Added rhsm changes and updates to get installer working

.ansible-lint

@@ -6,5 +6,6 @@ verbosity: 1
 skip_list:
   - ignore-errors
   - package-latest
+  - command-instead-of-shell
 
 offline: true

playbook_deploy_aap.yml

@@ -18,3 +18,41 @@
       ansible.builtin.dnf:
         name: "*"
         state: latest
+
+- name: Configure hosts
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  tasks:
+    - name: Debug hosts
+      ansible.builtin.debug:
+        var: hostvars.localhost.infrastructure_db.endpoint.address
+
+- name: Enable AAP repos
+  hosts: "{{ groups.aap | default('all') }}"
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Register subscription manager
+      community.general.redhat_subscription:
+        state: present
+        username: "{{ aap_red_hat_username }}"
+        password: "{{ aap_red_hat_password }}"
+        auto_attach: true
+    - name: Ensure rhsm is managing repos
+      ansible.builtin.command: sudo subscription-manager config --rhsm.manage_repos=1
+
+- name: Install AAP
+  hosts: "{{ groups.controller[0] | default('all') }}"
+  gather_facts: true
+  become: false
+  vars:
+    controller_hosts: "{{ groups.controller }}"
+    hub_hosts: "{{ groups.hub | default('') }}"
+    eda_hosts: "{{ groups.eda | default('') }}"
+    infrastructure_db_host: "{{ hostvars.localhost.infrastructure_db.endpoint.address }}"
+  tasks:
+    - name: Run AAP role
+      ansible.builtin.import_role:
+        name: aap

roles/aap/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+aap_installer_dest_path: /home/ec2-user/aap.tgz
+aap_installer_unarchive_path: /home/ec2-user/
+aap_installer_installer_path: /home/ec2-user/ansible-automation-platform-setup-2.4/
+aap_installer_inventory_path: "{{ aap_installer_installer_path }}inventory"
+aap_ssh_path: /home/ec2-user/.ssh/

roles/aap/tasks/aap_setup.yml

@@ -0,0 +1,3 @@
+---
+- name: Run the AAP install script
+  ansible.builtin.shell: "ANSIBLE_BECOME_METHOD='sudo' ANSIBLE_BECOME=True {{ aap_installer_installer_path }}setup.sh"

roles/aap/tasks/configure_ssh.yml

@@ -0,0 +1,15 @@
+---
+- name: Copy an SSH private key to the installer host to connect to other servers
+  ansible.builtin.copy:
+    remote_src: false
+    src: "{{ aap_installer_ssh_key_src }}"
+    dest: "{{ aap_installer_ssh_key_dest }}"
+    owner: ec2-user
+    group: ec2-user
+    mode: '0600'
+    force: true
+
+- name: Copy ssh config to make calling the AAP installer from this role possible
+  ansible.builtin.template:
+    src: config.j2
+    dest: "{{ aap_ssh_path }}/config"

roles/aap/tasks/create_inventory.yml

@@ -0,0 +1,5 @@
+---
+- name: Copy inventory to install server
+  ansible.builtin.template:
+    src: inventory.j2
+    dest: "{{ aap_installer_inventory_path }}"

roles/aap/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Unarchive installer
+  ansible.builtin.import_tasks: unarchive_installer.yml
+
+- name: Create inventory
+  ansible.builtin.import_tasks: create_inventory.yml
+
+- name: Configure SSH
+  ansible.builtin.import_tasks: configure_ssh.yml
+
+- name: Run the AAP installer
+  ansible.builtin.import_tasks: aap_setup.yml

roles/aap/tasks/unarchive_installer.yml

@@ -0,0 +1,5 @@
+---
+- name: Copy inventory to install server
+  ansible.builtin.unarchive:
+    src: "{{ aap_installer_src_path }}"
+    dest: "{{ aap_installer_unarchive_path }}"

roles/aap/templates/config.j2

@@ -0,0 +1,4 @@
+Host {{ controller_hosts | join(' ') }} {{ hub_hosts | join(' ') }} {{ eda_hosts | join(' ') }}
+    User ec2-user
+    IdentityFile ~/.ssh/{{ aap_installer_ssh_key }}
+    StrictHostKeyChecking no

