Posted on June 23, 2025June 23, 2025 | by priteshgeek

📘 Introduction & Overview

✅ What is Ansible?

Ansible is an open-source automation engine used for configuration management, application deployment, task automation, and IT orchestration. Developed in Python, it uses a declarative language (YAML) to describe system configurations.

Ansible = Agentless + Idempotent + Declarative

🕰️ History & Background

Year	Milestone
2012	Ansible was created by Michael DeHaan
2015	Acquired by Red Hat
2019	Became a key Red Hat Automation Platform component
2020+	Widely adopted in DevOps and DevSecOps pipelines

🔐 Why is Ansible Relevant in DevSecOps?

Security as Code: Automate security hardening tasks across infrastructure.
Compliance Automation: Implement CIS benchmarks, STIGs.
Immutable Infrastructure: Prevent drift using repeatable playbooks.
Agentless: Reduces attack surface by avoiding persistent agents on nodes.
Auditability: YAML playbooks are human-readable and version-controlled.

📚 Core Concepts & Terminology

🗂️ Key Terms

Term	Definition
Playbook	A YAML file defining automation tasks
Inventory	A list of managed hosts (static/dynamic)
Module	A unit of work (e.g., `yum`, `apt`, `user`)
Role	A reusable, modular set of tasks/files
Facts	Auto-collected system variables
Vault	Encrypt secrets like passwords or keys

🔄 Fit in DevSecOps Lifecycle

DevSecOps Phase	Ansible Role
Plan	Define compliance requirements (e.g., roles for CIS)
Develop	Automate security checks for dev environments
Build	Embed playbook execution in CI pipelines
Test	Enforce tests like port scans, config audits
Release	Ensure hardened images/configs
Deploy	Automate secure provisioning to cloud/on-prem
Operate	Enforce continuous compliance
Monitor	Re-run playbooks to correct drift or violations

🧠 Architecture & How It Works

⚙️ Core Components

Control Node: Executes playbooks
Managed Nodes: Target servers (no agent needed)
Modules: Perform tasks
Plugins: Extend Ansible (e.g., callback, connection, inventory)
Inventory: Define managed hosts
Roles/Collections: Code reuse and packaging

🔁 Internal Workflow (Step-by-step)

Load inventory
Read playbook
Connect via SSH or WinRM
Execute modules on nodes
Collect output and apply changes
Generate logs and optionally call callbacks

🖼️ Architecture Diagram (Description)

[Control Node (Ansible CLI)]
      |
      |---[SSH or WinRM]
      |
[Managed Node 1] [Managed Node 2] ... [Cloud APIs]

Playbooks live on the control node
Inventory defines which nodes to affect
Tasks run in parallel or serial as defined

🔌 Integration with CI/CD & Cloud

CI/CD: Integrates with Jenkins, GitLab CI, GitHub Actions via Ansible CLI or Ansible Tower API
Cloud: Modules for AWS, Azure, GCP, VMware, OpenStack
Secrets: Integrates with HashiCorp Vault, AWS KMS

⚙️ Installation & Getting Started

🧾 Prerequisites

Python 3.8+
SSH access to managed nodes
Linux/macOS or WSL (Windows Subsystem for Linux)

📥 Installation (Linux/macOS)

# Install using pip
pip install ansible

# Verify version
ansible --version

🛠️ Hands-On: Basic Setup

Create Inventory File

[web]
192.168.1.100 ansible_user=ubuntu

[db]
192.168.1.101 ansible_user=ubuntu

Write a Playbook

# playbook.yml
- hosts: web
  become: yes
  tasks:
    - name: Install NGINX
      apt:
        name: nginx
        state: present

Run It

ansible-playbook -i inventory.ini playbook.yml

🌍 Real-World Use Cases in DevSecOps

🛡️ Use Case 1: Security Hardening

- name: Ensure UFW is enabled
  ufw:
    state: enabled
    policy: deny

🧪 Use Case 2: Security Testing with OpenSCAP

ansible-galaxy install ansible-lockdown.rhel7-cis
ansible-playbook -i inventory.ini rhel7-cis/site.yml

🧰 Use Case 3: Dynamic Cloud Provisioning

Provision secure EC2 instances with encrypted EBS volumes
Add security groups, IAM roles via Ansible AWS modules

🏥 Industry Example: Healthcare

Enforce HIPAA compliance across on-prem and cloud infra using prebuilt compliance playbooks

⚖️ Benefits & Limitations

✅ Benefits

Agentless = Lower resource usage
Declarative, readable YAML = Easy collaboration
Massive community and module ecosystem
Great for compliance as code

❌ Limitations

No GUI in OSS (Ansible Tower is paid)
Slower with large inventories unless optimized
Python dependency on the control node
Learning curve for dynamic inventories

💡 Best Practices & Recommendations

🔐 Security Tips

Use Ansible Vault to encrypt credentials
Restrict become: yes usage
Audit playbooks regularly

📏 Compliance & Performance

Use CIS roles
Schedule regular audits with cron + playbooks
Split tasks into roles for modularity

⚙️ Maintenance

Use collections to manage reusable code
Tag tasks for selective execution
Document every task properly

🔁 Comparison with Alternatives

Tool	Agentless	Language	Best For
Ansible	✅ Yes	YAML	Simplicity, DevSecOps
Puppet	❌ No	Ruby DSL	Large-scale config mgmt
Chef	❌ No	Ruby DSL	Infrastructure as code
SaltStack	✅ Yes	YAML + Python	Event-driven automation

Choose Ansible if you prefer:

Simple YAML syntax
Agentless architecture
Fast prototyping and DevSecOps integration

🏁 Conclusion

Ansible brings together simplicity, scalability, and security—all vital for modern DevSecOps pipelines. Whether you’re automating security patching, enforcing compliance, or hardening infrastructure at scale, Ansible offers a battle-tested and community-backed solution.

📌 Next Steps

Learn about Ansible Tower or AWX (GUI version)
Explore collections on Ansible Galaxy
Automate your full CI/CD + compliance pipeline

🛡️ Ansible in DevSecOps: A Comprehensive Tutorial