How can I import users and teams to grafana? - grafana

I am provisioning grafana and running it without a database. I am using Terraform and Helm to do this. I already know that I can store my dashboard files, put them in the values.yaml file for the grafana helm chart, and provision them that way.
It's good that the dashboards persist between releases, but users and teams do not. I cannot find where I can upload or store some sort of JSON file containing this information.
For more information, I am using Google Oauth.
How can I provision users and teams' information? This does not have to be helm specific. If it's some sort of volume-mount thing, that would work too.

We just use the Grafana API via Ansible (using uri module), maybe it helps you or pushes you in the right direction.
- name: create users
  uri:
    url: "https://{{ grafana_url }}/api/admin/users"
    user: admin
    password: "{{ admin_password }}"
    force_basic_auth: yes
    method: POST
    headers:
      Accept: application/json
      Content-Type: application/json
    body:
      name: "{{ item.name }}"
      # entries in admin_list carry "name" and "login" (an e-mail address)
      email: "{{ item.login }}"
      login: "{{ item.login }}"
      password: "{{ pass }}"
    body_format: json
  with_items: "{{ admin_list }}"
Then the list is a simple yaml.
admin_list:
  - name: "Mrs. X"
    login: "x@gmail.com"
  - name: "Ms. Y"
    login: "y@gmail.com"
And on a second note, you can define users in Terraform (never used it myself).
resource "grafana_organization" "org" {
  name         = "Grafana Organization"
  admin_user   = "admin"
  create_users = true
  admins = [
    "admin@example.com"
  ]
  editors = [
    "editor-01@example.com",
    "editor-02@example.com"
  ]
  viewers = [
    "viewer-01@example.com",
    "viewer-02@example.com"
  ]
}

Related

Ansible create kubernetes secret from file

Is it possible to create a k8s secret from a file in Ansible?
Currently, I am doing it like this, but it only works on the first run, because if I run the playbook again it says the secret already exists.
- name: generate keypair
  openssh_keypair:
    path: /srv/{{item.namespace}}/id_{{item.name}}_rsa
  when: item.additional_keys == true
  loop: "{{ containers_release }}"
- name: create private key secret for auth api
  shell: kubectl -n {{ item.namespace }} create secret generic id-{{ item.name }}-rsa-priv --from-file=/srv/{{ item.namespace }}/id_authapi_rsa
  when: item.additional_keys == true
  loop: "{{ containers_release }}"
- name: create public key secret for {{ item.name }}
  shell: kubectl -n {{ item.namespace }} create secret generic id-{{ item.name }}-rsa-pub --from-file=/srv/{{ item.namespace }}/id_{{ item.name }}_rsa.pub
  when: item.additional_keys == true
  loop: "{{ containers_release }}"
As I have mentioned in the comment section, Ansible is idempotent. If the configuration is already in place, Ansible makes no change after redeploying. That is why, after running the playbook again, you are getting the info that the secret already exists.
Take a look: create-secret-with-ansible.
You can try to use SecretHub.
See: ansible-playbook-secret.
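
An idempotent alternative to the kubectl create calls in the question, as an added example that is not part of the original thread: the kubernetes.core.k8s module applies a Secret definition with state: present, so a second run leaves or updates the object instead of failing. It assumes the play runs on the machine that holds the /srv key files (the file lookup reads on the controller) and that the kubernetes.core and community.crypto collections are installed; the data key names id_rsa and id_rsa.pub are illustrative.

```yaml
# Added example, not the poster's code. containers_release has the shape
# used in the question (name, namespace, additional_keys).
- name: generate keypair
  community.crypto.openssh_keypair:
    path: "/srv/{{ item.namespace }}/id_{{ item.name }}_rsa"
    mode: "0600"              # private key readable by its owner only
  when: item.additional_keys | bool
  loop: "{{ containers_release }}"

- name: create or update the private key secret
  kubernetes.core.k8s:
    state: present            # create if missing, patch if different
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: "id-{{ item.name }}-rsa-priv"
        namespace: "{{ item.namespace }}"
      data:
        # rstrip=false keeps the trailing newline of the key file intact
        id_rsa: "{{ lookup('file', '/srv/' ~ item.namespace ~ '/id_' ~ item.name ~ '_rsa', rstrip=false) | b64encode }}"
  when: item.additional_keys | bool
  loop: "{{ containers_release }}"
  no_log: true                # keeps the key material out of task output and logs

- name: create or update the public key secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: "id-{{ item.name }}-rsa-pub"
        namespace: "{{ item.namespace }}"
      data:
        id_rsa.pub: "{{ lookup('file', '/srv/' ~ item.namespace ~ '/id_' ~ item.name ~ '_rsa.pub') | b64encode }}"
  when: item.additional_keys | bool
  loop: "{{ containers_release }}"
```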

How to create Google Kubernetes (GKE) cluster in Ansible with custom image?

I've used this pattern in the past to create a GKE and it's worked great, but now I need to define a custom image type to use.
Here's the Ansible playbook I'm working with.
- name: GCE
  hosts: localhost
  gather_facts: no
  vars_files:
    - vars/default.yml
  tasks:
    - name: create cluster
      gcp_container_cluster:
        name: "{{ cluster_name }}"
        initial_node_count: "{{ node_count}}"
        initial_cluster_version: "{{ cluster_kubernetes_version }}"
        master_auth:
          username: admin
          password: "{{ cloud_admin }}"
        node_config:
          machine_type: e2-medium
          disk_size_gb: "{{ disk_size_gb }}"
        location: "{{ cluster_zone}}"
        project: "{{ project }}"
        auth_kind: "{{ auth_kind }}"
        service_account_file: "{{ service_account_file }}"
        state: present
        scopes: "{{ scopes }}"
      register: cluster
    - name: create a node pool
      google.cloud.gcp_container_node_pool:
        name: default-pool
        autoscaling:
          enabled: yes
          min_node_count: "{{ node_count}}"
          max_node_count: "{{ max_node_count }}"
        initial_node_count: "{{ node_count }}"
        cluster: "{{ cluster }}"
        location: "{{ cluster_zone}}"
        config:
          machine_type: e2-medium
          disk_size_gb: "{{ disk_size_gb }}"
        project: "{{ gce_project}}"
        auth_kind: serviceaccount
        service_account_file: "{{ service_account_file }}"
        state: present
I'm trying to use an E2 based image with 16 cores and 70GB of RAM. The specs don't matter as much as the fact that I can't specify a 'machine type' that's already preconfigured.
Is it possible to still use Ansible to create the cluster? Do I need to create a custom image type to reference?
Just to clarify, there are no errors being thrown. Defining the machine_type as e2-medium doesn't allow me to allocate the resources I need and define an instance with the resources required. I'm asking how to say "use e2-medium as a base and increase the RAM allocation to 70GB", or whether that is feasible.
IIUC, you should be able to reference your machine type as e2-custom-16-71680
i.e.:
- name: your-cluster
  google.cloud.gcp_container_cluster:
    ...
    node_config:
      machine_type: e2-custom-16-71680
      disk_size_gb: "{{ disk_size_gb }}"
    ...
The (hidden) documentation for specifying custom machine types:
https://cloud.google.com/compute/docs/instances/creating-instance-with-custom-machine-type#gcloud

Why doesn't AWX see the pip module?

I use AWX 8.0.0.0. I have a job in my SCM; that job connects to GCP and creates an instance. When I run this job from the console, like ansible-playbook job.yml, it finishes fine. But when I run it from the web UI I get an error:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Please install the google-auth library"}
So it obviously means that I don't have this library. But I installed it with
pip install google-auth and it works fine when I run it from the console. This is my playbook:
- name: Create jenkins vm
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    service_account_email: ansible@secret-app.iam.gserviceaccount.com
    credentials_file: /etc/conf/awx/awx.json
    project_id: geocitizen-app
    machine_type: f1-micro
    machine_name: jenkins-node-1
    image: https://www.googleapis.com/compute/v1/projects/centos-cloud/global/images/centos-7-v20191014
    zone: europe-north1-a
  tasks:
    - name: Launch instances
      gcp_compute_instance:
        auth_kind: serviceaccount
        name: "{{ machine_name }}"
        machine_type: "{{ machine_type }}"
        #service_account_email: "{{ service_account_email }}"
        service_account_file: "{{ credentials_file }}"
        project: "{{ project_id }}"
        zone: "{{ zone }}"
        network_interfaces:
          - network:
            access_configs:
              - name: External NAT
                type: ONE_TO_ONE_NAT
        disks:
          - auto_delete: 'true'
            boot: 'true'
            initialize_params:
              source_image: "{{ image }}"
What am I doing wrong?
So the problem was that I was looking on my host machine. I installed AWX via docker, so I need to look in my docker container.

How to identify the hosts in my playbook from a variable file?

In my hosts file, I have like 10 different groups that each have devices in them. Each customer deployment should go to a specific region, and I want to specify that in a customer config file.
In my playbook, I tried to use a variable in front of hosts, and my plan was to specify the hosts group in the config file.
master_playbook.yml
hosts: "{{ target_region }}"
vars:
  custom_config_file: "./app_deployment/customer_config_files/xx_app_prod.yml"
xx_app_prod.yml
customer: test1
env: prod
app_port: 25073
target_region: dev
Error message I get:
ERROR! The field 'hosts' has an invalid value, which includes an undefined variable. The error was: 'target_region' is undefined
To determine which groups a host (one that is not the running host) is in, you have to use a little helper:
Create a script:
#!/usr/bin/env ansible-playbook
#call like: ./showgroups -i develop -l jessie.fritz.box
- hosts: all
  gather_facts: no
  tasks:
    - name: show the groups the host(s) are in
      debug:
        msg: "{{group_names}}"
After that you can run a playbook like:
- name: "get group memberships of host"
  shell: "{{ role_path }}/files/scripts/show_groups -i {{ fullinventorypath }} -l {{ hostname }}"
  # "groups" is a reserved Ansible variable, so register under another name
  register: host_groups
- name: "create empty list of group memberships"
  set_fact:
    memberships: []
- name: "fill list"
  set_fact:
    # wrap item in a list so it is appended as one element
    memberships: "{{ memberships + [item] }}"
  with_items: "{{ host_groups.stdout_lines }}"

Creating credential using Ansible Tower REST API

In my Ansible Tower, I have a custom credential by the name of Token wherein we store a token so that using this credential we do not have to log in and can use this credential in various jobs.
Below are the fields required -
Name:
Credential Type: (where we select this custom credential type)
API Token Value: (where the token is entered and is also denoted as an extra variable my_token)
Below is the yml file I am using to do the needful -
---
Required info
tasks:
  - name: Create credential
    uri:
      url: "https://ans........../api/v1/credentials/"
      method: "POST"
      kind: SecureCloud
      name: Token
      body:
        extra_vars:
          my_token: "{ key }"
      body_format: json
I am confused as to how to enter the field values Name and Credential Types in the above playbook. Do I also require any other field(s) while doing so? Also is the url in the uri module correct?
There are two ways of creating a custom credential (I prefer the second one):
First Option: Your Approach - URI Module
- name: Create Custom Credential
  uri:
    url: "https://endpoint/api/v2/credentials/"
    method: POST
    user: admin
    password: password
    headers:
      Content-Type: "application/json"
    body: '{"name":"myfirsttoken","description":"","organization":34,"credential_type":34,"inputs":{"token":"MyToken"}}'
    force_basic_auth: true
    validate_certs: false
    status_code: 200, 201
  no_log: false
But, be careful because this is not idempotent and you should do a GET Credentials First with the method: GET, register your results and find your credential in your register.json.results variable.
Second Option: My Preferred Approach - tower-cli
You can do exactly the same, easier and idempotent with:
- name: Add Custom Credential
  command: tower-cli credential create --name="{{ item }}" --credential-type "{{ credential_type }}" --inputs "{'token':'123456'}" -h endpoint -u admin -p password --organization Default
  no_log: true
  with_items:
    - MyCustomToken
You will get something like:
== ============= ===============
id name          credential_type
== ============= ===============
46 MyCustomToken 34
== ============= ===============
The cool stuff is that you can fully automate your tokens and even autogenerate them with:
token: "{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits') }}"
And then:
---
- name: Create Custom Credential Token
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    token: "{{ lookup('password', '/dev/null length=20 chars=ascii_letters,digits') }}"
    credential_type: MyCustom
  tasks:
    - name: Create Credential Type
      tower_credential_type:
        name: "{{ credential_type }}"
        description: Custom Credentials type
        kind: cloud
        inputs: {"fields":[{"secret":true,"type":"string","id":"token","label":"token"}],"required":["token"]}
        state: present
        tower_verify_ssl: false
        tower_host: endpoint
        tower_username: admin
        tower_password: password
    - name: Add Custom Credential
      command: tower-cli credential create --name="{{ item }}" --credential-type "{{ credential_type }}" --inputs "{'token':'{{ token }}'}" -h endpoint -u admin -p password --organization Default
      no_log: true
      with_items:
        - MyCustomToken
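
The GET-before-POST check that the first option describes, written out as an added example that is not from the original answer: the lookup filters /api/v2/credentials/ by name and the POST runs only when nothing matched, with certificate validation on and the token kept out of the task output. The variable names (tower_host, tower_user, tower_pass, cred_name, cred_type_id, org_id, token) are assumptions; tower_pass and token are expected to come from Ansible Vault, and org_id and cred_type_id are the integer ids of the organization and credential type.

```yaml
# Added example, not the answerer's code. All variable names are assumed.
- name: Look up the credential by name
  ansible.builtin.uri:
    url: "https://{{ tower_host }}/api/v2/credentials/?name={{ cred_name | urlencode }}"
    method: GET
    user: "{{ tower_user }}"
    password: "{{ tower_pass }}"
    force_basic_auth: true
    validate_certs: true        # fail on an untrusted certificate
    status_code: [200]
  register: cred_lookup

- name: Create the credential only when the lookup found none
  ansible.builtin.uri:
    url: "https://{{ tower_host }}/api/v2/credentials/"
    method: POST
    user: "{{ tower_user }}"
    password: "{{ tower_pass }}"
    force_basic_auth: true
    validate_certs: true
    body_format: json
    body:
      name: "{{ cred_name }}"
      description: ""
      organization: "{{ org_id }}"
      credential_type: "{{ cred_type_id }}"
      inputs:
        token: "{{ token }}"
    status_code: [201]
  # the list response reports how many credentials matched the name filter
  when: cred_lookup.json['count'] == 0
  no_log: true                  # the request body contains the token
```

A token produced by lookup('password', '/dev/null ...') is regenerated on every run, so with this check in place the stored credential keeps the value from the run that created it.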