Ansible execution environments come with the big promise that developers can run the same environment (Python, OS, …) locally as the one used on Ansible Automation Platform.

Unfortunately, that is not yet the case.

I’ve run into a couple of problems myself during the migration from plain ansible-playbook with Tower to ansible-navigator with AAP.

Collections

A nice feature in Tower and Ansible Automation Platform is that collections and roles are installed automatically when the project contains a proper collections/requirements.yml and/or roles/requirements.yml file.

This is not the case in ansible-navigator.

The suggestion in the docs is to use ansible-galaxy from your host system, and place the collections in the project directory (see https://ansible-navigator.readthedocs.io/en/latest/faq/#where-should-ansible-collections-be-placed-when-using-an-execution-environment). Alternatively, you can prepackage the collections you want in a custom image, but then you are in a situation where you may still override the collection at runtime on Tower, and not so in ansible-navigator…

Both approaches seem a bit awkward.

This command should give the same result for ansible-navigator as what happens in AAP.

ansible-galaxy collection install -r collections/requirements.yml -p ./collections

Ansible.cfg - inventories in Tower and AAP

So this is not strictly related to AAP, since I also ran into the problem on Tower.

During preparation for the reorganization of my playbooks, to move to AAP, I felt I needed an ansible.cfg file in the root directory of my project, to set some configuration settings. This ansible.cfg file is applied to all situations:

  • using ansible-playbook
  • using ansible-navigator (with or without execution environment)
  • using Tower
  • using AAP (with execution environment)

I added this line, with the idea that this would make my life easier. How wrong I was!

[inventory]
enable_plugins = auto, yaml, ini

While that works fine with ansible-playbook and ansible-navigator, I got this error on Tower and AAP:

[WARNING]:  * Failed to parse /tmp/awx_1074824_r0tjwkf9/inventory with yaml
plugin: We were unable to read either as JSON nor YAML, these are the errors we
got from each: JSON: Expecting value: line 1 column 1 (char 0)  Syntax Error
while loading YAML.   found character that cannot start any token  The error
appears to be in '/tmp/awx_1074824_r0tjwkf9/inventory': line 3, column 14490,
but may be elsewhere in the file depending on the exact syntax problem.  The
offending line appears to be:  # -*- coding: utf-8 -*- print('{"all": {"vars":

It literally took me 2 days to realize what was happening - I couldn’t find anything on the internet. The `# -*- coding: utf-8 -*-` shebang should have pointed me in the right direction in hindsight…

So I removed the enable_plugins line again, and all was well.

The reason is that AAP and ansible-navigator don’t process inventories the same way - in ansible-navigator, it uses the inventory file I am using, but on Tower and AAP, there is probably a script that retrieves the inventory information from Tower/AAP!
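A pre-flight check for this failure, added here as an example and not taken from the original post: it reads the `[inventory] enable_plugins` line from an ansible.cfg and reports when an inventory that is itself a script printing JSON (the form visible in the warning above) would be rejected because `script` is not in the list. The function names and the sample inventory are constructed, the `#!` first line of that sample is an assumption, and the default list is the one ansible-core uses when the setting is absent.

```python
import configparser

# ansible-core's default for [inventory] enable_plugins when the key is absent.
DEFAULT_PLUGINS = ["host_list", "script", "auto", "yaml", "ini", "toml"]

# The setting from this page.
PAGE_CFG = "[inventory]\nenable_plugins = auto, yaml, ini\n"

# Constructed sample modelled on the fragment in the warning: a small Python
# program that prints the inventory as JSON. The "#!" line is an assumption.
AWX_STYLE_INVENTORY = (
    "#! /usr/bin/env python\n"
    "# -*- coding: utf-8 -*-\n"
    "print('{\"all\": {\"vars\": {}}}')\n"
)


def enabled_plugins(cfg_text):
    """Return the inventory plugins an ansible.cfg (given as text) allows."""
    # interpolation=None: ansible.cfg values may contain literal '%' characters.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    raw = cfg.get("inventory", "enable_plugins", fallback=None)
    if raw is None:
        return list(DEFAULT_PLUGINS)
    return [name.strip() for name in raw.split(",") if name.strip()]


def looks_like_script(inventory_text):
    """True when the inventory is a program to execute, not data to parse."""
    return inventory_text.startswith("#!")


def check(cfg_text, inventory_text):
    """Return a list of findings; an empty list means no mismatch was found."""
    plugins = enabled_plugins(cfg_text)
    findings = []
    if looks_like_script(inventory_text) and "script" not in plugins:
        findings.append(
            "inventory is a script, but enable_plugins (%s) omits 'script'; "
            "try: enable_plugins = script, %s"
            % (", ".join(plugins), ", ".join(plugins))
        )
    return findings


if __name__ == "__main__":
    for finding in check(PAGE_CFG, AWX_STYLE_INVENTORY):
        print("WARNING:", finding)
```
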

Vaults

One big drawback of ansible-navigator with an execution environment is that prompts and interactions are not possible. I didn’t immediately realize this was true for vaults as well!

So on AAP, there’s a process that gets passed the Vault credential from the configuration, and everything works fine. However, running this locally with ansible-navigator, no such solution exists, and we’re confined to using workarounds…

The documentation proposes 2 solutions: https://ansible-navigator.readthedocs.io/en/latest/faq/#how-can-i-use-a-vault-password-with-ansible-navigator.

I use this approach (using the --vault-id parameter):

I create a vault_password.sh file in the root project/playbook directory and make it executable:

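#!/bin/sh
# THIS FILE SHOULD BE TRUSTED
# Print the vault password; quoted so spaces and glob characters survive,
# and fail with an error if the variable is not set.
printf '%s\n' "${ANSIBLE_VAULT_PASSWORD:?ANSIBLE_VAULT_PASSWORD is not set}"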

Then, I set the actual Vault password I want to use in the environment variable. The HISTCONTROL environment variable is set to ignoreboth, to NOT put commands preceded by a space ( ) in the command history.

export HISTCONTROL=ignoreboth
 export ANSIBLE_VAULT_PASSWORD=test

Since ansible-navigator passes all environment variables to the execution environment, this will also be available in the container image.

The --vault-id parameter can then be used to retrieve the vault password.

ansible-navigator run playbook.yml -i inventory/inventory1/ --vault-id "vault_password.sh"

This also works with an actual vault-id, for instance DEV:

ansible-navigator run playbook.yml -i inventory/inventory1/ --vault-id "DEV@vault_password.sh"

And this also works with good old ansible-playbook:

ansible-playbook playbook.yml -i inventory/inventory1/ --vault-id "DEV@vault_password.sh"

Again, in AAP, this just works (with vault credentials from AAP).