Chapter 6. Additional configurations

If you want to use automation hub to host execution environments, you must first configure the automation hub's Application Load Balancer. Because the load balancer uses a self-signed certificate, this also involves adding that certificate to the trust store of the EC2 instance that connects to it (update-ca-trust).

6.1. Changing the default Ansible Automation Platform Administrator password

The default Administrator password for Ansible Automation Platform is generated randomly when Ansible Automation Platform from AWS Marketplace is deployed. Follow these steps to change the Administrator password for both automation controller and automation hub:

Procedure

  1. Navigate to the AWS Secrets Manager console.

    1. Locate and open the secret for the CloudFormation Stack with the name <stack_name>-aap-admin-secret.
    2. Select Retrieve secret value to view the secret value.
    3. Select Edit and provide an updated password value.
    4. Click Save.
  2. Change the running Ansible Automation Platform EC2 instances to use the new Administrator password.

    1. Navigate to the AWS EC2 Instances console.
    2. Identify and terminate one automation controller instance and one automation hub instance for the CloudFormation Stack.
    3. Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
  3. The new Administrator password can be used when the new automation controller and automation hub EC2 instances reach the Running instance state. Instances read the secret only when they launch, so an instance that is not replaced keeps the old password.

6.2. Changing the default RDS database password

The default RDS database password for Ansible Automation Platform is generated randomly when Ansible Automation Platform from AWS Marketplace is deployed. Follow these steps to change the RDS password:

Procedure

  1. Navigate to the AWS Secrets Manager console.

    1. Locate and open the secret for the CloudFormation Stack with the name <stack_name>-aap-rds-secret.
    2. Select Retrieve secret value to view the secret value.
    3. Select Edit and provide an updated password value.
    4. Click Save.
  2. Update the automation hub EC2 instance with the new RDS password.

    1. Navigate to the AWS EC2 Instances console
    2. Identify and connect to the automation hub instance for the CloudFormation Stack.
    3. Install the PostgreSQL client:

      # dnf install postgresql
    4. Read the database settings (host, port, database name, user and current password) from /etc/pulp/settings.py. These values are used in the following steps.
    5. Connect with the current password. Enter it at the prompt rather than on the command line, so that it is not recorded in the shell history:

      $ psql -h <DB_HOST> -p <DB_PORT> -U awx -d <DB_NAME>
      1. When prompted for a password, enter <DB_PASSWORD>.
    6. At the psql prompt, set the new password. Use the same value you saved in Secrets Manager in step 1. The password must be a quoted SQL string literal, and any single quote inside it must be doubled:

      ALTER USER awx WITH PASSWORD '<UPDATED_PASSWORD>';
  3. Change the running Ansible Automation Platform EC2 instances to use the new RDS password. Do not terminate any instance until the ALTER USER in step 2 has succeeded: the replacement instances read the password from the secret when they launch and cannot connect to the database until the two match.

    1. Navigate to the AWS EC2 Instances console.
    2. Terminate all automation controller and automation hub instances for the CloudFormation Stack. The Auto Scaling Groups replace them.
    3. Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
    4. The new RDS password is in use when the new automation controller and automation hub EC2 instances reach the Running instance state.
  4. To validate the RDS password has been changed:

    1. Identify and connect to the automation hub instance for the CloudFormation Stack.
    2. View the updated database settings from the following file - /etc/pulp/settings.py.
    3. Attempt to connect using the following sample connection string:

      psql postgresql://<DB_USER>:<DB_PASSWORD>@<DB_HOST>:<DB_PORT>/<DB_NAME>

      Variable definitions can be found in the settings file. A password placed in the connection URI is visible in the shell history and in the process list; if that matters on a shared host, omit the password from the URI and enter it at the prompt instead.
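
The password rotation of steps 2 and 4, done from the automation hub instance's shell with the AWS CLI and psql, as an added example that is not part of the Red Hat documentation. It assumes that the secret <stack_name>-aap-rds-secret has already been updated (step 1) and holds the bare new password as its SecretString, that the database role is awx as in the procedure, and that DB_HOST, DB_PORT, DB_NAME and DB_USER have been exported from the values in /etc/pulp/settings.py. It keeps both passwords off the command line, renders the ALTER USER statement as a correctly quoted SQL literal (which a bare <UPDATED_PASSWORD> is not), and verifies a login with the new password before any instance is terminated.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat documentation). Rotates the RDS password
# for the awx role without putting either password on a command line and
# verifies the new password before any EC2 instance is replaced.
# Assumptions: the secret <stack_name>-aap-rds-secret already holds the new
# password as a bare SecretString (section 6.2, step 1); DB_HOST, DB_PORT,
# DB_NAME and DB_USER are exported from /etc/pulp/settings.py.
set -eu

# libpq reads these from the environment; sslmode=require refuses to send
# the passwords to RDS in clear text.
export PGSSLMODE=require

# Render ALTER USER as a correctly quoted SQL statement. The password is a
# string literal, so embedded single quotes are doubled; the role name is a
# quoted identifier, so embedded double quotes are doubled. (Assumes the
# password contains no newline.)
render_alter_user_sql() {            # render_alter_user_sql <role> <password>
    role=$(printf '%s' "$1" | sed 's/"/""/g')
    pass=$(printf '%s' "$2" | sed "s/'/''/g")
    printf "ALTER USER \"%s\" WITH PASSWORD '%s';\n" "$role" "$pass"
}

# Fetch the new password from Secrets Manager (already updated in step 1).
new_password_from_secret() {         # new_password_from_secret <secret-id>
    aws secretsmanager get-secret-value --secret-id "$1" \
        --query SecretString --output text
}

# Run psql with the given password, authenticating through PGPASSWORD so the
# password never appears in argv (visible in ps) or in the shell history.
psql_as() {                          # psql_as <password> <psql-args...>
    pw=$1; shift
    PGPASSWORD=$pw psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" \
        -v ON_ERROR_STOP=1 -qAt "$@"
}

rotate_rds_password() {              # rotate_rds_password <secret-id>
    new_pass=$(new_password_from_secret "$1")
    printf 'Current password for role %s: ' "$DB_USER" >&2
    stty -echo; read -r old_pass; stty echo; printf '\n' >&2
    # The statement arrives on stdin (-f -), not on the command line.
    render_alter_user_sql "$DB_USER" "$new_pass" | psql_as "$old_pass" -f -
    # Prove the change before touching any instance: replacements launched by
    # the Auto Scaling Groups read the secret at boot, so a failed login here
    # means terminating instances now would leave the platform unable to start.
    psql_as "$new_pass" -c 'SELECT current_user' >/dev/null
    echo "Password for $DB_USER rotated and verified; replace the instances now (step 3)." >&2
}

case "${1:-}" in
    rotate) rotate_rds_password "${2:?usage: $0 rotate <secret-id>}" ;;
esac
```

Run it on the automation hub instance as `./rotate_rds.sh rotate <stack_name>-aap-rds-secret` after exporting the four DB_* variables. If the verification login fails, correct the password in the database or in the secret before terminating anything; until the two agree, every replacement instance the Auto Scaling Groups launch will fail to reach the database.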

6.3. Replacing automation controller and automation hub EC2 instances SSL/TLS certificate and key

By default, EC2 instances are secured with a self-signed SSL/TLS certificate with a validity period of ten years. When the certificate expires, or when you want the EC2 instances to use your own certificate, replace the SSL/TLS certificate and key as follows.

Procedure

  1. Navigate to the AWS Secrets Manager console.

    1. Locate and open the secret for the CloudFormation Stack with the name <stack_name>-pulp_cert.
    2. Select Retrieve secret value to view the secret value.
    3. Select Edit and provide new SSL/TLS certificate value.
    4. Click Save.
  2. Navigate to the AWS Secrets Manager console.

    1. Locate and open the secret for the CloudFormation Stack with the name <stack_name>-pulp_key.
    2. Select Retrieve secret value to view the secret value.
    3. Select Edit and provide new SSL/TLS key value.
    4. Click Save.
  3. Change the running Ansible Automation Platform EC2 instances to use the new SSL/TLS certificate and key.

    1. Navigate to the AWS EC2 Instances console.
    2. Identify and terminate all automation controller and automation hub instances for the CloudFormation Stack.
    3. Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
  4. The new certificate is in use when the new automation controller and automation hub EC2 instances reach a Running instance state.

6.4. Securing the connection between automation hub and automation controller

The following procedure describes how to secure the automation hub load balancer.

Prerequisites

  • Ensure you are using OpenSSL 3 or later.

Procedure

  1. Generate the automation hub certificate with the following command:

    $ openssl req -x509 -nodes -newkey rsa:4096 -keyout hub_key.pem -out hub_cert.pem -sha256 -days 365 -addext "subjectAltName = DNS:<HUB_DNS_NAME>"

    where HUB_DNS_NAME is the DNS name of the automation hub load balancer, exactly as automation controller addresses it: TLS clients match the host name against subjectAltName, so a mismatch fails certificate verification. The command prompts for the certificate subject; use the same DNS name as the Common Name. Instead of a self-signed certificate, you can request one from ACM or import one issued by your own CA. A self-signed certificate must also be trusted explicitly by every client that connects to the hub (see the update-ca-trust note at the start of this chapter).

  2. In the Amazon Web Services UI, navigate to AWS Certificate Manager (ACM). Ensure you are in the correct region.
  3. Click Import to start the import of the generated certificate.
  4. Paste the contents of hub_cert.pem into the Certificate body field.
  5. Paste the contents of hub_key.pem into the Certificate private key field.
  6. Click Next.
  7. Optional: Add any additional tags you require.
  8. Click Next.
  9. Click Import.

Updating the automation hub internal load balancer listener

Procedure

  1. In the Amazon Web Services UI, navigate to EC2 Load Balancers. Ensure you are in the correct region.
  2. Select the internal load balancer for automation hub.
  3. Click the Listeners tab.
  4. Click Add listener.
  5. Select HTTPS for the protocol, and ensure the port is 443.
  6. Select Forward for the default actions, and ensure the target group is automation hub instance group.
  7. Select Secure listener settings > Default SSL/TLS certificate and ensure that From ACM is selected.
  8. Select your imported ACM certificate.
  9. Click Add.

Updating the load balancer security group

Procedure

  1. In the Amazon Web Services UI, navigate to EC2 Security Groups. Ensure you are in the correct region.
  2. Select the automation hub ALB Security group.
  3. Select the Inbound rules tab and click Edit inbound rules.
  4. Add a rule of Type: HTTPS, with Source: Anywhere-IPv4. Because this is an internal load balancer, Anywhere-IPv4 only admits traffic that can already route to the VPC; to limit it further, set the source to the security group of the clients that must reach the hub, such as the automation controller instances, or to the VPC CIDR.
  5. Delete the old HTTP rule and click Save rules. With the HTTP rule removed, port 80 is closed at the security group even if the HTTP listener still exists on the load balancer.

6.5. Securing the controller load balancer

The following procedure describes how to secure the automation controller load balancer.

Prerequisites

  • Ensure you are using OpenSSL 3 or later.

Procedure

  1. Generate the automation controller certificate with the following command:

    $ openssl req -x509 -nodes -newkey rsa:4096 -keyout controller_key.pem -out controller_cert.pem -sha256 -days 365 -addext "subjectAltName = DNS:<CONTROLLER_DNS_NAME>"

    where CONTROLLER_DNS_NAME is the DNS name of the automation controller load balancer, exactly as users and API clients address it: TLS clients match the host name against subjectAltName, so a mismatch fails certificate verification. The command prompts for the certificate subject; use the same DNS name as the Common Name. Instead of a self-signed certificate, you can request one from ACM or import one issued by your own CA. A self-signed certificate must be trusted explicitly by every client that connects to the controller.

  2. In the Amazon Web Services UI, navigate to ACM. Ensure you are in the correct region.
  3. Click Import to start the import of the generated certificate.
  4. Paste the contents of controller_cert.pem into the Certificate body field.
  5. Paste the contents of controller_key.pem into the Certificate private key field.
  6. Click Next.
  7. Optional: Add any additional tags you require.
  8. Click Next.
  9. Click Import.

Updating the automation controller internal load balancer listener

Procedure

  1. In the Amazon Web Services UI, navigate to EC2 Load Balancers. Ensure you are in the correct region.
  2. Select the internal load balancer for automation controller.
  3. Click the Listeners tab.
  4. Click Add listener.
  5. Select HTTPS for the protocol, and ensure the port is 443.
  6. Select Forward for the default actions, and ensure the target group is automation controller instance group.
  7. Select Secure listener settings > Default SSL/TLS certificate and ensure that From ACM is selected.
  8. Select your imported ACM certificate.
  9. Click Add.

Updating the load balancer security group

Procedure

  1. In the Amazon Web Services UI, navigate to EC2 Security Groups. Ensure you are in the correct region.
  2. Select the automation controller ALB Security group.
  3. Select the Inbound rules tab and click Edit inbound rules.
  4. Add a rule of Type: HTTPS, with Source: Anywhere-IPv4. Because this is an internal load balancer, Anywhere-IPv4 only admits traffic that can already route to the VPC; to limit it further, set the source to the security group or CIDR of the networks from which users and API clients reach the controller.
  5. Delete the old HTTP rule and click Save rules. With the HTTP rule removed, port 80 is closed at the security group even if the HTTP listener still exists on the load balancer.
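
Sections 6.4 and 6.5 differ only in the DNS name and the file prefix, so this single added example (not part of the Red Hat documentation) covers both. It generates the certificate from the openssl command above non-interactively, checks the SAN and the validity period before importing, performs the ACM import with the AWS CLI instead of the console, and, once the HTTPS:443 listener has been attached, confirms that the load balancer really presents that certificate. Assumed: openssl 1.1.1 or later (for the -addext and -ext options), a configured AWS CLI, and the constructed name hub.example.internal, which stands in for <HUB_DNS_NAME> in the test run.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat documentation) for sections 6.4/6.5:
# generate, check, import and verify a load balancer certificate.
# Assumes openssl >= 1.1.1 (-addext/-ext) and a configured AWS CLI.
set -eu

# Self-signed certificate for one DNS name. -subj makes the request
# non-interactive; -nodes leaves the key unencrypted, which ACM import
# requires. Key size is a parameter (the documentation uses 4096).
gen_self_signed() {                  # gen_self_signed <dns_name> <out_prefix> [bits]
    name=$1; prefix=$2; bits=${3:-4096}
    openssl req -x509 -nodes -newkey "rsa:$bits" -sha256 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName = DNS:$name" \
        -keyout "${prefix}_key.pem" -out "${prefix}_cert.pem" 2>/dev/null
}

# TLS clients match the host name against subjectAltName, not against the CN.
cert_san() { openssl x509 -in "$1" -noout -ext subjectAltName; }

# Exit 0 if the certificate stays valid for at least <seconds> more.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint of whatever the listener presents for this name on port 443
# (SNI set, so the right certificate is selected).
served_fingerprint() {               # served_fingerprint <dns_name>
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

import_to_acm() {                    # import_to_acm <out_prefix> <region>  -> prints ARN
    aws acm import-certificate --region "$2" \
        --certificate "fileb://${1}_cert.pem" --private-key "fileb://${1}_key.pem" \
        --query CertificateArn --output text
}

issue() {                            # issue <dns_name> <out_prefix> <region>
    gen_self_signed "$1" "$2"
    cert_san "${2}_cert.pem" | grep -q "DNS:$1" \
        || { echo "SAN does not contain $1" >&2; exit 1; }
    cert_valid_for "${2}_cert.pem" $((30 * 24 * 3600)) \
        || { echo "certificate expires within 30 days" >&2; exit 1; }
    arn=$(import_to_acm "$2" "$3")
    echo "Imported ${2}_cert.pem as $arn; select it on the HTTPS:443 listener, then run: $0 verify $1 $2" >&2
}

verify() {                           # verify <dns_name> <out_prefix>
    local_fp=$(cert_fingerprint "${2}_cert.pem")
    remote_fp=$(served_fingerprint "$1")
    if [ "$local_fp" = "$remote_fp" ]; then
        echo "listener for $1 presents the imported certificate ($local_fp)"
    else
        echo "MISMATCH: listener presents $remote_fp, file has $local_fp" >&2; exit 1
    fi
}

case "${1:-}" in
    hub)        issue "$2" hub "$3" ;;          # ./lb_cert.sh hub <HUB_DNS_NAME> <region>
    controller) issue "$2" controller "$3" ;;   # ./lb_cert.sh controller <CONTROLLER_DNS_NAME> <region>
    verify)     verify "$2" "$3" ;;             # ./lb_cert.sh verify <DNS_NAME> hub|controller
esac
```

Run `./lb_cert.sh hub <HUB_DNS_NAME> <region>` (or `controller ...`) to produce and import the certificate, attach it to the HTTPS:443 listener as described above, then run the verify mode from a host inside the VPC (the load balancers are internal): it compares the SHA-256 fingerprint served on port 443 with the local file, which catches a listener still bound to an old ACM certificate. The same PEM files can be written into the <stack_name>-pulp_cert and <stack_name>-pulp_key secrets of section 6.3 if you want the instances themselves to use a certificate you generated this way.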