Looks like the demo links are all broken, not sure, but for example

https://github.com/ansible/product-demos/blob/master/docs/infrastructure/azure_provision_vm.md%22

is one of the Azure VM links, and goes nowhere :(

Currently, this JT fails due to an open issue with win_psmodule in powershell_dsc.yml.
I've tested the workaround and we should add this to the play as a pre-task

The compliance DEMO cannot be completed per accompanying instructions due to insufficient memory size on the provisioned nodes. The total mem for each node is 800MB.

Steps:

1. Run the ansible job template name "Openscap report" in Ansible tower to create the openscap html report for all RHEL 8 servers

2. Check the /var/log/message - shows the error "out of memory"

The ansible tower url: https://student1..open.redhat.com/#/templates?template_search=page_size:20;order_by:name;type:workflow_job_template,job_template

Job template name: Openscap report

firewall module missing on default rhel8&9 amis. Reproduce with patching job

Failed to import the required Python library (firewall) on ip-192-168-0-103.us-east-2.compute.internal's Python /usr/libexec/platform-python. Please read the module documentation and install it in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter. Version 0.2.11 or newer required (0.3.9 or newer for offline operations)

Starting our release process, CHANGELOG & release process should be defined.

More often than not the Create AD Domain playbook takes multiple runs and reboots to complete due to some service quirks with Windows. Current work around is manually triggering a reboot after the first failure and run the playbook again.

In both the RHPDS - Ansible Product Demo site, as well as the DoD Automated Compliance site, the NETWORK / DISA STIG consistently fails (multiple reports from customers and multiple tests on my end) on the [Gathering Facts] task with the following fatal error: "msg": "ssh connection failed: ssh connect failed: Socket error: Connection reset by peer." The full stack is attached. For reference, it is calling this playbook to run the job template.

job_17.txt

add check_mode: false to yum utils install for linux patching

currently the product-demos EE configuration pulls the latest image tag, so any collection updates made in the product-demos-ee repo could cause issues with current demo content. the task that defines the product-demos EE should use a specific version tag instead of latest so updates to the EE can be tested without affecting current demo content.

Starting Ansible Product Demos Sandbox doesn't always start, even after manually approving certificates.

First, can we get rid of the need to manually approve the certificates?

Second, when I first ran this demo, even after manually approving the certificates the demo environment would not start. Josh Disraeli was able to fix this for me but I don't know what he did to actually fix it.

in addition to creating RHEL and windows instances as part of the "Deploy Cloud Stack in AWS", add the creation of a "node1" instance. this node will be used for hosting reports generated by other job templates such as the patching report, network report, etc.

depends on ansible-content-lab/aws.infrastructure_config_demos#16

when defining injectors for controller credential types (see linux/setup.yml example), the infra.controller_configuration.credential_types role has an odd requirement for adding two spaces between jinja brackets in order to pass the bracketed variable through to the credential configuration. see https://github.com/redhat-cop/controller_configuration/tree/devel/roles/credential_types#formating-injectors for details. this caused some confusion for users of this repo who weren't familiar with the requirement, so a comment should be added for clarity where used.

additionally, the {% raw %} {% endraw %} construct is not required when using the infra.controller_configuration.credential_types role and its two space construct.

re: https://issues.redhat.com/browse/NAPSPACE-16

Missing PowerShell module on AD user creation. @MKletz

Suggested fix in the warnings appears applicable

infra.controller_configuration is being better maintained than redhat_cop.controller_configuration

The VPC report is failing due to AWS permission issues.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetPublicAccessBlock operation: Access Denied
7
fatal: [localhost]: FAILED! => {"boto3_version": "1.28.62", "botocore_version": "1.31.62", "changed": false, "error": {"code": "AccessDenied", "message": "Access Denied"}, "msg": "Failed to get bucket public access configuration: An error occurred (AccessDenied) when calling the GetPublicAccessBlock operation: Access Denied", "response_metadata": {"host_id": "u/NEFouJ/8csVLtlJFC65G5wgtPvNltvmr0h93kFly0HFl1EMbC51EDAe80cYJpmZdrMaFpWqAQ=", "http_headers": {"content-type": "application/xml", "date": "Tue, 24 Oct 2023 16:49:42 GMT", "server": "AmazonS3", "transfer-encoding": "chunked", "x-amz-id-2": "u/NEFouJ/8csVLtlJFC65G5wgtPvNltvmr0h93kFly0HFl1EMbC51EDAe80cYJpmZdrMaFpWqAQ=", "x-amz-request-id": "X884301GABKE3R5H"}, "http_status_code": 403, "request_id": "X884301GABKE3R5H", "retry_attempts": 0}}

due to changes in ansible-content-lab/aws.infrastructure_config_demos@64bb2d8

the playbook playbook_create_transit_network.yml referenced by our setup no longer exists.

edit: I'm sure there are others

I have a ServiceNow developer instance which at one time week was running the Madrid release. Using the ServiceNow documentation showing Google as an Oauth2 provider, I set up ServiceNow to successfully make outbound RESTful calls into Ansible Tower. I used a self-signed certificate from Ansible Tower in order to make these calls.

