What is the best setup if you want version control on playbooks?

We’re wanting to deploy the ansible control node to AWS with Terraform and have it managed by Terraform, and be able to deploy a couple test machines with Terraform as part of the build process for playbooks to be tested on.

Does this sound standard?

Ansible playbooks will be doing the configuration of several web servers for a web app deployment by Terraform. But, we’re also thinking we want to manage the Ansible deployment + testing with Terraform?

Anyone have any recommendations or tips/tricks? Our team is not new to Terraform but, is very new to Ansible.


you speak of an ansible control node, Are you using AWX/Controller, as you can set the project branch to use a release tag, and manage your project configuration with code.

This would be for a long term application, otherwise, I’d set it up so you check out a certain release tag with git and use the git process to version control the playbook as well, just without AAP.

1 Like

We’re not using AWX but, perhaps we ought to? Sounds like that makes things easier when doing a build/version control outside of Ansible?

This surely requires a bit more setup having a web gui etc.

1 Like

Check out the Interactive Labs page and try the “Getting started with automation controller” lab here: Learn Red Hat Ansible Automation Platform | Interactive labs

This will let you have a sandbox to play with and see if you want to go this route. Automation controller is the downstream of AWX, but will be close enough to give you an idea of what @sean_sullivan is talking about.


AWX/AAP Controller would make it easier to scale ansible playbooks in more then just the scenario you describe.But that might take you longer to implement, but likely help you scale long term to use ansible more.

However short term, quick dirty fix I was more thinking along a script that did
git clone projecturl
git checkout version
Run ansible-playbook -i inventory playbook.yml

Benefits of AWX are centralized logging of playbooks, Rbac, different Jobs/Plays can use the same project and use different branches, and chaining playbooks together.

Also going to plug this in there, in addition to Sean’s Recommendation of the lab, if you are interested in AWX, is my book on Demystifying AAP, which was written to work with AWX as well.


I don’t see us needing to scale, we’re not a fast growing application and our infrastructure is relatively monolothic. Would a simple t2 micro dedicated ec2 running ansible playbooks be acceptable with a script or playbook to pull down updated playbooks from an S3 bucket?

1 Like

that would definitely work, or just a container Execution environment with the right collections installed, would work as well. Don’t even need a whole VM.

Technically if you are using a Git server, you could use the CI tool to just run the playbook as well, would need to auth to your aws account the servers.

1 Like

Just saw this bit of documentation as well Automate Ansible playbook deployment with Amazon EC2 and GitHub | Integration & Automation

Seems like this would be mighty convenient, as we could trigger playbooks with webhooks? :o Is this secure?

1 Like

This is really a “you do you” type of decision. But basically, utilize something like a GIT repo for your code is the basics.

My situation is we have a team of 4 that use Ansible. Since it is 1 team, only 4 people, we haven’t tried to add the complexity of AWX or Tower (or whatever it’s called now lol). If we had multiple teams using it, we might look at something with a GUI interface, to be able to lock down based on groups, but we don’t currently have the need.

We have a GIT Repo, and I have 1 Dev Ansible server (using ansible v8.3.0 command line). That is where I (and sometimes others) create & test new roles/playbooks/etc, as well as new versions of Ansible or Ansible Collections. Since our scope currently is just AWS, I use dynamic inventory files, so I can limit my testing to any combination of Dev, Staging, and Prod, depending on the need. We then have a Prod server that we use for day-to-day tasks.

I will note that we have a “files-temp” directory that is not tied to the GIT Repo for “one-off” playbooks - for example, if someone wanted to throw together a playbook that queries a setting on all servers. Stuff that doesn’t really need to go through any GIT Repo/SDLC process. Granted, if we had a bigger (or less trustworthy lol) group we might not allow this…

Standard GIT Process - develop/test things in Dev, when signed off, migrate changes to Prod.

We are currently being offered to use Terraform here. You can Google search “Terraform and Ansible”, there are several articles about when to use each. We haven’t really gotten into it, but if we use it, we likely will draw a line and use Terraform for some things, Ansible for the rest. We are leaning towards “VPC level and above” in Terraform, purely because we don’t use Ansible for those now, as they are rare. If we do this, we will decide whether we actually run things through Terraform, or utilize Ansible collections to run the Terraform things for us. It’s very early for us in this realm, and we haven’t really decided if / how we will utilize Terraform. We use Ansible heavily with no issues, so there is no real reason to move away from something that works so well.

Hope these thoughts help.


I would try either of these things and report back the results, Like all things Ansible, there are 10 ways to solve this, and all of them Good solutions, just what works with your current practices and what you are trying to achieve.

1 Like

Hi @k4bigon! It looks like the post might be solved - could you check to see if any of the responses above worked for you?

If so, it would be super helpful if you could click the :heavy_check_mark: on their post to accept the solution - it helps users find solutions (solved topics have a higher search priority), recognises the input of the people who help you, helps our volunteers find new issues to answer, and keeps the forum nice and tidy. It’s just a nice way to give back, and only takes a moment :slight_smile:

(this is template reply, do feel free to reply if I’ve misunderstood the situation!)