controller_settings.yml
In these files we configure the settings for automation controller.
we will probably do this on each environment separately, as the hostnames differ.
Variables
The variables that can occupy the controller settings are as follows:
system settings
{
"ACTIVITY_STREAM_ENABLED": true,
"ACTIVITY_STREAM_ENABLED_FOR_INVENTORY_SYNC": false,
"ORG_ADMINS_CAN_SEE_ALL_USERS": false,
"MANAGE_ORGANIZATION_AUTH": false,
"TOWER_URL_BASE": "https://rhaap25.homelab",
"PROXY_IP_ALLOWED_LIST": [],
"CSRF_TRUSTED_ORIGINS": [],
"REDHAT_USERNAME": "",
"REDHAT_PASSWORD": "",
"SUBSCRIPTIONS_CLIENT_ID": "",
"SUBSCRIPTIONS_CLIENT_SECRET": "",
"DEFAULT_EXECUTION_ENVIRONMENT": null,
"CUSTOM_VENV_PATHS": [],
"INSIGHTS_TRACKING_STATE": true,
"AUTOMATION_ANALYTICS_LAST_GATHER": null,
"AUTOMATION_ANALYTICS_LAST_ENTRIES": "",
"AUTOMATION_ANALYTICS_GATHER_INTERVAL": 14400,
"UI_NEXT": true,
"CLEANUP_HOST_METRICS_LAST_TS": "2025-07-10T16:36:36.071470Z",
"HOST_METRIC_SUMMARY_TASK_LAST_TS": "2025-07-30T16:06:37.096073Z"
}
These can be found in the rhaap 2.5 api:
https://{your_aap_server}/api/controller/v2/settings/system/
job settings
{
"AD_HOC_COMMANDS": [
"command",
"shell",
"yum",
"apt",
"apt_key",
"apt_repository",
"apt_rpm",
"service",
"group",
"user",
"mount",
"ping",
"selinux",
"setup",
"win_ping",
"win_service",
"win_updates",
"win_group",
"win_user"
],
"ALLOW_JINJA_IN_EXTRA_VARS": "template",
"AWX_ISOLATION_SHOW_PATHS": [
"/etc/pki/ca-trust:/etc/pki/ca-trust:O",
"/usr/share/pki:/usr/share/pki:O"
],
"AWX_TASK_ENV": {},
"AWX_RUNNER_KEEPALIVE_SECONDS": 0,
"GALAXY_TASK_ENV": {
"GIT_SSH_COMMAND": "ssh -o StrictHostKeyChecking=no",
"ANSIBLE_FORCE_COLOR": "false"
},
"PROJECT_UPDATE_VVV": false,
"AWX_ROLES_ENABLED": true,
"AWX_COLLECTIONS_ENABLED": true,
"AWX_SHOW_PLAYBOOK_LINKS": false,
"AWX_MOUNT_ISOLATED_PATHS_ON_K8S": false,
"GALAXY_IGNORE_CERTS": true,
"STDOUT_MAX_BYTES_DISPLAY": 1048576,
"EVENT_STDOUT_MAX_BYTES_DISPLAY": 1024,
"MAX_WEBSOCKET_EVENT_RATE": 30,
"SCHEDULE_MAX_JOBS": 10,
"AWX_ANSIBLE_CALLBACK_PLUGINS": [],
"DEFAULT_JOB_TIMEOUT": 0,
"DEFAULT_JOB_IDLE_TIMEOUT": 0,
"DEFAULT_INVENTORY_UPDATE_TIMEOUT": 0,
"DEFAULT_PROJECT_UPDATE_TIMEOUT": 0,
"ANSIBLE_FACT_CACHE_TIMEOUT": 0,
"MAX_FORKS": 200
}
logging settings
{
"LOG_AGGREGATOR_HOST": null,
"LOG_AGGREGATOR_PORT": null,
"LOG_AGGREGATOR_TYPE": null,
"LOG_AGGREGATOR_USERNAME": "",
"LOG_AGGREGATOR_PASSWORD": "",
"LOG_AGGREGATOR_LOGGERS": [
"awx",
"activity_stream",
"job_events",
"system_tracking",
"broadcast_websocket",
"job_lifecycle"
],
"LOG_AGGREGATOR_INDIVIDUAL_FACTS": false,
"LOG_AGGREGATOR_ENABLED": false,
"LOG_AGGREGATOR_TOWER_UUID": "",
"LOG_AGGREGATOR_PROTOCOL": "https",
"LOG_AGGREGATOR_TCP_TIMEOUT": 5,
"LOG_AGGREGATOR_VERIFY_CERT": true,
"LOG_AGGREGATOR_LEVEL": "INFO",
"LOG_AGGREGATOR_ACTION_QUEUE_SIZE": 131072,
"LOG_AGGREGATOR_ACTION_MAX_DISK_USAGE_GB": 1,
"LOG_AGGREGATOR_MAX_DISK_USAGE_PATH": "/var/lib/awx",
"LOG_AGGREGATOR_RSYSLOGD_DEBUG": false,
"API_400_ERROR_LOG_FORMAT": "status {status_code} received by user {user_name} attempting to access {url_path} from {remote_addr}"
}
troubleshooting settings
{
"AWX_CLEANUP_PATHS": true,
"AWX_REQUEST_PROFILE": false,
"RECEPTOR_RELEASE_WORK": true,
"RECEPTOR_KEEP_WORK_ON_ERROR": false
}
Al lost of these settings are set default and will stay that way, but if you ever need to change one, you can find them here.
group_vars/all/controller_settings.yml
Here we see a set for all, in which we set some defaults.
---
controller_settings_all:
- name: ACTIVITY_STREAM_ENABLED
value: true
- name: ACTIVITY_STREAM_ENABLED_FOR_INVENTORY_SYNC
value: false
- name: AUTOMATION_ANALYTICS_GATHER_INTERVAL
value: 14400
- name: AUTOMATION_ANALYTICS_LAST_ENTRIES
value: ''
- name: DEFAULT_EXECUTION_ENVIRONMENT
value: null
- name: INSIGHTS_TRACKING_STATE
value: true
- name: GALAXY_IGNORE_CERTS
value: true
- name: ORG_ADMIN_CAN_SEE_ALL_USERS
value: false
- name: MANAGE_ORGANIZATION_AUTH
value: false
...
But you can already see that the variable name used here has the "_all" extension, so the variable will not be overridden as this is not quite a inventory.
Why we do this, will become clear in a moment.
group_vars/dev/controller_settings.yml
As we do not configure extra settings in development, this file is an empty set.
(We use the containerized setup version, so we want to set just one item here).
---
controller_settings_dev:
- name: TOWER_URL_BASE
value: 'https://{your_aap_dev_server}'
...
Here the variable has the "_dev" extension, so the variable will not be overridden.
group_vars/prod/controller_settings.yml
As we do just one setting in prod that is for unique to this environment:
---
controller_settings_prod:
- name: TOWER_URL_BASE
value: 'https://{your_aap_production_server}'
...
Here the variable has the "_prod" extension, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables:
- controller_settings_all
- controller_settings_
We will merge these 2 variables into 1: controller_settings and feed this to the infra.aap_configuration.controller_settings role.
In main.yml the merge of the variables is done by this piece of code:
- name: Set the controller vars
ansible.builtin.set_fact:
controller_settings: >
{{ controller_settings_all |
community.general.lists_mergeby(vars['controller_settings_' + branch_name],
'name', recursive=true, list_merge='append') }}
This results in the controller_settings variable the collection needs.