roles/aap/templates/inventory.j2

@@ -0,0 +1,256 @@
+# Automation Controller Nodes
+# There are two valid node_types that can be assigned for this group.
+# A node_type=control implies that the node will only be able to run
+# project and inventory updates, but not regular jobs.
+# A node_type=hybrid will have the ability to run everything.
+# If you do not define the node_type, it defaults to hybrid.
+#
+# control.example node_type=control
+# hybrid.example  node_type=hybrid
+# hybrid2.example <- this will default to hybrid
+[automationcontroller]
+{{ controller_hosts | join('\n') }}
+
+[automationcontroller:vars]
+peers=execution_nodes
+
+
+# Execution Nodes
+# There are two valid node_types that can be assigned for this group.
+# A node_type=hop implies that the node will forward jobs to an execution node.
+# A node_type=execution implies that the node will be able to run jobs.
+# If you do not define the node_type, it defaults to execution.
+#
+# hop.example        node_type=hop
+# execution.example  node_type=execution
+# execution2.example <- this will default to execution
+[execution_nodes]
+
+[automationhub]
+{{ hub_hosts | join('\n') }}
+
+[automationedacontroller]
+{{ eda_hosts | join('\n') }}
+
+[database]
+
+# Single Sign-On
+# If sso_redirect_host is set, that will be used for application to connect to
+# SSO for authentication. This must be reachable from client machines.
+#
+# ssohost.example sso_redirect_host=<host/ip>
+[sso]
+
+[all:vars]
+admin_password='{{ aap_admin_password }}'
+
+pg_host='{{ infrastructure_db_host }}'
+pg_port=5432
+
+pg_database='aap'
+pg_username='{{ infrastructure_db_username }}'
+pg_password='{{ infrastructure_db_password }}'
+pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
+
+# Managed Postgres Options
+
+# If you wish to install AAP with a single managed postgres server and would
+# like to modify the port for postgres, set the following variable. Note that 
+# the *pg_port variables for the components should be changed to match the 
+# value set by this variable if you wish to connect that component to this
+# managed postgres database server.
+
+# install_pg_port=5432
+
+# Execution Environment Configuration
+#
+
+# Credentials for container registry to pull execution environment images from,
+# registry_username and registry_password are required for registry.redhat.io
+#
+# When deployed with Automation Hub:
+# - The installer will push execution environment images to Automation Hub and
+#   configure Automation Controller to pull images from the Hub registry.
+# - To make Hub to be the only registry to pull execution environment images from,
+#   set 'ee_from_hub_only' to True. This is set to True by default when bundle
+#   installer is used.
+
+registry_url='registry.redhat.io'
+registry_username='{{ aap_red_hat_username }}'
+registry_password='{{ aap_red_hat_password }}'
+# ee_from_hub_only =
+
+# If you wish to add Ansible Engine 2.9 execution environment, set the following variable to true.
+# However this is only available for x86_64 architecture.
+
+# ee_29_enabled=false
+
+# Receptor Configuration
+#
+receptor_listener_port=27199
+
+# Automation Hub Configuration
+#
+
+automationhub_admin_password='{{ aap_admin_password }}'
+
+automationhub_pg_host='{{ infrastructure_db_host }}'
+automationhub_pg_port=5432
+
+automationhub_pg_database='automationhub'
+automationhub_pg_username='{{ infrastructure_db_username }}'
+automationhub_pg_password='{{ infrastructure_db_password }}'
+automationhub_pg_sslmode='prefer'
+
+# Set to True to overwrite existing admin password.
+#
+# automationhub_force_change_admin_password = False
+
+# The main automation hub URL that clients will connect to (e.g. https://<load balancer host>).
+# If not specified, the first node in the [automationhub] group will be used when needed.
+#
+# automationhub_main_url = ''
+
+# By default when one uploads collections to Automation Hub
+# an admin needs to approve it before it is made available
+# to the users. If one wants to disable the content approval
+# flow, the following setting should be set to False.
+#
+# automationhub_require_content_approval = True
+
+# At import time collections can go through a series of checks.
+# Behaviour is driven by galaxy-importer.cfg configuration.
+# Example are ansible-doc, ansible-lint, flake8, ...
+#
+# The following parameter allow one to drive this configuration.
+# This variable is expected to be a dictionary.
+#
+# automationhub_importer_settings = None
+
+# The default install will deploy a TLS enabled Automation Hub.
+# If for some reason this is not the behavior wanted one can
+# disable TLS enabled deployment.
+#
+# automationhub_disable_https = False
+
+# The default install will deploy a TLS enabled Automation Hub.
+# Unless specified otherwise the HSTS web-security policy mechanism
+# will be enabled. This setting allows one to disable it if need be.
+#
+# automationhub_disable_hsts = False
+
+# The default install will not create a signing service. If set to true
+# a signing service will be created.
+
+# automationhub_create_default_collection_signing_service = False
+# automationhub_create_default_container_signing_service = False
+
+# If a signing service is enabled, one must provide a signing script and a key.
+# Note: these MUST be absolute paths.
+
+# automationhub_collection_signing_service_key = /absolute/path/to/key/to/sign
+# automationhub_collection_signing_service_script =  /absolute/path/to/script/that/signs
+
+# automationhub_container_signing_service_key = /absolute/path/to/key/to/sign
+# automationhub_container_signing_service_script =  /absolute/path/to/script/that/signs
+
+# If a collection signing service is enabled, collections won't be signed automatically by default.
+# The following parameter will have them signed by default.
+#
+# automationhub_auto_sign_collections = False
+
+# If upgrading from Ansible Automation Platform 2.0 or earlier, you must either:
+# - provide an existing Automation Hub token as 'automationhub_api_token' or
+# - set 'generate_automationhub_token' to True to generate a new token
+# Generating a new token will invalidate the existing token.
+#
+# automationhub_api_token=''
+# generate_automationhub_token=
+
+# Automation Hub LDAP configuration
+#
+# For Automation Hub to connect to LDAP directly the following variables
+# need to be configured. The list of all possible configuration can be found here:
+# https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings
+# Extra parameters will need to be passed through an ansible ldap_extra_settings dictionary.
+#
+# automationhub_authentication_backend = "ldap"
+#
+# automationhub_ldap_server_uri = "ldap://ldap:10389"
+# automationhub_ldap_bind_dn = "cn=admin,dc=ansible,dc=com"
+# automationhub_ldap_bind_password = "GoodNewsEveryone"
+# automationhub_ldap_user_search_base_dn = "ou=people,dc=ansible,dc=com"
+# automationhub_ldap_group_search_base_dn = "ou=people,dc=ansible,dc=com"
+
+# By default, bundle installer seeds certified and validated collections into
+# Automation Hub. Set to False to disable the seeding.
+#
+# automationhub_seed_collections = True
+
+
+# Automation EDA Controller Configuration
+#
+
+automationedacontroller_admin_password='{{ aap_admin_password }}'
+
+automationedacontroller_pg_host='{{ infrastructure_db_host }}'
+automationedacontroller_pg_port=5432
+
+automationedacontroller_pg_database='automationedacontroller'
+automationedacontroller_pg_username='{{ infrastructure_db_username }}'
+automationedacontroller_pg_password='{{ infrastructure_db_password }}'
+automationedacontroller_pg_sslmode='prefer'
+
+# Certificate and key to install in Automation EDa Controller 
+# automationedacontroller_ssl_cert=/path/to/automationedacontroller.cert
+# automationedacontroller_ssl_key=/path/to/automationedacontroller.key
+
+# The full routeable URL used by EDA to connect to a controller host.
+# This URL is required if there is no Automation Controller configured
+# in inventory.
+#
+# Format example: automation_controller_main_url='https://<hostname>'
+#
+# automation_controller_main_url = '' 
+
+# Boolean flag used to verify Automation Controller's
+# web certificates when making calls from Automation EDA Controller.
+#
+# automationedacontroller_controller_verify_ssl = true
+
+# SSL-related variables
+
+# If set, this will install a custom CA certificate to the system trust store.
+# custom_ca_cert=/path/to/ca.crt
+
+# Certificate and key to install in nginx for the web UI and API
+# web_server_ssl_cert=/path/to/tower.cert
+# web_server_ssl_key=/path/to/tower.key
+
+# Certificate and key to install in Automation Hub node
+# automationhub_ssl_cert=/path/to/automationhub.cert
+# automationhub_ssl_key=/path/to/automationhub.key
+
+# Server-side SSL settings for PostgreSQL (when we are installing it).
+# postgres_use_ssl=False
+# postgres_ssl_cert=/path/to/pgsql.crt
+# postgres_ssl_key=/path/to/pgsql.key
+
+# Keystore file to install in SSO node
+# sso_custom_keystore_file='/path/to/sso.jks'
+
+# The default install will deploy SSO with sso_use_https=True
+# Keystore password is required for https enabled SSO
+sso_keystore_password=''
+
+# Single-Sign-On configuration
+sso_console_admin_password=''
+
+# Hostname used for access to RH SSO server
+# If SSO is not provided in inventory for configuration, then the SSO host 
+# needs to be defined with the below.
+# sso_host=''
+
+# The default install will register node to the Red Hat Insights Service
+# if the node is registered with Subscription Manager. Set to False to disable.
+# enable_insights_collection = True

