Ansible Tower / AWX and project using roles/requirements.yml

[ajf...@gmail.com]

Hi all,

I'm trying to figure out a development strategy for my team and how we produce our Ansible output.

We are using Ansible Tower (v3.3.1 but moving to v3.4.1 shortly) and an instance of Github Enterprise to hold our repositories.

I am trying to come up with a workable way of keeping our playbooks and roles separate. My current process is to make one github repo per role, so that anyone on the team can use / contribute to them directly.

I then wished to create a repo that contains all the playbooks, and a roles/requirements.yml, into which we would append new roles to as and when they are needed by any of the playbooks.

This playbooks repo is then loaded into Tower as a project, giving us a single project to source our playbooks from when creating job templates.

Initially, I was hoping I could make sub-directories for the playbooks, so they have their own unique requirements.yml file to stop Tower needing to pull down everything, but it doesn't appear to allow for this. Going with a top-level roles/requirements.yml is workable, but there is a problem I am yet to figure out how to resolve cleanly.

If I need to make an update to a role, perhaps a task needs changing, but the playbook repo is unaffected, I do not see a way of having Tower re-sync from github all the roles, unless I use the Delete on Update project setting. This bothers me because it seems inefficient having to remove all the local files and then download everything from git again, instead of just having git check what's different in the repositories specified in the requirements file.

My questions would be:

1. Is there a way to have a project trigger the git / ansible-galaxy check without using the Delete on Update option?

2. Is there a better way of achieving the role / playbook split in Tower than I've envisioned above? Our current way is one project per similar set of playbooks, so doing a Delete on Update isn't too big of an issue as we're only re-syncing one set of roles and not the whole lot. This works, but it makes the Projects library start to get quite cluttered.

[Matthew Hein]

We have been operating using a similar model (single project with single roles/requirements.yml file and multiple individual role repositories referenced in requirements.yml) for at least year without any issues. Prior to Tower 3.3.x, the task to pull down roles in requirements.yml always ran with the –force argument, achieving what you outlined in question #1.

When we migrated from 3.2.5 to 3.3.2, we noticed this changed contradictory to what documentation says (https://docs.ansible.com/ansible-tower/latest/html/userguide/projects.html#ansible-galaxy-support). I opened a support case with Red Hat (02295355) and worked with them on this for several days. 

My workaround while working with support to get this functional back is the following was in /var/lib/awx/venv/awx/lib/python2.7/site-packages/awx/playbooks modified the galaxy play in project_update.yml to have the --force:

      - name: fetch galaxy roles from requirements.yml

        command: ansible-galaxy install -r requirements.yml -p {{project_path|quote}}/roles/ --force

        args:

          chdir: "{{project_path|quote}}/roles"

        register: galaxy_result

        when: doesRequirementsExist.stat.exists and scm_result is undefined

        changed_when: "'was installed successfully' in galaxy_result.stdout"

Note we only run a single instance of Tower, so this workaround has not be tested on clustered instances. 

Red Hat support suggested to use the project_update.yml file from Tower 3.2.8 (last 3.2.x release) or add the –force to project_update.yml since this behavior is from legacy Tower and for the time being will not be changed.

It would be nice if this functionality was brought back or at least made a flag/option.