Ansible playbooks to deploy StackStorm: BWC, ChatOps and more

May 15, 2017 by Eugen

Ansible Playbooks v0.7.0 to deploy StackStorm: bwc, st2chatops and more

As you may know, we previously announced production-friendly Ansible playbooks to install & configure StackStorm for cases when our demo bash installer wasn’t sufficient.

With the new release github.com/StackStorm/ansible-st2 v0.7.0 you can do even more!

This version includes new bwc and st2chatops roles, features like passing settings to st2.conf, enhancements to use a custom SSL certificate for st2web, more documented use cases, some breaking changes and, of course, bug fixes.

ChatOps

StackStorm ChatOps is rocking, but it wasn’t available as a playbook. Now you can configure ChatOps via Ansible with the new st2chatops role. Thanks to stormer Anirudh Rekhi, you can do this:

  - name: Install st2chatops with "slack" hubot adapter
    role: st2chatops
    vars:
      st2chatops_version: latest
      st2chatops_hubot_adapter: slack
      st2chatops_config:
        HUBOT_SLACK_TOKEN: xoxb-CHANGE-ME-PLEASE

^^ So slick!

StackStorm Enterprise (BWC)

Our own Lakshmi Kannan has a serious case of FOMO, and didn’t want to miss the fun others were having with Ansible. So he created a new bwc role.

Here is an example that customizes Brocade Workflow Composer (BWC) with an LDAP auth backend and an RBAC configuration to allow/restrict/limit different StackStorm functionality to specific users.

That’s the power of StackStorm Enterprise:

- name: Install StackStorm Enterprise
  hosts: all
  roles:
    - name: Install and configure StackStorm Enterprise (BWC)
      role: bwc
      vars:
        bwc_repo: enterprise
        bwc_license: CHANGE-ME-PLEASE
        bwc_version: latest
        # Configure LDAP backend
        # See: https://bwc-docs.brocade.com/authentication.html#ldap
        bwc_ldap:
          backend_kwargs:
            bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net"
            bind_password: "foobar123"
            base_ou: "dc=example,dc=net"
            group_dns:
              - "CN=stormers,OU=groups,DC=example,DC=net"
            host: identity.example.net
            port: 389
            id_attr: "samAccountName"
        # Configure RBAC
        # See: https://bwc-docs.brocade.com/rbac.html
        bwc_rbac:
          # Define BWC roles and permissions
          # https://bwc-docs.brocade.com/rbac.html#defining-roles-and-permission-grants
          roles:
            - name: core_local_only
              description: "This role has access only to action core.local in pack 'core'"
              enabled: true
              permission_grants:
                - resource_uid: "action:core:local"
                  permission_types:
                    - action_execute
                    - action_view
                - permission_types:
                    - runner_type_list
          # Assign roles to specific users
          # https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments
          assignments:
            - name: test_user
              roles:
                - core_local_only
            - name: stanley
              roles:
                - admin
            - name: chuck_norris
              roles:
                - system_admin

Massive thing for our enterprise customers. Community users, you can request a trial license here and try it now!

Configure st2.conf & mistral.conf settings

With the new st2_config var it’s possible to adjust any st2.conf configuration setting by passing a dict of values to the st2 role, like this:

  - name: Install st2, configure with external MongoDB and RabbitMQ
    role: st2
    vars:
      # https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample
      st2_config:
        auth:
          enable: True
        database:
          host: st2-remote-mongo-node
          port: 27017
          db_name: st2
          username: st2
          password: random-password123
        messaging:
          url: amqp://st2:<password>@<rabbitmq-host>:5672/

The Mistral role var st2mistral_config works in the same way.

Super helpful, long-awaited feature!

This will be especially beneficial for those wanting to configure StackStorm with external services like RabbitMQ and MongoDB. We’ll focus more on HA-friendly deployments in upcoming releases, see for example: ansible-st2/issues/17.
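The st2_config, bwc and st2chatops examples above carry passwords, tokens and a license key as literal values, which end up in version control if the playbook is committed as written. The following check is an added example, not part of ansible-st2: it scans playbook text for credentials stored inline and ignores values supplied through a Jinja expression or an inline `!vault` value. The sample playbook, the `vault_*` variable names and the host name are constructed for illustration.

```python
import re

# Key names that hold credentials in the playbooks on this page; treating any
# key containing these words as secret is an assumption of this example.
SECRET_KEY = re.compile(r"password|token|secret|license", re.I)
# scheme://user:password@host, as in the st2_config messaging url.
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@", re.I)
LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w.-]*)\s*:\s*(.*?)\s*$")

# Constructed sample; the vault_* variable names and hosts are hypothetical.
SAMPLE = """\
- role: st2
  vars:
    st2_config:
      database:
        username: st2
        password: random-password123
      messaging:
        url: amqp://st2:example-pw@rabbit.example.net:5672/
- role: bwc
  vars:
    bwc_license: "{{ vault_bwc_license }}"
    bwc_ldap:
      backend_kwargs:
        bind_password: "{{ vault_ldap_bind_password }}"
        port: 389
"""


def is_indirect(value):
    """True when the value is resolved at run time, not stored inline."""
    return value.strip("\"'").startswith("{{") or value.startswith("!vault")


def find_literal_secrets(playbook_text):
    """Return (line_number, key, reason) for each credential stored inline."""
    findings = []
    for lineno, raw in enumerate(playbook_text.splitlines(), start=1):
        m = LINE.match(raw.split(" #", 1)[0])  # ignore trailing comments
        if not m or not m.group(2) or is_indirect(m.group(2)):
            continue
        key, value = m.groups()
        if SECRET_KEY.search(key):
            findings.append((lineno, key, "literal secret"))
        elif URL_CREDS.search(value):
            findings.append((lineno, key, "credentials embedded in URL"))
    return findings
```

Calling `find_literal_secrets(SAMPLE)` reports the MongoDB password and the AMQP URL, while the two values that reference vault variables pass.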

Custom certificate for st2web

By default we generate a self-signed certificate for nginx in the st2web role. That’s good enough to try it out, but doesn’t work well in real-world production deployments.

If you have a custom, signed SSL certificate, you can pass it now:

  - name: Configure st2web with custom certificate
    role: st2web
    vars:
      st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}"
      st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"

One more step forward to production-friendly configurations.

Installing behind a proxy

If you are installing from behind a proxy, you can use the environment variables http_proxy, https_proxy, and no_proxy in the playbook. They will be passed through during the execution.

Thanks John Hogenmiller for sharing his discoveries and providing the documentation example:

---
- name: Install st2 behind a proxy
  hosts: all
  environment:
    http_proxy: http://proxy.example.net:8080
    https_proxy: https://proxy.example.net:8080
    no_proxy: 127.0.0.1,localhost
  roles:
    - st2

Community

I would like to additionally thank our power user Hiroyasu OHYAMA who contributed really nice feature requests and fixes for this release. Shout out to everyone in our growing Slack community for asking questions, helping others, committing Pull Requests.

If you are aware of using Ansible with StackStorm, here is the full ansible-st2 v0.7.0 CHANGELOG.