AAP Controller setup with redhat-cop collection

tower-playbook.yml → auth-setup.yml

@@ -7,7 +7,7 @@
   gather_facts: false
 
   vars:
-    awx_host: "{{ groups.tower[0] }}"
+    awx_host: "{{ groups.automationcontroller[0] }}"
     # yamllint disable-line rule:line-length
     cfg: "-k --conf.host https://{{ awx_host }} --conf.user {{ awx_user | default('admin', true) }}"
 
@@ -32,9 +32,3 @@
         src: tower_cli.cfg
         dest: "~/.tower_cli.cfg"
         mode: 0600
-
-  roles:
-    - role: tower_content
-      tags:
-        - tower_content
-...

collections/requirements.yml

@@ -1,3 +1,4 @@
 ---
 collections:
   - name: awx.awx
+  - name: redhat_cop.controller_configuration

configs/ad_hoc_commands.yml

@@ -0,0 +1,6 @@
+---
+controller_ad_hoc_commands:
+  - job_type: run
+    inventory: localhost
+    credential: Demo Credential
+    module_name: ping

configs/controller_auth.yml

@@ -0,0 +1,6 @@
+# User may add controller auth creds to this file and encrypt it using `ansible-vault`
+---
+controller_hostname: server01
+controller_username: admin
+controller_password: 'IT-audited?'
+controller_validate_certs: false

configs/credentials.yml

@@ -0,0 +1,23 @@
+---
+# Credentials for AAP
+controller_credentials:
+  - credential_type: Machine
+    organization: Research & Development
+    name: Vagrant
+    description: This credential can be used with any Vagrant machine.
+    inputs:
+      username: vagrant
+      ssh_key_data: "{{ lookup('file', '~/.vagrant.d/insecure_private_key') }}"
+  - credential_type: Source Control
+    name: Git
+    description: General token for git
+    inputs:
+      username: git
+      password: password
+    organization: Research & Development
+  - credential_type: Vault
+    name: ansible-vault
+    inputs:
+      vault_password: s3cr3t
+    description: Ansible Vault Password
+    organization: Research & Development

configs/execution_environments.yml

@@ -0,0 +1,5 @@
+---
+controller_execution_environments:
+  - name: "My EE"
+    image: quay.io/ansible/creator-ee
+    pull: always

configs/organizations.yml

@@ -0,0 +1,6 @@
+---
+controller_organizations:
+  - name: Marketing
+  - name: Manufacturing
+  - name: Distribution
+  - name: Research & Development

configs/projects.yml

@@ -0,0 +1,11 @@
+---
+controller_projects:
+  - name: Hashicorp Vault Demo
+    scm_type: git
+    scm_url: https://github.com/dockpack/tower_vault.git
+    scm_branch: main
+    scm_clean: true
+    description: Hashicorp Vault Demo
+    organization: Research & Development
+    wait: true
+    update: true

configs/settings.yml

@@ -0,0 +1,4 @@
+---
+controller_settings:
+  settings:
+    AWX_ISOLATION_BASE_PATH: /usr/local/tmp

configs/settings_individuale.yml

@@ -0,0 +1,44 @@
+---
+controller_settings_individuale:
+  - name: AWX_TASK_ENV
+    value: {'GIT_SSL_NO_VERIFY': 'True'}
+  - name: AUTH_LDAP_SERVER_URI
+    value: "ldap://ldap.example.com"
+  - name: AUTH_LDAP_USER_DN_TEMPLATE
+    value: "uid=%(user)s,ou=Users,dc=example,dc=com"
+  - name: AUTH_LDAP_GROUP_SEARCH
+    value: "['dc=example,dc=com', 'SCOPE_SUBTREE', '(objectClass=person)']"
+  - name: AUTH_LDAP_GROUP_TYPE
+    value: "GroupOfUniqueNamesType"
+  - name: AUTH_LDAP_USER_SEARCH
+    value: "['OU=Users,DC=example,DC=com', 'SCOPE_SUBTREE', '(cn=%(user)s)']"
+  - name: AUTH_LDAP_START_TLS
+    value: true
+  - name: AUTH_LDAP_REQUIRE_GROUP
+    value: "cn=satellite-qe,ou=adhoc,ou=managedGroups,dc=example,dc=com"
+  # Next name helps fetch Email addr and name from LDAP and save it in tower user.
+  - name: AUTH_LDAP_USER_ATTR_MAP
+    value: '{"first_name": "displayName","last_name": "sn","email": "examplePrimaryMail"}'
+  # Next name helps each sat-qe-infra group to become superuser in tower as soon as they login
+  - name: AUTH_LDAP_USER_FLAGS_BY_GROUP
+    value: "{u'is_superuser': ['cn=sat-qe-infra,ou=adhoc,ou=managedGroups,dc=example,dc=com']}"
+  # This maps all users to satellite-qe org and makes sure they are not part of satlab-admin
+  - name: AUTH_LDAP_ORGANIZATION_MAP
+    value: '{
+     "Satellite": {
+      "users": true
+     }
+    }'
+  # This maps all users to satellite-qe team and we need to add this team to all resources we create for them
+  # that way users can access the things that their team has permissions for
+  - name: AUTH_LDAP_TEAM_MAP
+    value: '{
+     "satellite-qe": {
+      "organization": "Satellite",
+      "users": true
+     },
+     "satlab-admin": {
+      "organization": "Satellite",
+      "users": "cn=sat-qe-infra,ou=adhoc,ou=managedGroups,dc=example,dc=com"
+     }
+    }'

configs/teams.yml

@@ -0,0 +1,14 @@
+---
+controller_teams:
+  - name: Operators
+    organization: Marketing
+  - name: Operators
+    organization: Distribution
+  - name: Developers
+    organization: Marketing
+  - name: Developers
+    organization: Distribution
+  - name: Administrators
+    organization: Marketing
+  - name: Administrators
+    organization: Distribution

platform-playbook.yml

@@ -0,0 +1,40 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- name: Playbook to configure ansible controller post installation
+  hosts: localhost
+  connection: local
+  vars_files:
+    - configs/controller_auth.yml
+  collections:
+    - awx.awx
+    - redhat_cop.controller_configuration
+
+  pre_tasks:
+
+    - name: Wait for Controller to come up
+      ansible.builtin.uri:
+        url: "https://{{ controller_hostname }}/api/v2/ping"
+        status_code: 200
+        validate_certs: "{{ controller_validate_certs }}"
+      register: result
+      until: result.status == 200
+      retries: 20
+      delay: 30
+      ignore_errors: true
+
+    - name: Sleep for 10 seconds and allow awx to come up.
+      ansible.builtin.wait_for:
+        timeout: 10
+      delegate_to: localhost
+
+    - name: Include vars from configs directory
+      ansible.builtin.include_vars:
+        dir: ./configs
+        ignore_files: [controller_auth.yml]
+        extensions: ["yml"]
+      tags:
+        - always
+
+  roles:
+    - dispatch  # The dispatch role calls all of the other roles.