In the previous blog, Mastering Ansible for Server Management – Part 2, we discussed Ansible, discovering its fundamental concepts and learning how to set up a robust Ansible project. While Open Source Ansible has proven to be a stalwart in configuration management, Red Hat Ansible Automation Platform takes automation to new heights.
It’s more than just a tool; it’s a comprehensive platform designed to meet the evolving needs of large-scale enterprises.
What we will cover today
In this blog, we will build on the Ansible open source foundation, and delve further into the world of automation by exploring the Red Hat Ansible Automation Platform (AAP). We will learn about:
- Core Elements of Ansible Automation Platform
- Navigating Ansible Tower in AAP
- Role-Based Access Control (RBAC) in AAP
- Simplified Workflows with AAP’s Workflow Designer
- Credential Encryption
- Integration with source code repository
Important Note: Ansible Automation Platform is an extension of Ansible. You must know the basics of Ansible.
Discover Red Hat Ansible Automation Platform
Let’s take a closer look at a conversation between Matt H, Lead Engineer, and his teammates to understand Red Hat Ansible Automation Platform.
Sam: Hey Matt, working with Open Source Ansible has been great, but there are a few challenges we’ve come across.
Matt: Alright. What hurdles are you facing?
Sam: There are a few, actually:
- Team Collaboration: As our team grows, keeping tabs on who’s doing what has become a bit of a puzzle.
- Workflow Complexity: Our automation workflows are evolving and becoming more complex. Managing the execution order has become quite a challenge. We even tried exploring Jenkins pipelines, but it turned out to be quite an effort.
- Security Concerns: Storing Ansible-specific encrypted credentials is also on our radar. It’s crucial, but we’re figuring out the most secure and efficient way to handle it. We have identified AWS Secrets Manager to store these credentials and to use AWS CLI to get them at the run time.
- Execution Reporting Woes: Lastly, reporting on executions has turned into a bit of a nightmare. It’s challenging to generate detailed reports on which playbooks were executed on a specific server. Right now, we’re relying heavily on manual reporting, and it’s not the most efficient process.
Matt: Those are some significant pain points, Sam. You know, Red Hat Ansible Automation Platform (AAP) could be the game-changer you’re looking for.
Sam: Really? How so?
Matt: Well, AAP addresses these challenges head-on. With Ansible Tower in AAP, you get Role-Based Access Control (RBAC) that makes team collaboration more organised and secure.
The Workflow Designer simplifies the complexities of automation workflows, offering a streamlined way to manage execution order.
Plus, AAP has robust features for handling encrypted credentials securely. And when it comes to reporting, Ansible Tower provides detailed execution logs and reports, saving you from the manual reporting hassle.
Sam: That sounds like just what we need. One more thing, we have Ansible playbooks stored in our Azure DevOps repository. Does AAP take this into consideration?
Matt: Absolutely, Sam. AAP seamlessly integrates with source code repositories, including Azure DevOps and GitHub. With this integration, you can continue to store and manage your Ansible playbooks in Azure DevOps.
Ansible Tower, the central component of AAP, is designed to work with version control systems, making it easy to pull playbooks directly from repositories. This ensures that your existing workflow with Azure DevOps is not only preserved but also enhanced by the capabilities of Ansible Automation Platform. It’s all about integrating smoothly into your existing processes.
Sam: This is so awesome. Could you please help us in converting one playbook to show what it will look like in AAP with all the components used?
Matt: Absolutely, Sam. Let’s take one of your existing playbooks and transform it into an Ansible Automation Platform (AAP) setup.
We’ll incorporate components like inventory, credentials, and roles to make it fit seamlessly into the AAP structure.
This way, you’ll see how AAP adds an extra layer of organisation and control to your automation workflows. Which playbook are we working with?
Sam: Maybe we can start with the “Configure NTP” playbook.
Matt: Great choice, Sam. Let’s break it down step by step. In Ansible Automation Platform, we’ll organise it into a structured setup.
Steps to perform in order:
Here are the steps we will perform in order:
1. Organisation Setup:
   - Start by creating an Organisation.
   - Go to “Organizations”, click Add and create a new org.
2. Azure DevOps Credential Creation:
   - Go to Credentials in the left pane and click Add.
   - Enter Name and Description and select the Organisation created in Step 1.
   - Select Credential Type as Source Control.
3. Project Configuration:
   - Once the SCM credential is created, go to Projects and click Add.
   - Enter Name, select the Organisation created in Step 1 and set Source Control Type to “Git”.
   - Enter the Source Control URL, select the credentials created in Step 2 and click Save. For an Azure DevOps repository, provide a URL like:
     https://<org>@dev.azure.com/<org>/Ansible/_git/Ansible
   - Click the “Sync” button and ensure it reaches the Successful status. This will ensure the AAP project is in sync with your Azure DevOps repository.
4. Inventory Host Setup:
   - Next, we’ll set up Inventory hosts. Go to the “Inventories” tab and “Add new inventory”.
   - Select the “Sources” tab and select “Sourced from a Project”.
   - Select the project created in Step 3 and provide an inventory file path. Based on our project structure it will be “inventory”, since this is the name we have given to our inventory file and it is stored in the root of the project.
   - Once synced, you will start seeing all the hosts and groups in the SCM file appearing in AAP. Confirm this by navigating to the “Hosts” tab.
5. Credential for Remote Hosts:
   - Before creating a template (playbook), make sure to add a new Credential, which is required to connect to the remote hosts. Go to Credentials again, select Credential Type as “Machine” and provide the username and key.
6. Playbook Template Creation:
   - Next up is to create the most important component, i.e. the playbook. Go to Templates, click Add and select “Add job template”.
   - We will use the credentials created in Step 5 for the playbook, just like how we passed them in the CLI command.
   - Select all the required details as below and your playbook is ready to be executed.
   - Please remember to Sync the project if you don’t see your playbook in the “Playbook” dropdown option.
By following these steps, you’ve organised your Ansible playbook within Ansible Automation Platform, enhancing management, security, and workflow efficiency.
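The same six steps can be expressed as ordered calls to the controller REST API (`/api/v2/`), which makes the dependency between objects explicit. This is an added example, not code from the original post: the `call` helper, the object names, the playbook filename `configure_ntp.yml` and the offline `fake_controller` are assumptions made for illustration.

```python
import os
from urllib.parse import quote

def provision(call, cfg, secrets):
    """Create the objects from steps 1-6 in order; call(method, path, body) -> JSON dict."""
    def create(path, body):
        return call("POST", f"/api/v2/{path}/", body)["id"]
    def cred_type(name):  # credential types are referenced by numeric id
        found = call("GET", f"/api/v2/credential_types/?name={quote(name)}", None)
        return found["results"][0]["id"]
    ids = {"org": create("organizations", {"name": cfg["org"]})}
    ids["scm_cred"] = create("credentials", {
        "name": "azure-devops-scm", "organization": ids["org"],
        "credential_type": cred_type("Source Control"),
        "inputs": {"username": secrets["scm_user"], "password": secrets["scm_token"]}})
    ids["project"] = create("projects", {
        "name": "ansible-repo", "organization": ids["org"], "scm_type": "git",
        "scm_url": cfg["scm_url"], "credential": ids["scm_cred"]})
    ids["inventory"] = create("inventories", {"name": "servers", "organization": ids["org"]})
    ids["inv_source"] = create("inventory_sources", {
        "name": "from-repo", "inventory": ids["inventory"], "source": "scm",
        "source_project": ids["project"], "source_path": cfg["inventory_file"]})
    ids["machine_cred"] = create("credentials", {
        "name": "remote-hosts-ssh", "organization": ids["org"],
        "credential_type": cred_type("Machine"),
        "inputs": {"username": secrets["ssh_user"], "ssh_key_data": secrets["ssh_key"]}})
    # A real run must wait here until the project sync from step 3 has succeeded.
    ids["template"] = create("job_templates", {
        "name": "Configure NTP", "job_type": "run", "inventory": ids["inventory"],
        "project": ids["project"], "playbook": cfg["playbook"]})
    call("POST", f"/api/v2/job_templates/{ids['template']}/credentials/", {"id": ids["machine_cred"]})
    return ids

def fake_controller():  # offline stand-in for the HTTP client: records calls, hands out ids
    log = []
    def call(method, path, body):
        log.append((method, path, body))
        if method == "GET":
            return {"results": [{"id": 100 + len(log)}]}
        return {"id": len(log)}
    return call, log

# Constructed sample config; object names and the playbook filename are assumptions.
CFG = {"org": "Platform-Team", "inventory_file": "inventory", "playbook": "configure_ntp.yml",
       "scm_url": "https://<org>@dev.azure.com/<org>/Ansible/_git/Ansible"}
# Secrets come from the environment, never from the repository holding this script.
SECRETS = {k: os.environ.get(k.upper(), "unset")
           for k in ("scm_user", "scm_token", "ssh_user", "ssh_key")}

if __name__ == "__main__":
    print(provision(fake_controller()[0], CFG, SECRETS))
```

Against a real controller, `call` would be a thin wrapper around an authenticated HTTPS client; the token and SSH key then exist only in the process environment and in the controller's credential store.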
Setting up RBAC for playbooks:
Sam: This sounds very straightforward. This means we still manage everything as code, but this is just a platform for organising and execution. How do we restrict other teams from accessing our playbooks?
Matt: Excellent question, Sam. Remember I mentioned RBAC earlier. RBAC allows you to define granular permissions, ensuring that only authorised teams or individuals can access specific components.
Sam: That’s reassuring. Could you walk me through how we set up RBAC for our playbooks?
Matt: Certainly, Sam. Here’s a step-by-step guide:
- Define Users and Teams: Under Organisation, define users and teams, assigning specific roles based on responsibilities. Roles can include Admin, Member, Auditor, or Custom Roles tailored to your needs.
- Roles for Inventories and Projects: For the inventory and project, assign roles to control access. This allows you to specify who can view, modify, or execute playbooks within a given inventory or project.
- Credential Permissions: Similarly, we can restrict access to credentials to certain team member roles.
Sam: I observed in the template screenshot above that default variables can be specified. What if there’s a need to override these values during execution? How can this be accomplished?
Matt: Certainly, for that, AAP introduces the concept of a “Survey.” Here, you can pose a specific question and assign it a variable name. Users can then input the variable value at runtime, allowing for dynamic overrides during execution.
Here is a screenshot of a Survey question prompting the user to enter the value for “target_host” at runtime. The default value for this variable is set to “melbourne.”
Important note: don’t forget to enable the survey question to incorporate user input during runtime.
Sam: How do we execute a playbook and see its results?
Matt: Very straightforward, Sam. Once your playbook is set up in Ansible Automation Platform (AAP), follow these steps:
- Navigate to Templates
- Choose the playbook template you want to execute and click on Launch.
- Fill in any required parameters or options for the playbook execution. This includes selecting the inventory, credentials, and any extra variables needed.
- Click on “Launch” to initiate the playbook execution.
- You can monitor the progress of the job in real-time. AAP provides detailed logs and outputs, allowing you to track each step of the playbook.
- For a deeper dive, you can access execution logs and reports. This is especially useful for troubleshooting or auditing purposes.
Sam: That does sound simple. Can we schedule playbook executions for specific times?
Matt: Absolutely. AAP allows you to set up schedules for playbook executions. This is handy for tasks that need to run at specific intervals or during non-business hours. You can configure the frequency, timing, and other parameters to automate the execution process.
Sam: We touched upon the reporting aspect earlier. How does that work in AAP?
Matt: In AAP, there’s a convenient view that allows you to check which playbooks have been executed for a specific host. This feature provides a quick and insightful overview of the automation activities related to a particular host, enhancing visibility and facilitating efficient management of playbook executions.
Similarly, in AAP, you can also review the results of a specific playbook execution. This feature provides detailed insights into how a particular playbook is performing, including the status of individual tasks, any encountered errors, and overall execution trends. It’s a valuable tool for monitoring the health and effectiveness of playbook runs, allowing for prompt identification and resolution of issues.
Sam: You also mentioned job workflows. What exactly are they?
Matt: Job workflows in AAP are sequences of jobs or tasks that you can string together. It allows you to define a series of steps, dependencies, and conditions, creating a more sophisticated automation process.
For example, you can set up a workflow to first configure servers, then deploy applications, and finally perform testing – all as a cohesive, automated sequence. It’s a powerful way to orchestrate complex tasks with precision and efficiency.
Sam: I was wondering, what we have done above is all ClickOps. Is there any AAP Controller API that can be used to create all the above components, e.g., inventory, project, credentials, etc., using code?
Matt: Absolutely, Sam. Ansible Automation Platform provides a robust RESTful API, known as the Ansible Tower API. It allows you to programmatically create and manage various components like inventories, projects, credentials, and more. This way, you can automate the setup and configuration processes, making it more efficient and scalable. If you’re comfortable with scripting or using tools that support API calls, you can seamlessly integrate Ansible Automation Platform into your broader automation workflows.
API Reference – https://docs.ansible.com/automation-controller/latest/html/controllerapi/api_ref.html
Sam: Great, Matt. This adds a layer of automation and convenience to our playbook execution process.
Matt: Yes, let’s get onto it. You will learn a lot of new things once you get your hands dirty. The best way to understand is by doing, and Ansible Automation Platform offers a hands-on experience that will broaden your skills and insights.
Dive in, and don’t hesitate to explore and experiment. If you have any questions along the way, feel free to reach out. Happy automating!
Conclusion
In this blog, we delved into the seamless integration of Ansible Automation Platform (AAP) into our automation workflow. The transition from Open Source Ansible to AAP not only preserves the code-centric approach but also introduces a structured platform for efficient organisation and execution.
We explored the step-by-step process of setting up an organisation, configuring source control management, and structuring inventories and playbooks within AAP. The introduction of Role-Based Access Control (RBAC) ensures that access to playbooks and related components is meticulously controlled, enhancing security and organisation.
As we embark on this journey with Ansible Automation Platform, the emphasis is on hands-on learning. So, with Ansible Automation Platform, we’re not just automating tasks; we’re evolving our approach, embracing efficiency, security, and the power of organised automation.