From f466fca3e65f5bd4708d9588efd0e183d3606219 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Wed, 7 Aug 2024 22:27:31 +0200 Subject: [PATCH] chore(ansible): improve notes for awx setup on eks --- knowledge base/ansible.md | 106 +++++++++++++++++++ knowledge base/awx.md | 2 +- knowledge base/cloud computing/aws/README.md | 90 ++++++++++++++++ knowledge base/cloud computing/aws/eks.md | 19 +++- knowledge base/slack.md | 2 + snippets/ansible/tasks.yml | 25 ++++- snippets/aws/commands.fish | 2 + 7 files changed, 241 insertions(+), 5 deletions(-) diff --git a/knowledge base/ansible.md b/knowledge base/ansible.md index b857aad..ccd267d 100644 --- a/knowledge base/ansible.md +++ b/knowledge base/ansible.md @@ -18,6 +18,7 @@ 1. [Assign roles](#assign-roles) 1. [Role dependencies](#role-dependencies) 1. [Create custom filter plugins](#create-custom-filter-plugins) +1. [Execution environments](#execution-environments) 1. [Troubleshooting](#troubleshooting) 1. [Print all known variables](#print-all-known-variables) 1. [Force notified handlers to run at a specific point](#force-notified-handlers-to-run-at-a-specific-point) @@ -555,6 +556,107 @@ collections: See [Creating your own Ansible filter plugins]. +## Execution environments + +Container images that can be used as Ansible control nodes. + +Ansible Builder aids in the creation of Ansible Execution Environments.
+Refer [Introduction to Ansible Builder] for how to build one. + +Builders' `build` command defaults to using: + +- `execution-environment.yml` or `execution-environment.yaml` as the definition file. +- `$PWD/context` as the directory to use for the build context. + +
+ execution-environment.yml example + +Refer [Execution environment definition]. + +```yaml +--- +version: 3 + +build_arg_defaults: + ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre' + +dependencies: + ansible_core: + package_pip: ansible-core==2.14.4 + ansible_runner: + package_pip: ansible-runner + galaxy: requirements.yml + python: + - six + - psutil + system: bindep.txt + exclude: + python: + - docker + system: + - python3-Cython + +images: + base_image: + name: docker.io/redhat/ubi9:latest + # Other available base images: + # - quay.io/rockylinux/rockylinux:9 + # - quay.io/centos/centos:stream9 + # - registry.fedoraproject.org/fedora:38 + # - registry.redhat.io/ansible-automation-platform-23/ee-minimal-rhel8:latest + # (needs an account) + +# Custom package manager path for the RHEL based images +# options: +# package_manager_path: /usr/bin/microdnf + +additional_build_files: + - src: files/ansible.cfg + dest: configs + +additional_build_steps: + prepend_base: + - RUN echo This is a prepend base command! + # Enable Non-default stream before packages provided by it can be installed. (optional) + # - RUN $PKGMGR module enable postgresql:15 -y + # - RUN $PKGMGR install -y postgresql + prepend_galaxy: + - COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg + + prepend_final: | + RUN whoami + RUN cat /etc/os-release + append_final: + - RUN echo This is a post-install command! + - RUN ls -la /etc +``` + +
+ +
+ requirements.yml example + +```yaml +--- +collections: + - redhat.openshift +``` + +
+ +
+ Commands example + +```sh +pip install 'ansible-builder' +ansible-builder build --container-runtime 'docker' -t 'example-ee:latest' -f 'definition.yml' +ansible-runner -p 'test_play.yml' --container-image 'example-ee:latest' +ansible-navigator run 'test_play.yml' -i 'localhost,' --execution-environment-image 'example-ee:latest' \ + --mode 'stdout' --pull-policy 'missing' --container-options='--user=0' +``` + +
+ ## Troubleshooting ### Print all known variables @@ -865,6 +967,7 @@ Solution: use a version of `ansible-core` lower than 2.17. - [Mitogen for Ansible] - [Debugging tasks] - [AWX] +- [Introduction to Ansible Builder] ### Sources @@ -901,6 +1004,7 @@ Solution: use a version of `ansible-core` lower than 2.17. - [Looping over lists inside of a dict] - [Newer versions of Ansible don't work with RHEL 8] - [Running your Ansible playbooks in parallel and other strategies] +- [Execution environment definition] ## Requirements @@ -1089,7 +1098,7 @@ Requirements: Specifically, subnets must have the specific, appropriate tags.
Those are actively looked for by the controller, and will miserably fail if they are not present. -Procedure: +Installation: 1. Create a IAM policy using the `/docs/install/iam_policy.json` file in the [controller's repository][aws load balancer controller repository]. @@ -1125,6 +1134,9 @@ Procedure: +Ingresses annotations will configure the load balancers they create.
+Refer [Ingress annotations][aws load balancer controller ingress annotations] for the full list. + ### EBS CSI driver #### EBS CSI driver as aws-managed add-on @@ -1432,6 +1444,7 @@ helm upgrade -i --repo 'https://aws.github.io/eks-charts' \ [amazon elastic block store (ebs) csi driver]: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/README.md +[aws load balancer controller ingress annotations]: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md [aws load balancer controller repository]: https://github.com/kubernetes-sigs/aws-load-balancer-controller [enable ebs gp3 for eks by default]: https://geko.cloud/en/aws-enable-ebs-gp3-for-eks-by-default/ [external-snapshotter]: https://github.com/kubernetes-csi/external-snapshotter diff --git a/knowledge base/slack.md b/knowledge base/slack.md index 178b6fd..0cda7a6 100644 --- a/knowledge base/slack.md +++ b/knowledge base/slack.md @@ -65,6 +65,7 @@ Check out [slackmojis] for some common reactions. ### Sources - [Slackmojis] +- [Slack Notifications for Ansible Tower (AWX)] +[slack notifications for ansible tower (awx)]: https://mpolinowski.github.io/docs/DevOps/Ansible/2021-04-30-ansible-tower-slack-notifications/2021-04-30/ [slackmojis]: https://slackmojis.com/ diff --git a/snippets/ansible/tasks.yml b/snippets/ansible/tasks.yml index 7ca3a34..2eeb99c 100644 --- a/snippets/ansible/tasks.yml +++ b/snippets/ansible/tasks.yml @@ -189,6 +189,15 @@ - name: Manipulate dictionaries block: + - name: Add keys to dictionaries + set_fact: + organization: "{{ organization | combine({ 'name': 'ExampleOrg' }) }}" + - name: Sort keys in dictionaries + set_fact: + organization: "{{ organization | dictsort }}" + - name: Pretty print dictionaries + set_fact: + organization: "{{ organization | to_nice_json }}" - name: Merge dictionaries vars: dict_1: 
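Review bot: In the `Sort keys in dictionaries` task of `snippets/ansible/tasks.yml`, `dictsort` returns a list of `(key, value)` pairs rather than a mapping, so `organization` is no longer a dictionary afterwards. The `Pretty print dictionaries` task that follows then serialises a list of pairs. If a dictionary with ordered keys is intended, `organization: "{{ dict(organization | dictsort) }}"` keeps the type; otherwise a comment such as `# dictsort yields a list of (key, value) pairs` would make the result explicit. The three added tasks overwrite the same fact in sequence, so each example depends on the one before it. The enclosing `Manipulate dictionaries` block continues outside the hunk.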
@@ -215,7 +224,7 @@ }) }} with_items: "{{ db_extensions_query.results }}" - - name: + - name: FIXME vars: db_extensions: sales: @@ -418,3 +427,17 @@ text: type: mrkdwn text: This is a *_fancy_* message + +- name: AWX + environment: + CONTROLLER_HOST: https://awx.example.org/ + CONTROLLER_VERIFY_SSL: false + CONTROLLER_USERNAME: admin + CONTROLLER_PASSWORD: somethingSecret + block: + - name: Export all data from existing instances + # At the time of writing: applications, credential_types, credentials, execution_environments, inventory, + # inventory_sources, job_templates, notification_templates, organizations, projects, schedules, teams, and users. + awx.awx.export: + all: true + register: awx_export_output diff --git a/snippets/aws/commands.fish b/snippets/aws/commands.fish index 21c189f..5779dc4 100644 --- a/snippets/aws/commands.fish +++ b/snippets/aws/commands.fish @@ -125,7 +125,9 @@ aws kms decrypt --ciphertext-blob 'fileb://ciphertext.dat' aws kms decrypt --ciphertext-blob 'fileb://ciphertext.dat' --query 'Plaintext' --output 'text' \ | base64 --decode +aws eks --region 'eu-west-1' update-kubeconfig --name 'oneForAll' aws eks --region 'eu-west-1' update-kubeconfig --name 'oneForAll' --profile 'dev-user' +aws eks --region 'eu-west-1' update-kubeconfig --name 'oneForAll' --role-arn 'arn:aws:iam::012345678901:role/AssumedRole' # Create OIDC providers for EKS clusters # 1. Get the OIDC issuer ID for existing EKS clusters
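Review bot: The new `AWX` block in `snippets/ansible/tasks.yml` sets `CONTROLLER_VERIFY_SSL: false` alongside `CONTROLLER_USERNAME: admin` and a literal `CONTROLLER_PASSWORD`, so the admin credentials go to a host whose certificate is never checked. Because this is a copy-paste snippet, the safer defaults belong in the example itself: `CONTROLLER_VERIFY_SSL: true`, and `CONTROLLER_PASSWORD: "{{ lookup('ansible.builtin.env', 'CONTROLLER_PASSWORD') }}"` or a vaulted variable. A scoped `CONTROLLER_OAUTH_TOKEN` would avoid using the admin password at all. If verification must stay off for a lab instance with a self-signed certificate, a comment such as `# lab only: self-signed cert, do not reuse against production` would say so. With `all: true` the registered `awx_export_output` presumably holds the whole instance configuration, so it is worth noting that it should not be printed with `debug` in shared job logs.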