A few weeks ago I started digging into the Ansible universe. One of the first things I learned was the need for a proper Ansible Development Setup. My common Ansible playbooks are focused on VMware vSphere and the ecosystem around a proper deployment workflow (IPAM, CI, DNS and so on). However, this blog post should only cover a few general topics and not specific integrations.
Ansible Control Machine
I have decided to use a simple CentOS 7 VM as Ansible Control Machine for my home lab.
Minor OS preperation and Ansible setup:
yum install -y epel-release
yum update -y
yum install -y ansible git vim htopExtra packages for the VMware related Ansible Modules:
yum install -y python-pip
pip install pyvmomi
mkdir /extras/
cd /extras/
git clone https://github.com/vmware/vsphere-automation-sdk-python.git
cd vsphere-automation-sdk-python/
pip install --upgrade --force-reinstall -r requirements.txt --extra-index-url file:///extras/vsphere-automation-sdk-python/libThe VMware related Ansible Modules leverages for the most common functions the vSphere Management SDK packages (pyVmomi). This SDK uses the vSphere SOAP API. Some functions, such as tag management, additionally require the vSphere Automation Python SDK. This SDK uses the VMware REST API.
PowerShell for some special use cases:
cd /extras/
curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
yum install powershellBasic VIM configuration for Ansible YAML files:
au! BufNewFile,BufReadPost *.{yaml,yml} set filetype=yaml foldmethod=indent
autocmd FileType yaml setlocal ts=2 sts=2 sw=2 expandtab
set number
set cursorlineThe configuration file for the VIM editor is ~/.vimrc. There are also some VIM Ansible Plugins, like vim-ansible-
Create Ansible Vault Password File
It is very important to protect your confidential information, especial when your projects are shared via GitHub! Ansible Vault is the tool of choice to handle sensitive data such as passwords or keys in encrypted files. At this point, we only create the password file on the A
vi ~/.vault_pass.txt
-Your Password-Ansible Workstation
To complete the basic Ansible Development Setup, my client needs to be prepared for efficient use. I have decided to use Visual Studio Code with the Ansible Extension. The extension allows
Additional settings for the Ansible Extension:
"files.associations": {
"**/*.yml": "ansible"
},
"ansible.customOptions": "--vault-password-file ~/.vault_pass.txt"The ansible.customOptions will ensure that my Ansible Password File will be used to encrypt the protected files with confidential data like server names, user names, passwords
Server file for quick access to the Workstation to Control Machine connection:
[
{
"host": "10.0.2.15",
"port": 22,
"user": "root",
"password": "-Your Password-"
}
]The Server File is located at “$HOME\.ssh\servers.json”.
Ansible Project
This is just a simple Ansible project with one Playbook to demonstrate the Ansible Development Setup in action.
Project folder structure:
C:.
│ README.md
│ vmware_test_debug.yml
│
├───.vscode
│ settings.json
│
├───group_vars
│ all.yml
│
└───rolesSettings
The only Setting for the project is the Auto-Upload configuration to the Conttol Machine.
{
"ansible.fileCopyConfig": [
{
"server": "10.0.2.15",
"sourcePath": "c:\\Users\\-Your User-\\Documents\\GitHub\\Ansible-Playground/",
"targetPath": "Ansible-Playground/",
"copyOnSave": true
}
]
}The Settings.json File is located in the .vscode folder of the Working Directory.
Variables
This project only uses the default group_vars file all.yml to store all variables. The whole file is encrypted with Ansible-Vault.
With Ansible-Vault you are also able to encrypt only specific parts of a file, like a password.
Playbook
The example playbook only creates some debug messages to verify that everything works as expected.
- name: Test Debug
hosts: localhost
gather_facts: no
tasks:
- name: Output vCenter details
debug:
msg:
- "my vCenter: {{ vcenter_hostname }}"
- "my Username: {{ vcenter_username }}"
- "my Password: {{ vcenter_password }}" # Do not in Production!!Ansible Development Setup – Playbook Run
If all components of the Ansible Development Setup are configured properly, you are able to execute the Playbook from your local Workstation directly on the Ansible Control Machine.
Further Info
- Ansible Playbook Best Practices
- Ansible Technical Workshops
- Book – Ansible for DevOps
- Other Tools and Programs
Is there a way to pass extra vars directly using this method?
You can pass variable files with the –extra-vars parameter. Like I have added the password file.
Hi Markus,
I am trying to setup vscode for ansible devlopment on my windows machine.my control node rhel is on aws.i am trying to run ansible playbook in vscode using ‚run ansible remotely using ssh‘.BUt the playbook fails to run.i have set servers.json and settings.json on my windows machine but vscode doesnt seem to recognize servers.json.any advice please?
Are you able to access the RHEL System from the windows box via SSH?
Does vscode throw any error?
Hi Markus,
Yes, i can access RHEL from windows box using SSH in Putty. I get this error in VSCode
Copy c:xxxxxx/ to xx.xx.xx.xxx.
Failed to copy c:xxxxxx/ to xx.xx.xx.xxx: Error: All configured authentication methods failed
Permissions on the target are okay for the user used?
I probably can’t help you with this. You should think about opening a issue for the plugin:
https://github.com/VSChina/vscode-ansible
Thanks Marcus. I will raise issue for the plugin.
how do you run a playbook and pass additional args to the ansible-playbook, such as passing in an inventory file. I have read one should use a custom launch.json file. However it looks like ansible.customOption may be the way to go.
Also, regarding the vault…to be clear, you encrypt the file on your linux control node, and paste or copy that content into your project?
Curiously, if the vault_pass.txt itself has your password unencrypted, isn’t that security hold in itself?
Hi,
I use the ansible.customOptions option to pass the additional parameters, like the vault password file.
Yes, that is right. I encrypt the required files or values by password on the Linux box. The the password file is not the best solution from security perspective but it’s fine for my dev environment. In my case it’s more about not pushing secrets to github. Have you tried to use the – – ask-vault parameter with this extension?
Since a few months I use the Remote Development Extension instead of the ansible extension to access the Linux box
Visual Studio Code Remote Development Extension Pack
https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack