Getting Started with Ansible Works (AWX)

Hi readers, if you got here, it means you know a little bit about Ansible core. I suspect you also know about the community version of its enterprise offering Ansible Tower, called Ansible Works (AWX). Today, I will show you how I got it installed.

I personally have gotten to the point where I need to delegate work concerning configuration management while making sure that by doing so I don’t shoot myself in the foot. I believe Ansible Works AWX helps put the necessary controls in place for any sysadmin or automation engineer to open up to help from team members.

Considering Ansible Works AWX will be your configuration management GUI, you might want to agree with your team on how you expose it over the net. Saying it could be dangerous is an understatement. You can use a firewall to lock the port to your office public IP, use a client certificate system, or install it in a private network and access it via SSH tunnelling or a VPN.

Without further ado, let’s get into the essence of this post. One article that greatly inspired me is how to install Ansible Works AWX from howtoforge. I will be using AWS as a cloud provider with the following:

  • Server: Ubuntu bionic (EC2 t2.medium)
  • Database: PostgreSQL (RDS db.t2.small)

Below will be what we will be doing:

  • Create an EC2 instance
  • Install git
  • Install pyenv
  • Install python 3 with pyenv
  • Install Ansible Core
  • Install Docker
  • Install nvm, nodejs, npm
  • Install Nginx
  • Install PostgreSQL client
  • Create an RDS PostgreSQL instance
  • Configure PostgreSQL for use by AWX
  • Download AWX source from git and configure
  • Prepare for some customization if any
  • Modify AWX ansible template or task to take into account the customization
  • Install Ansible Works AWX
  • Configure Nginx

Creating an EC2 Instance

There are so many articles about this all over the net that I think it’s OK for those not too familiar with it to go and read one. You can refer to this one from guru99, for example.

Installing git

In case your Ubuntu distribution doesn’t come with git preinstalled, you can use the command below to get it done.

Installing pyenv

It has become a habit for me not to tie a specific version of anything, be it python, node, or java, to my machine. With experience, using a form of version manager seems to provide a little more freedom on configuration. So for python, we will use pyenv.

If you follow the instructions on their GitHub page and run pyenv doctor, you should have the output below:

In case you face an error about “not acceptable C compiler found”, you could install the following packages and run pyenv doctor again.

Installing Python 3 with pyenv

At the time of writing, python 3.8.1 is available, so we will use that one.

Once that’s done we can set up the system to use the pyenv python instead of the stock version.

Installing Ansible Core

I prefer installing python from pip as it allows me to move to a different ansible version from a different version of python.

Installing Docker

We will install the Docker driver via pip as well.

Installing nvm, nodejs, npm

Faithful to our principle, we will install nvm in order to install nodejs and npm. We can use the instructions from the nvm GitHub page.

Installing Nginx

We will use Nginx as a reverse proxy in order to put an SSL certificate in front of AWX or to add other constraints, such as requesting a client certificate. My purpose in using Nginx is to use SSL and open only port 443, locked to my office public IPs.

Installing Postgres client

We need to install a client on our EC2 instance in order to create a database and a user to use. From our check on RDS, we will be using PostgreSQL 11 so it makes sense to install a compatible client, thus postgresql-client-11.

Creating RDS PostgreSQL instance

Here as well, I will refer you to an online tutorial. I will be using

  • PostgreSQL version 11
  • AZ mode
  • DB name: awx_db

I found this article on the towardsdatascience site. It explains the creation process step by step. You can stop at the point where the connection is made to the DB via the psycopg2 library, as I will not use that, but feel free to follow it if that works for you.

Configuring the Postgres instance

During this step, we will create a DB user for the AWX app with the necessary privileges. Do not forget to allow the EC2 security group inside the Postgres security group for port 5432, or the port you have chosen for your RDS instance.

Let’s connect to the RDS instance from the EC2 terminal:

Downloading AWX from git

We will create a directory at /opt/awx to hold the git files of AWX, then git clone it inside.

The installer folder holds a set of files with this current version at the time of writing this blog post.

Preparing for customization

Indeed, I have a number of customizations I would like to explain here:

  • My git repository, where all the ansible core playbooks and roles are, is configured to request a client certificate challenge before granting access. Thus any app or person must configure the client certificate and key before usage.
  • Each project uses a different ssh key for configuration purposes, limiting a key compromise, if any, to specific projects as opposed to everything. I need to mount those files so AWX gets them using environment variables.

Now back to my local machine, I will need to copy the cert and key files to the EC2.

We will use one big folder to keep all the customization files. We will create AWX_CONFIG as a base directory where we will keep the gitconfig, a HOME folder for a directory I refer to inside my playbook as home, and GITKEYS, where we will keep the .crt and .key files for my git access.

Now let’s go back to the EC2 to continue the configuration of the customization.

In nano editor, if you need this customization, make sure it looks like the following.

[http "https://mygit.com"] limits the client SSL configuration to the git server with the domain name mygit.com only. Without that restriction, the client SSL configuration applies to every git remote, including github and gitlab.com, and your calls to those will fail.
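To check the scoping before AWX relies on it, the following added example (not from the original post) writes two constructed gitconfig files and asks git which client certificate applies to a given URL. The /gitkeys paths, the repository URLs and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a URL-scoped client certificate with an unscoped one.
# The /gitkeys paths and file names are constructed placeholders.

# Client certificate limited to one host, as described in the post.
write_scoped_gitconfig() {
    cat > "$1" <<'EOF'
[http "https://mygit.com"]
    sslCert = /gitkeys/client.crt
    sslKey = /gitkeys/client.key
EOF
}

# Same keys without the URL: they apply to every HTTPS remote.
write_global_gitconfig() {
    cat > "$1" <<'EOF'
[http]
    sslCert = /gitkeys/client.crt
    sslKey = /gitkeys/client.key
EOF
}

# Print the client certificate git would use for URL $2 with config file $1.
# Prints nothing when no http.sslCert setting matches that URL.
cert_for_url() {
    git config --file "$1" --get-urlmatch http.sslCert "$2" || true
}

demo() {
    tmp=$(mktemp -d)
    write_scoped_gitconfig "$tmp/scoped"
    write_global_gitconfig "$tmp/global"
    for url in https://mygit.com/ops/playbooks.git https://github.com/ansible/awx.git; do
        echo "scoped config, $url: $(cert_for_url "$tmp/scoped" "$url")"
        echo "global config, $url: $(cert_for_url "$tmp/global" "$url")"
    done
    rm -rf "$tmp"
}

demo
```

With the scoped file, only the mygit.com URL resolves to a certificate path; with the unscoped file, both URLs do.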

Modifying AWX installer files for customization

Inventory file configuration

Before editing the inventory file, you need to have generated a random “password” to be used as secret_key in AWX.

I already have pwgen, a nice utility tool, on my local machine, so I will use that.

The inventory file is in /opt/awx/installer

Let’s edit the inventory file now. Change the following:

  • host_port from 80 to 8080
  • host_port_ssl from 443 to 8443
  • uncomment pg_hostname and replace it with your rds Postgres URL
  • change the pg_username value to awx_p
  • change the pg_password value to the one you created for awx_p
  • change the pg_port if you use a different one
  • change the rabbitmq_password value
  • change the rabbitmq_erlang_cookie value as well
  • change the admin_user value to the one you wish to use to login to AWX via its web GUI
  • change the admin_password to the one you can remember
  • use the random key we created for the secret_key
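Before running the installer, it is worth confirming that none of the secrets in the list above was left untouched. The script below is an added example, not part of the original post or of the AWX installer: it audits an inventory file for the keys named above. The DEFAULTS list is assumed from the installer's sample inventory, and the 16-character minimum and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag AWX inventory secrets that are unset, short, or still
# at a sample value. DEFAULTS is assumed from the upstream sample inventory;
# adjust it to the version you cloned. MIN_LEN is an assumed policy.
DEFAULTS="awxpass cookiemonster password awxsecret"
SECRET_KEYS="pg_password rabbitmq_password rabbitmq_erlang_cookie admin_password secret_key"
MIN_LEN=16

# Print the value of the last uncommented "key=value" line for key $2.
inventory_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print one finding per weak setting; succeed only when nothing is flagged.
audit_inventory() {
    findings=0
    for key in $SECRET_KEYS; do
        val=$(inventory_value "$1" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set (commented out or missing)"
        elif echo " $DEFAULTS " | grep -qF " $val "; then
            echo "$key: still the sample value"
        elif [ "${#val}" -lt "$MIN_LEN" ]; then
            echo "$key: shorter than $MIN_LEN characters"
        else
            continue
        fi
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample inventory: only secret_key has been rotated properly.
write_sample_inventory() {
    cat > "$1" <<'EOF'
host_port=8080
pg_username=awx_p
pg_password=awxpass
rabbitmq_password=Tr0ub4dor
# rabbitmq_erlang_cookie=cookiemonster
admin_password=password
secret_key=Zk3vQ9xT7mLp2RsW8yNc4HbD6fGj1AuE
EOF
}

tmp=$(mktemp) && write_sample_inventory "$tmp"
audit_inventory "$tmp" || echo "inventory needs attention before install"
rm -f "$tmp"
```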

Editing the template file to include changes

From the installer folder, let’s look for the ansible template file: roles/local_docker/templates/docker-compose.yml.j2

Inside that file, look for the section task: and edit the volumes: and environment: sections.

Installing AWX

From the /opt/awx/installer folder, let’s run the following:

Let’s verify our setup after giving the ansible-playbook execution some time.

This means if you open your security group on port 8080 you should be able to hit the UI of AWX on http://yourEIP:8080

Configuring Nginx

Once again, the purpose of Nginx here for me is to have a reverse proxy handling all the SSL concerns etc. So I will be configuring Nginx accordingly. I will be using a purchased SSL certificate. Feel free to use a letsencrypt certificate.

Open /etc/nginx/nginx.conf and add the following block

Open /etc/nginx/sites-available/ssl_awx.mydomain.com.conf and add the following block to it

After saving the configuration, you need to enable it

After that, you can log in at your domain https://awx.mydomain.com
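One way to produce a site file matching the goals stated in this post (SSL on port 443, access limited to office IPs, AWX reached on host_port 8080) is sketched below. It is an added example, not the author's configuration: the function name render_awx_site is hypothetical, the certificate paths are placeholders, and the CIDRs are documentation ranges standing in for your office addresses.

```shell
#!/bin/sh
# Added example: render an Nginx site that terminates TLS on 443, admits only
# the listed CIDRs, and proxies to AWX on the local host_port.
# Certificate paths are placeholders; the CIDRs used below are constructed.

# usage: render_awx_site DOMAIN UPSTREAM_PORT CIDR [CIDR...]
render_awx_site() {
    domain=$1 port=$2
    shift 2
    # Without an allow-list the site would be open to the whole internet.
    [ "$#" -gt 0 ] || { echo "refusing to render without an allow-list" >&2; return 1; }
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate     /etc/nginx/ssl/$domain.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/$domain.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

EOF
    # allow rules must precede "deny all": Nginx stops at the first match.
    for cidr in "$@"; do
        echo "    allow $cidr;"
    done
    cat <<EOF
    deny all;

    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade \$http_upgrade;  # AWX UI uses websockets
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

render_awx_site awx.mydomain.com 8080 203.0.113.10 198.51.100.0/24
```

Redirect the output to the sites-available file and run nginx -t before reloading. Once the proxy works, port 8080 no longer needs to be open in the security group.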

AWX via http after login
