controller_instance_groups.yml

In these files we configure the instance_groups for automation controller.
Instance groups can add additional security when used correctly. When a team needs access to a sertain number of systems and nothing else, you can use instance groups. First create a executor node/pod and make sure this node can only reach the nodes this team needs access to. Then create a instance_group containing this pod/node. Then Assign this instance group to the teams in the organization and the team is confined to this instance group. In this example config, the mgt team in development has a separate instance_group assigned.
We will probably do this on each environment separately, as the hostnames differ.

variables

The api understands the folowing structure to define instance groups in rhaap: 

{
    "name": "",
    "max_concurrent_jobs": 0,
    "max_forks": 0,
    "is_container_group": false,
    "credential": null,
    "policy_instance_percentage": 0,
    "policy_instance_minimum": 0,
    "policy_instance_list": [],
    "pod_spec_override": ""
}

Below there is a very simple example for the usage of this.

group_vars/all/controller_instance_groups.yml

Here we see an empty set for all. 

---
controller_instance_groups_all: []
...

But you can already see that the variable name used here has the "_all" extension, so the variable will not be overridden as this is not quite a inventory.
Why we do this, will become clear in a moment.

group_vars/dev/controller_instance_groups.yml

As we configure one extra instance_groups in development, this file is not an empty set.
Just as an example, we create an instance group that uses the default. 

---
controller_instance_groups_dev:
  - name: ig_mgt
    instances:
      - rhaap25.homelab
    state: present
...

Here the variable has the "_dev" extension, so the variable will not be overridden.

group_vars/prod/controller_instance_groups.yml

As we do not configure extra instance_groups in prod, this file is an empty set. 

---
controller_instance_groups_prod: []
  # No extra config exists
...

Here the variable has the "_prod" extension, so the variable will not be overridden.

When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables: - controller_instance_groups_all
- controller_instance_groups_

We will merge these 2 variables into 1: controller_instance_groups and feed this to the infra.aap_configuration.controller_instance_groups role.

Back