Skip to content

AWX Configuration as Code (CaC) Style and Safety

Standard patterns and safety rules for AWX operations using the ansible_role_awx_cac Configuration as Code model in Epic on Azure at Optum.

experimental
IDE:
claude
codex
vscode
Version:
1.0.0
Owner:epic-platform-sre
awx
ansible
cac
style
safety
epic
configuration

AWX Configuration as Code (CaC) Style Guide

Overview

These rules apply to AWX operations using the ansible_role_awx_cac Configuration as Code model in Epic on Azure (Optum).

Safety-First Principles

1. Read-Only by Default

  • ALWAYS use AWX's read-only API endpoints first to inspect state
  • MUST use pb_create_awx_job_launch.yml for test runs, not direct AWX UI
  • NEVER bypass approval workflows for production changes

2. SCM-Based Workflow (Production)

  • MUST use GitHub-based approval workflow for all production changes
  • MUST submit PRs to the CaC repo with data files
  • GitHub Actions automatically runs playbooks after approval
  • CLI-based workflow is for development/testing ONLY

3. Branch Isolation

  • MUST use feature branches for testing roles and playbooks
  • MUST override branches via scm_branch in job template or launch data
  • NEVER test unreviewed code in production AWX

CaC Model Patterns

Data File Structure

MUST use YAML/JSON data files with lists of objects:

# Example: job_templates.yml
awx_job_template_list:
  - name: 'Deploy Application'
    description: 'Deploys the application using role'
    organization: 'Epic Platform'
    project: 'ohemr-ansible-playbooks'
    inventory: 'azure-hosts'
    playbook: 'deploy_app.yml'
    credentials:
      - 'Azure Service Principal'
    execution_environment: 'ansible-ee-2.15'
    scm_branch: '' # Defaults to project default
    ask_scm_branch_on_launch: true # MUST enable for flexibility
    ask_variables_on_launch: true

Connection Parameters

NEVER hardcode credentials. Pass as extra-vars:

ansible-playbook pb_create_awx_job_template.yml \
  -e controller_host=awx.example.com \
  -e controller_oauthtoken=$AWX_TOKEN \
  -e @job_templates.yml

Required Fields

FieldRuleNotes
controller_hostMUST provideAWX controller URL
AuthenticationMUST providecontroller_oauthtoken OR controller_username + controller_password
stateNEVER include in dataSet by playbook
validate_certsNEVER set to false in prodDefaults true

Playbook Inventory

Common CaC playbooks in ansible_role_awx_cac:

PlaybookPurposeData Key
pb_create_awx_job_template.ymlCreate/update job templatesawx_job_template_list
pb_create_awx_job_launch.ymlLaunch jobs with paramsawx_job_launch_list
pb_create_awx_workflow_job_template.ymlCreate workflowsawx_workflow_job_template_list
pb_create_awx_project.ymlCreate/update projectsawx_project_list
pb_create_awx_inventory.ymlCreate/update inventoriesawx_inventory_list
pb_create_awx_credential.ymlCreate/update credentialsawx_credential_list
pb_delete_awx_*.ymlDelete resourcesSame as create

Dependency Order

MUST create AWX resources in this order:

  1. Organizations (if not exists)
  2. Credential Types (custom types)
  3. Credentials (requires org, credential type)
  4. Execution Environments (requires org)
  5. Projects (requires org, optional credential)
  6. Inventories (requires org)
  7. Job Templates (requires org, project, inventory, credentials, EE)
  8. Workflow Templates (requires org, job templates)

Testing Workflows

Override Branch Testing

MUST test playbook changes without modifying job template:

# test_override.yml
awx_job_launch_list:
  - name: 'existing-job-template'
    scm_branch: 'feature/my-test-branch'
    extra_vars:
      test_mode: true
    wait: true
ansible-playbook pb_create_awx_job_launch.yml \
  -e controller_host=awx-dev.example.com \
  -e controller_oauthtoken=$DEV_TOKEN \
  -e @test_override.yml

Role Feature Branch Testing

MUST follow this process:

  1. Create feature branch in role repo: feature/fix-deployment
  2. Create feature branch in playbooks repo: feature/test-deployment-fix
  3. Update requirements.yml to reference role branch
  4. Launch job with playbooks branch override
awx_job_launch_list:
  - name: 'deploy-app-job'
    scm_branch: 'feature/test-deployment-fix' # Playbooks repo branch
    extra_vars:
      ansible_galaxy_force: true # MUST force re-download
      test_mode: true

Safety Checklists

Before Creating Job Templates

  • VERIFY project SCM URL is correct
  • CONFIRM inventory exists and contains correct hosts
  • CHECK credentials have minimal required permissions
  • ENABLE ask_scm_branch_on_launch for flexibility
  • SET ask_limit_on_launch to allow host targeting
  • USE ask_variables_on_launch for environment-specific vars

Before Launching Jobs

  • VERIFY target inventory/hosts are correct
  • CHECK scm_branch if testing feature branch
  • USE check_mode: true for dry-run first
  • SET wait: true to monitor job completion
  • REVIEW extra_vars for sensitive data (use vault/credentials instead)

