Azure-related repository
One of the main AWX features is the “Role-based access” option (which should be familiar if you have worked with Azure RM before). It can be configured to use OAuth2, SAML, RADIUS, or even LDAP centrally. For our environment we will configure Azure AD OAuth2 authentication. To do that, we need to create a new Azure user and register an Azure AD application.
There is confusion in Azure AD about which account type should or could be used in which case, so the easiest way to avoid it is to create a new account with the default domain name.
User creation requires admin rights
To check which domain is the default, follow the instructions below:
Now we can create a new user using the default domain (which should end with ‘.onmicrosoft.com’ or ‘.emea.microsoftonline.com’):
Any application that wants to use the capabilities of Azure AD must first be registered in an Azure AD tenant. Be aware that during registration you should use ‘http://yourdomain/sso/complete/azuread-oauth2/’ (not https://) as the ‘Sign-on URL’:
For the newly created application, generate a secret key and copy the application ID and application key:
In AWX, update the system settings: set ‘BASE URL’ to the AWX address and add the ‘HTTP_X_FORWARDED_FOR’ parameter to ‘REMOTE HOST HEADERS’:
Fill in the required parameters using the Azure AD application ID and secret:
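The AWX settings from the last few steps, as an added example that is not part of the original post: it builds the system and Azure AD OAuth2 settings payloads, pushes them through the AWX settings REST API, and checks that the redirect URI AWX derives from ‘BASE URL’ matches the Sign-on URL registered in Azure AD (scheme included, which is where the http/https choice above bites). The endpoint paths and setting names are taken from the AWX settings API; the hostnames, organization name and token are assumptions.

```python
import json
import urllib.request
from urllib.parse import urljoin

# AWX settings API categories and the redirect path AWX appends to BASE URL
# (assumed to match the AWX version the post targets).
SYSTEM_SETTINGS = "/api/v2/settings/system/"
AZUREAD_SETTINGS = "/api/v2/settings/azuread-oauth2/"
CALLBACK_PATH = "sso/complete/azuread-oauth2/"


def callback_url(base_url: str) -> str:
    """Redirect URI AWX sends to Azure AD; it must equal the registered Sign-on URL."""
    return urljoin(base_url.rstrip("/") + "/", CALLBACK_PATH)


def registered_url_matches(base_url: str, signon_url: str) -> bool:
    """True only if scheme, host and path of the registered URL match what AWX will send."""
    return callback_url(base_url) == signon_url.rstrip("/") + "/"


def system_settings(base_url: str, behind_proxy: bool) -> dict:
    """BASE URL plus REMOTE HOST HEADERS. HTTP_X_FORWARDED_FOR is only added when a
    reverse proxy in front of AWX sets it; without one, the header value is whatever the
    client chose to send, so AWX should not trust it."""
    headers = ["REMOTE_ADDR", "REMOTE_HOST"]  # AWX defaults
    if behind_proxy:
        headers.insert(0, "HTTP_X_FORWARDED_FOR")
    return {"TOWER_URL_BASE": base_url.rstrip("/"), "REMOTE_HOST_HEADERS": headers}


def azuread_settings(app_id: str, app_secret: str, org_name: str) -> dict:
    """Azure AD key/secret plus an organization map that places every Azure AD user in
    the single organization kept above, as a regular user rather than an admin."""
    return {
        "SOCIAL_AUTH_AZUREAD_OAUTH2_KEY": app_id,
        "SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET": app_secret,
        "SOCIAL_AUTH_AZUREAD_OAUTH2_ORGANIZATION_MAP": {
            org_name: {"users": True, "admins": False}
        },
    }


def apply_settings(base_url: str, token: str, path: str, payload: dict) -> int:
    """PATCH one settings category with an AWX OAuth2 token; returns the HTTP status."""
    req = urllib.request.Request(
        urljoin(base_url, path),
        data=json.dumps(payload).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run `registered_url_matches` before `apply_settings`; a scheme or trailing-slash mismatch is what produces the Azure AD redirect-URI error on first login.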
Now we can try to access AWX using the Azure user. To be sure that no credentials have been cached, I suggest using Firefox in private mode:
As the official documentation says: “an Organization is a logical collection of Users, Teams, Projects, and Inventories, and is the highest level in the Tower object hierarchy.”
Also, from the same document: “If you are using Ansible Tower with a Self-Support level license (formerly called Basic), you must use the default Organization. Do not delete it and try to add a new Organization, or you will break your Tower setup. Only two Tower license types (Enterprise: Standard or Enterprise: Premium) have the ability to add new Organizations beyond the default.”
This is why we don’t remove or create an organization and just update the existing one (use whatever organization name you prefer):
To avoid confusion, let’s clean up the environment that was created by default:
Now that we have ensured that Azure AD authentication works, we can grant rights to our new user:
From now on we will use the Azure user to work with AWX. For test purposes, let’s create a new project using an official example playbook: