<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ansible &#8211; Made For Cloud</title>
	<atom:link href="https://madeforcloud.com/tag/ansible/feed/" rel="self" type="application/rss+xml" />
	<link>https://madeforcloud.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Sun, 12 Jul 2026 02:02:20 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0.1</generator>
	<item>
		<title>The Two Patterns of Ansible Automation</title>
		<link>https://madeforcloud.com/2026/07/12/the-two-patterns-of-ansible-automation/</link>
					<comments>https://madeforcloud.com/2026/07/12/the-two-patterns-of-ansible-automation/#respond</comments>
		
		<dc:creator><![CDATA[gocallag]]></dc:creator>
		<pubDate>Sun, 12 Jul 2026 02:01:14 +0000</pubDate>
				<category><![CDATA[Ansible]]></category>
		<category><![CDATA[Ansible Tower]]></category>
		<category><![CDATA[AWX]]></category>
		<category><![CDATA[ansible]]></category>
		<guid isPermaLink="false">https://madeforcloud.com/?p=313</guid>

					<description><![CDATA[Pipeline Execution vs Controller Execution Most teams don’t realize they’re choosing an automation architecture every time they run a playbook. They think they’re choosing a tool. They’re actually choosing a pattern. In my opinion, there are only two patterns that matter: Both work. Both fail. Both solve different problems. This article breaks down the patterns,&#8230;<p><a class="more-link" href="https://madeforcloud.com/2026/07/12/the-two-patterns-of-ansible-automation/" title="Continue reading &#8216;The Two Patterns of Ansible Automation&#8217;">Continue reading <span class="meta-nav">&#8594;</span></a></p>]]></description>
										<content:encoded><![CDATA[
<h3 class="wp-block-heading">Pipeline Execution vs Controller Execution</h3>



<p class="wp-block-paragraph">Most teams don’t realize they’re choosing an automation architecture every time they run a playbook. They think they’re choosing a tool. They’re actually choosing a <strong>pattern</strong>.</p>



<p class="wp-block-paragraph">In my opinion, there are only two patterns that matter:</p>



<ol start="1" class="wp-block-list">
<li><strong>Pipeline‑Driven Execution</strong></li>



<li><strong>Controller‑Driven Execution (AWX/AAP)</strong></li>
</ol>



<p class="wp-block-paragraph">Both work. Both fail. Both solve different problems.</p>



<p class="wp-block-paragraph">This article breaks down the patterns, the guidance for using them, the anti‑patterns that cause outages, and when combining them actually makes sense.</p>



<h1 class="wp-block-heading">Pattern 1: Pipeline‑Driven Execution</h1>



<h3 class="wp-block-heading">“Automation lives in Git. Execution happens in CI.”</h3>



<p class="wp-block-paragraph">This is the alleged cloud‑native. I hate the term &#8216;cloud-native&#8217;, it&#8217;s just a modern pattern and can equally apply to on-premises, but I&#8217;ll use it as it&#8217;s become an industry norm.</p>



<p class="wp-block-paragraph">The pipeline:</p>



<ul class="wp-block-list">
<li>checks out the repo</li>



<li>runs <mark style="background-color:#eee" class="has-inline-color">ansible-playbook</mark> directly</li>



<li>injects secrets at runtime</li>



<li>uses inventories stored in Git</li>



<li>uses vars stored in Git</li>



<li>uses execution environments defined in Git</li>



<li>tests automation before deploying</li>



<li>runs deterministically and reproducibly</li>
</ul>



<p class="wp-block-paragraph">This pattern treats Ansible like any other automation tool: <strong>code &#8212;> test &#8212;> deploy &#8212;> verify</strong>.</p>



<h3 class="wp-block-heading">When to use it</h3>



<p class="wp-block-paragraph">Pipeline execution is the right answer when you need:</p>



<ul class="wp-block-list">
<li>reproducibility</li>



<li>portability</li>



<li>deterministic execution</li>



<li>Git as the single source of truth</li>



<li>cloud‑neutral automation</li>



<li>ephemeral runners</li>



<li>multi‑cloud or hybrid cloud</li>



<li>developer‑friendly workflows</li>



<li>automation that can run anywhere</li>
</ul>



<p class="wp-block-paragraph">This is the pattern used by &#8216;cloud‑native&#8217; teams, platform teams, and anyone who values <strong>Git truth over controller truth</strong>.</p>



<h3 class="wp-block-heading">Strengths</h3>



<ul class="wp-block-list">
<li>Fully reproducible</li>



<li>Fully portable</li>



<li>Fully version‑controlled</li>



<li>No hidden state</li>



<li>No GUI configuration</li>



<li>No controller dependency</li>



<li>Works in any CI/CD system</li>



<li>Works locally</li>



<li>Works in DR</li>



<li>Works in multi‑cloud</li>
</ul>



<h3 class="wp-block-heading">Weaknesses</h3>



<ul class="wp-block-list">
<li>Pipelines must understand environment boundaries</li>



<li>Pipelines must manage secrets securely</li>



<li>Pipelines must enforce guardrails</li>



<li>Pipelines can become too flexible</li>



<li>Pipelines can accidentally bypass governance</li>
</ul>



<p class="wp-block-paragraph">This is why enterprises often avoid this pattern, not because it’s wrong, but because they fear losing control. The fear is real.</p>



<h1 class="wp-block-heading">Pattern 2: Controller‑Driven Execution (AWX/AAP)</h1>



<h3 class="wp-block-heading">“Automation runs inside a governed platform.”</h3>



<p class="wp-block-paragraph">This is the typical enterprise pattern.</p>



<p class="wp-block-paragraph">AWX/AAP:</p>



<ul class="wp-block-list">
<li>pulls playbooks from Git</li>



<li>stores inventories</li>



<li>stores credentials</li>



<li>enforces RBAC</li>



<li>provides audit trails</li>



<li>standardizes execution environments</li>



<li>triggers automation from events</li>



<li>provides multi‑team visibility</li>
</ul>



<p class="wp-block-paragraph">This pattern treats Ansible as a <strong>governed automation platform</strong>, not a CLI tool.</p>



<h3 class="wp-block-heading">When to use it</h3>



<p class="wp-block-paragraph">Controller execution is the right answer when you need:</p>



<ul class="wp-block-list">
<li>RBAC</li>



<li>credential isolation</li>



<li>auditability</li>



<li>inventory synchronization</li>



<li>standardized execution environments</li>



<li>event‑driven automation</li>



<li>multi‑team governance</li>



<li>compliance and regulatory controls</li>
</ul>



<p class="wp-block-paragraph">This is the pattern used by large enterprises, regulated industries, and teams with strict governance requirements.</p>



<h3 class="wp-block-heading">Strengths</h3>



<ul class="wp-block-list">
<li>Centralized governance</li>



<li>Centralized credentials</li>



<li>Centralized inventory</li>



<li>Centralized audit</li>



<li>Standardized execution environments</li>



<li>Event‑driven automation</li>



<li>Multi‑team visibility</li>



<li>Strong guardrails</li>
</ul>



<h3 class="wp-block-heading">Weaknesses</h3>



<ul class="wp-block-list">
<li>Hidden state</li>



<li>GUI configuration</li>



<li>Non‑portable automation</li>



<li>Not fully reproducible</li>



<li>Not fully version‑controlled</li>



<li>Controller dependency</li>



<li>Harder to test automation before deployment</li>



<li>Harder to run automation outside AWX</li>
</ul>



<p class="wp-block-paragraph">This is why &#8216;cloud‑native&#8217; teams avoid this pattern, not because it’s wrong, but because it’s not portable.</p>



<h1 class="wp-block-heading">Anti‑Patterns</h1>



<p class="wp-block-paragraph">These are the patterns that break automation, cause outages, and create drift.</p>



