Managing Enterprise Automation with Red Hat Ansible Automation Platform
- Section Creating a Project for Ansible Playbooks
- SectionObjectives
- SectionAutomation Controller Projects
- SectionCreating a Project
- SectionProject Roles
- SectionManaging Project Access
- SectionCreating SCM Credentials
- SectionSCM Credential Roles
- SectionManaging Access to SCM Credentials
- SectionUpdating Projects
- SectionSupport for Ansible Content Collections and Roles
- Guided Exercise: Creating a Project for Ansible Playbooks
- Creating Job Templates and Launching Jobs
- Guided Exercise: Creating Job Templates and Launching Jobs
- Lab: Managing Projects and Launching Ansible Jobs
- Summary
Abstract
| Goal |
Create projects and job templates in the web UI, and use them to launch Ansible Playbooks that are stored in Git repositories in order to automate tasks on managed hosts. |
| Objectives |
|
| Sections |
|
| Lab |
|
Create a project in automation controller that uses playbooks and other project materials from an existing Git repository.
A Red Hat Ansible project represents at least one playbook that is usually stored in a remote version control system, typically using Git. The project might also include additional playbooks, inventories, and inventory variable files. If the project requires Ansible Content Collections or roles, then the project might also include them, or it might include requirements.yml files that specify them and from where automation controller can download them.
Automation controller can automatically download and get updates for project materials and the resources specified by requirements.yml files when a job template that uses the project is launched.
You can use the following procedure to create a project to share a collection of Ansible Playbooks and roles managed in an existing Git repository.
Log in to the automation controller web UI as a user with either the
AdminorProject Adminrole in an organization.Navigate to → and then click to open the page.
Enter a unique name for the project in the field. If desired, enter a description in the field.
Click the search icon next to the field to display a list of organizations within automation controller. Select an organization from the list and then click . By default, new projects are assigned to the
Defaultorganization.Specify the default execution environment used for jobs in this project (optional).
In the drop-down menu, choose .
In the section, enter the location of the Git repository in the field. In the field, specify the branch, tag, or commit of the repository to use for the project (optional).
If authentication is required to access the Git repository, click the search icon next to the field to display a list of available source code management (SCM) credentials. Select an SCM credential from the list and click . The creation of SCM credentials is discussed later in this section.
Select the desired action to be taken to update the project against its SCM source. Available options are
Clean,Delete,Update Revision on Launch, andAllow Branch Override. These four options are discussed in further detail at the end of this section.Click .
Users are granted permissions to project resources through assigned roles on the project resource. Roles can be assigned directly to a user or indirectly through a team. For example, for a user to gain permissions on a specific project, they must be assigned or inherit a role for that project.
The following project roles are available:
- Admin
The
Adminrole grants users full access to a project. Users with this role can modify or delete the project, including its permissions. This role also grants users theUse,Update, andReadroles, which are discussed later in this section.- Use
The
Userole grants users the ability to use a project in a template resource. The use of a project in a template resource is discussed in detail in a later section. This role also grants users the permissions associated with the projectReadrole.- Update
The
Updaterole enables users to schedule or manually update project materials from its SCM source. This role also grants users the permissions associated with the projectReadrole.- Read
The
Readrole enables users to view the details, permissions, and notifications associated with a project.
Initially, only users with the System Administrator or System Auditor user type can access projects. You must specifically configure access for users with the Normal User user type. You cannot assign roles when you create the project; create the project first and then add any roles.
You can assign roles in the section of the project editor. Use the following procedure to set roles for a project:
Log in as a user with the
Adminrole for the organization in which the project was created.Navigate to → and then click the name of the project.
Click the tab and then click to start adding permissions.
Select either or and then click .
Select the users or teams to be granted permissions and then click to display the list of project roles and their definitions.
Select the desired project roles for each user or team and then click .
Note
You can also add roles for projects through either the user or the team management pages.
Source control management credentials, also called SCM credentials, store authentication information that automation controller can use to access project materials stored in a version control system such as Git. SCM credentials store the username and the password or private key (and private key passphrase, if any) needed to authenticate access to the source control repository.
Use the following procedure to create an SCM credential so that automation controller can retrieve playbooks, roles, or other materials from a Git repository for a project.
Log in as a user with the appropriate role assignment.
To create a private SCM credential, there are no specific role requirements.
To create an SCM credential that belongs to an organization, log in as a user with the
Adminrole for the organization.
Navigate to → and then click to display the page.
Enter the required information for the new credential.
Enter a unique name for the credential in the field.
If you are creating an organization credential, click the search icon next to the field, select the organization to create the credential in, and then click . Skip this step if creating a private credential.
