Dynamic Inventory (Tower, AWX)

TF edited this page Feb 16, 2023 · 5 revisions

Dynamic Inventory in AWX/Tower

While it is recommended to encrypt your credentials for accessing the Open-AudIT API when using "pure" Ansible, this is not possible when using AWX/Tower (at least I haven't found a way).

No worries: using a dynamic inventory in AWX/Tower is still possible, but the credentials will be stored in AWX/Tower instead.

Hint: Even if a vault could be used here, it would likely not be useful: a password change would then require updating every repo containing that encrypted password. With the following approach there is just a single place to change instead.

Plugin documentation

To see all available options and their meaning:

ansible-doc -t inventory sedi.openaudit.inventory

or as a human friendly Ansible-like website here

Git repo

Example structure of a git repository supporting dynamic inventory with AWX/Tower:

collections/
  requirements.yml*
roles/
  abc..
ansible.cfg
inventory.oa.yml*
playbook.yml

(*) marks mandatory files

Mandatory: collections/requirements.yml

stable version:

collections:
    - sedi.openaudit

development/testing/unstable version:

collections:
    - name: https://github.com/secure-diversITy/ansible_openaudit
      type: git
      version: dev

Optional: ansible.cfg

AWX/Tower is smart enough to figure out the right plugin when the inventory file is configured properly (see above), but if you want to add one, the following is the bare minimum:

# script is used by Tower/AWX template run
# ini might be used for static hosts
# sedi.openaudit.inventory should be obvious

[inventory]
enable_plugins = sedi.openaudit.inventory, ini, script

Mandatory: inventory file

Example inventory file (e.g. named inventory.openaudit.yaml):

plugin: sedi.openaudit.inventory

oa_api_server: openaudit.myserver.com
oa_api_proto: https
verify_certs: False

oa_fieldsTranslate:
    cmdb_foo: 7
    myvar_for_ansible: 13
    my_other_var: 21

groups:
    edge_devices: "'edge' in inventory_hostname"
    backup_servers: inventory_hostname.startswith('backup')
    non_gigabyte_devices: cmdb_manufacturer.upper() != "GIGABYTE"

keyed_groups:
    - prefix: FAI_profile
      key: cmdb_fai_profile
    - prefix: VENDOR
      key: cmdb_manufacturer.lower()

compose:
   ansible_host: cmdb_ip

Check Host Variables for details regarding the meaning of oa_fieldsTranslate and the plugin documentation for the rest.

The above example shows 2 parts of the constructed plugin which can be used: compose and keyed_groups. Using these might be counterproductive when working with a dynamic inventory and so might not be what you want. Before setting these, consider checking out Group-Variables first!

If you still need them, read about their syntax here.

AWX/Tower

Summary:

  1. Add a Credential Type
  2. Add a Credential for that new credential type
  3. Add a Project
  4. Add an Inventory & Sync
  5. Add a Template

Important note: Make sure your AWX/Tower installation uses Python 3, or select the proper ANSIBLE ENVIRONMENT.

Add a Credential Type

This is required to be able to access the Open-AudIT API at all. We make use of OS environment variables here because Ansible Vault (even inline) won't work here (a restriction that applies to AWX/Tower only). This is not a security risk as long as the "Execution Environment" can be considered safe and inaccessible to others (as AWX/Tower uses containers, this is usually the case).

Input configuration

fields:
  - id: awx_oa_username
    type: string
    label: API username
  - id: awx_oa_password
    type: string
    label: API Password
    secret: true
required:
  - awx_oa_username
  - awx_oa_password

Injector configuration

env:
  OA_PASSWORD: '{{ awx_oa_password }}'
  OA_USERNAME: '{{ awx_oa_username }}'

Add a Credential

  • Name: e.g. openaudit-api-credential
  • Credential Type: <your above created type>
  • Type Details: <fill in the credentials needed to access the API>

Add a Project

Note: You might need to create an access token first if the git repository is not public.

  • point to your created Git repo (see above)
  • optional but recommended: check Update Revision on Launch to keep this repo up to date or add a schedule

Add an Inventory

  • Sources: Sourced from project
  • Credential: <select the newly created api credential>
  • Project: <select the newly created (git) project>
  • Inventory file: <type in the dynamic openaudit inventory filename> (including path if in a sub directory)
  • optional but recommended: check Update on Launch to keep this repo up to date or add a schedule

After saving, click "Sync" and check the output. You might want to set Verbosity = Debug to see the whole progress and spot any errors.

Add a Template

Now you can put it all together and add a new template which makes use of all the above.
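
A pre-commit style check for the setup described on this page, as an added example that is not part of the original wiki or the plugin's own code: it reads the top-level keys of the inventory file and reports disabled certificate verification, an oa_api_proto other than https, literal values under secret-looking keys, and missing OA_USERNAME/OA_PASSWORD in the job environment. The secret-key name pattern, the sample files and the key my_api_password are assumptions made for illustration.

```python
import os
import re
import sys

# Constructed sample: the inventory file from this page, shortened, with
# certificate verification switched on.
GOOD = """\
plugin: sedi.openaudit.inventory
oa_api_server: openaudit.myserver.com
oa_api_proto: https
verify_certs: True
oa_fieldsTranslate:
    cmdb_foo: 7
"""
# Constructed bad variant; "my_api_password" is a hypothetical key, not a plugin option.
BAD = (GOOD.replace("verify_certs: True", "verify_certs: False")
           .replace("oa_api_proto: https", "oa_api_proto: http")
       + "my_api_password: example-only\n")

TOP_LEVEL = re.compile(r"^([A-Za-z_]\w*):[ \t]*(.*?)[ \t]*(?:#.*)?$")
SECRET_KEY = re.compile(r"pass|secret|token", re.I)
FALSY = {"false", "no", "off", "0"}

def top_level_scalars(text):
    """Return {key: value} for unindented 'key: value' lines (no YAML library needed)."""
    pairs = (TOP_LEVEL.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip("'\"") for m in pairs if m}

def audit_inventory(text, env):
    """Return findings for one inventory file and the environment the job will see."""
    cfg, findings = top_level_scalars(text), []
    if cfg.get("plugin") != "sedi.openaudit.inventory":
        findings.append("plugin is not sedi.openaudit.inventory")
    # Plugin defaults are not assumed, so a missing oa_api_proto is reported too.
    if cfg.get("oa_api_proto", "").lower() != "https":
        findings.append("oa_api_proto is not set to https")
    if cfg.get("verify_certs", "").lower() in FALSY:
        findings.append("verify_certs is disabled")
    for key, value in cfg.items():
        if SECRET_KEY.search(key) and value and not value.startswith("{{"):
            findings.append(f"literal value under secret-like key {key}")
    # The injector configuration above exports these two; only presence is checked.
    findings += [f"{v} is not set" for v in ("OA_USERNAME", "OA_PASSWORD") if not env.get(v)]
    return findings

if __name__ == "__main__":
    problems = audit_inventory(open(sys.argv[1]).read(), os.environ)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Applied to the example inventory file shown earlier with both variables set, it reports one finding: verify_certs is disabled.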