ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

awx.awx collection 19.2.2 using credential module to add a tower/controller credential #10582

Closed IPvSean closed 2 years ago

IPvSean commented 3 years ago

Summary

awx.awx 19.2.2 credential module (i.e. awx.awx.credential) will not function on Ansible Tower (only works on Automation controller). It would be ideal if we could support both kind: tower and kind: controller.

If you install the latest and greatest collection, all your tower modules will fail when they do this particular scenario.

AWX version

latest tower

Installation method

kubernetes

Modifications

no

Ansible version

    ➜ provisioner git:(gh-pages) ✗ ansible --version
    ansible [core 2.11.2]
      config file = /Users/sean/Documents/GitHub/IPvSean/workshops/provisioner/ansible.cfg
      configured module search path = ['/Users/sean/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
      ansible collection location = /Users/sean/.ansible/collections:/usr/share/ansible/collections
      executable location = /usr/local/bin/ansible
      python version = 3.9.4 (default, Apr 5 2021, 01:50:46) [Clang 12.0.0 (clang-1200.0.32.29)]
      jinja version = 3.0.1
      libyaml = True

Operating system

macOS Big Sur version 11.4

Web browser

No response

Steps to reproduce

- name: add tower credential into ansible tower
  awx.awx.credential:
    name: "Tower Credential"
    kind: "{{ controller_or_tower }}"
    organization: Default
    tower_username: admin
    tower_password: "{{ admin_password }}"
    tower_host: "https://{{ ansible_host }}"
    tower_verify_ssl: false
    inputs:
      host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}"
      username: admin
      password: "{{ admin_password }}"

Expected results

pass credential type with pass (work)

Actual results

if you put kind: controller (while the endpoint is tower)

fatal: [student1-ansible-1]: FAILED! => {"changed": false, "msg": "Request to /api/v2/credential_types/?name=Red+Hat+Ansible+Automation+Platform returned 0 items, expected 1", "query": {"name": "Red Hat Ansible Automation Platform"}, "response": {"json": {"count": 0, "next": null, "previous": null, "results": []}, "status_code": 200}, "total_results": 0}

if you put kind: tower (while the endpoint is tower):

fatal: [student1-ansible-1]: FAILED! => {"changed": false, "msg": "value of kind must be one of: aws, controller, gce, azure_rm, openstack, satellite6, rhv, vmware, aim, conjur, hashivault_kv, hashivault_ssh, azure_kv, insights, kubernetes_bearer_token, net, scm, ssh, github_token, gitlab_token, vault, got: tower"}

Additional information

been using internal Red Hat #awx_collection slack

AlanCoding commented 3 years ago

The intent is that credential type name would be used, like credential_type: Red Hat Ansible Automation Platform.

This kind field is not actually a field, it aliases to other things, and I honestly don't know what that processing layer looks like.

https://github.com/ansible/awx/blob/bc8e19b51dbb9066318ae49faac3edef4a60ca71/awx_collection/plugins/modules/credential.py#L77-L81

Granted, we have not yet removed it, and I know there is a lot of sticky use out there. So if there's something we did for kind=tower, then I'm okay to do the same for kind=controller for the moment.

IPvSean commented 3 years ago

How do you know the exact credential_type, I don't see that documented?

i.e. what you just said-> credential_type: Red Hat Ansible Automation Platform.

The documentation seems weak here-> image

AlanCoding commented 3 years ago

The module is complicated to use because the credential type API design is complicated. The philosophy of the collection is to align as closely as possible to the API so that people don't have to learn the same thing twice to use them.

The default behavior for related objects (see credential_type) is by name. If you look at /api/v2/credential_types/, you can see the name field for each credential type.

@IPvSean I find myself unable to reproduce now.

---
- hosts: localhost
  gather_facts: false
  connection: local
  collections:
    - awx.awx
  tasks:
    - name: add the default organization
      awx.awx.organization:
        name: Default

    - name: add tower credential into ansible tower
      awx.awx.credential:
        name: "Sean Tower Credential"
        kind: controller
        organization: Default
        inputs:
          host: "https://localhost:8043/"
          username: admin
          password: "p4ssword"

This playbook seems to work correctly.

IPvSean commented 3 years ago

try to run that on Tower not controller (e.g. controller cred on tower)

AlanCoding commented 3 years ago

Oh alright, now I understand. Can you tell me if https://github.com/ansible/awx/pull/10596 will fix this for you?

I see that kind=tower gives an error from the collection itself

TASK [add tower credential into ansible tower] ***************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "value of kind must be one of: aws, controller, gce, azure_rm, openstack, satellite6, rhv, vmware, aim, conjur, hashivault_kv, hashivault_ssh, azure_kv, insights, kubernetes_bearer_token, net, scm, ssh, github_token, gitlab_token, vault, got: tower"}

and I see no harm letting this fallback to an error from the server

TASK [add tower credential into ansible tower] ***************************************************************************************************************************
[DEPRECATION WARNING]: The kind parameter has been deprecated, please use credential_type instead. This feature will be removed from awx.awx in version 4.0.0. 
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Request to api/v2/credential_types/?name=Ansible+Tower returned 0 items, expected 1", "query": {"name": "Ansible Tower"}, "response": {"json": {"count": 0, "next": null, "previous": null, "results": []}, "status_code": 200}, "total_results": 0}

This would be the experience for newer versions (updated server, updated collection), but with old playbooks.

@fosterseth @beeankha That may not be clear enough, and maybe we could consider adding another warning telling them more specifically that this is a playbook-breaking change. I would even issue that warning irrelevant of version.

shanemcd commented 3 years ago

@IPvSean when you get a chance can you test that PR from Alan?

wenottingham commented 3 years ago

prod @IPvSean

IPvSean commented 3 years ago

sorry me and @AlanCoding were talking on slack

I am also hitting this odd warning now-> image

with this task->

    - name: create restore job template
      ansible.controller.job_template:
        name: "Network Automation - Restore"
        job_type: "run"
        inventory: "{{ restore_inventory|default('Network Inventory') }}"
        project: "{{ restore_project|default('Network Toolkit') }}"
        playbook: "{{ restores_playbook|default('playbooks/network_restore.yml') }}"
        credential: "{{ restore_credential|default('Network Credential') }}"
        survey_enabled: true
        survey_spec: "{{ lookup('template', '{{ playbook_dir }}/../network_setup/templates/backup.j2') }}"
        validate_certs: no
      run_once: true

with the credential...(original ticket) this seems to work with controller->

    - name: Add controller credential
      awx.awx.credential:
        name: "AAP controller credential"
        organization: "Default"
        kind: controller
        controller_config_file: "{{ playbook_dir }}/../controller.cfg"
        inputs:
          host: "controller"
          password: "ansible123!"
          username: "admin"
          verify_ssl: false

I can only get this work to get kind ....

is there an example of how I am supposed to use-> credential_type because I cannot get that working
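
An added example (not posted by anyone in this thread and not the project's own code) of selecting the credential type by name with credential_type instead of kind. It assumes the awx.awx.controller_api lookup is available in the installed collection and that connection settings come from the collection's usual config file or environment; the host controller.example.com and the variable example_admin_password are constructed placeholders. Unlike the tasks in the thread, it keeps certificate verification on and takes the password from a variable rather than a literal.

```yaml
---
- hosts: localhost
  gather_facts: false
  connection: local
  vars:
    # The two credential type names that appear in the error messages on this page.
    candidate_type_names:
      - "Red Hat Ansible Automation Platform"   # name on Automation controller
      - "Ansible Tower"                         # name on Ansible Tower
  tasks:
    - name: Ask the server which of the candidate credential type names it has
      ansible.builtin.set_fact:
        server_type_names: >-
          {{ query('awx.awx.controller_api', 'credential_types',
                   query_params={'name__in': candidate_type_names | join(',')},
                   return_all=true)
             | map(attribute='name') | list }}

    - name: Stop with a readable message unless exactly one name matched
      ansible.builtin.assert:
        that: server_type_names | length == 1
        fail_msg: >-
          Expected exactly one of {{ candidate_type_names }} on the server,
          found {{ server_type_names }}

    - name: Add the credential by credential_type name instead of kind
      awx.awx.credential:
        name: "Example controller credential"      # constructed name
        organization: Default
        credential_type: "{{ server_type_names | first }}"
        inputs:
          host: "https://controller.example.com"    # placeholder host
          username: admin
          # Placeholder variable; supply it from Ansible Vault or similar.
          password: "{{ example_admin_password }}"
          verify_ssl: true                           # keep TLS verification on
      no_log: true   # suppress task output so the password is not echoed
```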

shanemcd commented 3 years ago

@IPvSean It seems like this was fixed in https://github.com/ansible/awx/pull/10826. We had an error when publishing the latest collection to Galaxy, but that bug was fixed via https://github.com/ansible/awx/pull/10888. So the fixed version of the collection should get updated the next time we release AWX. In the meantime, can you install the collection from git?

IPvSean commented 3 years ago

got it


Zokormazo commented 2 years ago

working as expected