The Two Patterns of Ansible Automation

Pipeline Execution vs Controller Execution

Most teams don’t realize they’re choosing an automation architecture every time they run a playbook. They think they’re choosing a tool. They’re actually choosing a pattern.

In my opinion, there are only two patterns that matter:

  1. Pipeline‑Driven Execution
  2. Controller‑Driven Execution (AWX/AAP)

Both work. Both fail. Both solve different problems.

This article breaks down the patterns, the guidance for using them, the anti‑patterns that cause outages, and when combining them actually makes sense.

Pattern 1: Pipeline‑Driven Execution

“Automation lives in Git. Execution happens in CI.”

This is the alleged cloud‑native. I hate the term ‘cloud-native’, it’s just a modern pattern and can equally apply to on-premises, but I’ll use it as it’s become an industry norm.

The pipeline:

  • checks out the repo
  • runs ansible-playbook directly
  • injects secrets at runtime
  • uses inventories stored in Git
  • uses vars stored in Git
  • uses execution environments defined in Git
  • tests automation before deploying
  • runs deterministically and reproducibly

This pattern treats Ansible like any other automation tool: code —> test —> deploy —> verify.

When to use it

Pipeline execution is the right answer when you need:

  • reproducibility
  • portability
  • deterministic execution
  • Git as the single source of truth
  • cloud‑neutral automation
  • ephemeral runners
  • multi‑cloud or hybrid cloud
  • developer‑friendly workflows
  • automation that can run anywhere

This is the pattern used by ‘cloud‑native’ teams, platform teams, and anyone who values Git truth over controller truth.

Strengths

  • Fully reproducible
  • Fully portable
  • Fully version‑controlled
  • No hidden state
  • No GUI configuration
  • No controller dependency
  • Works in any CI/CD system
  • Works locally
  • Works in DR
  • Works in multi‑cloud

Weaknesses

  • Pipelines must understand environment boundaries
  • Pipelines must manage secrets securely
  • Pipelines must enforce guardrails
  • Pipelines can become too flexible
  • Pipelines can accidentally bypass governance

This is why enterprises often avoid this pattern, not because it’s wrong, but because they fear losing control. The fear is real.

Pattern 2: Controller‑Driven Execution (AWX/AAP)

“Automation runs inside a governed platform.”

This is the typical enterprise pattern.

AWX/AAP:

  • pulls playbooks from Git
  • stores inventories
  • stores credentials
  • enforces RBAC
  • provides audit trails
  • standardizes execution environments
  • triggers automation from events
  • provides multi‑team visibility

This pattern treats Ansible as a governed automation platform, not a CLI tool.

When to use it

Controller execution is the right answer when you need:

  • RBAC
  • credential isolation
  • auditability
  • inventory synchronization
  • standardized execution environments
  • event‑driven automation
  • multi‑team governance
  • compliance and regulatory controls

This is the pattern used by large enterprises, regulated industries, and teams with strict governance requirements.

Strengths

  • Centralized governance
  • Centralized credentials
  • Centralized inventory
  • Centralized audit
  • Standardized execution environments
  • Event‑driven automation
  • Multi‑team visibility
  • Strong guardrails

Weaknesses

  • Hidden state
  • GUI configuration
  • Non‑portable automation
  • Not fully reproducible
  • Not fully version‑controlled
  • Controller dependency
  • Harder to test automation before deployment
  • Harder to run automation outside AWX

This is why ‘cloud‑native’ teams avoid this pattern, not because it’s wrong, but because it’s not portable.

Anti‑Patterns

These are the patterns that break automation, cause outages, and create drift.

Anti‑Pattern 1: AWX as the “automation store”

Pipelines call AWX job templates as if AWX stores automation.

It doesn’t.

AWX stores configuration, not automation.

Automation lives in Git. AWX overrides Git with controller‑side state.

This creates split‑brain automation, if you think git is the source of truth, surprise, it isn’t.

Anti‑Pattern 2: Pipelines storing credentials

This is a governance failure.

Pipelines should inject secrets at runtime, not store them.

AWX should manage credentials. Actually, just about anything else should manage credentials.

Anti‑Pattern 3: AWX storing inventories that drift from Git

Inventories should be version‑controlled.

If AWX is the inventory source of truth, Git is no longer authoritative.

This breaks reproducibility.

Anti‑Pattern 4: Pipelines bypassing RBAC

If pipelines can run any playbook against any host using any credential, you’ve lost governance.

This is dangerous in enterprise environments.

Anti‑Pattern 5: AWX storing controller‑side vars that override Git

This creates non‑deterministic execution.

Playbooks behave differently depending on controller configuration.

This breaks portability.

Does the Combination Make Sense?

Here’s the part most teams miss:

The two patterns are not mutually exclusive. They are complementary.

The Practical Guidance

Use pipeline execution when:

  • automation must be reproducible
  • automation must be portable
  • automation must be version‑controlled
  • automation must run anywhere
  • automation must be tested before deployment

Use controller execution when:

  • governance matters
  • RBAC matters
  • credential isolation matters
  • auditability matters
  • inventory sync matters
  • event‑driven automation matters

Use both when:

  • you need reproducibility and governance
  • you need portability and control
  • you need Git truth and environment truth
  • you need cloud‑native execution and enterprise guardrails

This is the two‑layer architecture.

Final Takeaway

There are two patterns.

Trying to make one do both is how teams create drift, outages, and brittle automation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Navigation