In the readme they give this option.

include_role:
name: ../..

I thought that this should be the role name that you have provided. In the case of inventory it would be inventory, host,

Hi,

I have been putting together my playbooks. and data structure. I have created my tower_auth.yml file with the necessary vars and encrypted it.

When I run the role for tower_settings everything works so I was quite happy about that. However what I am finding is that the other roles keep coming up with errors such as this:

msg: 'Failed to get token: HTTP Error 401: Unauthorized'
response: '{"detail":"Authentication credentials were not provided. To establish a login session, visit /api/login/."}'

I can understand some of the roles are not working because of a templating error (I was using lookup plugin for the first time and I suspect i wasnt using it properly), but I would have thought that the other roles would accept my login. any help would be appreciated.

The credentials role has a default var tower_credentials set. This causes the role to always be run when setting a conditional on the role as in the example playbooks.

This snippet will never be skipped.

roles:  
   - {role: credentials, when: tower_credentials is defined, tags: credentials}

I'm seeing a lot of effort on importing data into Tower with the collection but I don't see anything specific to exporting from Tower. Is this possible? And if so, how? I see no mention of exporting in the README.

@jffz has created a new tower_applications module:
ansible/awx#7845

I think it would benefit this repo to include a role utilizing this module. Expecting plenty of feedback, but I'll take a shot at contributing such a role.

Trying to add a job template using the collection but it fails when making a request to the labels API. Json for Job template:

{
  "tower_templates": [
    {
      "name": "Provision Hybrid Cloud in AWS with Tower",
      "job_type": "run",
      "inventory": "Tower Server",
      "organization": "Texas Roadracing",
      "project": "HybridCloud",
      "playbook": "test_aws_roles.yml",
      "credentials": [
          "AWS Secret Key",
          "Tower User"
      ],
      "verbosity": 1,
      "extra_vars": {
      },
      "survey_enabled": "no",
      "become_enabled": "yes",
      "allow_simultaneous": "yes",
      "scm_branch": "dev",
      "labels": "HybridCloud",
      "state": "present"
    }
  ]
}

All items in the JSON are successfully created using other roles in the collection. However when attempting to add the Job Template it fails and I don't understand why a request to labels for the HybridCloud project is being made.
"msg": "Request to /api/v2/labels/?name=HybridCloud returned 0 items, expected 1"

failed: [localhost] (item={'name': 'Provision Hybrid Cloud in AWS with Tower', 'job_type': 'run', 'inventory': 'Tower Server', 'organization': 'Texas Roadracing', 'project': 'HybridCloud', 'playbook': 'test_aws_roles.yml', 'credentials': ['AWS Secret Key', 'Tower User'], 'verbosity': 1, 'extra_vars': {}, 'survey_enabled': 'no', 'become_enabled': 'yes', 'allow_simultaneous': 'yes', 'scm_branch': 'dev', 'labels': 'HybridCloud', 'state': 'present'}) => {
    "ansible_loop_var": "tower_templates_item",
    "changed": false,
    "invocation": {
        "module_args": {
            "allow_simultaneous": true,
            "ask_credential_on_launch": null,
            "ask_diff_mode_on_launch": false,
            "ask_inventory_on_launch": null,
            "ask_job_type_on_launch": null,
            "ask_limit_on_launch": false,
            "ask_scm_branch_on_launch": null,
            "ask_skip_tags_on_launch": false,
            "ask_tags_on_launch": false,
            "ask_variables_on_launch": false,
            "ask_verbosity_on_launch": false,
            "become_enabled": true,
            "credential": "",
            "credentials": [
                "AWS Secret Key",
                "Tower User"
            ],
            "custom_virtualenv": null,
            "description": "",
            "diff_mode": false,
            "extra_vars": {},
            "force_handlers": false,
            "forks": 0,
            "host_config_key": null,
            "inventory": "Tower Server",
            "job_slice_count": 1,
            "job_tags": "",
            "job_type": "run",
            "labels": [
                "HybridCloud"
            ],
            "limit": "",
            "name": "Provision Hybrid Cloud in AWS with Tower",
            "new_name": null,
            "notification_templates_error": [],
            "notification_templates_started": [],
            "notification_templates_success": [],
            "organization": "Texas Roadracing",
            "playbook": "test_aws_roles.yml",
            "project": "HybridCloud",
            "scm_branch": "dev",
            "skip_tags": "",
            "start_at_task": "",
            "state": "present",
            "survey_enabled": false,
            "survey_spec": null,
            "timeout": 0,
            "tower_config_file": null,
            "tower_host": "tower.texasroadracing.com",
            "tower_oauthtoken": "",
            "tower_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "tower_username": "admin",
            "use_fact_cache": false,
            "validate_certs": false,
            "vault_credential": "",
            "verbosity": 1,
            "webhook_credential": null,
            "webhook_service": null
        }
    },
    "msg": "Request to /api/v2/labels/?name=HybridCloud returned 0 items, expected 1",
    "query": {
        "name": "HybridCloud"
    },
    "response": {
        "json": {
            "count": 0,
            "next": null,
            "previous": null,
            "results": []
        },
        "status_code": 200
    },
    "total_results": 0,
    "tower_templates_item": {
        "allow_simultaneous": "yes",
        "become_enabled": "yes",
        "credentials": [
            "AWS Secret Key",
            "Tower User"
        ],
        "extra_vars": {},
        "inventory": "Tower Server",
        "job_type": "run",
        "labels": "HybridCloud",
        "name": "Provision Hybrid Cloud in AWS with Tower",
        "organization": "Texas Roadracing",
        "playbook": "test_aws_roles.yml",
        "project": "HybridCloud",
        "scm_branch": "dev",
        "state": "present",
        "survey_enabled": "no",
        "verbosity": 1
    }
}

