Introducing the Ansible API for ServiceNow ITSM

One of the most popular platform integrations available to Ansible Automation Platform subscribers in Ansible automation hub is the Red Hat Ansible Certified Content Collection for ServiceNow ITSM. This collection helps you create new automation workflows faster based on ServiceNow ITSM while establishing a single source of truth in the ServiceNow configuration management database (CMDB). You can help free teams from hours of manual effort and have greater data integrity within your ServiceNow ITSM instance. 

For ServiceNow users, we've launched a new native ServiceNow application, the API for Red Hat Ansible Automation Platform Certified Content Collection, available exclusively through the ServiceNow store to enhance and support the integration between the two platforms.   

What is the Ansible API for ServiceNow ITSM?

The API for Red Hat Ansible Automation Platform Certified Content Collection integrates Ansible's certified content with your ServiceNow instance. Prior to the launch of ServiceNow's Rome API, Ansible users could download the Red Hat Ansible Certified Content Collection for ServiceNow ITSM from the Ansible automation hub and directly manage ServiceNow resources using their REST API. 

With the release of Rome, the REST API no longer provided all of the support needed to automate ServiceNow using Ansible. To remedy this problem, Red Hat and our partner, XLAB, developed this new API to enhance and restore that functionality. 

While the need to develop the Ansible API for ServiceNow ITSM was a result of the release of Rome, it's also compatible with ServiceNow ITSM San Diego and Tokyo.

What can you automate in the ServiceNow ITSM?

Using both the API and the Certified Content Collection for ServiceNow ITSM, you can:

  • Automate change requests. Use Ansible Playbooks to automate ServiceNow ITSM service requests, including reporting change results and all information related to those changes. Your service representatives can simply kick off an Ansible Playbook to resolve common requests and reduce rote, repetitive tasks.
  • Automate incident response. Assets in the ServiceNow Certified Collection support automatic updates to incident tickets to provide a consistent audit trail. Your team can also streamline the required steps for issue remediation and apply them at scale.
  • Enable full "closed loop" automation. Simplify the opening, advancement, and resolution of IT service management workflow items while keeping relevant and accurate information flowing into the CMDB across disparate users, teams, and assets. Ensure that infrastructure information is always up to date, actionable, and auditable while work is completed by cross-domain teams that may or may not have access to ServiceNow.

Getting started with the Ansible API for ServiceNow ITSM

To get started:

  • Install the API for Red Hat Ansible Certified Content Collection for free from the ServiceNow store and consult the "Application Installation and Configuration Guide" for additional instructions. 
  • Download the Ansible Content Collection for ServiceNow ITSM from Ansible automation hub on the Red Hat Hybrid Cloud Console.

Additional resources

Let Ansible keep an eye on your AWS environment

In a cloud model, the security and compliance of the environment become the responsibility of both the end user and the cloud provider. This is what we call the shared responsibility model, in which every part of the cloud, including the hardware, data, configurations, access rights and operating system, is protected. Depending on local legislation and the origin of the data you handle (for instance HIPAA, the GDPR in Europe or California's CCPA), you may have to enforce strict rules on your environment and log events for audit purposes. AWS CloudTrail helps you achieve this goal: the service collects and records information coming from your environment and stores or sends the events to a destination for audit. In addition to security and compliance, it helps keep track of resource consumption.

Ansible's cloudtrail module leverages the features of the CloudTrail service to monitor and audit user activities and API calls in the AWS environment. A trail is a configuration that describes an event filter and decides where the matching entries should be sent. The recent 5.0.0 release of the amazon.aws collection comes with a new cloudtrail module that creates, configures and deletes a trail. The final destination of a trail can be an S3 bucket or a CloudWatch log group. We have also paired the cloudtrail module with a cloudtrail_info module, which collects the information of all trails or of a specific one.

In this blog post, we take a few configuration use cases and show how Ansible's cloudtrail module can be used to automate them.

You can download the amazon.aws collection from

Use Case 1 - Get maximum visibility

Unless a trail is used for a specific activity in a specific region, it is best practice to enable CloudTrail for all regions. By doing so, we maximize the visibility of the AWS environment so there is no weakness (an unmonitored region) that an attacker could exploit. This also ensures that we receive the event history for any new region AWS launches in the future.

- name: create multi-region trail
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mylogbucket
    region: us-east-1
    is_multi_region_trail: true
    tags:
      environment: dev

The cloudtrail_info module returns all the information about a particular trail or about every trail present. If no trail name is given as input, the module returns information about all trails, including shadow trails, by default; set include_shadow_trails to false to skip the shadow trails.

# Gather information about the multi-region trail
- amazon.aws.cloudtrail_info:
    trail_names:
      - arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail
    include_shadow_trails: False
  register: trail_info

trail_info:
  "trail_list": [
    {
      "has_custom_event_selectors": false,
      "has_insight_selectors": false,
      "home_region": "us-east-1",
      "include_global_service_events": true,
      "is_logging": true,
      "is_multi_region_trail": true,
      "is_organization_trail": false,
      "latest_delivery_attempt_succeeded": "",
      "latest_delivery_attempt_time": "",
      "latest_notification_attempt_succeeded": "",
      "latest_notification_attempt_time": "",
      "log_file_validation_enabled": false,
      "name": "myCloudTrail",
      "resource_id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail",
      "s3_bucket_name": "mylogbucket",
      "start_logging_time": "2022-09-29T11:41:41.752000-04:00",
      "tags": {"environment": "dev"},
      "time_logging_started": "2022-09-29T15:41:41Z",
      "time_logging_stopped": "",
      "trail_arn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail"
    }
  ]

Use Case 2 - Manage access to S3 buckets

For this use case, we manage the access given to the S3 buckets where the trail logs are stored. As mentioned earlier, shared responsibility includes the security of the resources as well. S3 buckets are prone to incorrect configurations and are a major source of data leaks: a bucket configured with public access lets anyone on the internet read the data. Ansible's s3_bucket module can be used to set the permissions and policies of CloudTrail's S3 bucket. That bucket is then passed to the cloudtrail module as the destination for the logs the trail generates.

- amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    public_access:
      block_public_acls: true
      ignore_public_acls: true
      block_public_policy: false
      restrict_public_buckets: false

- name: Create trail with secured s3 bucket
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mys3bucket
    region: us-east-1
    tags:
      environment: dev

Use Case 3 - Maintain CloudTrail logs integrity

CloudTrail logs are collected to verify the compliance and security of the AWS environment. It is always possible that an attacker gains access and tampers with these logs to obscure their presence. With log file validation enabled, a digital signature is generated for the log files, which is used to check that they are intact and have not been tampered with.

- name: create a trail with log file validation
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mylogbucket
    region: us-east-1
    log_file_validation_enabled: true
    tags:
      environment: dev

# Gather information about the trail
- amazon.aws.cloudtrail_info:
    trail_names:
      - arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail
    include_shadow_trails: False
  register: trail_info

trail_info:
  "trail_list": [
    {
      "has_custom_event_selectors": false,
      "has_insight_selectors": false,
      "home_region": "us-east-1",
      "include_global_service_events": true,
      "is_logging": true,
      "is_multi_region_trail": false,
      "is_organization_trail": false,
      "latest_delivery_attempt_succeeded": "",
      "latest_delivery_attempt_time": "",
      "latest_notification_attempt_succeeded": "",
      "latest_notification_attempt_time": "",
      "log_file_validation_enabled": true,
      "name": "myCloudTrail",
      "resource_id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail",
      "s3_bucket_name": "mylogbucket",
      "start_logging_time": "2022-09-29T11:41:41.752000-04:00",
      "tags": {"environment": "dev"},
      "time_logging_started": "2022-09-29T15:41:41Z",
      "time_logging_stopped": "",
      "trail_arn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail"
    }
  ]
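
The validation in Use Case 3 rests on a chain of signed digests: each digest lists the SHA-256 hash of every log file delivered in its window and carries the hash and signature of the previous digest, so editing or deleting a log file, or editing a digest to hide a file, breaks a hash, a signature or the chain link. The script below is an added example, not code from the blog post or from AWS. It models that chain structure with constructed log contents and file names, and uses HMAC-SHA256 with a constructed key in place of the RSA signature that AWS produces with a key it alone holds, so it runs offline with the standard library.

```python
"""Simplified model of CloudTrail log file validation (added example).

Digest layout follows CloudTrail's idea (per-file SHA-256 hashes, a link to
the previous digest's hash and signature, a signature over the digest), but
HMAC-SHA256 with a constructed key stands in for AWS's RSA signature.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed stand-in for the signing key that AWS holds.
SIGNING_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(digest: dict) -> bytes:
    """Deterministic bytes of a digest, excluding its own signature field."""
    body = {k: v for k, v in digest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(digest: dict) -> str:
    return hmac.new(SIGNING_KEY, canonical(digest), hashlib.sha256).hexdigest()


def build_digest(log_files: Dict[str, bytes], previous: Optional[dict]) -> dict:
    """Create a signed digest for one delivery window, chained to `previous`."""
    digest = {
        "logFiles": [
            {"s3Object": name, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for name, data in sorted(log_files.items())
        ],
        "previousDigestHashValue": sha256_hex(canonical(previous)) if previous else None,
        "previousDigestSignature": previous["signature"] if previous else None,
    }
    digest["signature"] = sign(digest)
    return digest


def verify_chain(digests: List[dict], stored: Dict[str, bytes]) -> List[str]:
    """Walk the digest chain; return integrity findings (empty list = intact)."""
    findings = []
    previous = None
    for i, digest in enumerate(digests):
        # 1. the digest itself must carry a valid signature
        if not hmac.compare_digest(sign(digest), digest.get("signature", "")):
            findings.append(f"digest {i}: signature mismatch")
        # 2. it must point at the digest that actually precedes it
        expected_prev = sha256_hex(canonical(previous)) if previous else None
        if digest.get("previousDigestHashValue") != expected_prev:
            findings.append(f"digest {i}: chain broken (previous digest hash mismatch)")
        # 3. every log file it lists must still exist with the recorded hash
        for entry in digest["logFiles"]:
            name = entry["s3Object"]
            if name not in stored:
                findings.append(f"digest {i}: log file {name} missing")
            elif sha256_hex(stored[name]) != entry["hashValue"]:
                findings.append(f"digest {i}: log file {name} modified")
        previous = digest
    return findings


# Constructed log file contents for two consecutive delivery windows.
WINDOW_1 = {
    "logs/01.json.gz": b'{"eventName":"ConsoleLogin"}',
    "logs/02.json.gz": b'{"eventName":"StopLogging"}',
}
WINDOW_2 = {"logs/03.json.gz": b'{"eventName":"PutBucketPolicy"}'}


def demo() -> Dict[str, List[str]]:
    """Build a two-digest chain and show what each kind of tampering produces."""
    d1 = build_digest(WINDOW_1, None)
    d2 = build_digest(WINDOW_2, d1)
    stored = {**WINDOW_1, **WINDOW_2}
    modified = dict(stored)
    modified["logs/02.json.gz"] = b'{"eventName":"DescribeTrails"}'  # entry rewritten
    missing = dict(stored)
    del missing["logs/01.json.gz"]  # file removed from the bucket
    forged = dict(d1)
    forged["logFiles"] = d1["logFiles"][1:]  # digest edited to hide a file, not re-signed
    return {
        "clean": verify_chain([d1, d2], stored),
        "modified": verify_chain([d1, d2], modified),
        "missing": verify_chain([d1, d2], missing),
        "forged": verify_chain([forged, d2], stored),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "intact")
```

The forged case is the one that matters for the threat described above: an edited digest fails its own signature check and, because the next digest links to the hash of the original, the chain breaks as well. Re-signing the forgery would need the signing key, which in the real service never leaves AWS, so write access to the log bucket alone is not enough to hide an edit.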

Use Case 4 - Encrypt the logs

By default, S3 buckets are protected by Amazon server-side encryption with Amazon S3-managed encryption keys. To add an extra layer of security, you can use the AWS Key Management Service (KMS). Keys in KMS are managed directly by you, which helps protect the log files from an attacker surveying the environment.

- name: Create a KMS key using lookup for policy JSON
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: "{{ lookup('template', 'kms_iam_policy_template.json.j2') }}"
    state: present
  register: kms_key_for_logs

- name: Create a CloudTrail with kms_key for encryption
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mylogbucket
    kms_key_id: "{{ kms_key_for_logs.key_id }}"
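
Together, the four use cases describe a target state that the registered cloudtrail_info output lets you verify rather than assume. The script below is an added example, not code from the blog post or from the amazon.aws collection: it takes the trail_list structure that cloudtrail_info registers plus the public_access settings given to s3_bucket, both constructed here with one hardened trail and one weaker regional trail, and reports which control each trail lacks. It assumes that an encrypted trail's entry carries a kms_key_id key; the post's sample output is for an unencrypted trail and does not show one.

```python
"""Compliance check over amazon.aws.cloudtrail_info output (added example).

Reads the registered ``trail_list`` structure and flags trails missing the
controls from use cases 1, 3 and 4, plus the public-access block of the
log bucket for use case 2. Assumption: an encrypted trail's dictionary
carries a ``kms_key_id`` key.
"""
from typing import Dict, List

# Constructed sample in the shape of the post's trail_info output.
TRAIL_INFO = {
    "trail_list": [
        {
            "name": "myCloudTrail",
            "home_region": "us-east-1",
            "is_logging": True,
            "is_multi_region_trail": True,
            "include_global_service_events": True,
            "log_file_validation_enabled": True,
            "s3_bucket_name": "mylogbucket",
            "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
        },
        {
            "name": "regionalTrail",
            "home_region": "eu-west-1",
            "is_logging": False,
            "is_multi_region_trail": False,
            "include_global_service_events": False,
            "log_file_validation_enabled": False,
            "s3_bucket_name": "otherbucket",
        },
    ]
}

# Constructed sample: the public_access settings passed to amazon.aws.s3_bucket
# for each log bucket (the second mirrors the post's Use Case 2 values).
BUCKET_PUBLIC_ACCESS = {
    "mylogbucket": {
        "block_public_acls": True,
        "ignore_public_acls": True,
        "block_public_policy": True,
        "restrict_public_buckets": True,
    },
    "otherbucket": {
        "block_public_acls": True,
        "ignore_public_acls": True,
        "block_public_policy": False,
        "restrict_public_buckets": False,
    },
}

PUBLIC_ACCESS_SETTINGS = (
    "block_public_acls",
    "ignore_public_acls",
    "block_public_policy",
    "restrict_public_buckets",
)


def audit_trail(trail: dict, bucket_public_access: Dict[str, dict]) -> List[str]:
    """Return the findings for one trail dictionary (empty list = compliant)."""
    findings = []
    if not trail.get("is_logging"):
        findings.append("logging is stopped")
    if not trail.get("is_multi_region_trail"):
        findings.append("single-region trail leaves other regions unmonitored (use case 1)")
    if not trail.get("include_global_service_events"):
        findings.append("global service events (IAM, STS) are not recorded")
    if not trail.get("log_file_validation_enabled"):
        findings.append("log file validation disabled (use case 3)")
    if not trail.get("kms_key_id"):
        findings.append("log files not encrypted with a KMS key (use case 4)")
    # An unknown bucket yields an empty block, so every setting counts as missing.
    block = bucket_public_access.get(trail.get("s3_bucket_name", ""), {})
    missing = [s for s in PUBLIC_ACCESS_SETTINGS if not block.get(s)]
    if missing:
        findings.append("bucket public access block incomplete: " + ", ".join(missing) + " (use case 2)")
    return findings


def audit(trail_info: dict, bucket_public_access: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each trail name in the cloudtrail_info result to its findings."""
    return {t["name"]: audit_trail(t, bucket_public_access) for t in trail_info["trail_list"]}


if __name__ == "__main__":
    for name, findings in audit(TRAIL_INFO, BUCKET_PUBLIC_ACCESS).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

In a playbook the same checks would sit in an ansible.builtin.assert task over the registered variable; running them as a script after cloudtrail_info has dumped its result is a quick way to confirm that the trail created in the use cases above really has every control turned on.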

Beyond the use cases above, the modules offer many more parameters for keeping CloudTrail logs secure, compliant and manageable. For more information on how to configure CloudTrail and retrieve the configuration of an existing trail, please refer to amazon.aws.cloudtrail and amazon.aws.cloudtrail_info.

Now you can see four awesome use cases for Red Hat Ansible Automation Platform and CloudTrail and how they can easily and seamlessly work together to accomplish cloud automation tasks. If you want more blogs on Ansible and AWS, please let us know!

Best of Fest 2022

At AnsibleFest 2022, the power of automation was on full display. Through sessions, workshops, labs and more, we explored how to transform enterprise and industry through automation. There were a lot of exciting announcements made on both days, and in case you missed it, we are going to dive into what is new!

Ansible and AWS

We are also thrilled to announce a new AWS Marketplace offering, Red Hat Ansible Automation Platform. By offering Ansible Automation Platform as a pre-integrated service that can be quickly deployed from cloud marketplaces, we are meeting our customers where they are, while giving them the flexibility to deliver any application, anywhere, without additional overhead or complexity. Whether you are automating your hybrid cloud or multi-cloud environments, Ansible Automation Platform acts as a single platform that provides consistency, visibility, and control to help you manage these environments at scale. Ansible is the IT automation "glue" for bringing your cloud, network, bare-metal and cloud-native infrastructure together, providing the functionality to coordinate and manage across hybrid cloud environments in a simple and efficient way. Interested in learning more? Check out the press release.

Automation at the Edge

Ansible Automation Platform provides a framework for building and operating IT automation at scale. What this means for the edge, much like the data center, is that users across an entire organization can create, share, and manage automation. They can develop and apply guidelines for using automation within individual groups. They can write tasks that capture existing knowledge so it can be leveraged by non-IT staff, allowing end-to-end automation to be deployed. Ansible Automation Platform uses containerization to package, distribute, and execute automation across environments securely via automation execution environments. This enables organizations to rapidly and consistently extend IT services to the edge while maintaining a focus on security, and helps them simplify capacity scaling, increase resiliency, and improve consistency. Learn more about automation at the edge here.

Event-Driven Ansible

Event-Driven Ansible is a new capability that we're making available to the entire Ansible open source community in developer preview. With Event-Driven Ansible, you can eliminate low-level tasks from the day-to-day routine so you have more time to focus on innovation. This means a happier, more productive, and more engaged team. It is fast, accurate, and will free you (and your teams) to work on the things you WANT to be doing, without being dragged down by all the things you HAVE to do. Event-Driven Ansible will support a range of use cases, and here are a few good ones to get started with:

  • Automating remediation of common problems, like resetting a network router that's out.
  • Gathering information to solve problems faster, like information about a server configuration or buffer pool size so when you get the service ticket, the information you need is already there.
  • Administering user requests ... like "I can't log in" or "I cannot access the application".

We are excited about the future of automation and what is possible with Event-Driven Ansible.

Project Wisdom

Project Wisdom is a Red Hat initiative, developed in close collaboration with IBM Research, to give Ansible artificial intelligence superpowers. The first goal is to bring together automation novices and Ansible experts while enabling new automators to drastically reduce the challenge of learning and mastering Ansible. The first capability we are using AI for is content generation. The AI models we use underneath Project Wisdom are able to generate Ansible Playbooks or roles that are both syntactically correct and functional. You can also head to redhat.com/wisdom for more information on how to get involved. 

Ansible Automation Platform 2

Ansible Automation Platform 2 is built to enable a trusted automation supply chain. In the upcoming Ansible Automation Platform 2.3 release, digital signing will be supported for containers, playbooks and collections. We're also excited to introduce Ansible validated content, which complements the existing ecosystem of Red Hat Ansible Certified Content Collections. Ansible validated content helps your teams start automating faster by following a trusted, expert-led, opinionated path for performing operations and tasks on both Red Hat and third-party platforms. Initially, Ansible validated content will be pre-loaded into private automation hub.

Community

We are so fortunate that we are a part of one of the largest, most vibrant open source project communities in the world. So while the landscape may be shifting around us, Ansible continues to push forward and evolve with the times. Ansible is celebrating its 10th anniversary this year! Within our expansive community, the new Working Groups focus on expanding the Ansible ecosystem with the development of Ansible Content Collections. First spun up by our team last year, Matrix has made a huge difference in our ability to connect and engage with the Ansible community. So far we've spun up 32 unique chat rooms, with 4200+ members and nearly 80k messages sent in the past 6 months. Matrix's ability to bridge with IRC gave us a strong foundation upon which to build. Join the Working Groups and become a part of the conversation: https://matrix.to/#/#social:ansible.com