OPA policy configuration in Ansible Tower

Hi Team,

We are trying to implement OPA policy for Ansible Tower, we could see any settings available in Ansible Tower for OPA integration. We are not looking at conftest as it requires updating the policy in every playbook. We want to control all playbooks from Ansible Tower via OPA.

Any suggestion is greatly helpful to our requirement.
Thanks a lot in advance.

Regards,
Srinu

That’s an interesting question. I don’t believe there is any direct integration with OPA or any policy-as-code frameworks.

Two ways I can think of you could integrate it into your process flow though.

  1. Using a CI/CD pipeline as part of your project repository. For example, using GitHub Actions or GitLab CI, you can set up a job to run OPA on merge requests to your active branch.

  2. Write a callback plugin to run OPA. This could run OPA at the start of your playbook execution, failing the job if the OPA policy fails. This may be a great fit if you want to evaluate it at runtime to consider outside information. It may not be a great fit if you only need it to run for changes to your playbook/roles since it would add to your execution time. There may be other plugins I haven’t come across yet as well, something you could integrate at project sync time.

In any case, I’m curious to see what others’ thoughts are on this as well. Certainly an interesting use case, and something I would also find valuable.
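
The check that both suggestions above depend on, whether it is called from a CI job or from a plugin, sketched as an added example that is not part of the original posts or of any Ansible or OPA project code. It assumes an OPA server listening on 127.0.0.1:8181 with a hypothetical policy package `ansible` exposing a boolean rule `allow`; the task layout in the sample is a constructed simplification of a parsed playbook.

```python
import json
import sys
import urllib.request

# Assumption: local OPA server, hypothetical package "ansible", rule "allow".
OPA_URL = "http://127.0.0.1:8181/v1/data/ansible/allow"


def build_input(plays, extra_vars=None):
    """Reduce playbook data to the facts a policy would evaluate."""
    summary = []
    for play in plays:
        tasks = play.get("tasks", [])
        summary.append({
            "hosts": play.get("hosts"),
            "become": bool(play.get("become", False)),
            "modules": sorted({t["module"] for t in tasks}),
        })
    return {"plays": summary, "extra_vars": extra_vars or {}}


def opa_allows(input_doc, url=OPA_URL, urlopen=urllib.request.urlopen, timeout=5):
    """POST the input to OPA's Data API; True only on an explicit allow."""
    body = json.dumps({"input": input_doc}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            decision = json.load(resp)
    except (OSError, ValueError):
        return False  # OPA unreachable or unparsable reply: fail closed
    # OPA omits "result" when the rule is undefined; treat that as a deny.
    return isinstance(decision, dict) and decision.get("result") is True


# Constructed sample: one play, tasks given as name/module pairs.
SAMPLE_PLAYS = [{
    "hosts": "webservers",
    "become": True,
    "tasks": [{"name": "install nginx", "module": "ansible.builtin.package"},
              {"name": "run script", "module": "ansible.builtin.shell"}],
}]

if __name__ == "__main__":
    allowed = opa_allows(build_input(SAMPLE_PLAYS))
    print("policy decision:", "allow" if allowed else "deny")
    sys.exit(0 if allowed else 1)  # non-zero exit fails the calling job
```

Because an unreachable server and an undefined rule both count as a deny, a typo in the policy path blocks jobs instead of silently allowing them.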

Some background for those like me who didn’t know, “OPA” is Open Policy Agent.

Also, I found this blog post from July '22 informative:
Using Red Hat Ansible Automation Platform to Enable a Policy as Code Solution