Reminder for collection owners: please update your collections with appropriate changelogs by Monday, September 7. See Generating Changelogs for a collection for details on using the Ansible-provided tool. You can also link directly to your own changelogs or release notes by adding the link to an issue here by that same date.

The AWX collection has changed the name of tower_notification to tower_notification_template.

The same change should be made in this repo. (notifications role should become notification_templates role)

What is the difference and/or value add of this collection over the following other existing collections?

• ansibe.tower collection
• awx.awx collection

Tower Settings should add the settings option and use it to send all the settings in one task without a loop. This will speed up the process of the role.

- name: Set all the LDAP Auth Bind Params
  tower_settings:
    settings:
      AUTH_LDAP_BIND_PASSWORD: "password"
      AUTH_LDAP_USER_ATTR_MAP:
        email: "mail"
        first_name: "givenName"
        last_name: "surname"

Authentication requirements

Linting requirements

Hi,

I dont know if this is the right place to put this. But I was using the tower_credential to create a machine credential with a ssh private key.

I worked out that the input that I need to use is ssh_key_data to enter in a private key.

I have a private key and I have tested it connectivity to a remote machine from a normal linux box.

I have created the credential object through the GUI and can successfully connect.

However when I tried to enter in the private key verbatim into the ssh_key_data from this role it says there are templating errors.

I suspect that I am entering it incorrectly so I am wondering what is the correct way to enter in ssh_key_data through the role.

Appreciate if this is not in the right place. I appreciate any help. This collection has been great.

Tower workflow nodes have options that are not included in our role, like inventory and scm, we need to add those in for use.

Hi team.

We have a good set of Ansible Tower roles in infra-ansible that relies on the Tower API rather than Ansible modules such as awx. We believe this is beneficial in many cases as it is very light weight and require very few dependencies. In the spirit of collaboration, we would like contribute these roles into this repo for re-use, but wondering how we could do this as there are many overlapping roles. The options as I see it are:

1. Combine roles with existing ones here and use an inventory flag to indicate if API should be used v.s. non-API
2. Keep a separate set of "API roles" - perhaps under roles/api-based/<role>
3. Anything else?

Any guidance and preference?

CC @tonykay @tylerauerbeck @pabrahamsson @paulbarfuss

The users role has a default var tower_user_accounts set. This causes the role to always be run when setting a conditional on the role as in the example playbooks.

This snippet will never be skipped.

roles:  
    - {role: users, when: tower_user_accounts is defined, tags: users}

I didn't fully document all possibilities in PR #117 because I never used the role, it's rather complex and I wasn't sure how to document it properly. Someone with more experience might take this issue, else I'll do it once I need the role 😏

There is a documentation error for job templates.

