Procedure Manual: Integrating Playbooks in Ansible
Title: Playbook Integration and Execution
Objective: Combine multiple Ansible playbooks into a single playbook that executes tasks on specified hosts or groups. This manual details the steps to integrate and execute multiple playbooks using import_tasks and explains best practices, including removing the hosts directive from the individual playbooks.
Steps to Integrate Multiple Playbooks

- Create the Main Playbook
Create a main playbook that includes the other playbooks as tasks. Use the import_tasks directive to include the tasks from the other playbook files. This approach allows you to manage and run several playbooks from a single file.

    ---
    - name: Harden Ubuntu Servers
      hosts: webservers, dbservers
      become: yes
      tasks:
        - name: Include SSH key distribution playbook
          import_tasks: ansible/playbooks/1-distribute_ssh_keys.yml
        - name: Include SSH security playbook
          import_tasks: ansible/playbooks/2-secure_ubuntu-ssh.yml
        - name: Include UFW setup playbook
          import_tasks: ansible/playbooks/3-secure_ubuntu-ufw.yml
        - name: Include Fail2ban setup playbook
          import_tasks: ansible/playbooks/4-setup_fail2ban.yml
- Ensure Task Files Are Correctly Formatted
Each included file must contain only a list of tasks, i.e. what would normally appear under a play's tasks: section. Ensure that the tasks in each file are valid and follow YAML syntax. The file 1-distribute_ssh_keys.yml, shown in full under Example Adjustments below, is an example of such a task list.
- Remove the hosts Directive from Individual Playbooks
Reason for Removal:
- Avoid Conflicts: Removing the hosts directive prevents conflicts when including playbooks in a main playbook where hosts is already specified.
- Centralized Control: Managing hosts in the main playbook provides centralized control over the execution targets.
- Flexibility: Allows for easier reuse of playbooks in different contexts or for different groups of hosts.
How to Adjust Individual Playbooks:
- Remove the hosts directive from each playbook.
- Ensure each playbook only defines tasks.
Example Adjustments:

1-distribute_ssh_keys.yml

    ---
    - name: Create Group
      group:
        name: "{{ item }}"
        state: present
      with_items:
        - "ansible"
    - name: Create users and SSH Keys
      user:
        # Pre-hashed (sha512-crypt) password; keep values like this in Ansible Vault
        # rather than in plain YAML that is committed to version control.
        password: "$6$GHSHYwrL8/7CQOgE$/sKgcUjQix6mlB6ctd8hhPJjgsMD3Adyy4RyQO2yfjkWdsmLxehfa9/2jQ/CY1Pwv3y.Q2WDnWamrTStIp928."
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        state: present
        shell: /bin/bash
        create_home: yes
      with_items:
        - { name: "ansible", groups: ["ansible", "sudo"] }
    - name: Install authorized Key for ansible user
      authorized_key:
        user: "ansible"
        key: "{{ lookup('file', '/home/hwdev123/.ssh/id_rsa.pub') }}"

2-secure_ubuntu-ssh.yml

    ---
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
    - name: Ensure PasswordAuthentication is uncommented and turned off
      lineinfile:
        path: /etc/ssh/sshd_config
        # "^#?" matches both the commented-out default and an already-active
        # setting. Matching only "^#PasswordAuthentication yes" would append a
        # second line at the end of the file on hosts where the option is
        # already uncommented, and sshd keeps the first value it reads.
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
    - name: Restart SSH Service
      service:
        name: sshd
        state: restarted

3-secure_ubuntu-ufw.yml

    ---
    # Allow OpenSSH before enabling the firewall so the Ansible connection
    # is not cut off when UFW starts filtering.
    - name: Allow OpenSSH
      ufw:
        name: OpenSSH
        rule: "allow"
    # The "Nginx HTTP" application profile exists only once nginx is installed.
    - name: Allow Nginx
      ufw:
        name: Nginx HTTP
        rule: "allow"
    - name: Enable UFW
      ufw:
        state: enabled

4-setup_fail2ban.yml

    ---
    - name: Install Fail2ban
      apt:
        name: fail2ban
        update_cache: yes
        state: present
    - name: Start fail2ban service
      service:
        name: fail2ban
        enabled: yes
        state: started
    # The service module returns no stdout, so the status check runs
    # fail2ban-client and is marked changed_when: false because it only reads.
    - name: Check fail2ban status
      command: fail2ban-client status
      register: result
      changed_when: false
    - name: Print result
      debug:
        var: result.stdout
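Why the regexp in the PasswordAuthentication task matters: "^#PasswordAuthentication yes" matches only the commented-out default, while "^#?PasswordAuthentication" also matches a setting that is already active. The added example below (not part of this manual or of Ansible) models lineinfile's replace-or-append behaviour and sshd's first-match rule on two constructed sshd_config fragments, so the difference in the resulting effective setting can be seen without touching a host.

```python
import re

def lineinfile(text, regexp, line):
    """Model of Ansible lineinfile with state=present: the last line matching
    regexp is replaced; if nothing matches but the exact line already exists,
    nothing changes; otherwise the line is appended at end of file."""
    lines = text.splitlines()
    matches = [i for i, l in enumerate(lines) if re.search(regexp, l)]
    if matches:
        lines[matches[-1]] = line
    elif line not in lines:
        lines.append(line)
    return "\n".join(lines) + "\n"

def effective_value(text, keyword):
    """sshd_config semantics (simplified: no Match blocks, no 'key=value'
    form): comment lines are skipped and the first occurrence of a keyword wins."""
    for l in text.splitlines():
        s = l.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None

# Constructed sshd_config fragments: the stock commented default, and a host
# where someone has already switched password logins on.
STOCK = "#PasswordAuthentication yes\nKbdInteractiveAuthentication no\n"
ALREADY_ON = "PasswordAuthentication yes\nKbdInteractiveAuthentication no\n"

NARROW = r"^#PasswordAuthentication yes"  # matches only the commented default
BROAD = r"^#?PasswordAuthentication"      # matches commented or active line
LINE = "PasswordAuthentication no"

def outcome(config, regexp):
    """Apply the task's lineinfile edit and report what sshd would enforce."""
    edited = lineinfile(config, regexp, LINE)
    return effective_value(edited, "PasswordAuthentication")

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("already_on", ALREADY_ON)):
        print(name, "narrow ->", outcome(cfg, NARROW), "| broad ->", outcome(cfg, BROAD))
```

On the already-active fragment the narrow pattern leaves password logins enabled even though the playbook reports a change; the broad pattern turns them off in both cases.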
- Run the Main Playbook
Execute the main playbook using the ansible-playbook command:

    ansible-playbook ansible/playbooks/main-harden_ubuntu.yml

- Verify Execution
Check the output of the playbook run to ensure all tasks were executed successfully. Look for any errors or warnings in the output and address them as needed.

- Update and Maintain
Regularly review and update the playbooks as necessary to reflect any changes in requirements or infrastructure. Ensure that any new playbooks or tasks are integrated into the main playbook appropriately.
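A pre-run check for the procedure above, added here as an example and not part of the manual or of Ansible: it reads the main playbook, resolves every import_tasks path relative to the playbook's directory (a simplification; Ansible also searches a tasks/ subdirectory), and flags files that are missing or that still carry play-level hosts: or tasks: keys. The check is a line-based scan, not a YAML parser, and the file tree it runs on is constructed in a temporary directory.

```python
import os
import re
import tempfile

# hosts: and tasks: only make sense at play level; a file handed to import_tasks
# must be a bare task list, so either key marks it as a play, not a task file.
PLAY_KEY = re.compile(r"^\s*(?:-\s+)?(hosts|tasks):")
IMPORT = re.compile(r"^\s*-?\s*import_tasks:\s*(\S+)")

def play_level_keys(text):
    """Return (line_number, key) for every play-level key found in a task file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PLAY_KEY.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

def imported_files(main_text):
    """Return each path named by an import_tasks directive, in order."""
    matches = [IMPORT.match(line) for line in main_text.splitlines()]
    return [m.group(1) for m in matches if m]

def check_main_playbook(main_path):
    """Map each imported path to a list of problems; clean files are omitted."""
    base = os.path.dirname(os.path.abspath(main_path))
    with open(main_path) as f:
        main_text = f.read()
    problems = {}
    for rel in imported_files(main_text):
        path = os.path.join(base, rel)  # assumption: resolved next to the main playbook
        if not os.path.exists(path):
            problems[rel] = ["missing"]
            continue
        with open(path) as f:
            keys = play_level_keys(f.read())
        if keys:
            problems[rel] = [f"line {n}: {k}:" for n, k in keys]
    return problems

def demo():
    """Constructed tree: one clean task file, one that kept its hosts:, one missing."""
    d = tempfile.mkdtemp()
    files = {
        "main.yml": ("---\n- name: Harden\n  hosts: webservers\n  become: yes\n  tasks:\n"
                     "    - import_tasks: clean.yml\n    - import_tasks: play.yml\n"
                     "    - import_tasks: absent.yml\n"),
        "clean.yml": "---\n- name: Enable UFW\n  ufw:\n    state: enabled\n",
        "play.yml": "---\n- hosts: all\n  tasks:\n    - debug:\n        msg: hi\n",
    }
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return check_main_playbook(os.path.join(d, "main.yml"))
```

Running demo() reports play.yml for its hosts: and tasks: keys and absent.yml as missing, while clean.yml passes; the main playbook's own hosts: line is expected and not flagged.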
Notes:
- Use Dynamic Inventory: Consider using dynamic inventory scripts or plugins to manage your hosts. This allows for automatic updates and scalability.
- Keep Playbooks Modular: Continue to keep playbooks modular and focused on specific tasks or roles, enhancing reusability and readability.
- Regular Reviews: Regularly review and update your playbooks and inventory setup to adapt to changes in your infrastructure and requirements.
By following these best practices and the updated procedure manual, you ensure a more efficient and maintainable approach to managing and executing Ansible playbooks.