- Created by Angel Tucker, last modified by Jason Tidwell on Jun 29, 2022
Ansible Tower is an agentless Open Source automation engine that can be used to automate software provisioning, configuration management, application deployment, and a host of other IT activities. Ansible Tower is a web-based solution that makes Ansible even easier to use for IT teams of all kinds. It is designed to be the hub for all your automation tasks and to make Ansible more usable in an enterprise setting. Ansible Tower provides additional features not available with Ansible Core, including:
- Unified graphical user interface (GUI)
- Role-Based Access Controls (RBAC)
- Complex execution patterns (Scheduling, workflows, survey-based execution)
- External tool integration (Jenkins, etc.)
- Centralized Inventory Management
- Monitoring and auditing
QUICK START GUIDE
Requesting Access to an Ansible Tower Organization
Step 1: If you do not have a HARP account or an EIDM or EUA account, register for a HARP ID. For instructions on the HARP registration process, refer to the HARP page.
Step 2: Once the HARP account has been created, log into HARP and request a QualityNet Ansible Tower entitlement via a HARP User Role.
- Select User Roles from the top of the page and select Request a Role.
- On the Select a Program Page, select QualityNet-Ansible.
- On the Select an Organization page, select your Contract name.
- On the Select Roles page, select a QualityNet-Ansible user role (choose one):
  - Ansible_SO
  - Ansible_User
  - Ansible_Admin
- Select the Submit button
- Enter your reason for requesting the selected role in the Request Reason text field.
- Select the Submit button
Step 3: The organization's Security Official reviews and approves/denies the user role request. You will be notified via email that your request has been submitted, and again when your role has been approved or denied.
Step 4: Log into Ansible Tower at https://tower.hcqis.org using your HARP credentials.
Accessing Ansible Tower:
Step 1: If you do not have a HARP account or an EIDM or EUA account, register for a HARP ID. For instructions on the HARP registration process, refer to the HARP page.
Step 2: Log into Zscaler
Step 3: Log into Ansible Tower at https://tower.hcqis.org/ using your HARP credentials. Alternatively, you may log in to the CMS.gov|IDM application portal at https://idm.cms.gov and select the Ansible Tower tile.
Note: you must be connected to Zscaler before logging into Ansible Tower
Requesting a New Ansible Tower Organization
The Security Official (SO) for the organization may request Ansible Tower access on behalf of users for their contract or the user may request access for themselves.
Step 1: Log into ServiceNow at https://idm.cms.gov/ using your HARP credentials.
Step 2: Select ServiceNow after logging in.
Step 3: Locate SecDevOps Request
- Type “catalog” in the Filter Navigator
- Select IT Services Catalog
- Select SecDevOps
- Select ADO Onboarding Request
- Select Ansible Tower Onboarding Request
- Complete online form and select Submit.
Required Information for online form:
- Name of the new Ansible Tower Organization
- A brief justification for the new Ansible Tower Organization
- EX: This new Org will be used by the <Your LOB> team to subdivide major applications that are managed by different teams on our program.
For more information on Ansible Tower please refer to the Ansible Tower Confluence page. This information is continually updated.
FAQs
By default, Projects in Tower do not automatically pull from Git on a schedule. SCM updates occur only on creation and when manually requested. Schedules must be configured manually, which is covered in the Tower documentation.
If your playbook does not appear in this dropdown:
Usually this is because an SCM update has not been performed, so Tower has an outdated version of your Git repo. See 'Why don't my changes appear in Tower after being pushed to GitHub?'.
It's also possible that there is a syntax issue with your playbook, as Tower attempts to parse the playbook before displaying it. Verify that your playbook is syntactically correct.
Usually this is caused by a lack of permissions for your service account. Your DevOps service account must have the 'execute' role for your template. You can grant this permission to the account directly, or to a team that it's a member of. Granting this permission is covered in the Tower documentation.
There are 2 common reasons for a job to sit in 'pending' state:
- Blocked awaiting an SCM update. If a project is configured to 'update on launch', then jobs will remain in pending state until the SCM update is completed.
- Blocked by a concurrent job. If a job template is configured without 'enable concurrent execution', executions of the template that share an inventory will block.
SCM updates execute as a distinct job type 'project_update', and can be searched for from the job screen using 'type:project_update' as a parameter.
The simplest way to find the job relevant to your failed job is to view your job and click the 'view project sync results' link.
Ansible errors can sometimes be cryptic, especially for those unfamiliar with Python. The most common issues are syntactical, so start with the syntax checking FAQ item. For more complex issues, often the simplest route is to rely on the troubleshooting work already done by others. The Ansible GitHub Issues page includes years of troubleshooting discussions, with examples of errors received and their solutions. Often searching for your error there will result in several similar examples, with explanations and solutions.
GitHub is full of publicly available Ansible roles and playbooks, and is a great place to start when looking for relevant examples.
Jeff Geerling has written a good book on Ansible, and he provides all of the code samples for free on GitHub.
For examples of how to use a specific module, the most reliable source is always the official documentation.
There are three modules that can be used to interact with a target and simulate human input. Links to documentation for each, as well as notes on use-cases:
- Command
  - The given command is passed directly into Popen on the target, with no shell. Ex. 'date' is run directly.
  - Shell functions like redirection, variable substitution, etc. will not function.
  - No profiles (ex. bashrc, .profile) will be loaded.
  - Python is required on the target; the command is executed as a child process of Ansible's Python interpreter.
- Shell
  - Not actually a distinct module. Uses 'command' under the covers, but prepends a shell executable to your commands. Ex: 'date' becomes '/bin/sh -c date'.
  - Shell functions are available.
  - Profiles will be loaded based on shell configuration.
  - Python is required on the target; the shell is executed as a child process of Ansible's Python interpreter.
- Raw
  - The module is implemented entirely server-side; nothing is done on the target other than execution.
  - The command is passed into Ansible's SSH connection directly, without passing through Python.
  - Profiles and shell configuration can be configured based on the command provided.
  - Can be used to install Python prior to other modules.
  - Can be used to work around Python bugs on unsupported or out-of-date systems (Solaris legacy).
It's generally recommended to work 'down' through these options as dictated by your requirements. Ideally Ansible code should be target agnostic and idempotent, and that gets more difficult with Shell and especially Raw.
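The difference between the Command and Shell execution paths described above, shown as an added example that is not part of the original page and is not Ansible's own code. It is a simplified Python model: run_like_command, run_like_shell and demo are hypothetical names, user_value is a constructed sample standing in for a survey answer or extra variable, and a POSIX target with /bin/sh and echo is assumed.

```python
import shlex
import subprocess


def run_like_command(cmd: str) -> str:
    """Model of 'command': split the string into argv and exec it, no shell."""
    argv = shlex.split(cmd)
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_like_shell(cmd: str) -> str:
    """Model of 'shell': hand the whole string to /bin/sh -c."""
    done = subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


# Constructed sample value (assumption): input that reaches a task
# from a survey field or an extra variable.
user_value = "report.txt; echo EXTRA"


def demo() -> dict:
    return {
        # No shell: '$HOME' and '>' reach echo as plain arguments.
        "command_literal": run_like_command("echo $HOME > /dev/null"),
        # Shell: the redirection is applied, so stdout is empty.
        "shell_redirect": run_like_shell("echo $HOME > /dev/null"),
        # No shell: ';' is just text, and only one process runs.
        "command_value": run_like_command("echo " + user_value),
        # Shell, value unquoted: ';' ends the first command.
        "shell_unquoted": run_like_shell("echo " + user_value),
        # Shell, value quoted: shlex.quote plays the role of Ansible's
        # 'quote' filter and keeps the value a single argument.
        "shell_quoted": run_like_shell("echo " + shlex.quote(user_value)),
    }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output!r}")
```

When a task must use Shell, templated values need quoting (for example with the quote filter); with Command the same value cannot change which program runs.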
All users requesting Ansible Tower access must first have access to ServiceNow. For instructions on the process, refer to the ServiceNow handout.
All users requesting Ansible Tower access must first have access to Zscaler. For instructions on the process, refer to the Zscaler handout.
Step 1: If you did not have an Active Directory (AD) account previously, you will have an AD account provisioned for you. After your request has been approved, you will receive an email or phone call from the HIDS Windows team with details on your Active Directory (AD) account and VIP installation instructions.
If you haven't received your account details and instructions within 24 hours, please contact the QualityNet Service Desk at 1-866-288-8914 or ServiceCenterSOS@cms.hhs.gov.
Step 2: Log into Ansible Tower at https://tower.hcqis.org/ using your AD credentials.
You must be connected to Zscaler before logging into Ansible Tower
If you need help or assistance please contact the HIDS DevOps team. They can be reached via the following methods:
- CCSQ Support Central: Provides you with multi-program support to submit a new ticket, and track the status of an existing case, incident, or request. No login required. https://cmsqualitysupport.servicenowservices.com/ccsq_support_central
- Service Center: For technical assistance with any account related issues, please contact the Service Center at:
Phone: (866) 288-8914 (TRS:711)
Slack: #help-service-center-sos
Email: ServiceCenterSOS@cms.hhs.gov
- DevOps Slack channel at #hids-clouddevops-support
- Visit the HIDS SecDevOps Support page.