In the table describing the variables the documentation indicates to define the data structure as job_templates. But in the actual JSON example it's just templates. And looking at the task it appears you're looking for tower_templates.

https://github.com/sean-m-sullivan/tower_configuration/tree/master/roles/license

Readme.md is generic, needs to be updated to our standards

Just spotted that the Lint pipeline has started failing due to a change in a dependency. This will need resolving

> Run sudo apt install software-properties-common

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
software-properties-common is already the newest version (0.98.9.3).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Hit:4 https://storage.googleapis.com/bazel-apt stable InRelease
Get:5 http://dl.google.com/linux/chrome/deb stable InRelease [1811 B]
Ign:6 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 InRelease
Get:8 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release [5384 B]
Hit:9 https://packages.microsoft.com/repos/azure-cli focal InRelease
Hit:11 https://download.mono-project.com/repo/ubuntu stable-focal InRelease
Get:12 https://packages.microsoft.com/ubuntu/20.04/prod focal InRelease [10.5 kB]
Hit:10 https://cli-assets.heroku.com/apt ./ InRelease
Get:13 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 Release.gpg [801 B]
Get:14 https://packages.cloud.google.com/apt cloud-sdk InRelease [6739 B]
Get:15 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Ign:16 http://ppa.launchpad.net/ansible/ansible/ubuntu focal InRelease
Hit:7 https://packages.cloud.google.com/apt kubernetes-xenial InRelease
Hit:17 https://apt.postgresql.org/pub/repos/apt focal-pgdg InRelease
Hit:19 http://ppa.launchpad.net/apt-fast/stable/ubuntu focal InRelease
Ign:20 https://dl.bintray.com/sbt/debian  InRelease
Get:21 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease [1634 B]
Hit:22 https://dl.yarnpkg.com/debian stable InRelease
Hit:23 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
Get:24 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [807 kB]
Get:25 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [11.8 kB]
Hit:18 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease
Get:26 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [740 kB]
Get:27 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [15.6 kB]
Hit:28 http://ppa.launchpad.net/hvr/ghc/ubuntu focal InRelease
Hit:29 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease
Get:30 https://dl.bintray.com/sbt/debian  Release [815 B]
Get:31 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages [1084 B]
Err:32 http://ppa.launchpad.net/ansible/ansible/ubuntu focal Release
  404  Not Found [IP: 91.189.95.85 80]
Get:33 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages [54.0 kB]
Get:34 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4/multiverse arm64 Packages [6835 B]
Get:35 https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4/multiverse amd64 Packages [8483 B]
Get:36 https://packages.cloud.google.com/apt cloud-sdk/main amd64 Packages [159 kB]
Get:37 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  Packages [12.1 kB]
Reading package lists...
E: The repository 'http://ppa.launchpad.net/ansible/ansible/ubuntu focal Release' does not have a Release file.
Error: Process completed with exit code 100.

Update Readme.md to be more descriptive of the project. This is important for our galaxy release as its what put on the page in galaxy to inform about the collection.

As the subject says, it's solely at the OS level and IMHO doesn't really fit in the scope of this collection.

Following the example of tower_workflow, update the other roles that are in https://github.com/redhat-cop/tower_configuration/tree/master/playbooks/tower_configs_export_model to use the both data models

current models needed to be consumed:
credential_types_export.yml
credentials_export.yml
inventory_export.yml
inventory_sources_export.yml
job_templates_export.yml
notifications_templates_export.yml
projects_export.yml
teams_export.yml
users_export.yml

The default values for e.g. tower_username and tower_oauthtoken as defined in the roles in this collection are empty strings, which causes an empty string to be passed to the various awx.awx modules instead of null. This results in requiring that e.g. tower_oauthtoken is explicitly defined somewhere in Ansible rather than inheriting its value from the appropriate env.

Now that we've removed kind as its depreciated, lets remove the other related depreciated arguments.

Tower Labels Role to be created

Neither in the awx.awx collection nor in this collection have I seen how to create an inventory script.

Are you all aware of the new requirement to associate an "Ansible Galaxy / Automation Hub API Token" credential type with an organization now in order for Tower to successfully install Roles / Collections?

https://docs.ansible.com/ansible-tower/latest/html/userguide/projects.html#using-collections-in-tower

It appears there is a default "Ansible Galaxy" credential that is created when a person installs Tower. But it needs to be associated with an Organization before projects will use it. Without it, project sync will not install roles or collections. And I see no option for the Organization role to associate the Ansible Galaxy credentials with the Organizations that are created or updated.

The awx.awx.tower_credential module has deprecated the parameter kind in favor or credential_type.

In roles/credentials/tasks/main.yml:9, this parameter is still provided to tower_credential, along the credential_type parameter.

