Chapter 12. Technical Notes
Ansible Automation Platform from AWS Marketplace is a self-managed deployment. The following are technical notes regarding the Ansible Automation Platform from AWS Marketplace deployment.
12.1. Add and Remove Tags
Tags are custom fields that you assign to an AWS resource to help organize and identify your instances. Ansible Automation Platform from AWS Marketplace supports stack-level tagging during stack deployment time. A stack-level tag, when applied to the stack itself, is also applied to all tag supported components that make up the stack.
Using the add or remove labels playbooks only updates the tags for the individual components of a stack and not the tag applied to the stack itself. Stack-level tags are never modified after deployment.
The aws_remove_labels playbook only supports removing a single AWS tag at a time. The parameter aws_labels is a single key to remove. To remove multiple keys, run the command multiple times.
12.2. Ansible on Clouds Ops Container
Having a deployment with the same name in multiple regions will break the functionality of the add extension node, remove extension node and backup stack playbooks found in the Ansible on Clouds Ops Container. To ensure these playbooks function as expected, please ensure that Ansible Automation Platform from AWS Marketplace deployments are uniquely named across all regions.
12.3. Backup and Restore
-
The
aws_rds_db_snapshot_arnoptional parameter which allowed customers to specify a specific AWS RDS Snapshot to use for restoring their deployment is no longer supported. The restore process no longer uses AWS RDS Snapshots to restore a deployment and instead relies on the backup files generated by the Ansible on Clouds Ops Container backup playbook. The Ansible on Clouds Ops Container restore playbook does not use any provided RDS snapshot passed as a parameter. A restored Ansible Automation Platform from AWS Marketplace deployment does not maintain all secrets from the original Ansible Automation Platform from AWS Marketplace deployment. If using your own certificates, they must be reset after a restore.
Secrets that are maintained:
-
<stack_name>-aap-admin-secret -
<stack_name>-aap-secret-key
Secrets that are NOT maintained:
-
<stack_name>-aap-rds-secret -
<stack_name>-database_fields_symmetric_key -
<stack_name>-container_auth_private_key_pem -
<stack_name>-container_auth_public_key_pem -
<stack_name>-pulp_cert -
<stack_name>-pulp_key
-
The Ansible on Clouds Ops Container restore playbook fails when attempting to restore a secret starting with
-. If the restore operation is failing, on your deployment please ensure the secret<stack_name>-database_fields_symmetric_keydoes not start with a-. Follow the steps below to check for this case and update the secret appropriately.Find the backup you are passing to the restore playbook on S3.
-
The
aws_backup_nameparameter you passed to the restore playbook is the backup we are trying to locate and it should be a folder inside of an S3 bucket -
The
aws_s3_bucketparameter you passed to the restore playbook should be the bucket which contains the backup we are trying to locate
-
The
-
After locating the backup, navigate inside of the backup folder and download the
secrets.jsonfile. -
In your downloaded
secrets.jsonfile, find the value of<stack_name>-database_fields_symmetric_key. If<stack_name>-database_fields_symmetric_keydoes not begin with a-, you do not need to do anything else; your restore operation is not failing due to this issue. If<stack_name>-database_fields_symmetric_keydoes begin with a-, edit the downloadedsecrets.jsonfile and replace the-with any alphanumeric character. -
After replacing the
-with an alphanumeric character, navigate back to backup folder in the S3 console and click Upload. -
Drag and drop the updated
secrets.jsonfile into the file upload box on the S3 console webpage and click Upload. -
You have successfully updated the
secrets.jsonfile for a backup. Using this backup for a restore operation should now allow you to successfully create a restored deployment.
- Cross-region backup and restore operations are not supported in this release. This means that a backed up deployment in one region can only be restored in to that same region.
- If a deployment is created inside of an existing VPC, this VPC must exist for backup and restore operations to function. A backed up deployment cannot be restored if the VPC containing this deployment is deleted.
12.4. Add and Remove Extension Nodes
-
On rare occasions, the Anisble on Clouds Ops Container remove extension node playbook can fail with the message
Waited too long for old instances to terminate. Run the playbook again to resolve the issue. - When removing extension nodes using the Ansible-on-Clouds ops playbook, ensure you have provided the correct autoscaling group name and launch template name. Providing incorrect autoscaling group and launch template names results in some orphaned resources.
12.5. Command generator - Linux files owned by root
On Linux, any file or directory created by the command generator is owned by root:root by default. To change the ownership of the files and directories, you can run the sudo chmod command after the files are created:
# Change the owner of the command_generator_data directory recursively $ sudo chown -R $USER:$USER command_generator_data/ # Check the permissions $ ls -la command_generator_data/
The command generator currently expects to use the Docker CLI in the daemon mode. The default Docker installation does not have User namespace mapping for Discretionary access control (DAC). So, for any file created by root from the container will also be owned by root on the host if the file is located in a shared volume.
You can learn more about the Linux namespaces, including the User namespace at the article The 7 most used Linux namespaces.
12.6. Upgrade note
Upgrading Ansible Automation Platform to 2.4.20230630 updates the protocol of the listeners attached to the internal load balancers from HTTP to HTTPs. To update the listener protocol, the listener must be deleted and recreated properly. For this operation to succeed there must not have been an added resource dependancy on the listener. If there is a resource dependancy on the listener, this halts the upgrade, and the dependancy must be manually removed for the upgrade to succeed. When the upgrade has suceeded, the dependant resource can be recreated. You must revalidate any additional added networking configurations after upgrade.
12.7. Ansible Automation Platform Controller API
API endpoints for Controller must contain a trailing slash in order for requests to go through. Automatic trailing slash redirects are not supported in this current offering of Ansible Automation Platform from AWS Marketplace. For example a request such as <controller_base_url>/api/v2/metrics times out while <controller_base_url>/api/v2/metrics/ goes through.
12.8. Command generator - AWS Credentials File
The command generator only supports the AWS credentials file with a default profile name.
Example of a supported AWS credentials file:
[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Example of an unsupported AWS credentials file:
[something_else] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY