AWX & Tower #
Running Ansible from the command line works well for one person. As the team grows, new challenges appear: who may run which playbook against which environment? How is the history of every execution recorded? How can non-engineers trigger a deployment without terminal access? AWX (the open source version) and Ansible Tower (the enterprise version) answer all of these: they are web platforms for managing, scheduling, and controlling access to Ansible.
AWX vs Ansible Tower #
AWX (Open Source):
✓ Free, open source
✓ All core features available
✓ More frequent updates (but they can be breaking)
✗ No official support
✗ Upgrades can be more complex
Ansible Tower / Automation Controller (Red Hat):
✓ Official support from Red Hat
✓ Stability and a predictable release cycle
✓ Integration with the Red Hat ecosystem
✗ Paid (per node or subscription)
✗ Slower updates
AWX is the upstream of Tower: the features are the same, but AWX is more cutting-edge and Tower is more stable.
Core AWX Concepts #
```
Organization          → Top-level container, holds all resources
│
├── Credential        → SSH key, vault password, cloud credentials
├── Inventory         → Static or dynamic inventory
├── Project           → Git repository that contains the playbooks
└── Job Template      → Combination: Inventory + Project + Playbook + Credential
    │
    └── Job           → One execution of a Job Template (the actual result)

Workflow Template     → Connects several Job Templates into a flow:
  JT: Validate → JT: Deploy Staging → (success) → JT: Deploy Production
                                    → (failure) → JT: Notify Failure
```
Automating AWX Configuration with Ansible #
AWX itself can be configured with Ansible using the awx.awx collection:
```bash
ansible-galaxy collection install awx.awx
pip install awxkit
```
```yaml
# playbooks/configure-awx.yml
---
- name: Konfigurasi AWX untuk project infrastruktur
  hosts: localhost
  vars:
    awx_host: "https://awx.company.internal"
  tasks:
    # 1. Create the Organization
    - name: Buat organization
      awx.awx.organization:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Platform Engineering"
        description: "Team Platform Engineering"
        state: present

    # 2. Create the SSH Credential
    - name: Buat credential SSH untuk production
      awx.awx.credential:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Production SSH Key"
        organization: "Platform Engineering"
        credential_type: "Machine"
        inputs:
          ssh_key_data: "{{ vault_production_ssh_key }}"
          username: ansible-deploy
        state: present
      no_log: true

    # 3. Create the Vault Credential
    - name: Buat credential Ansible Vault
      awx.awx.credential:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Ansible Vault Password"
        organization: "Platform Engineering"
        credential_type: "Vault"
        inputs:
          vault_password: "{{ vault_ansible_vault_password }}"
        state: present
      no_log: true

    # 4. Create the Project (linked to the Git repository)
    - name: Buat project dari Git repository
      awx.awx.project:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Infrastructure Playbooks"
        organization: "Platform Engineering"
        scm_type: git
        scm_url: "https://github.com/company/ansible-infra.git"
        scm_branch: main
        scm_update_on_launch: true  # Always pull the latest revision before a run
        state: present

    # 5. Create the Inventory
    - name: Buat inventory production
      awx.awx.inventory:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Production Inventory"
        organization: "Platform Engineering"
        state: present

    # 6. Create the Job Template
    - name: Buat Job Template untuk deployment
      awx.awx.job_template:
        controller_host: "{{ awx_host }}"
        controller_oauthtoken: "{{ vault_awx_token }}"
        name: "Deploy — Production"
        organization: "Platform Engineering"
        job_type: run
        inventory: "Production Inventory"
        project: "Infrastructure Playbooks"
        playbook: "playbooks/deploy.yml"
        credentials:
          - "Production SSH Key"
          - "Ansible Vault Password"
        survey_enabled: true  # Enable an input form before the run
        survey_spec:
          description: "Parameter deployment"
          name: "Deploy Parameters"
          spec:
            - variable: version
              question_name: "Versi yang akan di-deploy"
              question_description: "Contoh: 2.1.0"
              required: true
              type: text
            - variable: confirm
              question_name: "Konfirmasi deploy ke production"
              required: true
              type: multiplechoice
              choices: "yes\nno"
              default: "no"
        state: present
```
Webhook: Triggering Jobs from External Systems #
AWX supports webhooks: a job can be triggered by a push to GitHub/GitLab or by another CI/CD system:
```yaml
# Enable the webhook on the Job Template
- name: Aktifkan webhook di Job Template
  awx.awx.job_template:
    controller_host: "{{ awx_host }}"
    controller_oauthtoken: "{{ vault_awx_token }}"
    name: "Deploy — Staging"
    webhook_service: github  # or gitlab
    webhook_credential: "GitHub Webhook Token"
    state: present
```
```yaml
# In GitHub Actions: trigger AWX via webhook
- name: Trigger AWX deployment
  run: |
    curl -X POST \
      -H "Content-Type: application/json" \
      -H "X-GitHub-Event: push" \
      https://awx.company.internal/api/v2/job_templates/42/github/ \
      -d '{"ref": "refs/heads/main"}'
```
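Added example (not from the original page or the AWX project): a webhook endpoint that starts deployments should accept only requests carrying a valid HMAC of the raw body under a shared secret, which is how GitHub signs its deliveries; a bare POST without a signature header fails this check. The secret, the sample body and the function names below are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Digests accepted in an "<alg>=<hex>" signature header. GitHub sends
# X-Hub-Signature (sha1) and X-Hub-Signature-256 (sha256).
ALLOWED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed sample values, not real secrets.
SECRET = b"constructed-webhook-key"
BODY = b'{"ref": "refs/heads/main"}'


def sign(secret: bytes, body: bytes, alg: str = "sha256") -> str:
    """Sender side: header value covering these exact body bytes."""
    return f"{alg}=" + hmac.new(secret, body, ALLOWED[alg]).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Receiver side: accept only a well-formed, matching signature."""
    if not header or "=" not in header:
        return False  # unsigned request
    alg, _, received = header.partition("=")
    if alg not in ALLOWED:
        return False  # no fallback to digests the receiver does not allow
    expected = hmac.new(secret, body, ALLOWED[alg]).hexdigest()
    # Constant-time comparison; bytes operands tolerate non-ASCII input.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    header = sign(SECRET, BODY)
    print("valid:", verify(SECRET, BODY, header))
    print("tampered ref:", verify(SECRET, BODY.replace(b"main", b"prod"), header))
    print("unsigned:", verify(SECRET, BODY, None))
```

The signature must be computed over the exact bytes sent, so sign the body after serialising it, not before.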
RBAC: Role-Based Access Control #
```yaml
# Grant access to a specific user
- name: Beri akses Execute ke Job Template untuk tim developer
  awx.awx.role:
    controller_host: "{{ awx_host }}"
    controller_oauthtoken: "{{ vault_awx_token }}"
    user: john.doe
    role: execute
    job_templates:
      - "Deploy — Staging"  # Developers can deploy to staging
    state: present

# Developers do NOT have access to the production Job Template
# Only SRE can run Deploy — Production
- name: Beri akses penuh ke tim SRE
  awx.awx.role:
    controller_host: "{{ awx_host }}"
    controller_oauthtoken: "{{ vault_awx_token }}"
    team: SRE
    role: admin
    organizations:
      - "Platform Engineering"
    state: present
```
Workflow Template #
A workflow connects several Job Templates with success/failure conditions:
```yaml
- name: Buat Workflow deployment lengkap
  awx.awx.workflow_job_template:
    controller_host: "{{ awx_host }}"
    controller_oauthtoken: "{{ vault_awx_token }}"
    name: "Full Deployment Pipeline"
    organization: "Platform Engineering"
    schema:
      - identifier: validate
        unified_job_template: "Validate Playbook"
        related:
          success_nodes:
            - identifier: deploy_staging
          failure_nodes:
            - identifier: notify_failure
      - identifier: deploy_staging
        unified_job_template: "Deploy — Staging"
        related:
          success_nodes:
            - identifier: integration_test
          failure_nodes:
            - identifier: notify_failure
      - identifier: integration_test
        unified_job_template: "Integration Tests"
        related:
          success_nodes:
            - identifier: deploy_production
          failure_nodes:
            - identifier: notify_failure
      - identifier: deploy_production
        unified_job_template: "Deploy — Production"
        related:
          failure_nodes:
            - identifier: notify_failure
      - identifier: notify_failure
        unified_job_template: "Notify Failure"
    state: present
```
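Added example (not from the original page or the AWX project): a check that every path to the production node in the workflow above passes the validate, staging and integration-test gates over success edges only. The node graph mirrors the page's schema; the helper names and the weakened variant with an `always_nodes` shortcut are constructed for illustration.

```python
import copy

EDGE_KINDS = ("success_nodes", "failure_nodes", "always_nodes")

def _n(ident, success=(), failure=(), always=()):
    """Build one node in the shape of the workflow `schema` list."""
    kinds = zip(EDGE_KINDS, (success, failure, always))
    return {"identifier": ident,
            "related": {k: [{"identifier": t} for t in ts] for k, ts in kinds if ts}}

# The pipeline from the page (job template names left out for brevity).
PAGE_SCHEMA = [
    _n("validate", ["deploy_staging"], ["notify_failure"]),
    _n("deploy_staging", ["integration_test"], ["notify_failure"]),
    _n("integration_test", ["deploy_production"], ["notify_failure"]),
    _n("deploy_production", failure=["notify_failure"]),
    _n("notify_failure"),
]
GATES = ["validate", "deploy_staging", "integration_test"]

def edges(schema):
    """Map node id -> [(edge kind, target id), ...]."""
    return {n["identifier"]: [(k, t["identifier"]) for k in EDGE_KINDS
                              for t in n.get("related", {}).get(k, [])]
            for n in schema}

def ungated_paths(schema, target, gates):
    """Paths reaching `target` that skip a gate or use a non-success edge."""
    graph, bad = edges(schema), []
    children = {t for outs in graph.values() for _, t in outs}
    def walk(node, path, only_success):
        if node == target:
            if not (only_success and set(gates) <= set(path)):
                bad.append(path + [node])
            return
        for kind, nxt in graph.get(node, []):
            if nxt not in path:  # ignore cycles
                walk(nxt, path + [node], only_success and kind == "success_nodes")
    for root in (n for n in graph if n not in children):
        walk(root, [], True)
    return bad

def with_shortcut(schema):
    """Constructed bad variant: staging jumps to production on any outcome."""
    weak = copy.deepcopy(schema)
    weak[1]["related"]["always_nodes"] = [{"identifier": "deploy_production"}]
    return weak

if __name__ == "__main__":
    print(ungated_paths(PAGE_SCHEMA, "deploy_production", GATES))
    print(ungated_paths(with_shortcut(PAGE_SCHEMA), "deploy_production", GATES))
```

An empty result means production is reachable only through all gates; running the same check in review catches a workflow edit that quietly adds a bypass.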
Summary #
- AWX/Tower provides a web UI, RBAC, execution history, and scheduling, which fits once the team grows and access control becomes important.
- Configure AWX itself with Ansible using the awx.awx collection: infrastructure as code applies to the Ansible platform too.
- The Job Template is the main unit of execution: a combination of inventory + project + playbook + credential. A survey allows parameters to be entered before a run.
- A Workflow Template connects Job Templates with success/failure conditions, building a complex deployment pipeline without additional code.
- Webhooks allow a Job Template to be triggered by a GitHub/GitLab push, a natural integration with a CI/CD pipeline.
- RBAC lets developers access the staging Job Template but not the production one, a separation of concerns that matters for operational security.