Chapter 6. Additional configurations
If you want to use automation hub to host execution environments, you must first configure the automation hub Application Load Balancer as described in Section 6.4. Because the load balancer presents a self-signed certificate, each EC2 instance that pulls from the hub must also trust that certificate: add it to the system CA store and run update-ca-trust on the instance.
6.1. Changing the default Ansible Automation Platform Administrator password
The default Administrator password for Ansible Automation Platform is generated randomly when Ansible Automation Platform from AWS Marketplace is deployed. Follow these steps to change the Administrator password for both automation controller and automation hub:
Procedure
- Navigate to the AWS Secrets Manager console.
- Locate and open the secret for the CloudFormation Stack with the name <stack_name>-aap-admin-secret.
- Select Retrieve secret value to view the secret value.
- Select Edit and provide an updated password value.
- Click Save.
Change the running Ansible Automation Platform EC2 instances to use the new Administrator password.
- Navigate to the AWS EC2 Instances console.
- Identify and terminate one automation controller instance and one automation hub instance for the CloudFormation Stack.
- Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
- The new Administrator password can be used when the new automation controller and automation hub EC2 instances reach a Running instance state.
6.2. Changing the default RDS database password
The default RDS database password for Ansible Automation Platform is generated randomly when Ansible Automation Platform from AWS Marketplace is deployed. Follow these steps to change the RDS password:
Procedure
- Navigate to the AWS Secrets Manager console.
- Locate and open the secret for the CloudFormation Stack with the name <stack_name>-aap-rds-secret.
- Select Retrieve secret value to view the secret value.
- Select Edit and provide an updated password value.
- Click Save.
Update the database with the new RDS password from the automation hub EC2 instance.
- Navigate to the AWS EC2 Instances console.
- Identify and connect to the automation hub instance for the CloudFormation Stack.
- Install the postgresql package:
# dnf install postgresql
- View the database settings in /etc/pulp/settings.py. The DB_HOST, DB_NAME, and DB_PASSWORD values shown there are used in the following steps.
- Connect to the database:
$ psql -h <DB_HOST> -U awx -d <DB_NAME>
- When prompted for a password, enter the current <DB_PASSWORD>.
- At the psql prompt, set the new password. It must be exactly the value you saved in Secrets Manager; otherwise the replacement instances cannot connect to the database:
ALTER USER awx WITH PASSWORD '<UPDATED_PASSWORD>';
Change the running Ansible Automation Platform EC2 instances to use the new RDS password.
- Navigate to the AWS EC2 Instances console.
- Terminate all automation controller and automation hub EC2 instances for the CloudFormation Stack. The Auto Scaling Groups replace them.
- Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
- The new RDS password is in use when the new automation controller and automation hub EC2 instances reach a Running instance state.
To validate that the RDS password has been changed:
- Identify and connect to the automation hub instance for the CloudFormation Stack.
- View the updated database settings in /etc/pulp/settings.py and attempt to connect using the following sample connection string:
psql postgresql://<DB_USER>:<DB_PASSWORD>@<DB_HOST>:<DB_PORT>/<DB_NAME>
Variable definitions can be found in the settings file. If the password contains characters such as @, :, / or #, percent-encode them in the URL, or pass the values with the -h, -U and -d options and enter the password at the prompt instead.
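The following added example (not code from the Red Hat documentation or from the Pulp project) ties the rotation steps above together in Python: it reads the DATABASES dict out of a settings.py without importing the file, builds the percent-encoded connection URL used in the validation step, generates a new password from the CSPRNG, and emits a correctly quoted ALTER USER statement. The settings.py layout (a Django-style DATABASES dict) and the sample host, database name and password are assumptions constructed for the example.

```python
"""Helpers for the RDS password rotation steps above.

Added example, not code from the Red Hat documentation or from Pulp.
Assumptions: /etc/pulp/settings.py defines a Django-style DATABASES dict
(layout assumed), and SAMPLE_SETTINGS below stands in for the real file.
"""
import ast
import secrets
import string
from urllib.parse import quote

# Constructed stand-in for /etc/pulp/settings.py; in practice read the file.
SAMPLE_SETTINGS = """
SECRET_KEY = 'not-relevant-here'
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'HOST': 'aap-db.cluster-abc123.us-east-1.rds.amazonaws.com',
        'PORT': 5432,
        'NAME': 'automationhub',
        'USER': 'awx',
        'PASSWORD': 'p@ss:w/rd#1',
    }
}
"""


def load_database_settings(source):
    """Return DATABASES['default'] from settings.py text.

    The file is parsed as an AST and only the dict literal is evaluated with
    ast.literal_eval, so no settings code is executed on the way.
    """
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "DATABASES" for t in node.targets
        ):
            return ast.literal_eval(node.value)["default"]
    raise ValueError("no DATABASES assignment found in settings")


def connection_url(db):
    """Build the libpq URL from the validation step.

    User and password are percent-encoded: a random password containing
    '@', ':', '/' or '#' would otherwise be mis-parsed as part of the URL.
    """
    return "postgresql://{user}:{password}@{host}:{port}/{name}".format(
        user=quote(str(db["USER"]), safe=""),
        password=quote(str(db["PASSWORD"]), safe=""),
        host=db["HOST"],
        port=db["PORT"],
        name=db["NAME"],
    )


def new_password(length=32):
    """Generate a password from the CSPRNG. Letters and digits only keeps it
    safe for the Secrets Manager value, the psql URL and the SQL literal."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alter_user_sql(user, password):
    """Return the ALTER USER statement with correct SQL quoting.

    The role name is a double-quoted identifier and the password a
    single-quoted literal; doubling the quote character is the escape.
    """
    ident = user.replace('"', '""')
    literal = password.replace("'", "''")
    return 'ALTER USER "{}" WITH PASSWORD \'{}\';'.format(ident, literal)


def rotation_plan(source):
    """Produce the commands for one rotation: connect, ALTER USER, verify."""
    db = load_database_settings(source)
    password = new_password()
    updated = dict(db, PASSWORD=password)
    return {
        "connect": "psql -h {} -U {} -d {}".format(db["HOST"], db["USER"], db["NAME"]),
        "alter": alter_user_sql(db["USER"], password),
        "verify": "psql '{}'".format(connection_url(updated)),
        # Store this value in <stack_name>-aap-rds-secret before terminating instances.
        "new_password": password,
    }


if __name__ == "__main__":
    for step, command in rotation_plan(SAMPLE_SETTINGS).items():
        print("{:>12}: {}".format(step, command))
```

Whichever route you take, the value passed to ALTER USER must be the one stored in <stack_name>-aap-rds-secret, or the replacement instances will fail to connect. If you prefer not to type the password into a SQL statement, the psql meta-command \password awx prompts for it and sends it to the server already hashed, so the plaintext does not land in the psql history or the server's statement log.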
6.3. Replacing automation controller and automation hub EC2 instances SSL/TLS certificate and key
By default, EC2 instances are secured with a self-signed SSL/TLS certificate with a validity period of ten years. When the certificate expires, or when you want the EC2 instances to use your own certificate, you must replace the SSL/TLS certificate and key.
Procedure
- Navigate to the AWS Secrets Manager console.
- Locate and open the secret for the CloudFormation Stack with the name <stack_name>-pulp_cert.
- Select Retrieve secret value to view the secret value.
- Select Edit and provide the new SSL/TLS certificate value.
- Click Save.
- Locate and open the secret for the CloudFormation Stack with the name <stack_name>-pulp_key.
- Select Retrieve secret value to view the secret value.
- Select Edit and provide the new SSL/TLS key value. The key must be the private key that matches the certificate you saved in the previous step.
- Click Save.
Change the running Ansible Automation Platform EC2 instances to use the new SSL/TLS certificate and key.
- Navigate to the AWS EC2 Instances console.
- Identify and terminate all automation controller and automation hub instances for the CloudFormation Stack.
- Wait for the automation controller and automation hub Auto Scaling Groups to create new EC2 instances.
- The new certificate is in use when the new automation controller and automation hub EC2 instances reach a Running instance state.
6.4. Securing the connection between automation hub and automation controller
The following procedure describes how to secure the automation hub load balancer.
Prerequisites
- Ensure you are using openssl v3 or later.
Procedure
- Generate the automation hub certificate with the following command:
$ openssl req -x509 -nodes -newkey rsa:4096 -keyout hub_key.pem -out hub_cert.pem -sha256 -days 365 -subj "/CN=<HUB_DNS_NAME>" -addext "subjectAltName = DNS:<HUB_DNS_NAME>"
where HUB_DNS_NAME is the DNS name of the hub load balancer. The -subj option supplies the subject so the command runs without interactive prompts. The -nodes option writes the private key unencrypted, which the ACM import below requires, so restrict access to hub_key.pem and delete it once the import is complete. Because the certificate is self-signed, the automation controller instances that pull execution environments from the hub must trust it, as described at the start of this chapter. Certificates can also be requested or imported into AWS.
- In the Amazon Web Services UI, navigate to AWS Certificate Manager (ACM). Ensure you are in the correct region.
- Click Import to start the import of the generated certificate.
- Paste the contents of hub_cert.pem into the Certificate body field.
- Paste the contents of hub_key.pem into the Certificate private key field.
- Click Next.
- Optional: Add any additional tags you require.
- Click Next.
- Click Import.
Updating the automation hub internal Load Balancer Listener
Procedure
- In the Amazon Web Services UI, navigate to EC2 Load Balancers. Ensure you are in the correct region.
- Select the internal load balancer for automation hub.
- Click the Listeners tab.
- Click Add listener.
- Select HTTPS for the protocol, and ensure the port is 443.
- Select Forward for the default action, and ensure the target group is the automation hub instance group.
- Select Secure listener settings > Default SSL/TLS certificate and ensure that From ACM is selected.
- Select your imported ACM certificate.
- Click Add.
Updating the load balancer security group
Procedure
- In the Amazon Web Services UI, navigate to EC2 Security Groups. Ensure you are in the correct region.
- Select the automation hub ALB Security group.
- Select the Inbound rules tab and click Edit inbound rules.
- Add a rule of Type: HTTPS, with Source: Anywhere-IPv4. Because the load balancer is internal, this source only admits traffic that can already reach the VPC; narrow it to the VPC or automation controller CIDR if your policy requires it.
- Delete the old HTTP rule and click Save rules.
6.5. Securing the controller load balancer
The following procedure describes how to secure the automation controller load balancer.
Prerequisites
- Ensure you are using openssl v3 or later.
Procedure
- Generate the automation controller certificate with the following command:
$ openssl req -x509 -nodes -newkey rsa:4096 -keyout controller_key.pem -out controller_cert.pem -sha256 -days 365 -subj "/CN=<CONTROLLER_DNS_NAME>" -addext "subjectAltName = DNS:<CONTROLLER_DNS_NAME>"
where CONTROLLER_DNS_NAME is the DNS name of the controller load balancer. The -subj option supplies the subject so the command runs without interactive prompts, and -nodes leaves the private key unencrypted for the ACM import, so protect and then delete controller_key.pem after importing it. Certificates can also be requested or imported into AWS.
- In the Amazon Web Services UI, navigate to AWS Certificate Manager (ACM). Ensure you are in the correct region.
- Click Import to start the import of the generated certificate.
- Paste the contents of controller_cert.pem into the Certificate body field.
- Paste the contents of controller_key.pem into the Certificate private key field.
- Click Next.
- Optional: Add any additional tags you require.
- Click Next.
- Click Import.
Updating the automation controller internal load balancer listener
Procedure
- In the Amazon Web Services UI, navigate to EC2 Load Balancers. Ensure you are in the correct region.
- Select the internal load balancer for automation controller.
- Click the Listeners tab.
- Click Add listener.
- Select HTTPS for the protocol, and ensure the port is 443.
- Select Forward for the default action, and ensure the target group is the automation controller instance group.
- Select Secure listener settings > Default SSL/TLS certificate and ensure that From ACM is selected.
- Select your imported ACM certificate.
- Click Add.
Updating the load balancer security group
Procedure
- In the Amazon Web Services UI, navigate to EC2 Security Groups. Ensure you are in the correct region.
- Select the automation controller ALB Security group.
- Select the Inbound rules tab and click Edit inbound rules.
- Add a rule of Type: HTTPS, with Source: Anywhere-IPv4.
- Delete the old HTTP rule and click Save rules.