IPA Client Provisioning
This is a configuration template (i.e. an Ansible Playbook) to customize your environment in the European Weather Cloud (EWC).
The template is designed to:
-
Provision an instance via Terraform, with your specified Linux distribution and desired flavor (a.k.a VM plan):
- If a
terraform.tfstatestate file is not found under the user-defined directory, attempts to create the instance from scratch
OR
- if
terraform.tfstatefile is found, leverages Terraform's out-of-the-box functionality to update the instance referenced on it
- If a
-
Configure the existing or newly provisioned instance to connect to an IPA server running on the same subnet, such that it:
- Is remotely accessible via public key or password to centrally managed LDAP users
- Is able to leverage DNS resolution and discover other private hosts or public addresses
After successful provisioning, you can take advantage of Terraform built-in
functionality to safely modify or delete the instance. You'll find the definition of your
instance in main.tf, and its current state in terraform.tfstate, under the user-defined
tf_project_path directory.
To learn the basics about managing infrastructure with Terraform, checkout the official documentation examples.
Prerequisites
💡 Versions listed correspond to minimal prerequisites.
To successfully run this playbook, the following packages should be available in your work environment:
| Name | Version | License | Home URL |
|---|---|---|---|
| git | 2.0 | GPLv2 | https://git-scm.com/downloads |
| python | 3.9 | PSF | https://www.python.org/downloads |
| ansible | 2.15 | GPLv3+ | https://pypi.org/project/ansible |
| terraform | 0.14 | BSL | https://developer.hashicorp.com/terraform/install |
Usage
1. Download Ansible dependencies
💡 By default, Ansible Roles are installed under the
~/.ansible/rolesdirectory within your working environment.
Download the correct version of the Ansible dependencies, if you haven't done so already:
ansible-galaxy role install -r requirements.yml
2. Configure and apply the template
2.1. Interactive Mode
By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:
ansible-playbook ipa-client-provisioning.yml
2.2. Non-Interactive Mode
💡 To learn more about defining variables at runtime, checkout the official Ansible documentation.
You can also run in non-interactive mode by passing the
--extra-vars or -e flag, followed by a map of key-value pairs; one for
each and every available input (see inputs section below). For example:
ansible-playbook \
-e '{
"ewc_provider": "eumetsat",
"tf_project_path": "~/iac/ipa-client-1",
"app_name": "ipa",
"instance_name": "client",
"instance_index": 1,
"flavor_name": "eo2.medium",
"image_name": "ubuntu-22.04-20250204105649",
"public_keypair_name": "john-claudy-publickey",
"private_keypair_path": "~/.ssh/id_rsa",
"private_network_name": "private",
"security_group_name": "ipa",
"instance_has_fip": "no",
"ipa_domain": "eumetsat.sandbox.ewc",
"ipa_server_hostname": "ipa-server-1",
"ipa_admin_username": "iapadmin",
"ipa_admin_password": "my-secret-password"
}' \
ipa-client-provisioning.yml
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ewc_provider | your target EWC provider. Must match that the provider of your OpenStack application credentials. Valid input values are ecmwf or eumetsat. |
string |
n/a | yes |
| tf_project_path | path to terraform working directory. Example: ~/iac/ipa-client-1 |
string |
n/a | yes |
| app_name | application name, used as prefix in the full instance name. Example: ipa |
string |
n/a | yes |
| instance_name | name of the instance, used in the full instance name. Example: client |
string |
n/a | yes |
| instance_index | index or identifier for the instance, used as suffix in the full instance name. Example: 1 |
number |
n/a | yes |
| flavor_name | name the flavor to use for the instance. To learn about available options, checkout the official EWC VM plans documentation | string |
n/a | yes |
| image_name | name of the image to use for the instance. For complete information on available options, see the official EWC Images documentation.⚠️ Only Ubuntu 22.04 and RockyLinux 8.10 VM images are currently supported. This is due to constrains imposed by the required ewc-ansible-role-ipa-client-enroll Ansible Role. Example: ubuntu-22.04-20250204105649 |
string |
n/a | yes |
| public_keypair_name | name of public keypair (stored in OpenStack) to be copied into the instance for remote SSH access | string |
n/a | yes |
| private_keypair_path | path to the local private keypair to use for SSH access to the instance. Example: ~/.ssh/id_rsa |
string |
n/a | yes |
| private_network_name | private network name to attach the instance to. Example: private |
string |
n/a | yes |
| security_group_name | security group name to apply to the instance. Example: ipa |
string |
n/a | yes |
| instance_has_fip | whether to assign a floating IP to the instance. Only yes will be accepted to approve |
string |
n/a | yes |
| ipa_domain | domain name managed by the IPA server. Example: eumetsta.sandbox.ewc |
string |
n/a | yes |
| ipa_server_hostname | hostname of the IPA server. Example: ipa-server-1 |
string |
n/a | yes |
| ipa_admin_username | username of the administrator account from the IPA server | string |
n/a | yes |
| ipa_admin_password | password of the administrator account from the IPA server | string |
n/a | yes |
| password_allowed_ip_ranges | IP addresses or IP ranges (in CIDR format) to be allowed for password access in SSHD configuration. When in doubt, add only IP addresses you know and trust. Example: ['10.0.0.0/24','192.168.1.0/24'] |
list(string) |
['10.0.0.0/8','172.16.0.0/12','192.168.0.0/16'] |
no |
Dependencies
⚠️ Only Ubuntu 22.04 and RockyLinux 8.10 VM images are currently supported. This is due to constrains imposed by the required ewc-ansible-role-ipa-client-enroll Ansible Role.
| Name | Version | License | Home URL |
|---|---|---|---|
| ewc-tf-module-openstack-compute | 1.4 | MIT | https://github.com/ewcloud/ewc-tf-module-openstack-compute |
| ewc-ansible-role-ipa-client-enroll | 1.0 | MIT | https://github.com/ewcloud/ewc-ansible-role-ipa-client-enroll |