Managing Enterprise Automation with Red Hat Ansible Automation Platform
Apply configuration changes to Red Hat Ansible Automation Platform based on files stored in a Git repository by triggering job execution with webhooks.
A webhook is a user-defined HTTP callback, performed as a HTTP POST request, that allows applications to communicate and share information with each other. Most frequently, webhooks are used to notify applications about events. The message sent by the POST request is usually formatted as JSON or XML content or form data that the application can interpret. Webhook calls are usually authenticated to ensure that unauthorized requests are rejected.
You can set up your automation controller to use webhooks so that it is notified when events occur for a Git repository, such as new commits being added to a particular branch. Automation controller can then perform specific tasks when it receives certain events. For example, a new commit to a Git repository could cause automation controller to automatically update a related project and launch a job template that uses it.
Webhooks help you automate workflows that involve multiple applications and components.
As an example of one way that webhooks can help automate workflows, the following diagram illustrates a common Continuous Integration (CI) workflow that might be used to perform tasks for the devices managed by Ansible.
In this example, the operations team is in charge of providing automation content that performs tasks on the Ansible-managed hosts. When the developers' team pushes a change to the Git content repository, the Jenkins CI tool captures this event. The event signals Jenkins to use the API on automation controller to automatically launch a job template that updates its copy of the project and runs on the managed hosts.
The following diagram shows another approach that uses webhooks:
By using webhooks, you simplify the workflow. In this case, when a developer pushes something to the Git content repository, automation controller gets notified directly by a webhook. Automation controller then launches a job template that updates its copy of the project and runs on the managed hosts.
Therefore, one major benefit is that you can use webhooks to trigger actions on automation controller without the need to maintain and manage an additional Continuous Integration (CI) tool such as Jenkins.
To set up webhooks, you need to prepare both your Git repository server so that it triggers webhooks, and your automation controller to listen for them. You also need to configure both sides so that the Git repository can authenticate its messages to automation controller.
Important
In the following example, GitLab is used as the Git repository server because it matches the classroom environment used by this course for hands-on exercises. In practice, you can use other Git repository servers and services such as GitHub instead. They can be configured using a procedure similar to the one illustrated for GitLab by this course.
To configure a project to update a job template to launch automatically when automation controller is notified by a webhook, you must configure the project and job template to meet certain requirements:
For the project, you must enable the option. This ensures that automation controller pulls the latest revision from the Git repository when it launches the job template because the Git repository has changed.
Because you cannot interact with the job template, you must disable all the settings in any job template that webhook notifications might launch.
After you have met the previous requirements, then you have to configure automation controller to listen for webhook notifications.
The following example outlines one way to do this for notifications from a GitLab repository. It enables a webhook listener for an existing job template that is already configured to run without prompting and that uses a project that is configured with selected.
Log in to the automation controller web UI as the
adminuser.Navigate to → , and click the icon for the job template that you want to edit.
Select the checkbox, and choose from the field.
Click and then go to tab to see the webhook URL and webhook key needed to configure the webhook in GitLab. GitLab needs to send the webhook notification to the webhook URL and use the webhook key to authenticate its message to automation controller.
Before any user can configure webhooks on your GitLab server, an administrator of the server must allow them to be used.
If this has not been done, you need to log in to your GitLab server as a user that has an admin role. Navigate to → → → . Make sure that the automation controller to which you want to send webhook notifications is listed under .
The result should appear similar to the following:
If this requirement is correctly configured, a regular user can create webhooks for their Git projects.
Log in to the GitLab web UI as a regular user.
Navigate to your Git project (one of the repositories under → ), and then go to → .
On the configuration page, create the webhook by adding the information you obtained from automation controller, putting the webhook URL into the field and the webhook key into the field.
In the section, select which events trigger the webhook notification, and click .
You can test the webhook by clicking → . You get the message
Hook executed successfullyif you configured it correctly.
You can use webhooks with automation controller in a variety of ways. The subsections that follow explore two of them.
For this use case, you use a webhook for a job template specifying a branch from the field. When you push new content for the given branch, the job template starts performing Ansible tasks on the inventory that you set up for that job template.
Important
The field is only available if you set up a Git project with selected.
For example, suppose you want to test a Git repository for a development environment before going to production. In that case, you can create a development branch for the repository, configure the job template to use this branch, and associate the inventory with the development hosts. When you add a commit to the development branch, the webhook launches the job template for the development hosts.
