Managing Enterprise Automation with Red Hat Ansible Automation Platform

Bookmark this page
P123456789101112
PreviousNext

Guided Exercise: Configuring Red Hat Ansible Automation Platform with Collections

  • Use a Red Hat certified collection to configure resources on automation controller.

Outcomes

  • Use the ansible.controller collection in playbooks to create users and teams in automation controller.

  • Use a job template to create users and teams in automation controller.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that automation controller is installed, and creates a Git repository that provides the required files for the exercise. It also creates the following automation controller resources: a project, an inventory (with an inventory source), and two job templates.

[student@workstation ~]$ lab start code-collection

Procedure 8.1. Instructions

  1. Pull the ee-supported-rhel8 automation execution environment from hub.lab.example.com. You use this automation execution environment to execute playbooks with the ansible-navigator command.

    1. Use the podman login command to log in to the private automation hub at hub.lab.example.com, using the admin user with redhat as the password.

      [student@workstation ~]$ podman login hub.lab.example.com
Username: admin
Password: redhat
Login Succeeded!

    2. Pull the ee-supported-rhel8 automation execution environment image.

      [student@workstation ~]$ podman pull hub.lab.example.com/ee-supported-rhel8
Trying to pull hub.lab.example.com/ee-supported-rhel8:latest...
Getting image source signatures
Copying blob 858b1db62e17 done
Copying blob 3cbba8687c73 done
...output omitted...

  2. Clone the https://git.lab.example.com/git/code-collection.git Git repository into the /home/student/git-repos directory. This repository contains the files for this exercise.

    1. From a terminal, create the /home/student/git-repos directory if it does not already exist, and then change into it.

      [student@workstation ~]$ mkdir -p ~/git-repos/
[student@workstation ~]$ cd ~/git-repos/

    2. Clone the code-collection.git repository and then change into the cloned repository:

      [student@workstation git-repos]$ git clone \
> https://git.lab.example.com/git/code-collection.git
Cloning into 'code-collection'...
...output omitted...
[student@workstation git-repos]$ cd code-collection

    3. Review the files inside the code-collection directory.

      [student@workstation code-collection]$ tree
.
├── add_teams.yml 1
├── add_users.yml 2
├── ansible.cfg 3
├── ansible-navigator.yml 4
├── inventory 5
├── tasks
│   ├── add_user_roles.yml 6
│   └── add_users.yml 7
└── vars
    ├── auth.yml 8
    └── users_teams.yml 9
2 directories, 9 files

      1

      The add_teams.yml playbook uses the ansible.controller.team module to add teams to automation controller. If the team has users, the playbook calls the tasks/add_users.yml file to add those users to automation controller.

      2

      The add_users.yml playbook calls the tasks/add_users.yml file to add users to automation controller. This playbook is appropriate for adding users who do not belong to a team, such as system administrators and system auditors.

      3

      The ansible.cfg file is the configuration file for this project.

      4

      The ansible-navigator.yml file contains configuration for the ansible-navigator command. This file is only used by the ansible-navigator command and is not used by automation controller.

      5

      The inventory file contains the inventory for this project. Because the playbooks in this project only connect to the automation controller API, the playbooks use the localhost host. Recall that a playbook that targets the localhost host runs on the automation execution environment itself.

      6

      The add_user_roles.yml and add_users.yml task files add users and assign roles to the automation controller resources.

      7

      The auth.yml and users_teams.yml files contain variables used by the playbooks in this project. Because these files contain passwords, the files are encrypted with a Vault password of redhat123.

    4. View the vars/users_teams.yml file with the ansible-vault view command using redhat123 as the password. This file contains the list of users and teams. The add_users.yml and add_teams.yml playbooks use the variables defined in this file to add users and teams to automation controller. After viewing the file, press q to exit from the ansible-vault view command.

      [student@workstation code-collection]$ ansible-vault view vars/users_teams.yml
Vault password: redhat123
---
system_auditors:
  users:
    - username: sylvia
      first_name: Syliva
      last_name: Simons
...output omitted...

  3. Add users to automation controller by using the ansible.controller collection.

    1. Navigate to https://controller.lab.example.com and log in as the admin user with redhat as the password.

    2. Navigate to AccessUsers and make a note of the existing users. The lab command removed previously created users and teams.

    3. Go back to the terminal and review the content of the add_users.yml playbook.

      ---
- name: Add users to automation controller
  hosts: localhost
  gather_facts: False
  vars_files: 1
    - vars/auth.yml
    - vars/users_teams.yml
  vars:
    user_array: 2
      - "{{ system_auditors['users'] }}"
      - "{{ system_administrators['users'] }}"
      - "{{ users_no_team['users'] }}"
  tasks:
    - name: Add users with task file
      vars:
        the_users: "{{ user_array | flatten }}"
      include_tasks: tasks/add_users.yml 3

      1

      Variable files encrypted with Ansible Vault.

