Automating Configuration Management

So many choices!  Puppet, Chef, Salt, Ansible!  What’s an organization to do?
We initially went down the Puppet path, as one of our distributed IT organizations invested lots of time in getting Puppet going.  We ended up not going too far down the path as we started using Ansible.
The biggest reason is that Ansible is agentless.  All the commands go over ssh, and there is nothing to install on destination servers.  We’ve run into a couple of issues where the documentation doesn’t match the behavior when developing an Ansible playbook, but nothing insurmountable.
We realize many benefits from having a fully self-documenting infrastructure, and find that it, in concert with git (we use BitBucket because of free unlimited private repos for educational institutions), enables the adoption of devops principles.
At a high level, we have a playbook we call Ansible-Core which contains a variety of roles, maintained by our Platform team.  These roles correspond to specific configurations, including:
  • Ensuring that our traditional Platform/OS engineers have accounts/sudo
  • Account integration with central authentication
  • Common software installation
    • NGINX, configuration of our wildcard SSL certificate chain, etc.
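The accounts/sudo item above, sketched as a single play so it can be run on its own. This is an added example, not the Ansible-Core code; the group name, user names and sudoers file name are assumptions.

```yaml
# Added example; every name below is hypothetical.
- name: Ensure Platform/OS engineers have accounts and sudo
  hosts: all
  become: true
  vars:
    platform_admin_group: platform-admins   # assumed group name
    platform_engineers: [alice, bob]        # constructed sample users
    platform_departed: [carol]              # constructed sample user
  tasks:
    - name: Create the admin group
      ansible.builtin.group:
        name: "{{ platform_admin_group }}"
        state: present

    - name: Create engineer accounts in the admin group
      ansible.builtin.user:
        name: "{{ item }}"
        groups: "{{ platform_admin_group }}"
        append: true          # keep any other group memberships
        shell: /bin/bash
        state: present
      loop: "{{ platform_engineers }}"

    - name: Remove accounts of people who have left the team
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
      loop: "{{ platform_departed }}"

    - name: Grant sudo to the group through a validated drop-in
      ansible.builtin.copy:
        dest: /etc/sudoers.d/platform-admins
        content: "%{{ platform_admin_group }} ALL=(ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        # visudo checks the temp file first, so a syntax error never
        # reaches /etc/sudoers.d and locks everyone out of sudo.
        validate: /usr/sbin/visudo -cf %s
```

Because sudo rights are granted to the group rather than to named users, a pull request that changes who has root shows up in review as a one-line change to the user list.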
When developing a playbook for an individual service, the developer scripting software installation/configuration may encounter a dependency which is not specific to the service, for example installation of the AWS CLI (not there by default if you start with a minimal machine config).  Realizing that leads to a conversation with the Platform team about adding that role to Ansible-Core.  That can happen two ways:
  • By the dev, who issues a pull request to the Platform team.  That team reviews the change and merges as appropriate.
  • By a member of the Platform team
In the process of creating Ansible scripts, conversation between traditional operations folks and developers flows naturally, and we end up with truly reusable chunks of infrastructure code.  Everyone wins, and more importantly, everyone learns!