harder and more complicated to robustly edit a file than it is to just generate one. You might write something that is idempotent in the basic case, but if the file contains a syntax error or something invalid, than your editing no longer works.

As always though, sometimes you don't have a choice, and editing is the only way to go.