      2

      The user_array variable contains a list of users to add to automation controller. In this example, the user_array variable contains users from the system_auditors, system_administrators, and users_no_teams variables, which are defined in the vars/users_teams.yml file.

      3

      The tasks/add_users.yml file contains tasks to add users.

    4. Review the content of the tasks/add_users.yml playbook.

      ---
- name: Add users
  ansible.controller.user: 1
    controller_host: '{{ controller_auth["host"] }}'
    controller_username: '{{ controller_auth["username"] }}'
    controller_password: '{{ controller_auth["password"] }}'
    validate_certs: False
    username: '{{ item["username"] }}'
    first_name: '{{ item["first_name"] }}'
    last_name: '{{ item["last_name"] }}'
    email: '{{ item["email"] }}'
    password: '{{ item["password"] }}'
    update_secrets: '{{ item["update_secrets"] | default(False) }}'
    is_superuser: '{{ item["is_superuser"] | default(False) }}'
    is_system_auditor: '{{ item["is_system_auditor"] | default(False) }}'
    state: present
  loop: '{{ the_users }}' 2
  loop_control:
    label: Adding the '{{ item["username"] }}' user.

- name: Assign user roles
  vars:
    the_roles: '{{ role_item["user_roles"] }}'
  include_tasks: add_user_roles.yml 3
  loop: '{{ the_users }}'
  loop_control:
    loop_var: role_item
    label: Assigning roles to the '{{ role_item["username"] }}' user.

      1

      The task uses the user module from the ansible.controller collection to add automation controller users.

      2

      The task loops through a variable to provide values for the ansible.controller.user module options. The task also provides default values for the update_secrets, is_superuser, and is_system_auditor options if they are not defined. Consult the documentation for the ansible.controller.user module for information about module options.

      3

      The second task includes the add_user_roles.yml task file for each defined user. This task file uses the ansible.controller.role module to assign roles, such as assigning organization and team roles to users. Consult the documentation for the ansible.controller.role module for information about module options.

    5. Run the playbook using the ansible-navigator command with the --ask-vault-pass option. When prompted, enter redhat123 as the password.

      [student@workstation code-collection]$ ansible-navigator run add_users.yml \
> --ask-vault-pass
Vault password: redhat123
...output omitted...
TASK [Add users] *********************************************************
changed: [localhost] => (item=Adding the 'sylvia' user.)
changed: [localhost] => (item=Adding the 'simon' user.)
changed: [localhost] => (item=Adding the 'sam' user.)
changed: [localhost] => (item=Adding the 'user1' user.)
...output omitted...

    6. In the automation controller web UI, navigate to AccessUsers and verify that the sam, simon, sylvia, and user1 users exist. The sam and user1 users are normal users. The simon user is a system administrator and the sylvia user is a system auditor.

  4. Add teams to automation controller by using the ansible.controller collection.

    1. Review the content of the add_teams.yml playbook.

      ---
- name: Add team
  hosts: localhost
  gather_facts: False
  vars_files:
    - vars/auth.yml
    - vars/users_teams.yml
  vars:
    team_array: 1
      - '{{ team1 }}'
      - '{{ team2 }}'
      - '{{ team3 }}'
      - '{{ team_developers }}'
  tasks:
    - name: Add team in controller 2
      ansible.controller.team:
        controller_host: '{{ controller_auth["host"] }}'
        controller_username: '{{ controller_auth["username"] }}'
        controller_password: '{{ controller_auth["password"] }}'
        validate_certs: False
        name: '{{ the_team["name"] }}'
        description: '{{ the_team["description"] | default(omit) }}'
        organization: '{{ the_team["organization"] | default("Default") }}'
      loop: '{{ team_array }}'
      loop_control:
        loop_var: the_team
        label: Adding the '{{ the_team["name"] }}' team.

    - name: Add users and assign roles using a task file 3
      vars:
        the_users: '{{ the_team["users"] }}'
      include_tasks: tasks/add_users.yml
      loop: '{{ team_array }}'
      loop_control:
        loop_var: the_team
        label: Adding users to the '{{ the_team["name"] }}' team.
      when: the_team["users"] is defined

      1

      The team_array variable contains a list of teams to add. The vars/users_teams.yml file defines the team1, team2, team3, and team_developers variables.

      2

      This task adds teams to automation controller using the ansible.controller.team module. Consult the documentation for the ansible.controller.team module for information about module options.

      3

      Each team might define a list of users. If a team defines users, then this task passes the team users to the tasks/add_users.yml task file. As seen previously, that task file creates users and assigns roles to users. Because the team1 variable does not define users, the playbook skips this task for the team1 team.

