Programmable Survey feature in AWX

This is one of the most thumbed-up and frequently requested features in the AWX project, and recently when I attended Ansible Fest 2024, 6 people came up to me and asked me about this feature.

At this point I do not know what is involved in implementing this feature, but let's design it together!

5 Likes

this is something someone at Fest brought up to me for what they use as a workaround to AWX not having fancy forms

I have not used it yet, maybe there’s something we can learn about from this project

Open Source++

1 Like

We allow the user to fill in a URL in the Multiple-Choice answer types as a single option. The file will be fetched before building the UI for the survey and will populate the multiple choices. If there is a problem with the file the field should be the provided default or blank if there is none.
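One way the proposal above could behave, as an added example rather than AWX code: the name `resolve_choices`, the host allow-list, the size and count limits, and the one-option-per-line file format are all assumptions. Because the fetch would run on the server, it is limited to HTTPS on allow-listed hosts, and any failure falls back to the default or a blank field.

```python
import urllib.request
from urllib.parse import urlsplit

MAX_BYTES = 64 * 1024   # assumed cap on the size of the choices file
MAX_CHOICES = 500       # assumed cap on the number of options
TIMEOUT_S = 5           # assumed fetch timeout in seconds


def http_fetch(url):
    """Default fetcher: timeout plus a bounded read."""
    with urllib.request.urlopen(url, timeout=TIMEOUT_S) as resp:
        return resp.read(MAX_BYTES + 1)


def resolve_choices(url, default=None, allowed_hosts=(), fetch=http_fetch):
    """Return (choices, selected) for a multiple-choice survey question.

    Hypothetical helper. On any problem with the URL or the file, the
    field falls back to the provided default, or blank if there is none.
    """
    fallback = ([default], default) if default else ([], "")
    try:
        parts = urlsplit(url)
        # The fetch runs server-side, so limit where it is allowed to go.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return fallback
        raw = fetch(url)
        if len(raw) > MAX_BYTES:
            return fallback
        lines = raw.decode("utf-8").splitlines()
    except Exception:
        # Network, HTTP, or decoding trouble all count as a bad file.
        return fallback
    choices = [ln.strip() for ln in lines if ln.strip()]
    if not choices or len(choices) > MAX_CHOICES:
        return fallback
    # Keep the default only if it is still one of the fetched options.
    return choices, (default if default in choices else "")


if __name__ == "__main__":
    # Constructed input: a stub fetcher stands in for the remote file.
    stub = lambda url: b"dev\nstaging\nprod\n"
    print(resolve_choices("https://cmdb.example.test/envs.txt", "prod",
                          ("cmdb.example.test",), stub))
```

`urllib` follows redirects by default, so a production version would also need to check the final host against the allow-list.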

Just one workaround solution:

Ansible forms: https://ansibleforms.com/
:smile:

3 Likes

have you all used it @tanganellilore?

we are looking at it now in the meeting.

1 Like

One issue I could see with ansibleforms is that currently, I know many people use surveys to pass passwords into the automation, and they would show in plain text if sent from the API as extra vars, versus how the survey password option currently at least somewhat obfuscates the passwords, if not securely managing them similar to credentials.

During today's (May 14) community meeting, @AlanCoding mentioned we want to add something around encrypted extra_vars, to signal that it should be encrypted in the database and not shown on the API. "[tech debt] Remove the `survey_passwords` field by AlanCoding · Pull Request #13091 · ansible/awx · GitHub" is the PR that he referenced.

1 Like

I am struggling with ansible forms, specifically with passwords, since they are clear text in the API and a survey does “$encrypted$”.

But other than that, ansible forms is awesome! The feature to query a REST API (netbox in my case) changes AWX into a datacenter wizard tool.

@tanganellilore would you be able to demo ansibleform at our next community meeting?

This is something we talked about at our last community meeting; see my comment: Programmable Survey feature in AWX - #7 by TheRealHaoLiu

As for “query generic rest api to get options”, is this something ansibleform is able to do?

Difficult for me because we are in a new product launch at our company and we are very busy.

I will chat to you if I can do it.

1 Like

Yes,
this is an example where I query netbox (IBM property now :wink: ) to select a tenant in a drop-down.
You can later use this in another REST API call.

```yaml
- name: Tenant
  type: enum
  expression:
    fn.fnRestJwtSecure('get','https://xxxx/api/tenancy/tenants/','','credential_name ','[.results[]]','','','Token'
    )
  columns:
    - name
  noOutput: false
  outputObject: true
  group: Vm Settings
```

some fields later

```yaml
expression: fn.fnRestJwtSecure('get',
        'https://xxxx/api/ipam/prefixes?tenant_id=$(Tenant.id)
```
1 Like

Maybe I am missing something, but looking at the PR I think I stumbled on a feature I did not know the existence of.

Am I correct that extra_data is not shown in the logging and can be used for passwords?

Currently it doesn’t know, and it will be logged and recorded in the DB in plain text.

Has anyone gotten AnsibleForms to work with AAP’s automation controller?

What is not working? (I only have AWX.) But it is just a form wizard creator that sends an API launch request to AWX/AAP. So I don’t see why it should not work?

1 Like

I have collected from #20 and linked issues what people want to do with surveys but cannot currently do:

1 Like

Hi, I’m the developer of AnsibleForms.
What is your struggle with passwords?

If you are using AWX, you can inject credentials from there.
AnsibleForms can also inject credentials, but that feature was meant if you run ansible locally. Don’t have AnsibleForms inject credentials which will indeed be then sent as extravars to AWX. AnsibleForms allows you to dynamically add credentials in AWX, if that would be needed.

> If you are using AWX, you can inject credentials from there.

Yes but I don’t want the hassle of doing that.

> AnsibleForms can also inject credentials, but that feature was meant if you run ansible locally.
> Don’t have AnsibleForms inject credentials which will indeed be then sent as extravars to AWX.

Yes because it will be logged in the api and such.

> AnsibleForms allows you to dynamically add credentials in AWX, if that would be needed.

Yeah but what if it is a credential that is personal to you? I don’t want the awx admin to be able to use my password, token … even if it is unknown and encrypted. It can be used in other playbooks by the admin.

The issue is that awx does not have a “sensitive extra vars”.

Use cases:
I need to do some stuff with a named account, import a certificate or just some ad-hoc stuff where I don’t want the hassle of creating a credential first.

In terraform/tofu you can mark a variable sensitive and in all logging that variable is changed to " "

The funny part is that in the “AWX survey” you CAN mark an input field as “password”:

  • Password: Responses are treated as sensitive information, much like an actual password is treated. You can set the minimum and maximum length (in characters) for this answer.

https://docs.ansible.com/ansible-tower/latest/html/userguide/job_templates.html

I solved part of my problem by having ansible forms ask for a password ID and then using that in my playbook to securely retrieve the password via an API call. But that is technically the same as just defining it in an AWX credential.

And last but not least:

I <3 ansible forms!
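The masking gap this thread keeps returning to, as an added example that is neither AWX nor AnsibleForms code: a simplified model in which only password-type survey variables are replaced with `$encrypted$`, plus a check for secret-looking extra vars that would stay in plain text. The function names, the `sensitive` parameter, the name-matching regex, and the sample data are assumptions.

```python
import re

MASK = "$encrypted$"  # the marker the thread says a survey password shows
# Assumed heuristic for variable names that probably hold a secret.
SECRET_NAME = re.compile(r"pass(word|wd)?|token|secret|api_?key", re.I)


def password_vars(survey_spec):
    """Variable names of the survey's password-type questions."""
    return {q["variable"] for q in survey_spec.get("spec", [])
            if q.get("type") == "password"}


def mask_for_display(extra_vars, survey_spec, sensitive=()):
    """Copy of extra_vars fit for the API and logs.

    `sensitive` is a hypothetical per-launch list of variable names,
    the "sensitive extra vars" marking asked for in the thread.
    """
    hidden = password_vars(survey_spec) | set(sensitive)
    return {k: MASK if k in hidden else v for k, v in extra_vars.items()}


def unmasked_secrets(extra_vars, survey_spec, sensitive=()):
    """Names that look like secrets but would be shown in plain text."""
    shown = mask_for_display(extra_vars, survey_spec, sensitive)
    return sorted(k for k, v in shown.items()
                  if v != MASK and SECRET_NAME.search(k))


# Constructed sample: one survey password, one token sent by an external form.
SURVEY_SPEC = {"spec": [
    {"variable": "target_host", "type": "text"},
    {"variable": "svc_password", "type": "password"},
]}
LAUNCH_VARS = {"target_host": "db01", "svc_password": "hunter2",
               "netbox_token": "constructed-token"}

if __name__ == "__main__":
    print(mask_for_display(LAUNCH_VARS, SURVEY_SPEC))
    print(unmasked_secrets(LAUNCH_VARS, SURVEY_SPEC))
```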