Azure CLI Deployment of Ansible Automation Platform on Microsoft Azure


Red Hat Ansible Automation Platform on Microsoft Azure can be deployed directly through the Azure Marketplace GUI as well as other Azure Marketplace deployment models. If you have a need to automate deployment, or configure deployment options programmatically such as deploying to a different Azure region, then you may use this deployment model.

The outcome of this process is a single az CLI command to deploy a managed application.

Prerequisites

| Item | Description |
| --- | --- |
| Bash or Azure Cloud Shell (Bash) | The examples in this article focus on a Bash-based deployment. |
| Permissions to Deploy Managed Application and Resources | This article assumes that your Azure account or Service Principal has permissions to install the managed application. |
| Azure CLI | This article assumes that you are using the Azure CLI and that the CLI is configured with the proper subscription and is properly authenticated prior to running these operations. |

It is important to understand the networking settings used in this process as well. There is a separate KB article that covers all of the information needed to plan the CIDR blocks and IP addresses used in the configuration parameters of this article.

Script Variables

Collecting Unpublished Variables

Some variables that are required for the CLI deployment are not retrievable from the CLI at this time. You must collect these variables from the Azure Portal prior to running the CLI command. This process is only required once, but the AZURE_PLAN_VERSION variable changes over time, so you will want to account for that when more than a few days pass between your CLI deployments.

Note: The following process follows the same steps as preparing an Azure Marketplace UI deployment, but stops short of actually deploying via the Azure Marketplace.

  1. Navigate to the Azure Marketplace and select Red Hat Ansible Automation Platform. Be sure to select the proper offer based on your buying location; the publisher for EMEA countries is different than others.
  2. Select the plan that you ultimately wish to deploy.
  3. Press the "Create" button.
  4. Fill out the form fields on the "Basics" tab. These can be arbitrary since you won't actually be deploying through the UI.
  5. Click "Next: Networking".
  6. Click "Next: Review + create". Again, no need to set these values since you aren't actually deploying.
  7. Click the "Download a template for automation" link.

You may download this file for reference, but the important key-value pairs are in the "plan" section of the file.

"plan": {
 "name": "rh-aap-azure400pub-b2",
 "product": "rhaapomsa",
 "publisher": "redhat",
 "version": "1.5.1"
}

Note: The version of the managed application is incremented regularly. It is important to check for the latest version of the managed application to ensure that the deployment succeeds. Using any version other than the latest is unsupported.

These values will map to environment variables in later steps.

| JSON Key | Variable Name |
| --- | --- |
| name | AZURE_PLAN |
| product | AZURE_OFFER |
| publisher | AZURE_PUBLISHER |
| version | AZURE_PLAN_VERSION |

Setting Script Environment Variables

The script in this example uses environment variables to set items within the final az command. These environment variables are, effectively, the same input options that are exposed via the Azure Marketplace UI in the Azure portal. Using the CLI allows you to set some options, such as the Azure deployment region, more granularly than the Azure Marketplace UI does.

| Variable Name | Description |
| --- | --- |
| ANSIBLE_ACCESS_MODE | Ansible on Azure public or private access mode. |
| AZURE_DEPLOYMENT_SUBSCRIPTION | The Azure subscription to deploy the managed application into. |
| AZURE_APP_DEPLOYMENT_RESOURCE_GROUP | The resource group to deploy the managed application record. This must exist already. |
| AZURE_APP_NAME | The name of the managed application record that will appear in the previously defined resource group. This should be unique per-deployment. |
| AZURE_MANAGED_APP_RESOURCES_GROUP | The name of the managed application resource group that will contain the resources for the managed application. |
| AZURE_REGION | The Azure region that the managed application will be deployed into. |
| AZURE_PUBLISHER | The publisher of the managed application; redhat (non-EMEA billing accounts) or redhat-limited (EMEA billing accounts). |
| AZURE_OFFER | The name of the marketplace "offer" (sometimes referred to as "product"). |
| AZURE_PLAN | The name of the Red Hat Ansible Automation Platform plan. |
| AZURE_PLAN_VERSION | The version of the previously defined plan. |
| ANSIBLE_ADMIN_PASSWORD | The password for the Ansible Automation Platform admin user that is used to log in to Ansible Automation Platform initially. This must have at least twelve characters and be alphanumeric. |
| VNET_CIDR | The CIDR block of the VNET used by the managed application. |
| CLUSTER_CIDR | The CIDR block for the AKS subnet. |
| APP_GW_CIDR | The CIDR block for Application Gateways (required but unused in private access mode). |
| PRIVATE_LINK_CIDR | The CIDR block for private links to Azure services. |
| DATABASE_CIDR | The CIDR block for the PostgreSQL Flex DB server(s). |
| SERVICE_CIDR | The CIDR block to assign service cluster IPs. It must not overlap with any Subnet IP ranges for the AKS service. |
| DNS_SERVICE_IP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
| POD_CIDR | The CIDR block to assign pod IPs when kubenet is used. |
| DISASTER_RECOVERY | Optional feature to allow an organization to restore application functionality in the event of a significant incident to your deployed Azure region. |
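
The constraints in the table above (password length and character set, DNS_SERVICE_IP inside SERVICE_CIDR, SERVICE_CIDR not overlapping any subnet) can be checked locally before the deployment command is run. The following POSIX shell script is an added example, not part of the original article or of Red Hat's tooling; its function names are hypothetical and the password is a constructed placeholder. It assumes well-formed IPv4 CIDR values and also applies the general Azure rule that subnets lie inside the VNet range and do not overlap each other.

```sh
# Dotted-quad IPv4 address -> integer.
ip2int() (
  IFS=.; set -- $1
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# CIDR block -> "first last" as integers, aligned to the prefix length.
cidr_range() (
  base=$(ip2int "${1%/*}"); size=$(( 1 << (32 - ${1#*/}) ))
  first=$(( $base / $size * $size ))
  echo "$first $(( $first + $size - 1 ))"
)

# True if the two blocks share any address.
overlaps() (
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)
# True if block $2 lies entirely inside block $1.
contains() (
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
)

# Reads the article's variable names; reports every problem, non-zero on any.
preflight() (
  rc=0; seen=""
  fail() { echo "preflight: $*" >&2; rc=1; }
  [ "${#ANSIBLE_ADMIN_PASSWORD}" -ge 12 ] || fail "admin password has fewer than 12 characters"
  case $ANSIBLE_ADMIN_PASSWORD in *[!A-Za-z0-9]*) fail "admin password is not alphanumeric" ;; esac
  for s in CLUSTER_CIDR APP_GW_CIDR PRIVATE_LINK_CIDR DATABASE_CIDR; do
    eval "cur=\$$s"
    contains "$VNET_CIDR" "$cur" || fail "$s is not inside VNET_CIDR"
    if overlaps "$SERVICE_CIDR" "$cur"; then fail "SERVICE_CIDR overlaps $s"; fi
    for p in $seen; do
      eval "prev=\$$p"
      if overlaps "$prev" "$cur"; then fail "$s overlaps $p"; fi
    done
    seen="$seen $s"
  done
  contains "$SERVICE_CIDR" "$DNS_SERVICE_IP/32" || fail "DNS_SERVICE_IP is not inside SERVICE_CIDR"
  [ "$rc" -eq 0 ]
)

# Sample input: the article's example CIDRs plus a constructed placeholder password.
ANSIBLE_ADMIN_PASSWORD="Placeholder1234" VNET_CIDR="10.100.1.0/24" CLUSTER_CIDR="10.100.1.0/26"
APP_GW_CIDR="10.100.1.64/28" PRIVATE_LINK_CIDR="10.100.1.96/28" DATABASE_CIDR="10.100.1.80/28"
SERVICE_CIDR="10.101.0.0/26" DNS_SERVICE_IP="10.101.0.3"
preflight && echo "preflight: ok"
```

Messages go to stderr and never include the password value, so the check can be run in a pipeline whose output is logged.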

Deployment

Accepting the Offer Terms

Just like deploying the managed application through the Azure Portal, you must accept the terms of service before you can install the managed application. This process must be performed once per offer/plan that you intend to install. Otherwise, you will receive an error like the following:

(ResourcePurchaseValidationFailed) User failed validation to purchase resources. Error message: 'You have not accepted the legal terms on this subscription: '\' for this plan. Before the subscription can be used, you need to accept the legal terms of the image. To read and accept legal terms, use the Azure CLI commands described at https://go.microsoft.com/fwlink/?linkid=2110637 or the PowerShell commands available at https://go.microsoft.com/fwlink/?linkid=862451.

To accept the offer terms from the CLI, you can run the following:

export AZURE_PUBLISHER="redhat"
export AZURE_OFFER="rhaapomsa"
export AZURE_PLAN="rh-aap-azure400pub-b2"
# Accept the marketplace terms for this publisher/offer/plan combination
az vm image terms accept \
  --offer "$AZURE_OFFER" \
  --plan "$AZURE_PLAN" \
  --publisher "$AZURE_PUBLISHER"

Deploying the Managed Application

Once you have collected and planned the deployment variables, you may run the az CLI command with the variables to deploy the managed application. The initial command will take about 10 minutes to run and then it will output information about the deployment. To monitor the deployment beyond this state, copy the deploymentEngineUrl value into your web browser and log in with the administrator password that you set up for the deployment. The deployment engine will provide details regarding the state of the deployment.

The following is a full example of setting the environment variables and running the Azure CLI commands.

export ANSIBLE_ACCESS_MODE="private"
export AZURE_DEPLOYMENT_SUBSCRIPTION=""
export AZURE_APP_DEPLOYMENT_RESOURCE_GROUP=""
export AZURE_APP_NAME="ansible-$ANSIBLE_ACCESS_MODE-deployment"
export AZURE_MANAGED_APP_RESOURCES_GROUP="mrg-$AZURE_APP_NAME"
export AZURE_REGION="eastus"
export AZURE_PUBLISHER="redhat"
export AZURE_OFFER="rhaapomsa"
export AZURE_PLAN="rh-aap-azure400pub-b2"
export AZURE_PLAN_VERSION="1.5.1"
export ANSIBLE_ADMIN_PASSWORD=""
export VNET_CIDR="10.100.1.0/24"
export CLUSTER_CIDR="10.100.1.0/26"
export APP_GW_CIDR="10.100.1.64/28"
export PRIVATE_LINK_CIDR="10.100.1.96/28"
export DATABASE_CIDR="10.100.1.80/28"
export SERVICE_CIDR="10.101.0.0/26"
export DNS_SERVICE_IP="10.101.0.3"
export POD_CIDR="10.254.0.0/20"
export DISASTER_RECOVERY=true
az managedapp create \
-g "$AZURE_APP_DEPLOYMENT_RESOURCE_GROUP" \
-n "$AZURE_APP_NAME" \
-l "$AZURE_REGION" \
--kind MarketPlace \
-m "/subscriptions/$AZURE_DEPLOYMENT_SUBSCRIPTION/resourceGroups/$AZURE_MANAGED_APP_RESOURCES_GROUP" \
--plan-name "$AZURE_PLAN" \
--plan-version "$AZURE_PLAN_VERSION" \
--plan-product "$AZURE_OFFER" \
--plan-publisher "$AZURE_PUBLISHER" \
--parameters "{\"adminPassword\":{\"value\":\"$ANSIBLE_ADMIN_PASSWORD\"},\"crossTenantRoleAssignment\":{\"value\":true},\"disasterRecovery\":{\"value\":$DISASTER_RECOVERY},\"location\":{\"value\":\"$AZURE_REGION\"},\"access\":{\"value\":\"$ANSIBLE_ACCESS_MODE\"},\"vnetConfig\":{\"value\":{\"name\":\"vnet01\",\"resourceGroup\":\"$AZURE_MANAGED_APP_RESOURCES_GROUP\",\"addressPrefixes\":[\"$VNET_CIDR\"],\"addressPrefix\":\"$VNET_CIDR\",\"newOrExisting\":\"new\",\"subnets\":{\"aks\":{\"name\":\"cluster\",\"addressPrefix\":\"$CLUSTER_CIDR\"},\"appgw\":{\"name\":\"appgw\",\"addressPrefix\":\"$APP_GW_CIDR\"},\"plink\":{\"name\":\"private_link\",\"addressPrefix\":\"$PRIVATE_LINK_CIDR\"},\"postgres\":{\"name\":\"database\",\"addressPrefix\":\"$DATABASE_CIDR\"}}}},\"dnsServiceIP\":{\"value\":\"$DNS_SERVICE_IP\"},\"podCidr\":{\"value\":\"$POD_CIDR\"},\"serviceCidr\":{\"value\":\"$SERVICE_CIDR\"},\"tagsByResource\":{\"value\":{\"Microsoft.Network/applicationGateways\":{\"deployment\":\"cli\"},\"Microsoft.DBforPostgreSQL/flexibleServers\":{\"deployment\":\"cli\"},\"Microsoft.Resources/deploymentScripts\":{\"deployment\":\"cli\"},\"Microsoft.Network/dnsZones\":{\"deployment\":\"cli\"},\"Microsoft.KeyVault/vaults\":{\"deployment\":\"cli\"},\"Microsoft.ContainerService/managedClusters\":{\"deployment\":\"cli\"},\"Microsoft.OperationalInsights/workspaces\":{\"deployment\":\"cli\"},\"Microsoft.Solutions/applications\":{\"deployment\":\"cli\"},\"Microsoft.ManagedIdentity/userAssignedIdentities\":{\"deployment\":\"cli\"},\"Microsoft.Network/privateDnsZones/virtualNetworkLinks\":{\"deployment\":\"cli\"},\"Microsoft.Resources/resourceGroups\":{\"deployment\":\"cli\"},\"Microsoft.Network/privateDnsZones\":{\"deployment\":\"cli\"},\"Microsoft.Network/privateEndpoints\":{\"deployment\":\"cli\"},\"Microsoft.OperationsManagement/solutions\":{\"deployment\":\"cli\"},\"Microsoft.Storage/storageAccounts\":{\"deployment\":\"cli\"},\"Microsoft.Network/virtualNetworks\":{\"deployment\":\"cli\"}}}}"
