Automation with Power


Ansible ibm.power_hmc.powervm_inventory plugin security question

  • 1.  Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Sun June 01, 2025 07:04 PM

    I'm trying to use the inventory plugin that's part of ibm.power_hmc. 

    powervm_inventory, as per the documentation on Galaxy (Ansible Galaxy), connects to the HMC, pulls and populates AAP inventory. In general, the plugin works as advertised, but what I do NOT want to do is hard-code hostnames and credentials into the YAML file, as provided in all the examples.

    I've tried various different ways to pass it variables in AAP but have had zero success. Has anyone found a way to implement this add-in without hardcoding credentials? The last thing I want is credentials stored in any sort of repository.

    Thanks,



    ------------------------------
    Mark Steele
    Guru
    Direct Systems Support
    San Diego CA
    ------------------------------


  • 2.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Mon June 02, 2025 03:26 AM

    Hi Mark,

    I don't know a way to pass credentials variables into inventory. But can ansible-vault help you? You can encrypt your inventory file.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Mon June 02, 2025 09:47 AM

    Hi Andrey,

    Was thinking I'd give that a try, but it would be a band-aid at best. I'd really like a generic inventory plug-in file that I can pass variables to. Using a vault would require me to hardcode all the information into the YAML file, just with an encrypted password. Also, I think it's unlikely to work, since the vault requires a password, which, I think, would be the same thing as trying to pass a variable. I will put that in as a feature request in GitHub.



    ------------------------------
    Mark Steele
    Guru
    Direct Systems Support
    San Diego CA
    ------------------------------



  • 4.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 02:25 AM

    Hi!

    Ansible is quite flexible in how to open a vault, as you can basically use any script for that. That could, for example, be a tiny script that outputs an environment variable.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 5.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 06:46 AM

    Mark,

    Hi, good day to you.

    Are you looking to do something like the below then?

    plugin: ibm.power_hmc.powervm_inventory
    hmc_hosts:
      - hmc: "HMC1"
        user: "{{ lookup('env', 'hmc_username') }}"
        password: "{{ lookup('env', 'hmc_password') }}"
      - hmc: "HMC2"
        user: "{{ lookup('env', 'hmc_username') }}"
        password: "{{ lookup('env', 'hmc_password') }}"
      - hmc: "HMC3"
        user: "{{ lookup('env', 'hmc_username') }}"
        password: "{{ lookup('env', 'hmc_password') }}"
    filters:
        PartitionState: 'running'

    Many thanks, Steve



    ------------------------------
    Steve Munday
    AIX, IBMi, HMC, PowerVM, PowerVS, Ansible automation engineering
    ------------------------------



  • 6.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 10:46 AM

    If I understand this correctly, this would be using environment variables. Not exactly sure how I would pass them to an execution environment or how to keep that secure. Might be worth mucking with, thanks Steve. It would just be so much smoother if I could just pass variables and/or credentials to the plugin.



    ------------------------------
    Mark Steele
    Guru
    Direct Systems Support
    San Diego CA
    ------------------------------



  • 7.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 11:20 AM

    When I finished this, I realized it might not apply to exactly what you are doing... but I think it's the first mention of custom credential types in this forum, so I decided to send anyway.

    In AAP you can make a Custom Credential Type. That custom type can have "injectors" that set variables in the environment, or just as extra vars on the job template, or both.  You get to decide what the variables are named, etc.

    Here is some configuration-as-code I wrote recently (you are NOT going to do it this way):

      - name: Integrated Lights Out (ILO) Credential
        description: Credential Type for HPE Server Hardware Management
        kind: net
        inputs:
          fields:
            - id: ilo_username
              label: Storage Virtualize Username
              type: string
            - id: ilo_password
              label: Storage Virtualize Password
              type: string
              secret: true
          required:
            - ilo_username
            - ilo_password
        injectors:
          extra_vars:
            ilo_username: !unsafe "{{ ilo_username }}"
            ilo_password: !unsafe "{{ ilo_password }}"
          env:
            ilo_username_env: !unsafe "{{ ilo_username }}"
            ilo_password_env: !unsafe "{{ ilo_password }}"

    Again, this is just for an example. When you add a credential type in AAP, you will see basically the above fields to fill out. Then you create an instance of your new type in AAP and assign actual values to these fields, just like you would a machine credential or a vault credential. You're just making a new type so you can use more than one credential and this one doesn't clobber a built-in type's variable names.

    I just looked at the inventory source definition in an AAP server. Assuming you are keeping the inventory source definition in a project, the credential assigned to the project definition is about syncing the project itself. Updating the inventory from the project is a separate step, and inventory sources associated with projects don't seem to get separate credentials. Other types of inventory sources do, though, so you might need to create a custom inventory source type... I'm not sure.

    I hope this helps a little, with this or the next thing.



    ------------------------------
    --
    Stephen Ulmer
    Enterprise Architect
    Mainline Information Systems
    ------------------------------



  • 8.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 11:29 AM

    Mark,

    Hi, here's what I have defined in AWX, does that help or hinder?

    Administration > Credential types

    Created a credential called "Hardware Management Console"

    Within that (credential) definition is a field called "Input configuration" into which I put:

    fields:
      - id: username
        type: string
        label: Username
      - id: password
        type: string
        label: Password
        secret: true
    required:
      - username
      - password

    In the field called "Injector configuration" I put:

    env:
      hmc_password: '{{ password }}'
      hmc_username: '{{ username }}'

    I then created a new Credential (Resources > Credentials) called "UNIX-HMC" which has a Credential Type of "Hardware Management Console" (i.e. taken from the name of the Credential Type we defined above).

    I then created a new Inventory (Resources > Inventories) called "HMC_Inventory" which has the following configuration:

    (Source) Name: HMC_plugin

    Source: Sourced from a Project

    Project: UNIX-ibm  << You will need to have already defined a GitHub centric project as that's where the inventory playbook is located

    Inventory file: / (project root)   << Our inventory (playbook) file is called "hosts.power_hmc.yml" (excerpt provided earlier) which is all alone in its own Repo just to keep things very simple

    Credential: UNIX-HMC (we created this above)

    Enabled options: "Overwrite local groups and hosts from remote inventory source" and "Update on launch"

    Once all the above has been defined and an initial "sync" at the Inventory layer has been run you should then see the HMC inventory appear within the "Group" and "Host" tabs of the inventory based upon how you have defined / filtered your inventory.yml playbook.

    Hope that provides some insight into a possible way you can go about things.

    Many thanks, Steve



    ------------------------------
    Steve Munday
    AIX, IBMi, HMC, PowerVM, PowerVS, Ansible automation engineering
    ------------------------------



  • 9.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 12:29 PM

    You all rock! That works as a great solution. So here's the summary of what I did.

    Created a custom credential:

    Input Configuration

    fields:
      - id: username
        type: string
        label: Username
      - id: password
        type: string
        label: Password
      - id: hostname
        type: string
        label: Hostname
    required:
      - username
      - password
      - hostname

    Injector configuration

    env:
      hmc_hostname: '{{ hostname }}'
      hmc_password: '{{ password }}'
      hmc_username: '{{ username }}'

    Then added an actual credential with HMC hostname, user and password.

    Then created an inventory source that uses this new credential and the plugin in as generic a state as possible, pulled from a project. The YAML looks like this:

    # Pull inventory from a single HMC
    ---
    plugin: ibm.power_hmc.powervm_inventory
    advanced_fields: true
    hmc_hosts:
      - hmc: "{{ lookup('env', 'hmc_hostname') }}"
        user: "{{ lookup('env', 'hmc_username') }}"
        password: "{{ lookup('env', 'hmc_password') }}"
    keyed_groups:
      - prefix: type
        key: PartitionType
    compose:
      current_memory: CurrentMemory
      os: OperatingSystemVersion
      name: PartitionName
      HMCIP: AssociatedHMC

    When run, this now pulls in the inventory information from the HMC and populates AAP. This also allows me to use this project file for any HMC, just a one-to-one mapping between inventory sources, credentials and HMCs.

    This is working great.  Thanks again!

    Hopefully this will help someone in the future.



    ------------------------------
    Mark Steele
    Guru
    Direct Systems Support
    San Diego CA
    ------------------------------
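The posts above wire a custom credential type's env injectors to lookup('env', ...) calls in the inventory file. Two things go wrong quietly in that setup: a field holding a password that was not marked secret: true, or an injector or lookup that names a variable nobody sets, in which case the plugin gets an empty string for the HMC login. The script below is an added example, not code from the ibm.power_hmc collection or from AAP/AWX; it embeds the thread's final credential type and inventory mapping as constructed Python dicts, lints the credential type definition, simulates the env injector, and resolves the inventory lookups, refusing to continue on a missing variable. The SECRET_HINTS heuristic and the two regexes are this script's own assumptions about what a sane definition looks like.

```python
"""Pre-flight check for an AAP/AWX custom credential type plus the
powervm_inventory YAML that consumes it via lookup('env', ...).
Added example; not code from ibm.power_hmc or from AAP."""
import re

# Constructed: the custom credential type from the final post in the thread.
CREDENTIAL_TYPE = {
    "inputs": {
        "fields": [
            {"id": "username", "type": "string", "label": "Username"},
            {"id": "password", "type": "string", "label": "Password", "secret": True},
            {"id": "hostname", "type": "string", "label": "Hostname"},
        ],
        "required": ["username", "password", "hostname"],
    },
    "injectors": {
        "env": {
            "hmc_hostname": "{{ hostname }}",
            "hmc_password": "{{ password }}",
            "hmc_username": "{{ username }}",
        }
    },
}

# Constructed: the hmc_hosts entry of the generic inventory source file.
INVENTORY_HMC_HOST = {
    "hmc": "{{ lookup('env', 'hmc_hostname') }}",
    "user": "{{ lookup('env', 'hmc_username') }}",
    "password": "{{ lookup('env', 'hmc_password') }}",
}

# Assumption: field ids containing these words should carry secret: true so
# AAP stores them encrypted and masks them in the UI.
SECRET_HINTS = ("password", "passwd", "secret", "token", "key")

INJECTOR_REF = re.compile(r"^\{\{\s*(\w+)\s*\}\}$")
ENV_LOOKUP = re.compile(r"^\{\{\s*lookup\(\s*'env'\s*,\s*'(\w+)'\s*\)\s*\}\}$")


def lint_credential_type(ctype):
    """Return a list of problems found in a credential type definition."""
    problems = []
    fields = {f["id"]: f for f in ctype.get("inputs", {}).get("fields", [])}
    for fid, f in fields.items():
        if any(h in fid.lower() for h in SECRET_HINTS) and not f.get("secret"):
            problems.append(f"field '{fid}' looks sensitive but lacks secret: true")
    for req in ctype.get("inputs", {}).get("required", []):
        if req not in fields:
            problems.append(f"required field '{req}' is not defined in fields")
    for section in ("env", "extra_vars"):
        for name, template in ctype.get("injectors", {}).get(section, {}).items():
            m = INJECTOR_REF.match(template)
            if not m:
                problems.append(f"injector {section}.{name} is not a plain field reference: {template!r}")
            elif m.group(1) not in fields:
                problems.append(f"injector {section}.{name} references undefined field '{m.group(1)}'")
    return problems


def injected_env(ctype, values):
    """Simulate the env injector: map env var name -> value from credential inputs."""
    env = {}
    for name, template in ctype["injectors"].get("env", {}).items():
        field = INJECTOR_REF.match(template).group(1)
        env[name] = values[field]
    return env


def resolve_inventory(host_spec, env):
    """Resolve lookup('env', ...) templates against env; raise on an unset or
    empty variable, which the plugin would otherwise pass silently to the HMC login."""
    resolved = {}
    for key, template in host_spec.items():
        m = ENV_LOOKUP.match(template)
        if not m:
            resolved[key] = template  # literal value, not a lookup
            continue
        var = m.group(1)
        if not env.get(var):
            raise KeyError(f"{key}: environment variable '{var}' is unset or empty")
        resolved[key] = env[var]
    return resolved


def masked(resolved):
    """Copy of a resolved host spec with the password hidden, safe to log."""
    return {k: ("********" if k == "password" else v) for k, v in resolved.items()}


if __name__ == "__main__":
    print("lint:", lint_credential_type(CREDENTIAL_TYPE) or "ok")
    # Constructed sample values; in AAP these live in the credential object, never in the repo.
    env = injected_env(CREDENTIAL_TYPE, {"username": "hscroot", "password": "example-only",
                                         "hostname": "hmc1.example.com"})
    print(masked(resolve_inventory(INVENTORY_HMC_HOST, env)))
    try:
        resolve_inventory(INVENTORY_HMC_HOST, {})
    except KeyError as e:
        print("missing credential:", e)
```

Running it prints an empty lint result for the thread's definition, the resolved host entry with the password masked, and then the error you would want to see at sync time instead of an HMC login failure with a blank password. Feeding it the ILO definition from the earlier post would flag nothing functional either, since its password field is marked secret and every injector refers to a defined field; drop the secret: true or misspell a field id and the lint reports it.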



  • 10.  RE: Ansible ibm.power_hmc.powervm_inventory plugin security question

    Posted Tue June 03, 2025 12:51 PM

    Mark,

    Excellent, glad our collective thoughts have helped you out.

    In my inventory playbook I also included "groups:" and "exclude_lpar:" to slice'n'dice things to meet my needs.

    Happy Inventory-ing :-)

    All the best, Steve



    ------------------------------
    Steve Munday
    AIX, IBMi, HMC, PowerVM, PowerVS, Ansible automation engineering
    ------------------------------