Prerequisites

Ansible Tower Prerequisites

The SovLabs Tower module uses Ansible Tower Job Templates to execute Ansible playbooks. We recommend testing an Ansible Tower Job Template prior to configuration of the SovLabs module to familiarise yourself with the Ansible Tower constructs.

This will require configuration of the following:

  • Organisations, Projects, Job Templates and Machine Credentials
  • Project is configured with required playbooks
  • Basic Auth (over HTTPS) is enabled for API (default)
  • DNS resolution of provisioned VMs from vRO and Ansible Tower hosts

Ansible Tower Account Setup

User Account Setup

  • Local/LDAP User Account (not Social, Azure AD login or Kerberos)
  • User Type: Normal User
  • SSH User: Only required for Dynamic Inventories

Simple Configuration

This provides sufficient rights to use static inventories and provides organisation isolation on a shared Ansible Tower environment.

Role Required   Applies to
Admin           Organisation

[Screenshot: Ansible Tower Organisation Admin role]

Advanced Configuration

If you need to grant more granular permissions, this is an example for a single static inventory and single job template. This can be extended as required for additional job templates and/or inventories.

[Screenshot: Ansible Tower minimal user role]

Organisations

The SovLabs module has the capability to create an Organisation in Ansible Tower. This is useful for test environments as it reduces the configuration steps required in Ansible Tower. However for production scenarios it is not recommended to grant System Administrator rights for this functionality.

Option                        Role Required         Applies to     Notes
Admin creates Organisation    Member                Organisation   Recommended
SovLabs creates Organisation  System Administrator  System-wide    Not recommended for Production

Projects and Job Templates

Projects and Job Templates must be created by an Ansible Tower user for consumption by the SovLabs module. These can be configured by a privileged user and rights granted to the SovLabs service account as follows.

Role Required   Applies to
Use             Projects
Execute         Job Templates
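The prerequisites above (Basic Auth over HTTPS, a service account that should not be a System Administrator in production, and Execute rights on the job templates it will launch) can be verified before the module is configured. The following script is an added example, not SovLabs code: it refuses to send Basic credentials over plain HTTP, reads /api/v2/me/ to report whether the account is a superuser, and reads /api/v2/job_templates/<id>/ to see whether the account may launch that template (Tower reports this in summary_fields.user_capabilities.start). The fetch function is injectable, and the FAKE_RESPONSES below are constructed stand-ins for a live Tower so the check runs offline; the hostname, username, password and template id are placeholders.

```python
"""Pre-flight check of the Ansible Tower service account over the REST API.

Added example (not SovLabs code). Enforces HTTPS for Basic Auth, then reports
whether the account is a System Administrator and whether it can launch a
given job template. `fetch` is injectable so the logic runs offline.
"""
import base64
import json
import urllib.request
from urllib.parse import urljoin, urlparse


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: 'Basic ' + base64(user:pass)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url: str, path: str, username: str, password: str) -> urllib.request.Request:
    """Build a GET to Tower, refusing to send Basic credentials over plain HTTP."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("Tower base URL must use https; Basic Auth would send credentials in clear")
    return urllib.request.Request(
        urljoin(base_url, path),
        headers={
            "Authorization": basic_auth_header(username, password),
            "Accept": "application/json",
        },
    )


def _live_fetch(req: urllib.request.Request) -> bytes:
    # urlopen verifies the server certificate by default; do not disable that.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def tower_get(base_url, path, username, password, fetch=_live_fetch) -> dict:
    """GET a Tower API path and decode the JSON body."""
    body = fetch(build_request(base_url, path, username, password))
    return json.loads(body.decode("utf-8"))


def check_service_account(base_url, username, password, job_template_id, fetch=_live_fetch) -> dict:
    """Report superuser status and launch capability for one job template."""
    me = tower_get(base_url, "/api/v2/me/", username, password, fetch)["results"][0]
    jt = tower_get(base_url, f"/api/v2/job_templates/{job_template_id}/", username, password, fetch)
    caps = jt.get("summary_fields", {}).get("user_capabilities", {})

    findings = []
    if me.get("is_superuser"):
        findings.append("account is a System Administrator; not recommended for production")
    if not caps.get("start"):
        findings.append(f"account lacks Execute on job template {job_template_id}")

    return {
        "username": me.get("username"),
        "is_superuser": bool(me.get("is_superuser")),
        "can_launch": bool(caps.get("start")),
        "findings": findings,
    }


# Constructed responses standing in for a live Tower (assumed shapes of /me/ and
# /job_templates/<id>/), so the check can be exercised offline.
FAKE_RESPONSES = {
    "/api/v2/me/": {"count": 1, "results": [
        {"id": 7, "username": "sovlabs-svc", "is_superuser": False},
    ]},
    "/api/v2/job_templates/42/": {"id": 42, "name": "provision-vm", "summary_fields": {
        "user_capabilities": {"start": True, "edit": False},
    }},
}


def fake_fetch(req: urllib.request.Request) -> bytes:
    """Offline stand-in for _live_fetch, keyed on the request path."""
    return json.dumps(FAKE_RESPONSES[urlparse(req.full_url).path]).encode("utf-8")


if __name__ == "__main__":
    # Placeholder host and credentials; swap fake_fetch for the default to run live.
    print(check_service_account("https://tower.example.invalid", "sovlabs-svc", "secret", 42, fetch=fake_fetch))
```

Run live by dropping the fetch argument; an empty findings list means the account matches the recommended shape (not a superuser, able to launch the template).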

Inventories

Inventory Types: Static vs Dynamic

Static inventories only require API access to the Ansible Tower instance and so are preferred in restricted Ansible Tower deployments. The user role can be granted sufficient permissions via the built-in Ansible Tower Role Based Access Control.

Dynamic inventories are more complex, as they require both API and SSH/SCP access to the Ansible Tower host. The requirement for SSH access to a root shell means that they are often incompatible with Docker-based deployments and with the security policy of some organisations.

Static Inventory

To allow creation of inventories from SovLabs you need to assign the Inventory Admin role in the Organisation.

To only allow use of inventories created in Ansible you need the Admin role on them to allow management of inventory groups.

Option                    Role Required     Applies to
SovLabs creates Inventory Inventory Admin   Organisation
Admin created Inventory   Admin             Inventory

Dynamic Inventory

A Dynamic Inventory is an Ansible Tower Inventory which has an external Inventory Source as a Custom Script.

To configure a Dynamic Inventory automatically, SovLabs requires SSH/SCP access to the Ansible Tower host and Organisation Admin rights to create the inventory script configuration files.

Role Required   Applies to
Admin           Organisation

SSH User

The SSH user account must fulfil the following requirements:

  • Login via SSH
  • Have a valid shell, e.g. /bin/bash
  • sudo (or other elevation), to root shell without sudo password prompt

It is recommended to create a user specific to this integration so that use of the account can be audited. Please consult your Ansible administrator for the creation of this account as this process will be specific to your environment.

An example sudoers configuration for a user vrasvc is shown:

# /etc/sudoers.d/vrasvc
vrasvc        ALL=(ALL)       NOPASSWD: ALL
Defaults:vrasvc !requiretty
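The three requirements listed above and the sudoers fragment can be checked before handing the account to the integration. The validator below is an added example, not SovLabs or Ansible code: it parses an /etc/passwd entry to confirm the user has a real login shell, checks a sudoers.d fragment for the passwordless root rule and the per-user !requiretty default, and checks the fragment's file mode (sudoers.d files are conventionally 0440 and root-owned). The passwd lines and the alternative fragments are constructed samples; the function names are this example's own.

```python
"""Offline validator for the SSH service-account requirements (added example,
not SovLabs code). Checks a passwd entry, a sudoers.d fragment and its file
mode against: valid login shell, 'NOPASSWD: ALL' to root, and !requiretty.
"""
import re
import stat

# Shells that mean "no interactive login" on common Linux distributions.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd_entry(line: str) -> dict:
    """Split one /etc/passwd line into its seven fields."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("passwd entry must have 7 colon-separated fields")
    name, _pw, uid, gid, _gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}


def check_login_shell(passwd_line: str, user: str) -> list:
    """Return problems with the account's login shell; empty list means OK."""
    entry = parse_passwd_entry(passwd_line)
    findings = []
    if entry["name"] != user:
        findings.append(f"passwd entry is for {entry['name']!r}, not {user!r}")
    if not entry["shell"].startswith("/") or entry["shell"] in NON_LOGIN_SHELLS:
        findings.append(f"{user} has no valid login shell ({entry['shell']!r}); SSH login will fail")
    return findings


def _active_lines(text: str) -> list:
    """Drop comments and blank lines from a sudoers fragment."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def check_sudoers_fragment(text: str, user: str) -> list:
    """Return problems with the sudoers fragment for `user`; empty list means OK."""
    lines = _active_lines(text)
    findings = []
    # Matches "vrasvc ALL=(ALL) NOPASSWD: ALL" (also the "(ALL:ALL)" spelling).
    rule = re.compile(rf"^{re.escape(user)}\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+NOPASSWD:\s*ALL$")
    if not any(rule.match(ln) for ln in lines):
        findings.append(f"no 'NOPASSWD: ALL' rule for {user}; sudo would prompt for a password")
    tty_default = re.compile(rf"^Defaults:{re.escape(user)}\s+!requiretty$")
    if not any(tty_default.match(ln) for ln in lines):
        findings.append(f"'Defaults:{user} !requiretty' missing; non-interactive sudo over SSH "
                        "fails where requiretty is set globally")
    return findings


def check_sudoers_mode(mode: int) -> list:
    """sudoers.d files should be 0440: readable by root/group only, never writable."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & 0o022:
        findings.append(f"mode {perm:04o} is group/world writable; sudo refuses such files")
    if perm & 0o007:
        findings.append(f"mode {perm:04o} is world readable; use 0440")
    return findings


# Constructed samples: the fragment shown above, a weaker one, and two passwd entries.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/vrasvc
vrasvc        ALL=(ALL)       NOPASSWD: ALL
Defaults:vrasvc !requiretty
"""
SUDOERS_MISSING_NOPASSWD = "vrasvc ALL=(ALL) ALL\nDefaults:vrasvc !requiretty\n"
PASSWD_OK = "vrasvc:x:1001:1001:vRA service:/home/vrasvc:/bin/bash"
PASSWD_NOLOGIN = "vrasvc:x:1001:1001:vRA service:/home/vrasvc:/sbin/nologin"


def validate_account(passwd_line: str, sudoers_text: str, sudoers_mode: int, user: str) -> list:
    """Aggregate all findings for one account."""
    return (check_login_shell(passwd_line, user)
            + check_sudoers_fragment(sudoers_text, user)
            + check_sudoers_mode(sudoers_mode))


if __name__ == "__main__":
    for finding in validate_account(PASSWD_NOLOGIN, SUDOERS_MISSING_NOPASSWD, 0o644, "vrasvc"):
        print("FAIL:", finding)
    print("sample fragment OK:", validate_account(PASSWD_OK, SAMPLE_SUDOERS, 0o440, "vrasvc") == [])
```

On a real host, feed it the output of `getent passwd vrasvc`, the contents of /etc/sudoers.d/vrasvc and `os.stat(path).st_mode`; an empty list means the account meets the listed requirements, and `visudo -cf /etc/sudoers.d/vrasvc` remains the authoritative syntax check.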

Dynamic Inventory without SSH/SCP

If you wish to revoke sudo rights after initial configuration of the dynamic inventories or if you wish to setup dynamic inventories without SSH access please contact Customer Success for assistance.