Before Production Deployment

  • VERIFY all changes tested in dev environment
  • CONFIRM PR approved by team members
  • CHECK job template has proper approval workflows
  • DOCUMENT rollback plan
  • CONFIGURE monitoring/alerting

Common Pitfalls

❌ NEVER DO

Anti-PatternRisk
Hardcode controller credentialsSecurity breach
Use personal credentials for automationAudit failure
Test unreviewed code in productionOutage risk
Create job templates without ask_*_on_launchNo flexibility
Launch jobs without wait: trueLose error visibility
Store sensitive data in extra_varsSecurity exposure
Bypass GitHub approval workflowCompliance violation

✅ ALWAYS DO

Best PracticeBenefit
Use OAuth tokens or service accountsProper audit trail
Store tokens in environment variables or vaultSecurity
Test in dev → qa → prod progressionSafe rollout
Enable ask_*_on_launch for flexibilityEasy testing
Use limit to target specific hostsSafe testing
Store secrets in AWX credentialsSecure
Use SCM-based workflow for productionGovernance
Document data file schemas in commentsMaintainability

Examples

Create Job Template with All Options

awx_job_template_list:
  - name: 'deploy-epic-app-prod'
    description: 'Production deployment of Epic application'
    organization: 'Epic Platform'
    project: 'ohemr-ansible-playbooks'
    playbook: 'deploy_epic_app.yml'
    inventory: 'azure-prod-hosts'

    # Credentials
    credentials:
      - 'Azure Prod Service Principal'
      - 'Epic App Secrets'

    # Execution environment
    execution_environment: 'ansible-ee-2.15-azure'

    # Launch options - MUST enable for flexibility
    ask_scm_branch_on_launch: true
    ask_limit_on_launch: true
    ask_variables_on_launch: true
    ask_tags_on_launch: true

    # Job behavior
    job_type: 'run' # or "check"
    verbosity: 1
    timeout: 1800

    # Concurrency
    allow_simultaneous: false

Launch Job with Override Branch

awx_job_launch_list:
  - name: 'deploy-epic-app-prod'
    scm_branch: 'feature/hotfix-deployment'
    limit: 'app-server-01' # Target single host
    extra_vars:
      deployment_type: 'rolling'
      max_fail_percentage: 10
    wait: true
    timeout: 1800

Create Workflow Template

awx_workflow_job_template_list:
  - name: 'epic-app-full-deployment'
    description: 'Complete Epic app deployment with pre/post checks'
    organization: 'Epic Platform'

    workflow_nodes:
      - identifier: 'pre-check'
        unified_job_template: 'health-check-pre'
        all_parents_must_converge: false

      - identifier: 'deploy-db'
        unified_job_template: 'deploy-database'
        all_parents_must_converge: true
        success_nodes:
          - 'deploy-app'
        failure_nodes:
          - 'rollback-db'

      - identifier: 'deploy-app'
        unified_job_template: 'deploy-epic-app-prod'
        all_parents_must_converge: true
        success_nodes:
          - 'post-check'
        failure_nodes:
          - 'rollback-app'

      - identifier: 'post-check'
        unified_job_template: 'health-check-post'

Troubleshooting

IssueCauseSolution
Job template won't launchProject not syncedCheck project sync status
Override branch not workingask_scm_branch_on_launch disabledEnable on job template
Role not using feature branchWrong requirements.ymlCheck playbook branch
Credentials invalidToken expiredRefresh OAuth token

References

Related Assets

AWX Job Template Creation Assistant

experimental

Guide through creating a new AWX job template using the ansible_role_awx_cac CaC model, including all required fields and best practices.

claude
codex
vscode
awx
job-template
cac
epic
ansible

Owner: epic-platform-sre

AWX Role Feature Branch Testing Assistant

experimental

Guide coordinated testing of Ansible role changes using feature branches in both the role repo and playbooks repo, following Epic on Azure patterns.

claude
codex
vscode
awx
ansible
role-testing
feature-branch
cac
+1

Owner: epic-platform-sre

Ansible Development & AWX Operations Assistant (Optum)

experimental

Complete Ansible development lifecycle assistant for Epic on Azure - create playbooks and roles locally, manage requirements.yml versions, test workflows, and deploy in AWX with CaC patterns.

vscode
awx
ansible
cac
ops
epic
+1

Owner: epic-platform-sre

Ansible Playbook Creation Assistant

experimental

Interactive guide for creating new Ansible playbooks that execute in AWX, following Epic on Azure patterns for role integration, vault secrets, and testing workflows.

claude
codex
vscode
ansible
playbook
creation
epic
awx
+1

Owner: epic-platform-sre

AWX Override Branch Testing Assistant

experimental

Guide testing a playbook change using AWX's scm_branch override without modifying the job template, following Epic on Azure safety patterns.

claude
codex
vscode
awx
testing
branch-override
cac
epic

Owner: epic-platform-sre

AWX Operations Troubleshooting Assistant

experimental

Diagnostic and resolution guide for common AWX job failures, credential issues, project sync problems, and operational errors in Epic on Azure.

claude
codex
vscode
awx
ansible
troubleshooting
debugging
epic
+1

Owner: epic-platform-sre