
Ansible - Automation remote or local?

If running an automation tool like Ansible to build your infrastructure stack in the cloud (e.g. AWS), is it enough to have your automation tool and build stack in separate regions/VPCs in the cloud, or does it make more sense to have your automation tool and scripts locally (own datacenter/machine)?

Both seem to be used, but I was just wondering if there was a best practice standard.

rockaja asked Sep 20 '15 19:09


1 Answer

As a contrast to xeraa's good answer, we run as much as possible from inside AWS.

The real benefit we get from this is that it allows us to use centralised Jenkins servers that run Ansible (and Terraform in our case for the actual AWS provisioning, with Ansible just used to configure EC2 instances and run ad-hoc playbooks for administrative tasks).

We can then control access to these Jenkins servers through credentials and/or security groups/NACLs.

Doing it this way means we can control the number of people who have some form of credentials that would allow them to build anything they like and/or destroy anything they like.

Ideally we'd only provide credentials to the Jenkins servers via IAM EC2 instance roles but we're not quite there yet.

One real positive out of this is that our front line/second line support guys who use Windows pretty much exclusively can access a nice web GUI for managing things in the middle of the night and run Jenkins jobs that they specifically have access to run that will do things such as restarting a server/service or even rebuilding part of a VPC.

We have a separate "dev" account that developers have access to from their own machines and it's here that we build things out as we develop our Ansible (and Terraform) code base before that code base is then used in our test and production environments.

ydaetskcoR answered Sep 27 '22 21:09
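An added example, not part of ydaetskcoR's answer: a check for the gap the answer mentions between static credentials and IAM EC2 instance roles on the Jenkins servers. It assumes the AWS SDK default credential lookup, where environment variables and the shared credentials file are consulted before the instance role, so leftover keys keep being used after a role is attached; the function names and all sample values are constructed for illustration.

```python
import configparser

# Constructed sample input: the environment of a Jenkins process and the
# contents of its ~/.aws/credentials file. Key IDs are placeholders.
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = constructed-not-a-real-secret

[ci-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-not-a-real-token
"""

def classify_key(access_key_id, session_token):
    """AKIA = long-lived IAM user key; ASIA = temporary STS key (needs a token)."""
    if access_key_id.startswith("AKIA"):
        return "long-lived"
    if access_key_id.startswith("ASIA") and session_token:
        return "temporary"
    return "unknown"

def mask(access_key_id):
    """Keep only enough of the key ID to identify it in a report."""
    return access_key_id[:4] + "..." + access_key_id[-4:]

def audit(env, credentials_text):
    """List every static credential that would shadow an EC2 instance role."""
    findings = []
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    if key_id:
        kind = classify_key(key_id, env.get("AWS_SESSION_TOKEN", ""))
        findings.append(("env", mask(key_id), kind))
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        if key_id:
            token = parser.get(profile, "aws_session_token", fallback="")
            findings.append(("file:" + profile, mask(key_id), classify_key(key_id, token)))
    return findings

def relies_on_instance_role(env, credentials_text):
    """True only when nothing static sits ahead of the instance role."""
    return not audit(env, credentials_text)

if __name__ == "__main__":
    for source, key, kind in audit(SAMPLE_ENV, SAMPLE_CREDENTIALS):
        print(f"{source:16} {key:12} {kind}")
```

Entries reported as "long-lived" are the ones to rotate out first; an empty result means the host has nothing left to fall back on except the role.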