    2. Run the playbook using the ansible-navigator command with the --ask-vault-pass option. When prompted, enter redhat123 as the password.

      [student@workstation code-collection]$ ansible-navigator run add_teams.yml \
> --ask-vault-pass
Vault password: redhat123

PLAY [Add team] **********************************************************

TASK [Add team in controller] ********************************************
changed: [localhost] => (item=Adding the 'team1' team.)
changed: [localhost] => (item=Adding the 'team2' team.)
changed: [localhost] => (item=Adding the 'team3' team.)
changed: [localhost] => (item=Adding the 'Developers' team.)
...output omitted...

    3. In the automation controller web UI, navigate to AccessTeams and verify that the Developers, team1, team2, and team3 teams exist.

    4. (Optional) For each team, click the name of the team and then click the Access tab to see which users belong to the team. The playbook created the team users and assigned a team role for each user. The team1 team does not have any users aside from system users.

  5. Modify the add_teams.yml playbook to add another team called Operations. When you are finished, commit and push your changes to the remote Git repository.

    1. View the vars/users_teams.yml variable file and search for the team_operations variable. When prompted, enter redhat123 as the password. Look at the entries in the team_operations variable for the Operations team, and the oliver and ophelia users. After viewing the file, press q to exit from the ansible-vault view command.

      [student@workstation code-collection]$ ansible-vault view vars/users_teams.yml
Vault password: redhat123
...output omitted...
team_operations:
  name: Operations
  description: Ops Team
  organization: Default
  users:
    - username: oliver
      first_name: Oliver
      last_name: Stone
      email: oliver@lab.example.com
      password: redhat123
      update_secrets: false
      is_superuser: false
      is_system_auditor: false
      user_roles:
        - role: member
          user: oliver
          organization: Default
        - role: member
          user: oliver
          target_team: Operations
...output omitted...

    2. Modify the add_teams.yml playbook to include the team_operations variable, which is already defined in the vars/users_teams.yml file. By making this change, the playbook adds the Operations team and the oliver and ophelia users. Edit the add_teams.yml file and add the '{{ team_operations }}' variable to the team_array variable. The content of the add_teams.yml file should contain the following:

      ---
- name: Add team
  hosts: localhost
  gather_facts: False
  vars_files:
    - vars/auth.yml
    - vars/users_teams.yml
  vars:
    team_array:
      - '{{ team1 }}'
      - '{{ team2 }}'
      - '{{ team3 }}'
      - '{{ team_developers }}'
      - '{{ team_operations }}'

    3. Commit and push the changes to the remote Git repository.

      [student@workstation code-collection]$ git add add_teams.yml
[student@workstation code-collection]$ git commit -m "Added Operations team"
[main d164229] Added Operations team
 1 file changed, 1 deletion(-)
[student@workstation code-collection]$ git push -u origin main
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 4 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 298 bytes | 298.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
To https://git.lab.example.com/git/code-collection.git
   c967656..d164229  main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.

  6. The lab command created several automation controller resources for you, but the lab command did not create a Vault credential. Create a Vault credential that you can use to automatically decrypt the vars/auth.yml and vars/users_teams.yml files.

    1. In the automation controller web UI, navigate to ResourcesCredentials and then click Add.

    2. On the Create New Credential page fill in the details as follows:

      FieldValue
      Name vault-cred
      Description To unlock files in the Code Collection project
      Organization Default
      Credential Type Vault
      Vault Password redhat123

    3. Click Save.

  7. Associate the vault-cred credential with the Add Teams and Add Users job templates.

    1. Navigate to ResourcesTemplates.

    2. Click the Edit Template icon for the Add Teams job template.

    3. Click the search icon under Credentials.

    4. In the Select Credentials dialog box, click the Selected Category list to access the list of available credential types. Choose the Vault credential from the list.

    5. In the lower pane, select the credential named vault-cred and click Select.

    6. Click Save.

    7. Repeat these steps for the Add Users job template.

      Important

      Make sure that you add the Vault credential to both the Add Teams and the Add Users job templates.

  8. Launch the Add Teams job template.

    1. Navigate to ResourcesTemplates.

    2. Click the Launch Template icon for the Add Teams job template and wait for the job to complete.

  9. Verify that the job template adds the Operations team to the automation controller.

    1. Navigate to AccessTeams.

    2. Click the link for the Operations team.

    3. Click the Access tab and confirm that the oliver and ophelia users have roles in the Operations team.

      Note

      This exercise automated the creation of users and teams for your automation controller, as one example of what the ansible.controller Ansible Content Collection can do.

      You can also use the modules and other plug-ins provided by the collection to automate many other tasks, whether you want to create or remove other resources such as projects, credentials, and job templates, or to actually run job templates and workflows on your automation controller.

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish code-collection

This concludes the section.

PreviousNext
Revision: do467-2.2-08877c1