If running an automation tool like Ansible to build your infrastructure stack in the cloud (e.g. AWS), is it enough to have your automation tool and build stack in separate regions/VPCs in the cloud, or does it make more sense to have your automation tool and scripts locally (own datacenter/machine)?
Both seem to be used, but I was just wondering if there was a best practice standard.
As a contrast to xeraa's good answer we run as much as possible from inside AWS.
The real benefit we get from this is that it allows us to use centralised Jenkins servers that run Ansible (and Terraform in our case for the actual AWS provisioning, with Ansible just used to configure EC2 instances and run ad-hoc playbooks for administrative tasks).
We can then control access to these Jenkins servers through credentials and/or security groups/NACLs.
Doing it this way means we can control the number of people who have some form of credentials that would allow them to build anything they like and/or destroy anything they like.
Ideally we'd only provide credentials to the Jenkins servers via IAM EC2 instance roles but we're not quite there yet.
One real positive out of this is that our front line/second line support guys, who use Windows pretty much exclusively, can access a nice web GUI for managing things in the middle of the night and run the Jenkins jobs they specifically have access to, which will do things such as restarting a server/service or even rebuilding part of a VPC.
We have a separate "dev" account that developers have access to from their own machines, and it's here that we build things out as we develop our Ansible (and Terraform) code base before that code base is then used in our test and production environments.
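The pattern described in this answer (a Jenkins host inside AWS that runs Ansible, reachable only through security groups, with permissions coming from an IAM EC2 instance role rather than stored keys) can be expressed in Terraform. The block below is an added example, not the answerer's own code: the variables `vpc_id`, `subnet_id`, `ami_id` and `corporate_cidr` are placeholders the caller supplies, the role name `jenkins-automation` and the `ManagedBy=ansible` tag are assumed naming conventions, and the permitted actions are just a minimal illustration of scoping the role to what the playbooks need.

```hcl
# Added example (not from the original answer): a Jenkins/Ansible control host
# inside AWS that gets its AWS permissions from an EC2 instance role instead of
# long-lived access keys, and whose web GUI is reachable only from a corporate range.
# Placeholders supplied by the caller: vpc_id, subnet_id, ami_id, corporate_cidr.
variable "vpc_id"         { type = string }
variable "subnet_id"      { type = string }
variable "ami_id"         { type = string }
variable "corporate_cidr" { type = string } # e.g. "203.0.113.0/24" (documentation range, placeholder)

# Trust policy: only the EC2 service may assume this role, so the only way to
# obtain its credentials is from inside the instance itself.
data "aws_iam_policy_document" "assume_ec2" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "jenkins" {
  name               = "jenkins-automation"
  assume_role_policy = data.aws_iam_policy_document.assume_ec2.json
}

# Permissions: only what the administrative playbooks run from this host need,
# scoped by action and by tag condition rather than "*", so a compromised
# Jenkins host cannot build or destroy arbitrary resources in the account.
data "aws_iam_policy_document" "jenkins_permissions" {
  statement {
    sid       = "DescribeForDynamicInventory"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeTags"]
    resources = ["*"] # Describe* calls do not support resource-level restrictions
  }
  statement {
    sid       = "RestartManagedInstancesOnly"
    actions   = ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ManagedBy" # assumed tagging convention
      values   = ["ansible"]
    }
  }
}

resource "aws_iam_role_policy" "jenkins" {
  name   = "jenkins-automation"
  role   = aws_iam_role.jenkins.id
  policy = data.aws_iam_policy_document.jenkins_permissions.json
}

resource "aws_iam_instance_profile" "jenkins" {
  name = "jenkins-automation"
  role = aws_iam_role.jenkins.name
}

# Network control: the Jenkins web GUI is reachable only from the corporate
# range, never from 0.0.0.0/0. Outbound is left open so Ansible can reach the
# instances it manages and the AWS APIs.
resource "aws_security_group" "jenkins" {
  name   = "jenkins-automation"
  vpc_id = var.vpc_id

  ingress {
    description = "Jenkins web GUI over TLS from the office"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.corporate_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "jenkins" {
  ami                    = var.ami_id
  instance_type          = "t3.medium"
  subnet_id              = var.subnet_id
  iam_instance_profile   = aws_iam_instance_profile.jenkins.name
  vpc_security_group_ids = [aws_security_group.jenkins.id]

  # Require IMDSv2 so the role credentials cannot be read by a plain
  # unauthenticated request to the metadata service.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = { Name = "jenkins-automation" }
}
```

With this in place Ansible on the host needs no AWS keys at all: the `amazon.aws.aws_ec2` inventory plugin and the `amazon.aws` modules pick up the instance-role credentials through the normal boto credential chain, and the audit trail in CloudTrail attributes every API call to the `jenkins-automation` role rather than to a shared user. Widening the policy beyond the two statements shown is a deliberate, reviewable change to this file, which is the point of the answer's "control the number of people with credentials" argument.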