roles/infrastructure/tasks/database.yml

@@ -21,6 +21,7 @@
     id: "aap-infrastructure-{{ deployment_id }}-db"
     state: present
     engine: postgres
+    db_name: aap
     engine_version: "{{ infrastructure_db_engine_version }}"
     allow_major_version_upgrade: "{{ infrastructure_db_allow_major_version_upgrade }}"
     auto_minor_version_upgrade: "{{ infrastructure_db_auto_minor_version_upgrade }}"
@@ -32,7 +33,8 @@
     storage_type: "{{ infrastructure_db_storage_type }}"
     iops: "{{ infrastructure_db_storage_iops | default(None) }}"
     allocated_storage: "{{ infrastructure_db_allocated_storage }}"
-    db_security_groups: "{{ infrastructure_db_security_groups }}"
+    vpc_security_group_ids: 
+      - "{{ infrastructure_security_group.group_id }}"
     db_subnet_group_name: "{{ infrastructure_db_subnet_group.subnet_group.name }}"
     tags:
       Name: "aap-infrastructure-{{ deployment_id }}-db"
@@ -42,3 +44,9 @@
   tags:
     - database
   register: infrastructure_db
+
+- name: Set DB stats
+  ansible.builtin.set_stats:
+    data:
+      infrastructure_db_host: "{{ infrastructure_db.endpoint.address }}"
+    per_host: false