Workflow in Ansible Tower:
1. Create a second Ansible Tower superuser plus any normal users that are required (for example USER1, USER2 and ADMIN1).
2. Create Teams (for example OPS and DEV) and add the required users to each Team.
3. Create the static Inventories named UAT and PROD (a dynamic inventory can be used as well).
4. Create a group named DEV in the UAT Inventory.
5. Add the hosts Server2 and Server3 to the DEV group in the UAT Inventory. Server1 can be added directly to the PROD Inventory, since it needs no group.
6. Create all the credentials needed to authenticate to remote systems. Here we created a Machine credential named sudo (SSH login plus sudo privilege escalation) for the Inventory hosts, and a Source Control (SCM) credential named git-scm for the remote version control system, Git.
7. Create the http-git Project, which pulls its Ansible content from a Git repository using the git-scm SCM credential, and the apps Project, which takes its content from a local directory on the Tower server (for example /var/lib/awx/projects/apps).
8. Create the Job Templates apps-tp and http, each defined with an Inventory (UAT or PROD), a Project (apps or http-git) and the sudo Machine credential.
9. Launch the Job Templates; their output and results appear under the Jobs tab.
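The nine steps above as one script against the Tower REST API (v2). This is an added example, not code from the original post or from Ansible Tower itself. It assumes the Default organization and the built-in Machine and Source Control credential types already exist, a placeholder Tower hostname and Git URL, the usernames deploy and git, and a playbook named site.yml; all passwords are passed in by the caller. The FakeTower class is a constructed in-memory stand-in so the script runs offline; against a real install, pass a requests.Session with its auth set instead.

```python
"""Provision the UAT/PROD workflow above through the Tower REST API (v2)."""
from types import SimpleNamespace


class TowerClient:
    """Drives a requests.Session (auth already set) or any object with get/post."""
    def __init__(self, session, base_url="https://tower.example.com"):  # placeholder host
        self.s, self.base = session, base_url.rstrip("/") + "/api/v2/"
    def _call(self, method, path, **kw):
        r = getattr(self.s, method)(self.base + path.strip("/") + "/", **kw)
        r.raise_for_status()  # stop at the first failure instead of half-building the setup
        return r.json() if r.content else None  # association POSTs answer 204 with no body
    def find(self, path, **lookup):
        hits = self._call("get", path, params=lookup)["results"]
        if not hits:  # built-ins (Default org, credential types) must exist: fail loudly
            raise LookupError(f"{path} {lookup} not found")
        return hits[0]["id"]
    def get_or_create(self, path, lookup, payload=None):
        """Idempotent: a re-run must not duplicate users, hosts or templates."""
        hits = self._call("get", path, params=lookup)["results"]
        return hits[0]["id"] if hits else self._call(
            "post", path, json={**lookup, **(payload or {})})["id"]
    def associate(self, path, obj_id):
        self._call("post", path, json={"id": obj_id})  # link an existing child to a parent
    def launch(self, jt_id):
        return self._call("post", f"job_templates/{jt_id}/launch", json={})["job"]


def build_workflow(c, passwords, ssh_password, git_password):
    """Steps 1-8 in dependency order; secrets come from the caller, never from code."""
    org = c.find("organizations", name="Default")
    users = {u: c.get_or_create("users", {"username": u}, {"password": passwords[u],
             "is_superuser": u == "ADMIN1"}) for u in ("USER1", "USER2", "ADMIN1")}
    teams = {t: c.get_or_create("teams", {"name": t}, {"organization": org})
             for t in ("OPS", "DEV")}
    c.associate(f"teams/{teams['OPS']}/users", users["USER1"])
    c.associate(f"teams/{teams['DEV']}/users", users["USER2"])
    inv = {i: c.get_or_create("inventories", {"name": i}, {"organization": org})
           for i in ("UAT", "PROD")}
    dev = c.get_or_create("groups", {"name": "DEV", "inventory": inv["UAT"]})
    for h in ("Server2", "Server3"):  # posting into the group creates and links the host
        c.get_or_create(f"groups/{dev}/hosts", {"name": h, "inventory": inv["UAT"]})
    c.get_or_create("hosts", {"name": "Server1", "inventory": inv["PROD"]})  # no group needed
    sudo = c.get_or_create("credentials", {"name": "sudo"}, {
        "organization": org, "credential_type": c.find("credential_types", name="Machine"),
        "inputs": {"username": "deploy", "password": ssh_password, "become_method": "sudo"}})
    scm = c.get_or_create("credentials", {"name": "git-scm"}, {
        "organization": org, "credential_type": c.find("credential_types", name="Source Control"),
        "inputs": {"username": "git", "password": git_password}})
    proj = {"http-git": c.get_or_create("projects", {"name": "http-git"}, {"organization": org,
                "scm_type": "git", "credential": scm, "scm_url": "https://git.example.com/ops/http.git"}),
            "apps": c.get_or_create("projects", {"name": "apps"}, {"organization": org,
                "scm_type": "", "local_path": "apps"})}  # manual: /var/lib/awx/projects/apps
    jts = {}
    for name, i, p in (("apps-tp", "UAT", "apps"), ("http", "PROD", "http-git")):
        jts[name] = c.get_or_create("job_templates", {"name": name}, {"job_type": "run",
            "inventory": inv[i], "project": proj[p], "playbook": "site.yml"})  # playbook assumed
        c.associate(f"job_templates/{jts[name]}/credentials", sudo)  # v2 credential sub-collection
    return {"users": users, "teams": teams, "inventories": inv, "job_templates": jts}


def run_jobs(c, ids):
    """Step 9: launch each template; the returned job ids are what the Jobs tab lists."""
    return {name: c.launch(jt) for name, jt in ids["job_templates"].items()}


def _resp(body):  # the three requests.Response members the client touches
    return SimpleNamespace(content=b"" if body is None else b"{}",
                           raise_for_status=lambda: None, json=lambda: body)


class FakeTower:
    """Constructed in-memory stand-in for /api/v2/ so the example runs offline."""
    def __init__(self):
        self.store = {"organizations": [{"id": 1, "name": "Default"}], "credential_types": [
            {"id": 1, "name": "Machine"}, {"id": 2, "name": "Source Control"}]}
        self.links, self.jobs = [], 0  # links: (parent, parent_id, child_collection, child_id)
    def get(self, url, params=None):
        rows = self.store.get(url.split("/api/v2/")[1].strip("/").split("/")[-1], [])
        return _resp({"results": [o for o in rows
                                  if all(o.get(k) == v for k, v in (params or {}).items())]})
    def post(self, url, json=None):
        p = url.split("/api/v2/")[1].strip("/").split("/")
        if p[-1] == "launch":
            self.jobs += 1
            return _resp({"job": self.jobs})
        if len(p) == 3 and "id" in json:  # parent/<id>/child with {"id": N}: link only
            self.links.append((p[0], int(p[1]), p[2], json["id"]))
            return _resp(None)
        rows = self.store.setdefault(p[-1], [])
        obj = {"id": len(rows) + 1, **json}
        rows.append(obj)
        if len(p) == 3:  # created inside a sub-collection: created and linked
            self.links.append((p[0], int(p[1]), p[2], obj["id"]))
        return _resp(obj)


if __name__ == "__main__":
    api = TowerClient(FakeTower())  # real use: TowerClient(requests.Session()) with auth set
    ids = build_workflow(api, {"USER1": "pw1", "USER2": "pw2", "ADMIN1": "pw3"}, "ssh-pw", "git-pw")
    print(ids, run_jobs(api, ids))
```

Building everything through get_or_create lets the script be re-run as the environment changes without piling up duplicate hosts or templates, and a failed lookup of the Default organization or a credential type aborts before any resource is created. The secrets handed to the credentials (the sudo password, the Git password) are write-only once saved: Tower returns the literal `$encrypted$` in their place on every later read, so a User with only the use role on the sudo credential can run jobs with it without ever obtaining the password.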
Here is the list of resources in Ansible Tower:
Projects: In Ansible Tower, a project represents a collection of related Ansible playbooks.
Inventories: Inventories in Ansible Tower contain a collection of hosts to be managed.
Templates: The template resource defines the parameters which are to be used for the execution of an Ansible playbook by Ansible Tower.
Jobs: A job represents Tower's execution of an Ansible playbook against an inventory of hosts.
User: A User is someone who has access to Tower with associated permissions and credentials.
Team: A Team is a subdivision of an organization with associated users, projects, credentials, and permissions.
Credentials: Credentials are used to authenticate to remote systems for various purposes, such as launching Jobs against machines, synchronizing with inventory sources, and importing project content from a version control system like Git.
Workflow Templates: A workflow job template links together a sequence of otherwise separate job templates, so that the full set of jobs that make up a release process is tracked as a single unit.
Notifications: A Notifier is an instance of a Notification type (Email, Slack, Webhook, etc.) with a name, description, and a defined configuration.
Here are the types of users that can manage the Ansible Tower resources:
System Administrator (Superuser): Has unrestricted access to perform any action within the entire Tower installation and has read-write permission on all objects in all Organizations on the Tower.
System Auditor: Has a special singleton role, which has read-only access to the entire Tower installation.
Normal User: Has no special roles assigned initially, and starts with extremely limited access.
Role-based Access Control (RBAC):
There are additional roles that can be granted to a User on individual Ansible Tower objects, giving permission to view, use or change that object:
- Admin: The admin role on an object (for example a Credential) grants the User the ability to modify and delete it, as well as to use it in other Tower resources.
- Use: The use role grants the User the ability to use a Tower resource (for example a Credential) inside another Tower resource (for example a Job Template), without granting the ability to modify it.
- Read: The read role grants the User the ability to view the details of a Tower resource.
- Update: The update role grants the User the ability to update the details of a Tower resource.
Only for Organization resources:
- Admin: The Admin role on an Organization lets the User manage every aspect of it, including reading and changing the Organization and adding and removing Users and Teams.
- Auditor: The Auditor role on an Organization gives the User read-only access to it.
- Member: The Member role on an Organization gives the User read permission on it. The Organization Member role only lets the User view the list of Users who are members of the Organization and their assigned Organization roles.
Only for Inventory resources:
- Ad-hoc: The ad-hoc role grants the User the ability to run ad hoc commands against the Inventory.
Only for Job Template resources:
- Execute: The execute role grants the User the ability to run (execute) the Job Template.
I hope this post helps you get the overall picture and understanding of Ansible Tower.