An exported credential with awxkit 17.0.0 looks as follows:

tower_credentials:
- credential_type:
    kind: cloud
    name: '[DEMO] Demo Credential Type'
    type: credential_type
  description: ''
  inputs:
    demo_username: admin
  name: '[DEMO] Demo Credential'
  natural_key:
    credential_type:
      kind: cloud
      name: '[DEMO] Demo Credential Type'
      type: credential_type
    name: '[DEMO] Demo Credential'
    organization:
      name: Default
      type: organization
    type: credential
  organization:
    name: Default
    type: organization

Importing such credential will break since kind will have the value cloud, which is not authorized in tower_credential.py from awx.awx.

By simply removing roles/credentials/tasks/main.yml:9 and passing only credential_type (line 8 of the same file), the import for credentials of cloud or external types is correctly working.

Since kind is deprecared in awx.awx.tower_credential, perhaps it should be removed in the role.

utilize docker-compose to stand up tower/awx infra

I checked at least to 3.6.4 but Tower Notifications should use notification_configuration instead of Depreciated: server, nickname, targets, etc. This may break things for users, or we can leave the depreciated items in there. Will bring up for discussion.

The tower export dual data model should be done when this rewrite happens, as it uses this structure as well.

Two problems here:

1. When the changelog PR is raised automatically, it gets labelled which should kick off the auto merge action. It does not.
2. The auto-merge action fails because it requires an approval

We can proceed with this in two ways:

1. we try to work out the cause of the action not starting on initial labelling (by removing the label and re-adding it does start the action). We then need to find a way of auto-approving the PR as well.
2. We just raise the one of the maintainers can just approve and merge it manually.

Is there an option to have tower_group? I can submit a PR for this feature that follows the setup you have

Tested with awxkit 17.0.0

(very similar to #144 , but this time for project update).

When exporting a project using awx export --projects , the generated YAML file is as follows:

- allow_override: true
  credential:
    credential_type:
      kind: scm
      name: Source Control
      type: credential_type
    name: git.net-courrier - source control
    organization:
      name: CSM SI
      type: organization
    type: credential
[...]

The code in roles/project_update/tasks/main.yml#L6 to update the project is not able to directly use this YAML and will break with the following error:

"msg": "Request to /api/v2/organizations/?name=%7B%27type%27%3A+%27organization%27%2C+%27name%27%3A+%27CSM+SI%27%7D returned 0 items, expected 1"

A very simple fix would be to change line 6 from:

organization:       "{{ __project_update_update_item.organization | default(omit, true) }}"

to:

organization:       "{{ __project_update_update_item.organization.name | default(__project_update_update_item.organization | default(omit, true)) }}"

Cheers

Modify your JSON or YAML definition of a workflow to set the workflow state to absent. Then execute tower_configuration.workflow_job_template. The play will fail because the task will still execute add_workflows_schema.yml even though the workflow was removed from Tower.

The tower_credential_input_sources role has a default var tower_credential_input_sources set as an example. This causes the role to always be run when setting a conditional on the role as in the example playbooks.

This snippet will never be skipped.

roles:  
   - {role: credential_input_sources, when: tower_credential_input_sources is defined, tags: credential_input_sources}

Been going through this collection and reached the final hurdle of my existing section which is credential types.

In my previous role I put everything into a json file and read in through the vars. However this was using the old tower-custom-credential role.

I've looked at the example of the yaml format that you have provided and translated what i have in json to yaml as close i can.
The gist i have created can be found here.
I copied it from this example. It does work in the previous role because they used json.

When i run with the yaml data structure format I get the error message:
fatal: [localhost]: FAILED! =>
msg: '''tower'' is undefined'

I can only surmise that it is balking at the injectors part... with the secret key. it is seeing the var. I would be grateful for any help/guidance given

Thanking you in advance.

A new module, tower_inventory_source_update, was created to allow update of inventory sources. A new role should be created to wrap this module.

For example https://github.com/redhat-cop/tower_configuration/tree/devel/roles/credentials

consider clarifying the data structure format to ensure the end user realizes they need to pass a list of dictionaries

https://github.com/redhat-cop/tower_configuration/blob/d917601bfc076a038fbdba6d56ae11f2ed8293f2/roles/credentials/tasks/main.yml#L10

When creating credentials a deprecation warning displayed:

[DEPRECATION WARNING]: The kind parameter has been deprecated, please use credential_type instead. This feature will be removed in version 
ansible.tower:4.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

The credentials role needs to be updated to replace the kind key.

View https://github.com/redhat-cop/tower_configuration/blob/devel/roles/workflow_job_templates/tasks/main.yml

The task name is "Create workflow" however this isn't always appropriate since the user can set the state to absent. Maybe change the task name to something like "Manage Workflows" instead.

