Prerequisites
Ansible Tower Prerequisites
The SovLabs Tower module uses Ansible Tower Job Templates to execute Ansible playbooks. We recommend testing an Ansible Tower Job Template prior to configuration of the SovLabs module to familiarise yourself with the Ansible Tower constructs.
This will require configuration of the following:
- Organisations, Projects, Job Templates and Machine Credentials
- Project is configured with required playbooks
- Basic Auth (over HTTPS) is enabled for API (default)
- DNS resolution of provisioned VMs from vRO and Ansible Tower hosts
Ansible Tower Account Setup
User Account Setup
- Local/LDAP User Account (not Social, Azure AD login or Kerberos)
- User Type: Normal User
- SSH User: Only required for Dynamic Inventories
Simple Configuration
This provides sufficient rights to use static inventories and provides organisation isolation on a shared Ansible Tower environment.
Role Required | Applies to |
---|---|
Admin | Organisation |

Advanced Configuration
If you need to grant more granular permissions, this is an example for a single static inventory and single job template. This can be extended as required for additional job templates and/or inventories.

Organisations
The SovLabs module can create an Organisation in Ansible Tower. This is useful for test environments as it reduces the configuration steps required in Ansible Tower. However, for production scenarios it is not recommended to grant System Administrator rights for this functionality.
Option | Role Required | Applies to | Notes |
---|---|---|---|
Admin creates Organisation | Member | Organisation | Recommended |
SovLabs creates Organisation | System Administrator | System-wide | Not recommended for Production |
Projects and Job Templates
Projects and Job Templates must be created by an Ansible Tower user for consumption by the SovLabs module. These can be configured by a privileged user and rights granted to the SovLabs service account as follows.
Role Required | Applies to |
---|---|
Use | Projects |
Execute | Job Templates |
Inventories
Inventory Types: Static vs Dynamic
Static inventories only require API access to the Ansible Tower instance and so are preferred in restricted Ansible Tower deployments. The user role can be granted sufficient permissions via the built-in Ansible Tower Role Based Access Control.
Dynamic inventories are more complex as they require both API and SSH/SCP access to the Ansible Tower host. The requirement for SSH access to a root shell means that they’re often incompatible with Docker-based deployments and with the security policies of some organisations.
Static Inventory
To allow creation of inventories from SovLabs you need to assign the Inventory Admin role in the Organisation.
To only allow use of inventories created in Ansible you need the Admin role on them to allow management of inventory groups.
Option | Role Required | Applies to |
---|---|---|
SovLabs creates Inventory | Inventory Admin | Organisation |
Admin created Inventory | Admin | Inventory |
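The role tables above can be checked against what the service account actually holds. This is an added example, not SovLabs or Ansible Tower code: it audits a constructed role listing, and the JSON shape, the `system` resource type for system-wide roles and all function names are assumptions.

```python
# Added example: audit a Tower account's roles against the Advanced
# Configuration tables. Grants are (role name, resource type) pairs; the JSON
# shape is assumed from GET /api/v2/users/<id>/roles/ and is not verified here.

# Least-privilege set for one admin-created static inventory and job template.
REQUIRED = {("Member", "organization"), ("Use", "project"),
            ("Execute", "job_template"), ("Admin", "inventory")}
# Static Inventory table alternative: SovLabs creates the inventory itself.
INVENTORY_ALTERNATIVE = ("Inventory Admin", "organization")
# Broader grants the page ties to the simple setup or to test environments.
EXCESSIVE = {
    ("Admin", "organization"): "Organisation Admin",
    ("System Administrator", "system"): "System Administrator",
}


def grants_from_api(roles_json):
    """Flatten a roles listing into (role name, resource type) pairs."""
    grants = set()
    for entry in roles_json.get("results", []):
        summary = entry.get("summary_fields", {})
        # Assumption: system-wide roles carry no resource_type.
        grants.add((entry["name"], summary.get("resource_type", "system")))
    return grants


def audit(grants):
    """Return (missing, excessive, unexpected) relative to the tables."""
    required = set(REQUIRED)
    if INVENTORY_ALTERNATIVE in grants:
        required.discard(("Admin", "inventory"))
        required.add(INVENTORY_ALTERNATIVE)
    missing = sorted(required - grants)
    excessive = sorted(EXCESSIVE[g] for g in grants if g in EXCESSIVE)
    unexpected = sorted(g for g in grants - required if g not in EXCESSIVE)
    return missing, excessive, unexpected


# Constructed sample listing for a hypothetical service account.
SAMPLE = {"results": [
    {"name": "Member", "summary_fields": {"resource_type": "organization"}},
    {"name": "Use", "summary_fields": {"resource_type": "project"}},
    {"name": "Execute", "summary_fields": {"resource_type": "job_template"}},
    {"name": "System Administrator", "summary_fields": {}},
]}

if __name__ == "__main__":
    print(audit(grants_from_api(SAMPLE)))
```

For the constructed sample, the audit reports the inventory Admin role as missing and System Administrator as excessive.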
Dynamic Inventory
A Dynamic Inventory is an Ansible Tower Inventory which has an external Inventory Source as a Custom Script.
To configure a Dynamic Inventory automatically, SovLabs requires SSH/SCP access to the Ansible Tower host and Organisation Admin rights to create the inventory script configuration files.
Role Required | Applies to |
---|---|
Admin | Organisation |
SSH User
The SSH user account must fulfil the following requirements:
- Login via SSH
- Have a valid shell, e.g. /bin/bash
- sudo (or other elevation) to a root shell without a sudo password prompt
It is recommended to create a user specific to this integration so that use of the account can be audited. Please consult your Ansible administrator for the creation of this account as this process will be specific to your environment.
An example sudoers configuration for a user vrasvc is shown:
```
# /etc/sudoers.d/vrasvc
vrasvc ALL=(ALL) NOPASSWD: ALL
Defaults:vrasvc !requiretty
```
Dynamic Inventory without SSH/SCP
If you wish to revoke sudo rights after initial configuration of the dynamic inventories, or if you wish to set up dynamic inventories without SSH access, please contact Customer Success for assistance.