Chapter 2. Installation
2.1. Prerequisites
Before you can install and register Ansible Automation Platform, you must be familiar with GCP including how services operate, how data is stored, and any privacy implications that may exist by using these services. You must also set up an account with Google Cloud Platform (GCP).
You must have a working knowledge of the following aspects of Google Cloud Platform:
- Deploying solutions from the GCP Marketplace
- Compute engine Virtual machine (VM) instances
- Cloud SQL for PostgreSQL
- Filestore
GCP Virtual Private Clouds (VPCs)
- Subnets
- Route Tables
- Load Balancers
Network Design
- Hub-and-spoke networking designs
- VPC Peering
- Classless Inter-Domain Routing (CIDR) blocks
- Transit routing
GCP Cloud monitoring
- GCP Ops agent
- SSH
For more information about Google Cloud Platform and terminology, see the GCP product documentation.
2.2. Create a project
To install Ansible Automation Platform, you must create a project in your Google Cloud Platform account to host the application if you do not already have one. See Creating and managing projects in the GCP documentation.
2.2.1. Required APIs
Your Google Cloud Platform (GCP) project requires access to several API services to complete Ansible Automation Platform installation. On marketplace deployment, the process automatically attempts to enable the following APIs.
If you prefer, you can enable the APIs ahead of time to ensure they are permitted by your organization.
API Service | Console service name |
---|---|
Compute Engine API | |
Google Cloud APIs | |
Identity and Access Management (IAM) API | |
Cloud SQL Admin API | |
Cloud Logging API | |
Cloud Monitoring API | |
Cloud Resource Manager API | |
Cloud Identity-Aware Proxy API | |
Secret Manager API | |
Service Networking API | |
Service Usage API | |
OS Config API | |
Cloud Runtime Configuration API | |
Cloud Filestore API | |
2.2.2. Create a service account
You must have a service account to set up Ansible Automation Platform from GCP Marketplace. This account is used to install and configure the application and remains associated with the Ansible Automation Platform virtual machines. You can use an existing service account with the required roles, or the Ansible Automation Platform deployment can create one with the required roles on your behalf. If you use an existing account, or create a service account in advance, it must have the following roles:
- Editor
- Logs Writer
- Cloud SQL Client
- Cloud SQL Instance User
- Secret Manager Secret Accessor
- Compute Network Admin
See Grant a single role for steps to add the required roles to your existing service account.
The Compute Network Administrator role is only required at the time of deployment to configure the application properly. When installation and configuration are complete, this role can be removed from the service account, which remains configured on the Ansible Automation Platform Virtual Machines.
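As an added example (not part of the original documentation), this Python check audits a project IAM policy for the service account: it reports which of the roles listed above are missing and whether Compute Network Admin is still bound once deployment has finished. The role IDs, the service account name and the sample policy are assumptions constructed for the example; a real policy can be exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
# The page lists role titles only; these are the standard GCP predefined-role
# IDs for those titles (supplied for this example, not taken from the page).
REQUIRED = {
    "roles/editor": "Editor",
    "roles/logging.logWriter": "Logs Writer",
    "roles/cloudsql.client": "Cloud SQL Client",
    "roles/cloudsql.instanceUser": "Cloud SQL Instance User",
    "roles/secretmanager.secretAccessor": "Secret Manager Secret Accessor",
    "roles/compute.networkAdmin": "Compute Network Admin",
}
# Needed only while the deployment runs; removable afterwards.
DEPLOY_ONLY = {"roles/compute.networkAdmin"}

# Constructed sample in the shape of an exported project IAM policy.
SA = "aap-deployer@example-project.iam.gserviceaccount.com"  # hypothetical
M = f"serviceAccount:{SA}"
SAMPLE_POLICY = {"version": 1, "bindings": [
    {"role": "roles/editor", "members": [M, "user:admin@example.com"]},
    {"role": "roles/logging.logWriter", "members": [M]},
    {"role": "roles/cloudsql.client", "members": [M]},
    {"role": "roles/cloudsql.instanceUser", "members": [M]},
    {"role": "roles/compute.networkAdmin", "members": [M]},
    {"role": "roles/storage.admin", "members": [M]},
    # Bound to a different principal, so it does not count for the SA.
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["user:admin@example.com"]},
]}


def roles_for(policy, sa_email):
    """Return the set of role IDs bound directly to the service account."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, sa_email, deployed):
    """Compare the service account's roles with the documented list."""
    held = roles_for(policy, sa_email)
    needed = set(REQUIRED) - (DEPLOY_ONLY if deployed else set())
    return {
        "missing": sorted(needed - held),
        "removable": sorted(held & DEPLOY_ONLY) if deployed else [],
        "unlisted": sorted(held - set(REQUIRED)),
    }


if __name__ == "__main__":
    for finding, roles in audit(SAMPLE_POLICY, SA, deployed=True).items():
        print(f"{finding}: {', '.join(roles) or '-'}")
```

The check reads project-level bindings only; roles inherited from a folder or organization do not appear in the project policy.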
2.2.3. Policies and permissions
Your GCP account must have the following Identity and Access Management (IAM) permissions to successfully create and manage Ansible Automation Platform deployments as well as the resources described in Application architecture.
Your GCP account must also be licensed to deploy Ansible Automation Platform from GCP Marketplace.
The application can fail to deploy if your IAM policies restrict deployment and management of these resources.
The application has two deployment options:
- Create a deployment with a new VPC.
- Create a deployment using an existing VPC.
Both options require the same minimum permissions:
- Cloud SQL Client
- Cloud SQL Instance User
- Compute Network Admin
- Editor
- Logs Writer
- Secret Manager Secret Accessor
2.3. Application deployment
To launch your offer on the Google Cloud Console, navigate to the marketplace and search for Red Hat Ansible Automation Platform 2 - Up to 100 Managed Nodes. After selecting this offer click .
There are four virtual machines included in this product listing. Three n2-standard-2 virtual machines make up the permanent compute components of the solution. Additionally, a single ephemeral e2-medium instance is used to run Red Hat Ansible Automation Platform and Google Cloud deployment workloads. This virtual machine is only used during deployment and then is permanently removed from the solution. The infrastructure cost for the ephemeral VM is charged at the hourly rate during the period that the VM exists, usually less than an hour.
A temporary yet necessary constraint has been placed on the length of deployment names. This is due to GCP’s naming scheme for internal components that make up an Ansible Automation Platform deployment. Component names based on this naming scheme can get too long and often break naming constraints imposed by other services, creating deployment errors.
The length of the name of your deployment, plus the length of your GCP project name must be less than 35 characters and the length of the deployment name must be less than 30 characters.
The calculation below will help you find the maximum length of the name of an Ansible Automation Platform deployment in your project.
length of deployment name <= (minimum between 30 and 35) - length(gcp project name)
There are two methods for deploying the application:
2.3.1. Deploying an application with a new VPC
This procedure creates a new VPC network and deploys the application in the created VPC.
The process of deploying the application using a new VPC has been deprecated, and the functionality will be removed from Ansible Automation Platform from GCP Marketplace in a future release.
Procedure
- In the Deployment page, select the Service Usage API link below the Confirm Service Usage API is enabled checkbox.
- In the API/Service Details tab, ensure that the API is enabled, then return to the Deployment page.
- Check the Confirm Service Usage API is enabled checkbox.
- Select or create a Service Account. For further information see Your service account.
- In the Region field, select the region where you want the application deployed.
- In the Zone field, select the zone where you want the Filestore deployed. The zone must be in the Region you selected.
- In the Observability section, you can enable logging and metrics to be sent to Cloud Logging and Cloud Monitoring. See Operations Suite Pricing for the financial cost of enabling these services. See Monitoring and logging for more information on configuring this feature.
- In the Network Selection section, select New network. The Networking section provides defaults for all of the network ranges used in the deployment. If you want to modify these values, see Networking Options.
- Optional: In the Additional Labels section, provide any additional label key and value pairs to be added to the GCP resources that are part of the deployment. Valid keys and values must meet GCP label requirements. For a key, only hyphens, underscores, lowercase characters and numbers are permitted. A key must start with a lowercase character. For a value, only hyphens, underscores, lowercase characters and numbers are permitted.
- Click .
- The Deployment Manager displays the running deployment.
- The application begins provisioning. It can take some time for the infrastructure and application to fully provision.
You will see a warning on the deployment:
This deployment has resources from the Runtime Configurator service, which is in Beta.
This warning is expected and is not a cause for concern.
If you want to modify your network ranges post deployment, your current deployment must be deleted, then follow the instructions in Deploying an application with an existing VPC.
2.3.2. Deploying an application with an existing VPC
The following procedure uses an existing VPC network to deploy an application.
Procedure
- In the Deployment page, select the Service Usage API link below the Confirm Service Usage API is enabled checkbox.
- In the API/Service Details tab, ensure that the API is enabled, then return to the Deployment page.
- Check the Confirm Service Usage API is enabled checkbox.
- Select or create a Service Account. For further information, see Your service account.
- In the Region field, select the region where you want the application deployed.
- In the Zone field, select the zone where you want the Filestore deployed. The zone must be in the Region you selected.
- In the Observability section, you can enable logging and metrics to be sent to Cloud Logging and Cloud Monitoring. See Operations Suite Pricing for the financial cost of enabling these services. See Monitoring and logging for more information on configuring this feature.
- In the Network Selection section, select Existing network.
  In the Existing Network section, provide your existing VPC network name, existing subnet name and existing proxy subnet name.
  Note: The existing proxy subnet must be of type Regional Managed Proxy, which is the reserved proxy-only subnet for load balancing.
  Select cloud NAT router to create a NAT router in your VPC network.
- The Networking section provides defaults for all of the network ranges used in the deployment. Provide these values based on your existing network configuration. If you want to modify these values, see Networking Options.
- Optional: In the Additional Labels section, provide any additional label key and value pairs to be added to the GCP resources that are part of the deployment. Valid keys and values must meet GCP label requirements. For a key, only hyphens, underscores, lowercase characters and numbers are permitted. A key must start with a lowercase character. For a value, only hyphens, underscores, lowercase characters and numbers are permitted.
- Click .
- The Deployment Manager displays the running deployment.
- The application begins provisioning. It can take some time for the infrastructure and application to fully provision.
Note: You will see a warning on the deployment:
This deployment has resources from the Runtime Configurator service, which is in Beta.
This warning is expected and is not a cause for concern.
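As an added example (not part of the original documentation), this Python pre-flight check tests a deployment name and a set of additional labels against the constraints stated in Application deployment and in the Additional Labels step before the form is submitted. It applies the two name limits as the prose gives them (strictly less than 30, and strictly less than 35 together with the project name); the function names and the 63-character label cap (GCP's general label limit, not stated on this page) are assumptions.

```python
import re

# Limits from the "Application deployment" section (both are strict).
NAME_LIMIT = 30          # len(deployment name) must be < 30
COMBINED_LIMIT = 35      # len(deployment name) + len(project name) must be < 35
# Assumption: GCP's general cap on label keys and values, not stated on the page.
LABEL_MAX = 63

# Keys: lowercase letters, digits, hyphens, underscores; must start with a letter.
KEY_RE = re.compile(r"[a-z][a-z0-9_-]*")
# Values: same character set, no leading-character rule.
VALUE_RE = re.compile(r"[a-z0-9_-]*")


def max_deployment_name_length(project_name):
    """Longest deployment name that satisfies both limits (0 if none fits)."""
    return max(0, min(NAME_LIMIT - 1, COMBINED_LIMIT - 1 - len(project_name)))


def preflight(deployment_name, project_name, labels):
    """Return a list of problems; an empty list means the inputs pass."""
    problems = []
    limit = max_deployment_name_length(project_name)
    if not deployment_name:
        problems.append("deployment name is empty")
    elif len(deployment_name) > limit:
        problems.append(
            f"deployment name has {len(deployment_name)} characters; "
            f"at most {limit} fit with project {project_name!r}")
    for key, value in labels.items():
        if len(key) > LABEL_MAX or not KEY_RE.fullmatch(key):
            problems.append(f"invalid label key {key!r}")
        if len(value) > LABEL_MAX or not VALUE_RE.fullmatch(value):
            problems.append(f"invalid label value {value!r} for key {key!r}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a 28-character name in a 7-character project.
    for line in preflight("a" * 28, "my-proj", {"Env": "prod", "team": "ops"}):
        print(line)
```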
2.4. Deployment information
After deploying Ansible Automation Platform, use the following procedures to retrieve information about your deployment.
2.4.1. Retrieving the administration password
Use the following procedure to retrieve the administration password.
Procedure
- In the GCP UI, select the main menu.
- Select Security. If you do not see Security, select View All Products.
- Select Secret Manager.
- Filter with the name of the deployment. The secret name format is <DeploymentName>-aap-admin.
- Click on the secret name of the deployment.
- Click the ⋮ icon on the line of the deployment.
- Select View secret value. The administration password is displayed.
2.4.2. Retrieving the load balancer addresses
Use the following procedure to retrieve the controller and hub IP addresses.
Procedure
- In the GCP UI, select the main menu.
- Select Deployment Manager.
- Select Deployments.
- Select the deployment name.
- Select View Details.
- In the right pane, under Deployment properties, find the Layout line.
- Select View. The Outputs: section shows the finalValue for the name controllerIp and hubIp.
2.5. Setting up monitoring and logging at deployment time
Procedure
- In the GCP UI, navigate to .
Check the Connect Logging and Connect Metrics checkboxes.
Note: These checkboxes are only available in the foundation deployment.
2.6. Deploying an extension node
You configure extension nodes after you have purchased and launched an extension from the public or private offer.
Procedure
- In the Deployment name field, enter a sufficiently short name as described in Application deployment.
- For the Service Account, select the service account used with your Red Hat Ansible Automation Platform with up to 100 Managed Nodes deployment.
- In the Region field, select the region where you want the application deployed.
- In the Zone field, select a zone in the Region you selected when deploying your foundational offer. This field is only used to filter the Network list.
- In the Main Deployment Name field, enter the foundation deployment name for which you are deploying an extension.
  Note: Main Deployment Name is a required field.
- In the Networking section, expand the default option.
- In the Network field, select the existing foundation network ending with -aap-net. In the Subnetwork field, select the existing foundation subnetwork ending with -aap-subnet.
  Important: Do not select the subnet ending with -aap-proxy-subnet.
  Note: In case of an error stating "Make sure all fields are correct to continue" and "You must select a Network", reselect the values from the menu and click .
- Ensure Extend Ansible Automation Platform deployment in selected VPC is checked.
- Click .
- The Deployment Manager displays the running deployment.
The extension begins provisioning.
It can take some time for the infrastructure and extension to fully provision.