Ansible AWX / Automation Platform
Overview
Red Hat Ansible Automation Platform (formerly AWX) provides a web-based UI, REST API, and task engine for Ansible. It enables team collaboration, scheduling, and enterprise-scale automation.
Why AWX?
- Web UI: Visual interface for Ansible operations
- RBAC: Role-based access control for teams
- Scheduling: Schedule playbooks to run automatically
- Inventory Management: Centralized inventory management
- Credential Management: Secure credential storage
- Job History: Audit trail of all executions
Architecture
```text
┌─────────────────────────────────────────────────────────────────┐
│                        AWX Architecture                         │
│                                                                 │
│  ┌──────────────┐                                               │
│  │    Web UI    │    ┌──────────────┐                           │
│  │   REST API   │───▶│  PostgreSQL  │                           │
│  └──────────────┘    └──────┬───────┘                           │
│                             │                                   │
│  ┌──────────────┐           │                                   │
│  │    Redis     │◀──────────┤                                   │
│  │   (Celery)   │           ▼                                   │
│  └──────────────┘    ┌──────────────┐                           │
│                      │     Task     │                           │
│  ┌──────────────┐    │    Engine    │    ┌──────────────┐       │
│  │   Executor   │◀───│  (Workers)   │───▶│   Ansible    │       │
│  │    Nodes     │    └──────────────┘    │    Nodes     │       │
│  └──────────────┘                        └──────────────┘       │
└─────────────────────────────────────────────────────────────────┘
```
Installing AWX
Using Operator (Recommended for Kubernetes)
```bash
# Create namespace
kubectl create namespace awx

# Install AWX Operator
# (this URL tracks the devel branch; pin it to a reviewed release tag before applying)
kubectl apply -f https://raw.githubusercontent.com/ansible/awx-operator/devel/config/samples/awx_v1alpha1_awx.yaml

# Create AWX instance
kubectl apply -f - <<EOF
apiVersion: awx.ansible.com/v1alpha1
kind: AWX
metadata:
  name: awx
  namespace: awx
spec:
  service_type: nodeport
  ingress_type: none
  replicas: 1
EOF
```
Using Docker Compose
```bash
# Clone AWX
git clone https://github.com/ansible/awx.git
cd awx/installer

# Edit inventory
vi inventory

# Run installer
ansible-playbook -i inventory install.yml
```
AWX Concepts
Projects
Projects connect AWX to your Git repositories containing playbooks:
```yaml
# Project configuration
name: My Project
description: Playbooks for web application
scm_type: git
scm_url: https://github.com/username/playbooks.git
scm_branch: main
scm_credential: GitHub Credential
update_revision_on_launch: true
```
Inventories
Inventory sources in AWX:
```yaml
# Inventory configuration
name: Production Inventory
description: Production servers
organization: Default
variables:
  ansible_user: admin
  ansible_ssh_private_key_file: /tmp/key
```
Inventories can be sourced from:
- Manual (static)
- AWS EC2
- Azure Resource Manager
- GCP Compute Engine
- VMware vCenter
- Red Hat Satellite
- Custom script
Credentials
Credential types in AWX:
```yaml
# Machine credentials
- name: Production SSH
  credential_type: Machine
  username: admin
  password: <encrypted>
  ssh_key_data: <private key>

# Vault credentials
- name: Production Vault
  credential_type: Vault
  vault_password: <encrypted>

# Cloud credentials
- name: AWS Production
  credential_type: Amazon Web Services
  access_key: <key>
  secret_key: <secret>
```
Templates (Job Templates)
Job templates combine projects, inventories, and credentials:
```yaml
name: Deploy Web App
description: Deploy web application to production
job_type: Run
project: My Project
playbook: deploy.yml
inventory: Production Inventory
credentials:
  - Production SSH
  - Production Vault
execution_environment: Custom EE
forks: 10
verbosity: Normal
```
Job Templates
Basic Job Template
```yaml
name: Run Ad-hoc Command
description: Ping all hosts
job_type: Run
inventory: Development
project: My Project
playbook: ping.yml
credential: SSH Key
```
Survey (Prompt for Variables)
```yaml
# Enable survey in job template
survey_enabled: true

# Survey specification
survey_spec:
  name: ""
  description: ""
  spec:
    - question: "Environment"
      type: "multiplechoice"
      choices:
        - dev
        - staging
        - prod
      required: true
    - question: "Version"
      type: "text"
      required: true
```
Schedule
```yaml
# Job template schedule
schedule:
  name: Daily Deploy
  description: Deploy at midnight
  rrule: "FREQ=DAILY;INTERVAL=1;COUNT=100"
  tz: America/New_York
```
Workflows
Workflows orchestrate multiple job templates:
```text
┌─────────────────────────────────────────────────────────────────┐
│                        Workflow Template                        │
│                                                                 │
│  ┌──────────┐                                                   │
│  │  Start   │                                                   │
│  └────┬─────┘                                                   │
│       │                                                         │
│       ▼                                                         │
│  ┌──────────┐                                                   │
│  │  Build   │───▶ Success                                       │
│  └────┬─────┘        │                                          │
│       │              │                                          │
│       ▼              ▼                                          │
│  ┌──────────┐   ┌──────────┐                                    │
│  │   Test   │   │  Failed  │                                    │
│  └────┬─────┘   └──────────┘                                    │
│       │                                                         │
│       ▼                                                         │
│  ┌──────────┐                                                   │
│  │  Deploy  │                                                   │
│  └────┬─────┘                                                   │
│       │                                                         │
│       ▼                                                         │
│  ┌──────────┐                                                   │
│  │  Notify  │                                                   │
│  └──────────┘                                                   │
└─────────────────────────────────────────────────────────────────┘
```
Workflow Template Example
```yaml
name: CI/CD Pipeline
description: Build, test, and deploy
workflow_nodes:
  - unified_job_template:
      name: Build
      job_type: job
    success_nodes:
      - unified_job_template:
          name: Test
    failure_nodes:
      - unified_job_template:
          name: Notify Failure
  - unified_job_template:
      name: Test
    success_nodes:
      - unified_job_template:
          name: Deploy Staging
    failure_nodes:
      - unified_job_template:
          name: Notify Failure
```
RBAC (Role-Based Access Control)
Organizations
```text
Organization
├── Teams
│   ├── DevOps
│   │   ├── Users
│   │   └── Roles
│   └── Developers
│       ├── Users
│       └── Roles
├── Inventories
├── Projects
└── Job Templates
```
- Admin: Full access
- Execute: Run jobs
- Read: View-only access
- Update: Edit resources
- Use: Use resources in jobs
- Approval: Approve workflow jobs
API Usage
Using the API
```bash
# Get token
# (-u admin:password leaves the password in shell history and the process list;
#  "-u admin" alone makes curl prompt for it instead)
curl -X POST https://awx.example.com/api/v2/tokens/ \
  -u admin:password \
  -H "Content-Type: application/json"

# List jobs
curl -X GET https://awx.example.com/api/v2/jobs/ \
  -H "Authorization: Bearer <token>"

# Launch job template
curl -X POST https://awx.example.com/api/v2/job_templates/1/launch/ \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"extra_vars": {"env": "prod"}}'
```
Python API Client
```python
import awxkit

# Connect to AWX (HTTPS, so the login is not sent in clear text)
api = awxkit.api.API('https://awx.example.com')
api.login('admin', 'password')

# Get job template
job_template = api.get_job_template(name='Deploy Web App')

# Launch job
job = job_template.launch(
    extra_vars={'env': 'prod', 'version': '1.0.0'}
)

# Wait for completion
job.wait_until_completed()

# Get results
print(job.status)
print(job.result_stdout)
```
Best Practices
1. Use Execution Environments
```yaml
version: 3
name: custom-ee
from: registry.example.com/ee-minimal-rhel8:latest

dependencies:
  python:
    - boto3
    - docker
    - kubernetes
  system:
    - git
    - kubectl

additional_build_files:
  - src: files/requirements.txt
    dest: requirements.txt

build_args:
  PYTHON_VERSION: "3.9"
```
2. Secure Credentials
- Use credential plugins for secrets
- Enable credential masking
- Rotate credentials regularly
- Use Vault for sensitive data
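The inventory shown earlier sets ansible_ssh_private_key_file in its variables, which is the kind of setting these practices move into a Machine credential. The audit below is an added example, not code from the page or from AWX; the "hosts" key, the two sample hosts and the name heuristic are assumptions made for illustration.

```python
# Added example: flag inventory variables that carry or point at connection secrets.
import re

# Real Ansible connection variables; in AWX these belong in a Machine credential.
CREDENTIAL_VARS = {
    "ansible_password", "ansible_ssh_pass",
    "ansible_become_password", "ansible_become_pass",
    "ansible_ssh_private_key_file", "ansible_private_key_file",
}
# Name heuristic for custom variables (assumption of this example; tune it).
SECRET_NAME = re.compile(r"passw|secret|token|api_?key", re.IGNORECASE)

def is_plaintext(value):
    """True unless the value is an inline vault blob or a Jinja2 reference."""
    text = str(value).lstrip()
    return not (text.startswith("$ANSIBLE_VAULT;") or "{{" in text)

def audit_variables(scope, variables, prefix=""):
    """Return (scope, variable path, advice) tuples for risky variables."""
    findings = []
    for key, value in variables.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            findings += audit_variables(scope, value, path)
        elif key in CREDENTIAL_VARS:
            findings.append((scope, path, "use a Machine credential"))
        elif SECRET_NAME.search(key) and is_plaintext(value):
            findings.append((scope, path, "plaintext secret in inventory"))
    return findings

def audit_inventory(inventory):
    """Audit inventory-level variables, then each host's variables."""
    name = inventory["name"]
    findings = audit_variables(name, inventory.get("variables", {}))
    for host, hostvars in inventory.get("hosts", {}).items():
        findings += audit_variables(f"{name}/{host}", hostvars)
    return findings

# The page's inventory, plus two hosts constructed for this example.
PRODUCTION = {
    "name": "Production Inventory",
    "variables": {"ansible_user": "admin",
                  "ansible_ssh_private_key_file": "/tmp/key"},
    "hosts": {
        "web1": {"app": {"db_password": "example-only"}},
        "web2": {"app": {"db_password": "{{ lookup('env', 'DB_PASSWORD') }}"}},
    },
}
```

Calling audit_inventory(PRODUCTION) reports the key file path and web1's literal password, and passes web2's templated reference.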
3. Implement RBAC
- Create teams per application
- Use least-privilege access
- Audit access regularly
4. Use Workflows
- Chain related jobs
- Add approval gates
- Implement error handling
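One way to check the "add approval gates" practice against the CI/CD Pipeline workflow shown earlier is to walk its success and failure links and list every path that reaches a deploy node without crossing an approval node. This is an added example, not code from the page or from AWX; the job_type value "workflow_approval", the "Approve Release" node and the "Deploy" name prefix are assumptions.

```python
# Added example (not from the page): list workflow paths that reach a deploy node
# without an approval. Assumption: approval nodes use job_type "workflow_approval".

def node(name, success=(), failure=(), job_type="job"):
    """Build one workflow_nodes entry in the page's nested layout."""
    return {"unified_job_template": {"name": name, "job_type": job_type},
            "success_nodes": [{"unified_job_template": {"name": n}} for n in success],
            "failure_nodes": [{"unified_job_template": {"name": n}} for n in failure]}

# The page's CI/CD Pipeline as written.
PIPELINE = {"workflow_nodes": [
    node("Build", success=["Test"], failure=["Notify Failure"]),
    node("Test", success=["Deploy Staging"], failure=["Notify Failure"])]}
# Constructed variant: an approval node sits between Test and Deploy Staging.
GATED = {"workflow_nodes": [
    node("Build", success=["Test"], failure=["Notify Failure"]),
    node("Test", success=["Approve Release"], failure=["Notify Failure"]),
    node("Approve Release", success=["Deploy Staging"], job_type="workflow_approval")]}

def build_graph(workflow):
    """Return (edges, approvals), both keyed by unified_job_template name."""
    edges, approvals = {}, set()
    for entry in workflow["workflow_nodes"]:
        tmpl = entry["unified_job_template"]
        if tmpl.get("job_type") == "workflow_approval":
            approvals.add(tmpl["name"])
        kids = edges.setdefault(tmpl["name"], [])
        for branch in ("success_nodes", "failure_nodes", "always_nodes"):
            kids += [c["unified_job_template"]["name"] for c in entry.get(branch, [])]
    for kid in [k for kids in edges.values() for k in kids]:
        edges.setdefault(kid, [])              # nodes that appear only as children
    return edges, approvals

def ungated_paths(workflow, protected=lambda name: name.startswith("Deploy")):
    """Paths from a start node to a protected node that cross no approval node."""
    edges, approvals = build_graph(workflow)
    referenced = {k for kids in edges.values() for k in kids}
    found = []
    def walk(name, path):
        if name in path or name in approvals:  # cycle guard, or gate reached
            return
        if protected(name):
            found.append(path + [name])
            return
        for kid in edges[name]:
            walk(kid, path + [name])
    for root in [n for n in edges if n not in referenced]:
        walk(root, [])
    return found
```

ungated_paths(PIPELINE) returns the Build, Test, Deploy Staging path, while ungated_paths(GATED) returns an empty list.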
Summary
Ansible AWX provides:
- Web UI: Visual management interface
- RBAC: Team-based access control
- Scheduling: Automated job execution
- Workflows: Orchestrate complex processes
- Auditing: Track all operations
Key concepts:
- Projects: Source control for playbooks
- Inventories: Target hosts
- Credentials: Authentication
- Job Templates: Run configurations
- Workflows: Multi-job orchestration