06 Jun

Dynamic inventory from GIT on AWX

In many deployments nobody runs the Ansible playbooks directly from the command line. In the long term that is not flexible, gives you no fine-grained permissions and no control over which code is trusted to run. So people use Ansible Tower or its free upstream version, AWX. Every playbook, however you run it, needs an inventory. Sometimes this is a static file with a list of hosts; other times it is a script that builds the inventory for the playbook on the fly. In the latter case we call it a dynamic inventory.

If you keep your Ansible project, with all its scripts and playbooks, in a Git repository, you can import it into AWX. You can also maintain dynamic inventory scripts as part of that project and use them to build an AWX inventory.

The source of truth

In an enterprise IT solution you have to build your automation platform on several components. One of them is a source of truth. By this term we usually mean the central database where you keep information about your devices, their IP addresses, the IP addressing plan and the list of already assigned addresses. It can be part of a larger incident and change management product or a dedicated application. We call it a source of truth because it should be the only place where up-to-date information about the IT infrastructure is stored.

You do not want to duplicate information across two or more systems. Trust me; you won't be able to keep them in sync. People will forget to update one of the systems at some point, and stale information may lead to an outage. Imagine someone forgot to update the server list and your script just wiped out very important VMs... No, this is not what you want. So you keep a single source of truth; every other system just queries it and, if required, updates it.

If you run a network without many devices, take a look at the free NetBox, which is a simple IPAM and DCIM tool. Enterprises use more advanced products such as ServiceNow.


Dynamic inventory

Ansible accepts static inventory files and the output generated by scripts. If you use Ansible Tower or AWX, the inventory is an object that you later attach to a job template. One inventory can combine multiple methods of getting the required data: you create the inventory and attach any number of sources to it. A source can be one of the predefined plugins (Amazon EC2, OpenStack and others), a custom script, or a file from a project repository.

Enterprises usually need strict change control over code, so you keep the automation projects in a Git repository. I recommend this approach to everyone because of the security and flexibility it gives (every change is attributable and can be reviewed before it runs). All you need to do is keep the directory structure as Ansible requires. You can then use the Git repository as the project source in Ansible Tower or AWX: point it at the repository URL, provide credentials, and AWX will pull the files and keep them synced with Git.


Inventory script from a repository

As an inventory source you can use a file from the project. It can be either a static file or a dynamic script. To use one, open the selected inventory in AWX, add a new Source and choose Sourced from a Project in the Source pull-down list. When you pick one of your projects, the available inventories appear in the Inventory File pull-down list. Static files are recognised by AWX automatically.

Dynamic inventory scripts must fulfil two requirements. First, the script must start with a shebang line, for example:

#!/usr/bin/env python

AWX does not guess that your script is Python; the file is executed directly, so the kernel reads the first line to find the interpreter, and that interpreter has to exist inside the container in which AWX runs the job. The second requirement is that the script must have the executable (+x) flag set. The tricky part is that this flag must also be set in the Git repository (Git records it as file mode 100755), so check that it is set on your local copy before pushing the change. If the file is not executable, it will not be visible in the pull-down list, and you will also get an error if you type the file name into that field by hand. On top of these two, the script has to behave as an Ansible dynamic inventory script: print a JSON inventory when called with --list, and the variables of one host (or an empty JSON object when all host variables are already delivered under _meta) when called with --host <hostname>.

Setting the executable flag locally on AWX after it has pulled the repository will not help either; the file will still not be on the list. Besides, this approach makes little sense: every time AWX syncs the project from the repository, the flag will be gone again.
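A practical way to catch the missing flag before it reaches AWX is to check the Git index rather than the working copy, because the index is what gets pushed. The script below is an added example written for this post, not something from AWX or the original project; it parses the output of git ls-files -s (constructed sample output is embedded so it runs offline) and reports inventory scripts committed as mode 100644. The inventory/ directory, the .py suffix and the use of python3 are assumptions.

```python
#!/usr/bin/env python3
"""Pre-push check: inventory scripts in the Git index must carry mode 100755.

Git stores the executable bit as the mode of each index entry, and
`git ls-files -s` prints it as "<mode> <blob> <stage>\t<path>". A script
committed as 100644 stays invisible in AWX's Inventory File list no matter
what you chmod on the AWX side afterwards.
"""
import re
import subprocess

# One line of `git ls-files -s` output (40-hex SHA-1 or 64-hex SHA-256).
_LS_FILES_RE = re.compile(
    r"^(?P<mode>\d{6}) (?P<sha>[0-9a-f]{40,64}) (?P<stage>\d)\t(?P<path>.+)$")

# Constructed sample output, standing in for a real repository.
SAMPLE_LS_FILES = "\n".join([
    "100755 " + "a" * 40 + " 0\tinventory/servicenow.py",   # correct
    "100644 " + "b" * 40 + " 0\tinventory/netbox.py",       # missing +x
    "100644 " + "c" * 40 + " 0\tinventory/hosts",           # static file, fine
    "120000 " + "d" * 40 + " 0\tinventory/link.py",         # symlink, ignored
    "100644 " + "e" * 40 + " 0\tplaybooks/site.yml",        # not an inventory
])


def parse_ls_files(output):
    """Parse `git ls-files -s` output into a list of (mode, path) tuples."""
    entries = []
    for line in output.splitlines():
        match = _LS_FILES_RE.match(line)
        if match:  # anything else is not an index entry
            entries.append((match.group("mode"), match.group("path")))
    return entries


def non_executable_scripts(entries, directory="inventory/", suffix=".py"):
    """Return paths of inventory scripts whose index mode is a plain file (100644).

    Symlinks (120000) and submodules (160000) are skipped: they are not scripts.
    """
    return [path for mode, path in entries
            if path.startswith(directory) and path.endswith(suffix)
            and mode == "100644"]


def git_ls_files():
    """Run `git ls-files -s` in the current repository and return its output."""
    result = subprocess.run(["git", "ls-files", "-s"], check=True,
                            capture_output=True, text=True)
    return result.stdout


def main():
    bad = non_executable_scripts(parse_ls_files(git_ls_files()))
    for path in bad:
        print("not executable in the Git index: %s" % path)
        # Sets the bit in the index even on filesystems that do not track it.
        print("  fix: git update-index --chmod=+x %s" % path)
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the repository root (or wire it into a pre-push hook); a non-zero exit blocks the push until git update-index --chmod=+x has been applied and committed.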


Script reading from a local file system

The dynamic script usually needs an additional configuration file with sensitive data such as an API token or a username and password for the source-of-truth system. It is not wise to keep such files in the repository; many auditors treat it as a security violation, and anyone with read access to the repository (including its history) gets the credentials. Instead, edit the inventory script so that it reads the file from the Ansible Tower local file system, or from a path that is mounted into the container in which AWX runs the job.
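Putting the two sections above together, here is a complete dynamic inventory script of the kind this post describes. It is an added example, not code from the original post or from AWX: the credentials live in a JSON file outside the repository (the path /etc/ansible/sot_inventory.json, the SOT_INVENTORY_CONFIG override variable, the /api/devices/ endpoint and the shape of its records are all assumptions; the device list embedded below is constructed sample data so the conversion can be run offline). The script refuses a config file that other users can read, answers --list and --host with JSON, and exits non-zero on any error so AWX marks the sync failed instead of silently emptying the inventory.

```python
#!/usr/bin/env python3
"""Dynamic inventory script whose credentials live outside the Git project.

AWX calls it as `script --list` or `script --host <name>`. The URL and token
of the source of truth are read from a file on the AWX host (or mounted into
the task container), never from the repository.
"""
import argparse
import json
import os
import re
import sys
import urllib.request

# Assumed location; override with the SOT_INVENTORY_CONFIG environment variable.
DEFAULT_CONFIG_PATH = "/etc/ansible/sot_inventory.json"
REQUIRED_KEYS = ("url", "token")

# Constructed sample records, mimicking what the source-of-truth API might return.
SAMPLE_DEVICES = [
    {"name": "fw-01", "site": "dc-1", "role": "firewall",
     "status": "active", "primary_ip": "10.0.0.1"},
    {"name": "sw-core-01", "site": "dc-1", "role": "switch",
     "status": "active", "primary_ip": "10.0.0.2"},
    {"name": "sw-old-01", "site": "dc-1", "role": "switch",
     "status": "decommissioned", "primary_ip": "10.0.0.3"},
    {"name": "rtr-02", "site": "branch-2", "role": "router",
     "status": "active", "primary_ip": None},
]


def parse_config(text):
    """Validate the JSON config document and return it as a dict."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if not cfg.get(k)]
    if missing:
        raise ValueError("config is missing: " + ", ".join(missing))
    return cfg


def load_config(path=None):
    """Read the config file, refusing one that group/world can read."""
    path = path or os.environ.get("SOT_INVENTORY_CONFIG", DEFAULT_CONFIG_PATH)
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise ValueError("%s is readable by others (mode %o); chmod 600 it"
                         % (path, mode))
    with open(path) as fh:
        return parse_config(fh.read())


def fetch_devices(cfg):
    """Query the source of truth (endpoint and record format are assumptions)."""
    req = urllib.request.Request(
        cfg["url"].rstrip("/") + "/api/devices/",
        headers={"Authorization": "Token " + cfg["token"],
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=cfg.get("timeout", 30)) as resp:
        return json.load(resp)["results"]


def group_name(raw):
    """Ansible group names must be valid identifiers: replace anything else."""
    return re.sub(r"[^A-Za-z0-9_]", "_", raw)


def build_inventory(devices):
    """Convert device records into Ansible's dynamic inventory JSON structure.

    One group per site and per role; host variables go under _meta so Ansible
    does not call --host once per device. Devices that are not active or have
    no primary IP are left out so a playbook can never target them.
    """
    inv = {"_meta": {"hostvars": {}}}
    for dev in devices:
        if dev.get("status") != "active" or not dev.get("primary_ip"):
            continue
        name = dev["name"]
        inv["_meta"]["hostvars"][name] = {"ansible_host": dev["primary_ip"],
                                          "site": dev["site"], "role": dev["role"]}
        for group in (group_name("site_" + dev["site"]),
                      group_name("role_" + dev["role"])):
            inv.setdefault(group, {"hosts": []})["hosts"].append(name)
    return inv


def main(argv=None):
    parser = argparse.ArgumentParser()
    choice = parser.add_mutually_exclusive_group(required=True)
    choice.add_argument("--list", action="store_true")
    choice.add_argument("--host")
    args = parser.parse_args(argv)
    if args.host:
        print(json.dumps({}))  # every host variable is already in _meta
        return 0
    try:
        devices = fetch_devices(load_config())
    except (OSError, ValueError) as exc:  # URLError and JSON errors included
        print("inventory error: %s" % exc, file=sys.stderr)
        return 1
    print(json.dumps(build_inventory(devices), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Commit the script with the executable bit set, create the config file on the AWX side with mode 600 owned by the user the jobs run as, and add the script as a Sourced from a Project inventory source; the non-zero exit on a missing or readable config is deliberate, because an empty inventory from a silent failure is exactly the "wiped out VMs" scenario from the source-of-truth section.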

There is another way, but I will write about it in another post.

