We want to hear from you! Help us gain insights into the state of the Ansible ecosystem.
Take the Ansible Project Survey 2024




Introducing the Ansible API for ServiceNow ITSM

Introducing the Ansible API for ServiceNow ITSM

One of the most popular platform integrations available to Ansible Automation Platform subscribers in Ansible automation hub is the Red Hat Ansible Certified Content Collection for ServiceNow ITSM. This collection helps you create new automation workflows faster based on ServiceNow ITSM while establishing a single source of truth in the ServiceNow configuration management database (CMDB). You can help free teams from hours of manual effort and have greater data integrity within your ServiceNow ITSM instance. 

For ServiceNow users, we've launched a new native ServiceNow application, the API for Red Hat Ansible Automation Platform Certified Content Collection, available exclusively through the ServiceNow store to enhance and support the integration between the two platforms.   

What is the Ansible API for ServiceNow ITSM?

The API for Red Hat Ansible Automation Platform Certified Content Collection integrates Ansible's certified content with your ServiceNow instance. Prior to the launch of ServiceNow's Rome API, Ansible users could download the Red Hat Ansible Certified Content Collection for ServiceNow ITSM from the Ansible automation hub and directly manage ServiceNow resources using their REST API. 

With the release of Rome, the REST API no longer provided all of the support needed to automate ServiceNow using Ansible. To remedy this problem, Red Hat and our partner, XLAB, developed this new API to enhance and restore that functionality. 

While the need to develop the Ansible API for ServiceNow ITSM was a result of the release of Rome, it's also compatible with ServiceNow ITSM San Diego and Tokyo.

What can you automate in the ServiceNow ITSM?

Using both the API and the Certified Content Collection for ServiceNow ITSM, you can:

  • Automate change requests. Use Ansible Playbooks to automate ServiceNow ITSM service requests, including reporting change results and all information related to those changes. Your service representatives can simply kick off an Ansible Playbook to resolve common requests and reduce rote, repetitive tasks.
  • Automate incident response. Assets in the ServiceNow Certified Collection support automatic updates to incident tickets to provide a consistent audit trail. Your team can also streamline the required steps for issue remediation and apply them at scale.
  • Enable full "closed loop" automation. Simplify the opening, advancement, and resolution of IT service management workflow items while keeping relevant and accurate information flowing into the CMDB across disparate users, teams, and assets. Ensure that infrastructure information is always up to date, actionable, and auditable while work is completed by cross-domain teams that may or may not have access to ServiceNow.

Getting started with the Ansible API for ServiceNow ITSM

To get started:

  • Install the API for Red Hat Ansible Certified Content Collection for free from the ServiceNow store and consult the "Application Installation and Configuration Guide" for additional instructions. 
  • Download the Ansible Content Collection for ServiceNow ITSM from Ansible automation hub on the Red Hat Hybrid Cloud Console

Additional resources




Let Ansible keep an eye on your AWS environment

Let Ansible keep an eye on your AWS environment

In a cloud model, the security of the environment and compliance becomes the responsibility of both the end users and the cloud provider. This is what we call the shared responsibility model in which every part of the cloud, including the hardware, data, configurations, access rights, and operating system, are protected. Depending on the local legislation and the origin of the data that is handled (for instance laws like HIPAA, the GDPR in Europe, or the Californian CCPA),  you may have to enforce strict rules on your environment and log events for audit purposes. AWS CloudTrail will help you to achieve this goal. The service can collect and record any kind of information coming from your environment and store or send the events to a destination for audit. In addition to security and compliance, this service helps keep track of resource consumption.

Ansible's CloudTrail module is used to leverage the various features of the CloudTrail service to monitor and audit user activities and API calls in the AWS environment. A trail is a configuration that lets us describe an event filter and decide where the matching entries should be sent. The recent 5.0.0 release of the Amazon.aws collection comes with a new Cloudtrail module. This module helps create, configure, and delete a trail. The final destination of a trail can be an S3 bucket or a CloudWatch log. We have also paired the cloudtrail module with a cloudtrail_info module, which helps collect the information of all or a specific trail.

In this blog post, we are going to take a few configuration use cases and show how Ansible's CloudTrail module can be used to automate the same.

To download the amazon.aws collection, you can download it from

Use Case 1 - Get maximum visibility

Unless a trail is used for a specific activity in a specific region, it is the best practice to enable CloudTrail for all regions. By doing so, we maximize the visibility of the AWS environment so there is no weakness (unmonitored region) that can be exploited by an attacker. This will also make sure that we receive the event history for any new region that AWS will launch in the future. 