<h2 class="wp-block-heading">Anti‑Pattern 1: AWX as the “automation store”</h2>



<p class="wp-block-paragraph">Pipelines call AWX job templates as if AWX stores automation.</p>



<p class="wp-block-paragraph">It doesn’t.</p>



<p class="wp-block-paragraph">AWX stores <strong>configuration</strong>, not automation.</p>



<p class="wp-block-paragraph">Automation lives in Git. AWX overrides Git with controller‑side state.</p>



<p class="wp-block-paragraph">This creates split‑brain automation, if you think git is the source of truth, surprise, it isn&#8217;t.</p>



<h2 class="wp-block-heading">Anti‑Pattern 2: Pipelines storing credentials</h2>



<p class="wp-block-paragraph">This is a governance failure.</p>



<p class="wp-block-paragraph">Pipelines should inject secrets at runtime, not store them.</p>



<p class="wp-block-paragraph">AWX should manage credentials. Actually, just about anything else should manage credentials.</p>



<h2 class="wp-block-heading">Anti‑Pattern 3: AWX storing inventories that drift from Git</h2>



<p class="wp-block-paragraph">Inventories should be version‑controlled.</p>



<p class="wp-block-paragraph">If AWX is the inventory source of truth, Git is no longer authoritative.</p>



<p class="wp-block-paragraph">This breaks reproducibility.</p>



<h2 class="wp-block-heading">Anti‑Pattern 4: Pipelines bypassing RBAC</h2>



<p class="wp-block-paragraph">If pipelines can run any playbook against any host using any credential, you’ve lost governance.</p>



<p class="wp-block-paragraph">This is dangerous in enterprise environments.</p>



<h2 class="wp-block-heading">Anti‑Pattern 5: AWX storing controller‑side vars that override Git</h2>



<p class="wp-block-paragraph">This creates non‑deterministic execution.</p>



<p class="wp-block-paragraph">Playbooks behave differently depending on controller configuration.</p>



<p class="wp-block-paragraph">This breaks portability.</p>



<h1 class="wp-block-heading">Does the Combination Make Sense?</h1>



<p class="wp-block-paragraph">Here’s the part most teams miss:</p>



<p class="wp-block-paragraph"><strong>The two patterns are not mutually exclusive.</strong> <strong>They are complementary.</strong></p>



<h1 class="wp-block-heading">The Practical Guidance</h1>



<h2 class="wp-block-heading">Use pipeline execution when:</h2>



<ul class="wp-block-list">
<li>automation must be reproducible</li>



<li><strong>automation must be portable</strong></li>



<li>automation must be version‑controlled</li>



<li><strong>automation must run anywhere</strong></li>



<li><strong>automation must be tested before deployment</strong></li>
</ul>



<h2 class="wp-block-heading">Use controller execution when:</h2>



<ul class="wp-block-list">
<li>governance matters</li>



<li>RBAC matters</li>



<li>credential isolation matters</li>



<li>auditability matters</li>



<li>inventory sync matters</li>



<li>event‑driven automation matters</li>
</ul>



<h2 class="wp-block-heading">Use both when:</h2>



<ul class="wp-block-list">
<li>you need reproducibility <strong>and</strong> governance</li>



<li>you need portability <strong>and</strong> control</li>



<li>you need Git truth <strong>and</strong> environment truth</li>



<li>you need cloud‑native execution <strong>and</strong> enterprise guardrails</li>
</ul>



<p class="wp-block-paragraph">This is the two‑layer architecture.</p>



<h1 class="wp-block-heading">Final Takeaway</h1>



<p class="wp-block-paragraph">There are two patterns.</p>



<p class="wp-block-paragraph">Trying to make one do both is how teams create drift, outages, and brittle automation.</p>



<p class="wp-block-paragraph"></p>
]]></content:encoded>
					
					<wfw:commentRss>https://madeforcloud.com/2026/07/12/the-two-patterns-of-ansible-automation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