Hi there,

In the documentation for Custom Credential Type it mentions something about the formatting of jinja and the injectors. Here is a sample of my injector for a custom credential that I am testing out as per the example.

https://gist.github.com/weiyentan/a1dbf3e384fa19d239083bc7415b18d1

What I am finding is that when I am running the code on AWX ...v12 I am seeing it in the custom credential type like this:

https://gist.github.com/weiyentan/8210e56c09c9e6ace37ea954293a354b

Any help or clarity would be most welcome. Many thanks on this great collection.

I wasn't aware but you can define a search list for collections in roles. That means that we should be able to remove the explicit awx.awx in all roles by adding something like the following to meta/main.yml:

collections:
- ansible.tower
- awx.awx

(assuming we want ansible.tower to be the default, and entries are ignored if they're not installed). That would make reuse in an enterprise context much easier.

What do you think?

It has been proposed to change the name of the collection.
automate_tower_genie_collections

Some people don't like the name genie, others think its too long
An example of other collection names are:
community.kubernetes , where community is the galaxy designator.

Perhaps automate_tower ?

Keep in mind we would be using this in the namespace of the role for vars.
tower_genie_credentials_secure_logging

Here is a list of roles that need fixed and what needs added.

1. Credentials

• update_secrets

2. Inventory Source

• enabled_var
• enabled_value
• host_filter

3. license

• change from licence to manifest

4. users

• update_secrets

5. workflows - job nodes

• identifier needs format fixed with extra space.

The following role needs to be created:

• instance_group

The projects role has a default var tower_projects set. This causes the role to always be run when setting a conditional on the role as in the example playbooks.

This snippet will never be skipped.

roles:  
   - {role: projects, when: tower_projects is defined, tags: projects}

As we go forwards and begin to get more input from the community, it will be good to have a template for PRs and a contributing guideline as this is best practice.

There are examples in other CoP repos we can steal make use of.

Tested with awxkit 17.0.0

When exporting a project using awx export --projects , the generated YAML file is as follows:

- allow_override: true
  credential:
    credential_type:
      kind: scm
      name: Source Control
      type: credential_type
    name: git.net-courrier - source control
    organization:
      name: CSM SI
      type: organization
    type: credential
[...]

The code in roles/projects/tasks/main.yml#L11 to import the project is not able to directly use this YAML and will break with the following error:

"msg": "Request to /api/v2/credentials/?name=%7B%27credential_type%27%3A+%7B%27kind%27%3A+%27scm%27%2C+%27name%27%3A+%27Source+Control%27%2C+%27type%27%3A+%27credential_type%27%7D%2C+%27name%27%3A+%27git.net-courrier+-+source+control%27%2C+%27organization%27%3A+%7B%27name%27%3A+%27CSM+SI%27%2C+%27type%27%3A+%27organization%27%7D%2C+%27type%27%3A+%27credential%27%7D returned 0 items, expected 1",

A very simple fix would be to change line 11 from:

"scm_credential:                 "{{ tower_projects_item.scm_credential | default(tower_projects_item.credential | default(omit)) }}""

to:

"scm_credential:                 "{{ tower_projects_item.scm_credential | default(tower_projects_item.credential.name | default(omit)) }}""

Making thus very easy to export/import directly.

Came up in the discussion around #132, should empty strings (i.e. "") be omitted (or use the default value) when passed to modules in some or all cases?

As a consumer of this collection, there's a couple of spots where I think an intentional empty string is a "valid" value (e.g. descriptions), but most of the time I suspect an empty string will be unintentional, especially when used for credentials or connection info.

I've been trying to run ansible-lint locally before I push my commits but it proved more difficult than I thought. The only way to fix the issue I could find and it's not really a solution was:

1. temporarily remove ansible.cfg so that it uses the standard collection directory (ansible-galaxy collection install awx.awx did also the trick and installed under collections)
2. I could get the check to work only by setting the exclude_paths list to absolute paths in .github/workflow-config/.ansiblelint.yml:

-# exclude_paths:
-#  - roles/master_role_example/
+exclude_paths:
+- /home/myuser/[...development path...]/redhat_cop/tower_configuration/roles/master_role_example/

at the end calling then ansible-lint -v --show-relpath -c .github/workflow-config/.ansiblelint.yml worked.

I can live with the first point but perhaps we should document a bit somewhere how to test locally, and for the 2nd point, we could update the .ansiblelint.yml file to use the absolute path as in the pipeline, or is not an issue in the pipeline?