After you verify that the development branch of your automation is working correctly, you can merge your changes to the production branch, and even use the same webhook mechanism to automatically launch a job template that runs for managed hosts in your production inventory.
Configuration as code is a technique that uses a version control repository to describe the desired state of your configuration.
You can use configuration as code methods in conjunction with Ansible Content Collections and Ansible Playbooks to manage the configuration of your Red Hat Ansible Automation Platform systems in a version control system. This is similar in principle to the concept of Infrastructure as Code, and has similar benefits.
For example, you could implement configuration as code to automatically reconfigure and help you maintain your Ansible Automation Platform servers. You set up files and Ansible Playbooks in a Git repository that define and apply the desired configuration for your automation infrastructure.
You can accomplish this by combining webhooks with playbooks that use the ansible.controller Ansible Content Collection. Using this Ansible Content Collection, you can configure most of the objects in automation controller (such as job templates, projects, inventories, and so on), using Git as a single source of truth.
To illustrate how this might work, imagine that you have a Git repository that contains an Ansible Playbook named add-users.yml that adds users to your automation controller.
That playbook contains the following play:
---
- name: Add user
hosts: workstation
gather_facts: False
tasks:
- name: Add user in controller
ansible.controller.user:
controller_host: "{{ controller_auth['host'] }}"
controller_username: "{{ controller_auth['username'] }}"
controller_password: "{{ controller_auth['password'] }}"
validate_certs: False
username: "{{ item['username'] }}"
first_name: "{{ item['first_name'] }}"
last_name: "{{ item['last_name'] }}"
email: "{{ item['email'] }}"
password: "{{ item['password'] }}"
update_secrets: "{{ item['update_secrets'] | default(False) }}" 
is_superuser: "{{ item['is_superuser'] | default('False') }}" 
is_system_auditor: "{{ item['is_system_auditor'] | default('False') }}" 
state: present
loop: "{{ system_users['users'] }}"
loop_control:
label: "Adding user: {{ item['username'] }}"
| If the |
| The |
| The |
Important
A user can be a system administrator (a super user), a system auditor, or a normal user. If the is_superuser variable has a value of True, then the is_system_auditor variable must have a value of False (and vice versa). If both variables have a value of False, then the user is a normal user.
The preceding play ensures that users exist on automation controller by looping over a list of users, and information about those users, stored in the system_users['users'] variable.
For example, to update that information without changing the Ansible Playbook, that variable is set in the project’s host_vars/workstation/users_teams.yml file. This could be written as follows:
---
system_users:
users:
- username: patrick
first_name: Patrick
last_name: Star
email: patrick@lab.example.com
password: redhat123
update_secrets: False
is_superuser: False
is_system_auditor: False
user_roles:
- role: member
user: patrick
organization: Default
...output omitted...You modify the users_teams.yml host variable file to update the list of users that should exist on automation controller, including appropriate information about what user type and team memberships each user should have.
Then, the following steps occur when you commit and push to the Git repository:
It triggers the webhook and notifies automation controller.
Automation controller detects the change through the webhook and then launches a job template to run the changed content based on information in the notification message.
The webhook message contains information about who pushed the change, to what branch, what files were modified, and so on. The content of the message is available to your plays through the tower_webhook_payload variable. The following figure shows an excerpt of the payload that automation controller receives from the GitLab webhook:
You can also combine the ability to trigger a job template based on a given Git branch with this configuration as code technique to link different configuration states to different environments, such as development, test, and production.
To summarize some benefits of storing and managing your Ansible Automation Platform configuration as code:
You can standardize your configuration in several operating environments.
You can easily track the changes in your configuration by using the version control features and see who made what changes and when, which can help you troubleshoot and resolve issues.
You can easily replicate and deploy additional Ansible Automation Platform deployments with the same configuration.
References
For more information on webhooks, refer to the "Working with Webhooks" chapter in the Automation Controller User Guide at https://docs.ansible.com/automation-controller/latest/html/userguide/webhooks.html
For more information on configuration as code, refer to the "Configuration consistency across multi Ansible Automation Platform deployments" chapter in the Deploying Ansible Automation Platform 2.1 reference architecture at https://access.redhat.com/documentation/en-us/reference_architectures/2021/html-single/deploying_ansible_automation_platform_2.1/index#config_as_code_using_webhooks