In the field, select the credential type. This exposes the section.
Enter authentication data into the appropriate fields. For example, you might need to specify a username and password for your account on the version control system. If you are using an SSH private key to authenticate to the version control system, either copy and paste or drag and drop your private key into the field. That key can be a passphrase-encrypted SSH private key, in which case you must provide the passphrase to automation controller in the field.
Click to create the new SCM credential.
Like machine credentials, private SCM credentials are only usable by their creators and System Administrator and System Auditor users. However, you can share SCM credentials with other users by assigning the credentials to an organization and assigning appropriate roles on those credentials to teams or users in that organization.
The following is the list of roles for SCM credentials:
- Admin
The
Adminrole grants users full permissions over an SCM credential. These permissions include deleting and modifying the SCM credential. This role also grants users permissions associated with the credentialUseandReadroles.- Use
The
Userole grants users the ability to associate an SCM credential with a project resource. This role also grants users the permissions associated with the credentialReadrole.The
Userole does not control whether a user can themselves use the SCM credential to update a project, only whether they can assign that SCM credential so that it can then be used by someone who has theUpdaterole on the project.For example, if an SCM credential is associated with a project, any user assigned the
Updaterole on the project can use the associated SCM credential without being granted theUserole on the credential.- Read
The
Readrole grants users the ability to view the details of an SCM credential.
Initially, only users with the Admin or Auditor organization role can access SCM credentials within their organization. You need to specifically configure any additional user access.
The assignment of SCM credential roles to users or teams dictates who has permissions to an SCM credential belonging to an organization. You cannot assign these permissions when you create the SCM credential. You can adjust them after their creation by editing the credential.
You can assign roles through the section of the credential editor page. Use the following procedure to grant permissions to an existing SCM credential that is assigned to an organization.
Log in as a user with the
Adminrole in the organization to which the SCM credential belongs.Navigate to → and then click the name of the SCM credential.
Click the tab and then click to start adding permissions.
Select either or and then click .
Select the users or teams to which you are granting permissions, and then click to display the list of credential roles and their definitions.
Select the desired credential roles for each user or team and then click .
Note
You can also add permissions for SCM credentials through either the user or team management pages.
An SCM project resource in automation controller represents a copy of playbooks, collections, and roles obtained from an SCM source. Because modifications to the contents of these playbooks, collections, and roles are managed in an external SCM system, their respective counterparts in an automation controller project must be routinely updated from the SCM source to reflect changes.
The following sections describe different ways to update SCM project resources in automation controller.
This option removes local modifications before getting the latest revision from the source control repository.
This option completely removes the local project repository on automation controller before getting the latest revision from the source control repository. This takes longer than the Clean option for large repositories.
This option allows overriding the branch, tag, or reference when executing job templates that use a given project.
This option updates the project from the source control repository each time the project is used to launch a job. Automation controller creates a separate job to update the project.
If you do not want to use these automatic settings, you can manually update a project to the latest version in the source control repository.
Use the following procedure to manually update a project from its SCM source:
Log in as a user with the
Updaterole in the project.Navigate to → and then click the icon for the project that you want to update.
If the update succeeds, then the status column displays the message and the revision column displays the latest commit hash.
Important
The Update role only dictates whether a user can manually trigger an update of a project from its SCM source. It does not impact the update behavior configured by the project’s SCM update option.
For example, a project configured with the Update on Launch SCM update option still performs updates even when the project is used by a user who has not been granted the Update role on the project.
A project can include a copy of the Ansible Content Collections or roles that it needs. It can be a better practice, however, to store those Ansible Content Collections or roles in a separate repository, especially if they are managed by other people, and have automation controller automatically retrieve that content as needed. These sources could be automation hub, the community Ansible Galaxy site, or your own Git repository server, for example.
You manage this by creating a requirements.yml file, just like the one used by the ansible-galaxy command. At the end of a project update, if a project repository includes a valid roles/requirements.yml file, then automation controller automatically installs the defined roles. The output of the project update job contains a task similar to the following:
...output omitted... TASK [fetch galaxy roles from requirements.(yml/yaml)] ************************* changed: [localhost] => (item=/var/lib/awx/projects/_13__example_project/roles/requirements.yml) ...output omitted...
Similarly, if a project repository includes a valid collections/requirements.yml file, then automation controller automatically installs the defined collections. The output of the project update job contains a task similar to the following:
...output omitted... TASK [fetch galaxy collections from collections/requirements.(yml/yaml)] ******* changed: [localhost] => (item=/var/lib/awx/projects/_13__example_project/collections/requirements.yml) ...output omitted...
