IPA (acronym for identity, policy and audit) and its open-source implementation FreeIPA, serve both as a user management system and as your internal DNS nameserver.

This is a configuration template (i.e. an Ansible Playbook) to customize your environment in the European Weather Cloud (EWC).

The template is designed to:

• Provision an instance via Terraform, with your specified VM image and desired flavor (a.k.a VM plan):

  • If a terraform.tfstate state file is not found under the user-defined directory, attempts to create the instance from scratch

  OR

  • if a terraform.tfstate file is found, leverages Terraform's out-of-the-box functionality to update the instance referenced on it

• Validate that network/subnet configuration in the EWC tenancy

• Configure the existing or newly provisioned instance such that it:

  • Provides DNS resolutions for discovery of resources (i.e. other virtual machines)
  • Enables centralized user and credentials creation/edition/deletion/authentication
  • Allows centralized authorization between users and resources

• Automatically update the underlying subnet DNS nameserver to point to the newly configured IPA server

After successful provisioning, you can take advantage of Terraform built-in functionality to safely modify or delete the instance. You'll find the definition of your instance in main.tf, and its current state in terraform.tfstate, under the user-defined tf_project_path directory.

To learn the basics about managing infrastructure with Terraform, checkout the official documentation examples.

⚠️ Successfull execution leads to changes of the DNS nameserver(s) in your OpenStack subnet (includes now only the IP address of the new IPA server). This can negatively affect existing VMs within your subnet. To prevent issues, programatically update each VM via the IPA Client Enroll Flavour CommunityHub Item. Alternatively, you can manually add the new nameserver to their DNS configuration.

Prerequisites

💡 Versions listed correspond to minimal prerequisites.

To successfully run this playbook, the following packages should be available in your work environment:

Usage

1. Download Ansible dependencies

💡 By default, Ansible Roles are installed under the ~/.ansible/roles directory within your working environment.

Download the correct version of the Ansible dependencies, if you haven't done so already:

ansible-galaxy role install -r requirements.yml

2. Configure and apply the template

2.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook ipa-server-provisioning.yml

2.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, checkout the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs; one for each and every available input (see inputs section below). For example:

ansible-playbook \
  -e '{
        "ewc_provider": "eumetsat",
        "tf_project_path":"~/iac/ipa-server-1",
        "app_name":"ipa",
        "instance_name":"server",
        "instance_index": 1,
        "flavor_name":"eo2.medium",
        "image_name":"Rocky-8.10-20250204105303",
        "public_keypair_name":"my-public-key",
        "private_keypair_path":"~/.ssh/id_rsa",
        "private_network_name": "private",
        "security_group_name": "ipa",
        "ipa_domain":"eumetsat.sandbox.ewc",
        "ipa_admin_username":"ipaadmin",
        "ipa_admin_password":"my-secret-password",
        "ipa_admin_givenname": "IPAADMIN",
        "ipa_admin_surname": "EWC"
    }' \
  ipa-server-provisioning.yml

Inputs

Dependencies

⚠️ Only RockyLinux 9.5 and RockyLinux 8.10 VM images are currently supported. This is due to constrains imposed by the required ewc-ansible-role-ipa-server Ansible Role.

💡 A VM plan with at least 4GB of RAM is recommended for successful setup and stable operation.