Automate everything with Ansible

Pat HarrisonSpecialist Solution Architect15th October 2019

2

WHAT IS ANSIBLE AUTOMATION?

Ansible Automation is the enterprise framework for automating across IT operations.

Ansible Engine runs Ansible Playbooks, the automation language that can perfectly describe an IT application infrastructure.

Ansible Tower allows you scale IT automation, manage complex deployments and speed productivity.

RED HAT ANSIBLE TOWEROperationalize your automation

RED HAT ANSIBLE ENGINESimple command line automation

CONTROL DELEGATION SCALE

SIMPLE POWERFUL AGENTLESS

FUELED BY AN INNOVATIVE OPEN SOURCE COMMUNITY

3

WHY ANSIBLE?

SIMPLE POWERFUL AGENTLESS

App deployment

Configuration management

Workflow orchestration

Network automation

Orchestrate the app lifecycle

Human readable automation

No special coding skills needed

Tasks executed in order

Usable by every team

Get productive quickly

Agentless architecture

Uses OpenSSH & WinRM

No agents to exploit or update

Get started immediately

More efficient & more secure

4

“This is what Ansible was written to do: Manage complex multi-tier deployments.

We don’t just stop at configuration management or application deployment. To really do orchestration, you must do all of those well AND be an outstanding workflow engine. Real world app stacks involve lots of different classes of systems all working in concert.”

Michael DeHaanAnsible project founder

THE PURPOSE OF AUTOMATION

5

500

2000

1500

1000

September 2018

November 2017

June 2017

January 2017

August 2016

April 2018

March 2016

MODULE GROWTH

6

THE MIGHTY MODULE

$ date +%x

04/10/18

$ ansible --version

2.7.0

$ ansible-doc -l | wc -l

2146

$ date +%x

16/05/19

$ ansible --version

2.8.0

$ ansible-doc -l | wc -l

2834

7

WHAT CAN YOU DO WITH ANSIBLE?

Automate the deployment and management of your entire IT footprint.

Orchestration

Do this...

Firewalls

Configuration Management

Application Deployment Provisioning Continuous Delivery Security and

Compliance

On these...

Load Balancers Applications Containers Clouds

Servers(Linux, Windows) Infrastructure Storage Network Devices

LINUX AUTOMATION

8

ansible.com/get-started

AUTOMATE EVERYTHING LINUXRed Hat Enterprise Linux, BSD,

Debian, Ubuntu and many more!

ONLY REQUIREMENTS:Python 2 (2.6 or later)

or Python 3 (3.5 or later)

150+ Linux

Modules

LINUX AUTOMATION

9

- name: ensure selinux is enforcing and targeted selinux: policy: targeted state: enforcing

- name: disable ip forwarding sysctl: name: net.ipv4.ip_forward value: 0

71%of networks are stilldriven manually via CLI

Source: Gartner, Look Beyond Network Vendors for Innovation. January 2018

ANSIBLE NETWORK AUTOMATION

ansible.com/for/networksgalaxy.ansible.com/ansible-network

1000+ NetworkModules

65+ Network

Platforms

15* Galaxy

Network Roles

*Roles developed and maintained by Ansible Network Engineering

11

12

NETWORK INTEGRATIONS

https://www.ansible.com/integrations/networks

NETWORKING - COMMON USE CASES

13

● Schedule backups ● Restore from any

timestamp● Build workflows that

rollback

Backup and Restore

● Check configuration standards

● Track configuration drift ● Enforce configuration

policy

Configuration Compliance

● Build reports● Grab software versions,

MTU, interfaces status● Audit system services and

other common config

Dynamic Documentation

✓

✓ ✓ ✓

NETWORK DEVICE REPORTING

14

https://github.com/network-automation/

FIREWALL EXAMPLE

15

- name: create checkpoint access rule

checkpoint_access_rule:

layer: Network

name: “Drop Attacker”

position: top

source: attacker

destination: Any

action: Drop

16

+ =

WINDOWS AUTOMATION

17

ansible.com/windows

1,300+ Powershell

DSC resources

100+ Windows Modules

18

Package Management

Install and uninstall MSIsEnable and disable Windows Features

Manage Windows packagesManage and install Windows updates

Configuration Management

Manage Windows ServicesEdit Windows Registry

Active Directory ManagementWindows Firewall

Re-Use

Execute PowerShellCall Windows DSC

WINDOWS AUTOMATION

WINDOWS EXAMPLE

19

---

- name: security updates and reboot

hosts: windows_servers

tasks:

- name: ensure security updates are current and reboot if needed

win_updates:

reboot: yes

categories:

- SecurityUpdates

- CriticalUpdates

CLOUD AUTOMATION

20

CLOUD AUTOMATION

21

ansible.com/cloud

30+ Cloud

Platforms

800+ Cloud

Modules

ANSIBLE FOR CLOUD

22

23

- name: create aws security group

ec2_group:

name: my_security_group

purge_rules: true

rules:

- proto: tcp

from_port: 22

to_port: 22

cidr_ip: 192.168.100.0/24

- proto: tcp

from_port: 443

to_port: 443

cidr_ip: 192.168.100.0/24

AWS EXAMPLE

24

Triage Of Suspicious Activities

Enabling programmatic access to log configurations such as

destination, verbosity, etc.

Threat Hunting

Automating alerts, correlation searches and signature

manipulation

Incident Response

Creating new security policies to whitelist, blacklist or quarantine a machine

SECURITY AUTOMATION

AUTOMATION FOR THE ENTERPRISE

WHAT IS ANSIBLE TOWER?Ansible Tower is a UI and RESTful API allowing you to scale IT automation, manage complex deployments and speed productivity.

• Role-based access control

• Deploy entire applications with push-button deployment access

• All automations are centrally logged

• Powerful workflows match your IT processes

27

CENTRALISED PLATFORM

ScaleHigh Availability Self Service Automation

28

GOVERNANCE

Role BasedAccess Control

CredentialManagement

Auditing & Logging

29

TOWER WORKFLOWS

INTEGRATIONS

31

VAULTS

Credential Plugins

Use credentials from your corporate standard password and key storage directly from Tower.

● HashiCorp Vault● CyberArk AIM● CyberArk Conjur● Microsoft Azure Key Vault

32

DevOps Tools

33

Automation CatalogCreate/Update/CloseTickets

Dynamic Inventory

34

ServiceNow

35