"controller_roles" role in "infra.aap_configuration" adds but does not remove roles

I have been playing with the “controller_roles” role in the “infra.aap_configuration” collection (GitHub - redhat-cop/infra.aap_configuration: A collection of roles to manage Ansible Automation Platform 2.5+ with code & Ansible Galaxy) to associate roles with teams. It does a nice job of adding them. I’m wondering how to remove a role when it’s removed from the data structure. Any ideas?

Hi @iamroddo

Try using state: absent. Based on the awx.awx/ansible.controller module doc (which I believe underpins the infra.aap_controller collection/roles), that will remove the role if present. It mentioned users but I’d be curious if that also works on teams.


controller - Red Hat Ecosystem Catalog

Best regards,

Joe

Thanks @iwt-cmd for the response. I was hoping that there’d be a mechanism like that in awx.awx and ansible.controller with the export module to determine the difference between the data structure or desired state and the actual state of the controller for roles.

I think I’m following, more of a declarative approach rather than imperative? If that’s the case, the object_diff role may be worth looking into (Ansible Galaxy - infra.controller_configuration). I haven’t used it but it appears to apply a git-based config to the AAP controller and deletes objects not in the config. I don’t have an AAP-based sandbox with the new API to test it though (insert “Real men test in production” meme here).

There is also a controller_export_diff module that seems to be more of a reporting option but could probably also be exported and used for create/delete tasks. Ansible Galaxy - infra.controller_configuration

We’re moving into more of the Config as Code realm and the new AAP 2.5 paradigm so curious to see what you find.

Best regards,

Joe

Thanks for the response @iwt-cmd and sorry for the delayed response.

I’m working to get my head around the various sets of collections that had similar function. I certainly want to be in config as code, I have been using infra.controller_configuration.controller_export_diff to make a diff for projects, job_template etc, but there was no role support.

I see that Ansible Galaxy - infra.controller_configuration doesn’t support AAP above 2.4 and the collection that is referred to for AAP 2.5+, redhat-cop/infra.aap_configuration, doesn’t have the same structure of roles/modules. I’m wondering how to deal with data model conversion, assuming I get something with object_diff working.

Is this the sort of thing that could be discussed at the AAP Config as Code monthly meeting?

I have a test AAP instance which has an org called “Org 1” and a team called “Team 1” which has the role “project_admin”. I have defined this via the GUI and also a data model as below.

---
# host_vars/aap-test/roles.yml
role_list:
  - team: 'Team 1'
    organizations:
      - 'Org 1'
    role: project_admin

I have a task using the role infra.controller_configuration.object_diff which I expect to find no diff between the data model and the configuration as below.

- name: 'Get role diff'
  ansible.builtin.include_role:
    name: 'infra.controller_configuration.object_diff'
  vars:
    controller_configuration_object_diff_tasks:
      - name: roles
        var: role_list
        tags: roles

However the output of the var controller_roles includes that below.

- organizations:
  - Org 1
  role: project_admin
  state: absent
  team: Team 1

This suggests that the task is not picking up the contents of the variable role_list, perhaps because I haven’t got the structure right. Any suggestions on how I can fix this?
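
A minimal model of the desired-versus-actual comparison discussed in this thread, as an added example (not code from infra.controller_configuration, infra.aap_configuration, or any poster). The function names, the `(team, role, organization)` matching key, the `allow_empty_desired` guard and the `inventory_admin` entry are assumptions made for illustration; it shows that an empty or unread desired list marks every existing assignment `state: absent`, which is the output shape in the last post.

```python
"""Added example: declarative diff of team role assignments (not collection code)."""


def expand(entries):
    """Flatten role entries into a set of (team, role, organization) tuples."""
    flat = set()
    for entry in entries or []:
        for org in entry.get("organizations", []):
            flat.add((entry["team"], entry["role"], org))
    return flat


def role_diff(desired, actual, allow_empty_desired=False):
    """Return assignments found on the controller but missing from the
    desired data, each marked state: absent (hypothetical helper)."""
    if not desired and not allow_empty_desired:
        # An unset or misnamed variable is indistinguishable from
        # "remove every role", so refuse unless explicitly allowed.
        raise ValueError("desired role list is empty; refusing to mark all roles absent")
    extra = expand(actual) - expand(desired)
    return [
        {"team": team, "role": role, "organizations": [org], "state": "absent"}
        for (team, role, org) in sorted(extra)
    ]


# Constructed sample data modelled on the test instance described above.
DESIRED = [{"team": "Team 1", "organizations": ["Org 1"], "role": "project_admin"}]
ACTUAL = [
    {"team": "Team 1", "organizations": ["Org 1"], "role": "project_admin"},
    # Constructed extra assignment that exists only on the controller.
    {"team": "Team 1", "organizations": ["Org 1"], "role": "inventory_admin"},
]

if __name__ == "__main__":
    # Drift: only the assignment missing from the data model is flagged.
    print(role_diff(DESIRED, ACTUAL))
    # In sync: nothing to remove.
    print(role_diff(DESIRED, ACTUAL[:1]))
    # Desired list not picked up: the existing assignment is flagged absent.
    print(role_diff([], ACTUAL[:1], allow_empty_desired=True))
```
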