- name: create multi-region trail
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mylogbucket
    region: us-east-1
    is_multi_region_trail: true
    tags:
      environment: dev

The cloudtrail_info module can be used to get all the information about a particular trail or all the trails present. If a trail name is not provided as input to this module, this module will get the information of all trails, including shadow trails, by default. The shadow trails can be skipped by setting [include_shadow_trails] to [False].

# Gather information about the multi-region trail
- amazon.aws.cloudtrail_info:
    trail_names:
      - arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail
    include_shadow_trails: False
      register: trail_info

trail_info :
"trail_list": [
            {
                "has_custom_event_selectors": false,
                "has_insight_selectors": false,
                "home_region": "us-east-1",
                "include_global_service_events": true,
                "is_logging": true,
                "is_multi_region_trail": true,
                "is_organization_trail": false,
                "latest_delivery_attempt_succeeded": "",
                "latest_delivery_attempt_time": "",
                "latest_notification_attempt_succeeded": "",
                "latest_notification_attempt_time": "",
                "log_file_validation_enabled": false,
                "name": "myCloudTrail",
                "resource_id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail",
                "s3_bucket_name": "mylogbucket",
                "start_logging_time": "2022-09-29T11:41:41.752000-04:00",
                "tags": {"environment": "dev"},
                "time_logging_started": "2022-09-29T15:41:41Z",
                "time_logging_stopped": "",
                "trail_arn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail"
            }
        ]

Use Case 2 - Manage access to S3 buckets

For this use case, we will manage the access given to the S3 buckets where the trail logs are stored. As mentioned earlier, shared responsibility includes sharing the security of the resources as well.  S3 buckets are prone to incorrect configurations and are the major source of data leaks. S3 buckets configured with public access allow anyone on the internet to access the data. Ansible's s3_bucket  module can be used to set CloudTrail's S3 bucket permissions and policies. This S3 bucket can be passed to the CloudTrail module, which will be used as the destination for the trail-generated logs.

- amazon.aws.s3_bucket:
   name: mys3bucket
   state: present
   public_access:
       block_public_acls: true
       ignore_public_acls: true
       block_public_policy: false
       restrict_public_buckets: false

- name: Create trail with secured s3 bucket
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mys3bucket
    region: us-east-1
    tags:
      environment: dev

Use Case 3 - Maintain CloudTrail logs integrity

CloudTrail logs are collected to verify the compliance and security of the AWS environment. It is always possible that an attacker can gain access and tamper with these logs to obscure their presence. By enabling log file validation, a digital signature of the log file is generated, which is used to check if the log files are valid and not tampered with.

- name: create a trail with log file validation
  amazon.aws.cloudtrail:
    state: present
    name: myCloudTrail
    s3_bucket_name: mylogbucket
    region: us-east-1
    log_file_validation_enabled: true
    tags:
      environment: dev

# Gather information about the trail
- amazon.aws.cloudtrail_info:
    trail_names:
      - arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail
    include_shadow_trails: False
      register: trail_info

trail_info :
"trail_list": [
            {
                "has_custom_event_selectors": false,
                "has_insight_selectors": false,
                "home_region": "us-east-1",
                "include_global_service_events": true,
                "is_logging": true,
                "is_multi_region_trail": fail,
                "is_organization_trail": false,
                "latest_delivery_attempt_succeeded": "",
                "latest_delivery_attempt_time": "",
                "latest_notification_attempt_succeeded": "",
                "latest_notification_attempt_time": "",
                "log_file_validation_enabled": true,
                "name": "myCloudTrail",
                "resource_id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail",
                "s3_bucket_name": "mylogbucket",
                "start_logging_time": "2022-09-29T11:41:41.752000-04:00",
                "tags": {"environment": "dev"},
                "time_logging_started": "2022-09-29T15:41:41Z",
                "time_logging_stopped": "",
                "trail_arn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myCloudTrail"
            }
        ]

Use Case 4 - Encrypt the logs

By default, the S3 buckets are protected by an A[mazon server-side encryption method and Amazon S3-managed encryption keys. To add an extra layer of security, you can use the AWS Key Management Service. This is directly manageable and helps protect the log files from any attacker's survey of the environment.

- name: Create an LMS key using lookup for policy JSON
  amazon.aws.kms_key:
    alias: my-kms-key
    policy: "{{ lookup('template', 'kms_iam_policy_template.json.j2') }}"
    state: present
  register: kms_key_for_logs

- name: Create a CloudTrail with kms_key for encryption
  amazon.aws.cloudtrail:
     state: present
     name: myCloudTrail
     s3_bucket_name: mylogbucket
     kms_key_id: "{{ kms_key_for_logs.key_id }}"

Similar to the use cases mentioned above, many parameters allow the CloudTrail logs to be secure, compliant, and manageable. To get more information on how to configure CloudTrail and get the configuration information of an existing trail, please refer to amazon.aws.cloudtrail and amazon.aws.cloudtrail_info.

Now you can see four awesome use cases for Red Hat Ansible Automation Platform and CloudTrail and how they can easily and seamlessly work together to accomplish cloud automation tasks. If you want more blogs on Ansible and AWS, please let us know!







Best of Fest 2022

Best of Fest 2022

At AnsibleFest 2022, the power of automation was on full display. Through sessions, workshops, labs and more, we explored how to transform enterprise and industry through automation. There were a lot of exciting announcements made on both days, and in case you missed it, we are going to dive into what is new!

Ansible and AWS

We are thrilled to also announce a new AWS Marketplace offering, Red Hat Ansible Automation Platform. By offering Ansible Automation Platform as a pre-integrated service that can be quickly deployed from cloud marketplaces, we are meeting our customers where they are, while giving them the flexibility to deliver any application, anywhere, without additional overhead or complexity. Whether you are automating your hybrid cloud or multi-cloud environments, Ansible Automation Platform acts as a single platform. This platform provides consistency, visibility, and control to help  you manage these environments at scale. Ansible is the IT automation "glue" for bringing your cloud, network, bare-metal and cloud-native infrastructure together. This  provides the functionality to coordinate and manage across  hybrid cloud environments in a simple and efficient way. Interested in learning more? Check out the press release.

Automation at the Edge

Ansible Automation Platform provides a framework for building and operating IT automation at scale. What this means for edge, much like the data center, is that users across an entire organization can create, share, and manage automation. They can develop and apply guidelines for  using automation within individual groups. They can write tasks that use existing knowledge so they can be leveraged by nonIT staff, allowing end-to-end automation to be deployed. Ansible Automation Platform uses containerization to package, distribute, and execute automation across environments securely via automation execution environments. This enables organizations to rapidly and consistently extend IT services to the edge, while maintaining a focus on security. This helps organizations to simplify capacity scaling, increase resiliency, and improve consistency. Learn more about automation at the edge here.

Event-Driven Ansible

Event-Driven Ansible is a new capability that we're making available to the entire Ansible open source community in developer preview. With Event-Driven Ansible, you can eliminate low-level tasks from the day-to-day routine so you have more time to focus on innovations. This means a happier, more productive, and more engaged team. It is fast, accurate, and will free you (and your teams) to work on the things you WANT to be doing, without being dragged down by all the things you HAVE to do. Event--Driven Ansible will support a range of use cases, and here are few good ones to get started with:

  • Automating remediation of common problems, like resetting a network router that's out.
  • Gathering information to solve problems faster, like information about a server configuration or buffer pool size so when you get the service ticket, the information you need is already there.
  • Administering user requests ... like "I can't log in" or "I cannot access the application".

We are excited about the future of automation and what is possible with Event-Driven Ansible.

Project Wisdom

Project Wisdom is a Red Hat initiative, developed in close collaboration with IBM Research, to give Ansible artificial intelligence superpowers. The first goal is to bring together automation novices and Ansible experts while enabling new automators to drastically reduce the challenge of learning and mastering Ansible. The first capability we are using AI for is content generation. The AI models we use underneath Project Wisdom are able to generate Ansible Playbooks or roles that are both syntactically correct and functional. You can also head to redhat.com/wisdom for more information on how to get involved. 

Ansible Automation Platform 2

Ansible Automation Platform 2 is built to enable a trusted automation supply chain. In the upcoming  Ansible Automation Platform 2.3 release, digital signing will be supported for containers, playbooks and collections. We're also excited to introduce Ansible validated content, which complements the  existing  ecosystem of Red Hat Ansible Certified Content Collections. Ansible validated content helps your teams to start automating faster by following a trusted, expert-led, opinionated path for performing operations and tasks on both Red Hat and third party platforms. Initially, Ansible validated content will be pre-loaded into private automation hub.

Community

We are so fortunate that we are a part of one of the largest, most vibrant open source project communities in the world. So while the landscape may be shifting around us, Ansible continues to push forward and evolve with the times. Ansible is celebrating its 10th anniversary this year! Within our expansive community, the new Working Groups focus on expanding the Ansible ecosystem with the development of Ansible Content Collections. First spun up by our team last year, Matrix has made a huge difference in our ability to connect and engage with the Ansible community. So far we've spun up 32 unique chat rooms, with 4200+ members and nearly 80k messages sent in the past 6 months. Matrix's ability to bridge with IRC gave us a strong foundation upon which to build. Join the Working Groups and become a part of the conversation: https://matrix.to/#/#social:ansible.com