We want to manage ACS policies in a GitOps fashion with two major goals:
- All policies are stored in git and version controlled.
- Policies can be created using the ACS Central GUI.
This project implements an Ansible-based solution that will
- Pull desired configuration from a git repo.
- Pull the current configuration from ACS.
- Change current policies to the desired state.
- Create a new branch in the git repo with any changes that were made.
This meets our goals as any new policies created in the UI are reflected in the new branch which can, then, be merged into main via a pull request.
Create a new git repo and initialize it with a README.md. Create a Personal Access Token (PAT) that can read from & write to the repo.
Create an ACS API token. The ACS API token can either have the Admin role or, if you prefer, a custom role with read/write permission to the /policies API endpoint. More info can be found here.
Install Ansible Galaxy requirements with ansible-galaxy install -r requirements.yml.
Create your Ansible Vault with those variables:
vaulted_acs_host: <your-acs-host>
vaulted_acs_token: <your-acs-API-token>
vaulted_git_user: <git user with read/write access>
vaulted_git_pat: <git PAT>
vaulted_git_url: <http URL to the git repo>Run the initial.yml playbook to create the desired policy collection
ansible-playbook --ask-vault-pass initial.ymlWhen needed, execute the update.yml playbook to compare actual policies to desired, ensure that desired policies are applied, and create a new branch with any changes.
ansible-playbook --ask-vault-pass update.ymlIf desired, this could be triggered by ACS audit log entries for policy changes and/or by git webhooks on updates to the main branch.