Run ansible-playbook from cron, webhooks, or any HTTP signal. Add step-level retries, parsed per-host results via the Kestra callback, approval gates between waves, and chain Ansible with Terraform, NetBox, or ServiceNow in one execution history.
Replace Ansible Tower / AAP with a workflow engine that listens to cron, webhooks, or alerts, handles drift detection and rolling waves with per-host verification, and chains ansible-playbook with Terraform, NetBox, and ServiceNow. Drop the AAP subscription; halt a wave at the first failed health probe.
What Kestra wraps around your Ansible runs: when playbooks fire, what comes back per host through the callback, who approves the next wave, and where the audit lives. Your playbooks, roles, inventory, and Vault stay where they are.
Native cron, fixed intervals, webhooks, S3 file arrivals, Kafka messages, and database row changes all fire ansible-playbook directly. The trigger payload reaches the flow as trigger.body, so the right host gets the right --extra-vars from a single execution. No AWX, no Tower, no EDA controller.
Run the playbook with --check --diff on a nightly schedule. The Kestra Ansible callback emits per-host changes, the flow surfaces only the hosts that drifted, and the diff lands in Slack. No enforcement, no surprises, the whole fleet audited overnight.
A terraform output, a NetBox API call, or vmware.vcenter.ListVms writes the inventory at the start of the flow. The next task templates it into inventory.ini. No stale static inventory file, no manual sync between source of truth and what Ansible reads.
The Kestra Ansible callback emits structured per-host outputs after each play. A ForEach task loops over the hosts and branches on changed, failed, or any fact. Route alerts by tag, hand failing hosts to a remediation flow, or upload the play recap to S3.
Set serial: 1 (or 10%) in the play. The playbook runs against one batch at a time. Between batches, a Kestra HTTP probe checks the service is healthy. A failed probe halts the flow before the next batch, preserving the rest of the fleet.
Every play, every host, every task output is stored per execution. Open last week's run, click into the failing host, replay that step against the same target. The original inventory, vars, and ansible.cfg are preserved with the run, so the replay matches the original conditions.
Patterns infrastructure teams run in production today. Each one shows the flow end to end, with the real plugin classes in play.
Run the playbook with --check --diff against the fleet on a nightly schedule. The Kestra Ansible callback emits structured per-host output. A ForEach loops through hosts and posts a Slack alert only when a host comes back with changed: true. Clean runs stay quiet, the play recap stays attached to the execution for audit.
--check + --diff reports what would change without touching the host.
The Kestra Ansible callback writes per-host JSON the flow can iterate with ForEach.
Keeps Slack quiet on clean nights, surfaces only the hosts that drifted.
Every nightly audit is timestamped, attributed, and replayable from the execution UI.
Published as the ansible-config-drift blueprint in the Kestra catalog.
ansible-playbook with serial: 1 patches one host at a time. Between batches, a Kestra core.http.Request task probes the application health endpoint. If the probe fails, the flow halts before the next batch and pages on-call. No half-broken fleet, no manual stop-the-pipeline.
serial: 1, serial: 10%, or a mix. Ansible enforces the batching, Kestra runs the verify task per batch.
core.http.Request with a retry policy decides whether the wave continues.
The flow exits before the next batch, the unpatched hosts stay on the old version.
Each batch has its own log line in the execution, with the host list and the probe result.
A Splunk or CloudWatch alert fires on high CPU or a failed health check. The webhook hits Kestra, Kestra runs the remediation playbook against the affected host (inline inventory built from the alert payload), updates the ServiceNow incident with the playbook output, and posts to Slack. Same flow, same audit trail, whether the alert fires once a week or a hundred times a day.
Fire a playbook from Splunk, PagerDuty, ServiceNow, or any HTTP source. No glue service required.
The host name from trigger.body becomes a one-line inventory.ini, scoped to the affected host only.
Push the playbook's diagnostic output back into the ServiceNow ticket as a work note.
Re-run the playbook against the original target with one click from the execution view.
terraform output or a NetBox device query emits the inventory at the start of the flow. The next task templates it into inventory.ini (or hands it as a JSON dynamic inventory). The playbook runs against the freshly resolved hosts. No stale static inventory file, no manual sync between source of truth and Ansible.
The inventory comes from the tool that actually knows the hosts: Terraform state, NetBox DCIM, or a cloud API.
Inline inputFiles writes the inventory from outputs.fetch_inventory at the start of the playbook task.
Every run sees the current state, not yesterday's snapshot.
The orchestration of Ansible is very poor compared to what we can do with Kestra. I doubt that we can only use Terraform and Ansible to do all our complex orchestration.
| Capability | | | GitHub Actions | |
|---|---|---|---|---|
| Check-mode drift detection with per-host alerting | Native, Kestra Ansible callback parses changed=true per host | Survey-driven runs, no native drift loop | Possible via shell + stdout parsing | Possible via job steps, manual parse |
| Rolling restart with serial + per-batch health probe | <code>core.http.Request</code> between batches halts on failure | serial works, verify needs custom plugin | serial works, verify is a custom step | Manual orchestration |
| Dynamic inventory from Terraform, NetBox, vCenter, cloud APIs | Native plugin tasks emit inventory at run time | AAP inventory plugins (config-managed) | Custom shell to build inventory | Resource model plugin |
| Per-host result parsing via callback | Kestra Ansible callback, structured outputs iterable in YAML | AAP run history, harder to chain downstream | stdout parsing in shell | Job log parsing |
| Wave gating between dev / staging / prod | Native Pause + resume, named reviewer logged | Workflow approval (paid tiers) | Environment approvals (deploy only) | Pause-on-input step |
| Event triggers (webhook, S3, Kafka, file) | Native, cross-source | EDA controller add-on | Webhook events on the repo | Webhook only |
| Ansible Vault decryption from secrets backend | Vault file mounted from secrets at run time | Built-in credential store | Secrets in env, manual mount | Key Storage Service |
| Chain Ansible with Terraform / NetBox / ServiceNow / ArgoCD | Native plugin tasks, outputs flow forward | Possible via collections | Possible via actions and glue | Job steps, manual wiring |
| Air-gapped / private network deploy | Self-hosted by default | Self-hosted (Red Hat subscription) | Self-hosted runners | Self-hosted |
| Orchestrate beyond Ansible | 1400+ plugins, cross-stack | Ansible-centric | Possible, action-dependent | Possible, plugin-dependent |
Side-by-side breakdown across event-driven runs, Ansible callback parsing, dynamic inventory, wave gating, and cross-tool chaining.
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.
Automate infrastructure with Kestra, Ansible and Terraform
The AnsibleCLI task end to end, with a Terraform handoff for a full provision-and-configure flow.
Automate infrastructure workflows in Kestra
How Kestra orchestrates Docker, Terraform, OpenTofu, Terragrunt, Ansible, and cloud CLIs in one declarative flow.
Top alternatives to Ansible for modern DevOps
Where Ansible fits among Puppet, Chef, Salt, Terraform, and Kestra, and when each one is the right tool.
Ansible plugin reference
Every Ansible CLI task and parameter, with copy-ready YAML examples.
Drive check-mode drift detection, gate patch waves, build inventory from Terraform or NetBox, and parse per-host results with the Kestra Ansible callback. Open source, self-hosted, event-driven.
