We use AWX for configuration management, and our team has a lot of playbooks and 4 environment scopes (DEV, QA, STAGING, PRODUCTION). In our playbooks we use a specific variable in ansible.cfg that allows us to send notifications.

[some_section]
some_var = https://some-dev-url/service/job_complete?

On the dev env it looks like the example above; on qa we add qa to the link, on prod we add prod to the link, etc. When we push code between branches, for example dev -> qa, we always have a conflict because the link in ansible.cfg doesn't match. What we are doing now is always changing this link when we merge something. What I'm trying to do is pass this link with ansible extra vars (in ansible.cfg) when the playbook runs, but unfortunately I haven't had success. The only thing that happened was I pulled the variable out of the config, but I do not know what to do next.

    - name: SOME LINK
      debug:
        msg: "{{ lookup('ini', 'some_var section=some_section file=ansible.cfg') }}"

      OK: "msg": "https://some-dev-url/service/job_complete?"

The only thing that occurs to me is to rewrite the config somehow with a bash script when the playbook is started. If someone has a solution, please) (by the way, we tried to use git ignore on this file, it doesn't work)


1 Answer


As per the Ansible manuals it is important to have environment-specific inventories. You can associate this variable at the inventory level rather than at the job level. Here are my suggestions -
1. Make environment-specific inventories - It is important not to change the state of a node that is part of any other environment; this helps to avoid surprises at runtime. https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#example-one-inventory-per-environment.
2. Move env.-specific info out of playbooks into inventories - You can set up env.-specific variables at your inventory level along with magic variables. Magic variables are known to Ansible. For example -
ansible_connection, ansible_user, ansible_ssh_pass. Ansible understands: ok, it has to log in to the machine over ssh using ansible_user and ansible_ssh_pass.
This way you don't have to mention credentials at the AWX Job Template and can happily leave the machine credentials option empty at the template level. https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html#magic.
3. Variables and vault - Notice the credentials section contains values as variables. Obviously, we do not want to expose any credentials as plaintext. Therefore, it is important to follow Ansible best practice: let Ansible find the variables in the unencrypted file, while all sensitive variables come from the encrypted file. https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#variables-and-vaults.
I maintain a variable file, i.e. a config file, along with a vault to get rendered at runtime in playbooks. You can create a subdirectory, say vars, and map the variables mentioned as values in inventory variables to a vars/vars.yml file. vars.yml can have keys defined as -

ssh_secret_dev: "{{ vault_secret_pass }}"
ssh_user_dev: username

And encrypted vault file can have the final value -

vault_secret_pass: very_secret_password

Why the big dance? Why not just define everything in the vault and connect the inventory variable with the vault? This provides an extra layer of security where you can map secure credentials in the variable file and the extra-confidential ones in the vault. Obviously the vault will be encrypted, so you need to mention vault credentials at the Job Template level. The credentials section at the Job Template level will then only contain vault credentials.
4. Select prompt on launch for Inventory at the Job Template level - As we are making Workflows environment-specific, not Job Templates, we can mention the Inventory at the Workflow level and select the prompt-on-launch option at the Job Template level, so the Inventory applies to all Job Templates that have the prompt-on-launch option.
5. Edit playbooks to load those two variable files (vault.yml and vars.yml).

- hosts: localhost
  vars_files:
    - ./vars/vault.yml
    - ./vars/vars.yml
  gather_facts: no
  no_log: true
  tasks:
     - .....some tasks...... 

You can also make use of any variable you defined in the inventory (as long as it is not a special Ansible variable) and use it in your playbooks; its value can be picked up from the variable files.
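The one-inventory-per-environment layout the answer recommends, as an added example that is not code from the question or the answer: the notification URL lives in the dev inventory tree (qa/, staging/ and prod/ mirror it with their own values), so ansible.cfg is identical on every branch and the URL follows whichever inventory the Workflow passes down. The file paths, the variable names env_name, notify_url, notify_token and vault_notify_token, the placeholder token value, and the use of the AWX-injected awx_job_id are assumptions.

```yaml
# inventories/dev/hosts.yml  (one inventory tree per environment; qa/, staging/, prod/ mirror it)
all:
  hosts:
    localhost:
      ansible_connection: local
  vars:
    env_name: dev

---
# inventories/dev/group_vars/all/vars.yml  (plaintext, committed to git)
# Only the environment name differs between trees; the URL is templated from it.
notify_url: "https://some-{{ env_name }}-url/service/job_complete?"
notify_token: "{{ vault_notify_token }}"

---
# inventories/dev/group_vars/all/vault.yml  (encrypt with ansible-vault; shown decrypted)
# Constructed placeholder value; the real token never appears in plaintext in git.
vault_notify_token: "PLACEHOLDER_DEV_TOKEN"

---
# playbooks/notify.yml
# Run from AWX with the Inventory prompted on launch, or locally with:
#   ansible-playbook -i inventories/dev playbooks/notify.yml --ask-vault-pass
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Send job-complete notification for this environment
      uri:
        url: "{{ notify_url }}"
        method: POST
        headers:
          Authorization: "Bearer {{ notify_token }}"
        body_format: json
        body:
          env: "{{ env_name }}"
          job: "{{ awx_job_id | default('local') }}"   # awx_job_id is injected by AWX (assumption)
        status_code: [200, 202]
      no_log: true   # keep the bearer token out of the job output
```

With this layout a merge from dev to qa carries no environment-specific value, because nothing under playbooks/ or in ansible.cfg references the URL directly.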