Ansible Playbooks — StackStorm 3.9.0 documentation
Want to use Ansible to deploy StackStorm? Look no further - here’s the details on Ansible playbooks and roles to install StackStorm. Perfect for repeatable, configurable, and idempotent production-friendly StackStorm installations.
The source code for all our playbooks is available as a GitHub repo: StackStorm/ansible-st2.
Supported Platforms
Our Ansible playbooks support the same platforms as manual installation, i.e.:
Ubuntu Bionic (18.04)
Ubuntu Focal (20.04)
RHEL 7/CentOS 7
RHEL 8/RockyLinux 8/CentOS 8
Note
StackStorm is verified on RHEL/RockyLinux 8.x distributions, but our RPMs should be compatible with other RHEL``8.x`` derivatives, e.g. CentOS 8 Stream.
The same system size requirements also apply.
Quick Start
To get started with a single node deployment, and default configuration settings, run these commands:
git clone https://github.com/StackStorm/ansible-st2.git cd ansible-st2 ansible-playbook stackstorm.yml
Roles
Behind the scenes the stackstorm.yml play is composed of the following Ansible roles for a
complete installation:
epel- Repository with extra packages forRHEL/RockyLinux/CentOS.mongodb- Main DB storage engine.rabbitmq- Message broker.st2repos- Adds StackStorm PackageCloud repositories.st2- Install and configure StackStorm itself. This includesLDAPandRBACin StackStorm >= 3.4, however these features will not be enabled by default.nginx- Dependency forst2web.st2web- Nice & shiny WebUI for StackStorm. This includes Workflow Designer in StackStorm >= 3.4.nodejs- Dependency forst2chatops.st2chatops- Install and configure st2chatops for hubot adapter integration with StackStorm.st2smoketests- Simple checks to see if StackStorm is working.
For StackStorm versions earlier than 3.3, Extreme Networks provided a commercial version of the StackStorm automation platform (EWC). EWC contained advanced features like RBAC, LDAP and the Workflow Designer. Since StackStorm 3.4 RBAC and LDAP are core-features of StackStorm itself and the FlowUI as part of st2web replaces the Workflow Designer. Therefore, the ewc role is no longer supported and the LDAP and RBAC backends are now configured and deployed via the st2 role. The FlowUI does not require any configuration.
Example Play
Here’s a more advanced example showing how to customize your StackStorm deployment:
- name: Install StackStorm with all services on a single node hosts: all roles: - mongodb - rabbitmq - nginx - nodejs - name: Install StackStorm Packagecloud repository role: st2repo vars: st2repo_name: stable - name: Install and configure st2 role: st2 vars: st2_version: latest st2_auth_enable: yes st2_auth_username: testu st2_auth_password: testp st2_save_credentials: yes st2_system_user: stanley st2_system_user_in_sudoers: yes # Dict to edit https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample st2_config: {} - name: Install st2web role: st2web - name: Install st2chatops with "slack" hubot adapter role: st2chatops vars: st2chatops_version: latest st2chatops_st2_api_key: CHANGE-ME-PLEASE # (optional) This can be generated using "st2 apikey create -k" st2chatops_hubot_adapter: slack st2chatops_config: HUBOT_SLACK_TOKEN: xoxb-CHANGE-ME-PLEASE - name: Verify StackStorm Installation role: st2smoketests
Check out the full list of Variables.
Custom SSL Certificate for st2web
By default we generate a self-signed certificate for nginx in st2web role. If you have your own properly signed certificate, you can use that instead:
- name: Configure st2web with custom SSL certificate role: st2web vars: st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}" st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"
Installing Behind a Proxy
If you are installing from behind a proxy, you can use the environment variables http_proxy,
https_proxy, and no_proxy. They will be passed through during the execution.
--- - name: Install st2 hosts: all environment: http_proxy: http://proxy.example.net:8080 https_proxy: http://proxy.example.net:8080 no_proxy: 127.0.0.1,localhost roles: - st2
Enabling LDAP authentication and add RBAC configuration
By default LDAP authentication & RBAC are disabled. You can enable and configure these features via the Stackstorm.st2 role to allow/restrict/limit StackStorm functionality to specific users:
- name: Install and configure st2 with enabled LDAP authentication and RBAC role: st2 vars: st2_version: latest st2_auth_enable: yes st2_auth_username: testu st2_auth_password: testp st2_save_credentials: yes st2_system_user: stanley st2_system_user_in_sudoers: yes # Dict to edit https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample st2_config: {} st2_ldap_enable: yes st2_ldap: # Configure the LDAP connection and query attributes # https://docs.stackstorm.com/authentication.html#ldap backend_kwargs: bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net" bind_password: "foobar123" base_ou: "dc=example,dc=net" group_dns: - "CN=stormers,OU=groups,DC=example,DC=net" host: identity.example.net port: 389 id_attr: "samAccountName" st2_rbac_enable: yes st2_rbac: # Define roles and permissions # https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants roles: - name: core_local_only description: "This role has access only to action core.local in pack 'core'" enabled: true permission_grants: - resource_uid: "action:core:local" permission_types: - action_execute - action_view - permission_types: - runner_type_list # Assign roles to specific users # https://docs.stackstorm.com/rbac.html#defining-user-role-assignments assignments: - name: test_user roles: - core_local_only - name: stanley roles: - admin - name: chuck_norris roles: - system_admin
Note
Please refer to https://github.com/StackStorm/ansible-st2 for updates and more detailed examples, descriptions and code. If you’re familiar with Ansible, and think you’ve found a bug, or would like to propose a feature or pull request, your contributions are very welcome!