When available, I upgraded my developer instance to New York. Where I was able to make outbound RESTful calls before, I am now unable to. Inspection into the Logs shows that ServiceNow is not seeing certificate for the web server:

I've gone through the settings and everything looks correct. Furthermore, I changed the system properties to ignore any certificate chain and to trust all certificates (just to take those checks out of the equation):

com.glide.communications.httpclient.verify_hostname: false

com.glide.communications.trustmanager_trust_all: true

I am still getting the message "no issuer certificate found for [webserver]." In order to test whether or not this is an issue with self-signed certificates, I created a certificate via letsencrypt.org and installed it to my webserver. This new certificate is not being recognized either, and I am still seeing "no issuer certificate found for [webserver]." This is the case both for Oauth2 authentication as well as basic authentication.

I am at a point where nothing is readily apparent as to something being misconfigured in ServiceNow - does anyone have an idea as to what may have changed from Madrid to New York (and now Orlando) to result in this behavior?

The The conditional check 'azure_demo == True' failed. The error was: error while evaluating conditional (azure_demo == True): 'azure_demo' is undefined can is raised when running ansible workshops on devel

the DISA compliance roles are external third party content being "vendored" in under the collections/ directory. they should be moved under roles/ instead, just like the external redhatofficial.* roles currently under roles/.

update collections/requirements.yml to match what we're using in the product-demos-ee

Test and document...

1. setting up GitLab and Devspaces on OpenShift cluster
2. document self-registering users and create a project and repo (this could be automated maybe?)
3. connecting the dev space to a gitlab repo w/ a personal access token
4. connecting the gitlab repo to the automation controller

Migrate to setup_demo.yml to use dispatch role rather than looping over roles.

Having a way to showcase RBAC across organizations helps demo the value differentiation of AAP. This was an old PR that might be useful: RedHatGov#15

Old PR that might be helpful: RedHatGov#3

The patching report should always run. This line should be removed:

step 4, https://aap2.demoredhat.com/exercises/ansible_rhel_90/7-insights/
That whole step seems undo-able for me. Probably because I already have active accounts. But I do not understand the reference to templates, there is nothing that says "SERVER / Red Hat Insights

".

there are a few open items (#70, #115, #118) that require updates to the product-demos-ee image.

on rhpds using the Service "Ansible Compliance Demos", I tried running the "SECURITY / Create Openscap Report" template on Tower and it fails for all nodes with this error:

failed: [node2] (item=report.xml) => {"ansible_loop_var": "item", "changed": false, "item": "report.xml", "msg": "Source ./report.xml not found"}

The reporting demo fails currently due to the fact that node1 does not resolve.

Update all configuration as code credentials to use state: exists (see ansible/awx#13725)

Using state: exists allows credentials to not be over-written, improving idempotency . This is particularly helpful when attempting to use Product-demos in brown-field environments, as well as improving the debugging/troubleshooting experience

We now have a reproducible middleware + Ansible product demo that we can showcase. The demo uses 3 containers that host mysql, Decision Manager and Fuse within a podman pod on rhel. I tried to use node 3 to host the pod but that kills the VM. I would very much like this to be part of our product demos since we can build upon this state tracking use case to show customers. Any chance we could beef up our workshop VMs (or at least one of them) to xlarge? If that's not an option, would it make sense to have a "demo provisioner" with beefier nodes that is made available in RHPDS?

Details:
Demo provisioner: https://github.com/RedHatTelco/product-demos/tree/middleware
Demo dependencies: https://github.com/RedHatTelco/intelligent-restarts/blob/master/dependencies.yml

https://github.com/ansible/product-demos/blob/main/windows/snow.yml

because it changes

pulling it at runtime would be a plus, next step

Currently, base EE image is hardcoded and does not match the AAP version.

Related file https://github.com/cloin/ee-builds/blob/75fc290c80806d7efb19e81841654ee81e713ad0/product-demos-ee/execution-environment.yml#L5

Also comment on https://github.com/rhpds/agnosticv/blob/bffbf43846a496e1c3fe5ae3aa0407205ceb9813/sandboxes-gpte/AAP_PRODUCT_DEMOS/common.yaml#L80C1-L81C1 to make sure that we keep track of the versions w/ AAP

Add a section to the docs to document design choices. See example below
Example: https://github.com/MKletz/SecOps-Powershell-CISDSC/blob/main/docs/design_choices.md

the machine always wins

Navigate to playbooks/03_hardening.yml

Should probably be:

/playbooks/security/hardening.yml

There is a reference to the tower, instead of controller, in step 4, https://aap2.demoredhat.com/exercises/ansible_rhel_90/7-insights/

It would be helpful, to include Windows in the OpenSCAP demo as well in order to tell the story of having a single automation tool that can run compliance across the entire architecture. Are there any plans/efforts into this?

The current variable naming of the roles does not stick with the recommended role naming of ansible-lint.
All variables that need a rename have been identified using the following comment:

# noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way

This issue address the renaming of those and the associated tests & documentation.

At the very start of the workshop/lab, when running the SETUP Job template with Demo Category: 'Cloud' , the following error pops up: failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j760450173010.1206', 'results_file': '/tmp/.ansible_async/j760450173010.1206', 'changed': False, '__workflow_loop_node_item': {'identifier': 'Deploy Windows Blueprint', 'unified_job_template': 'Cloud / AWS / Create VM', 'extra_data': {'vm_name': 'aws_win', 'vm_blueprint': 'windows_full', 'vm_owner': '{{ aws_owner_tag }}'}, 'success_nodes': ['Update Inventory'], 'failure_nodes': ['Ticket - Instance Failed']}, 'ansible_loop_var': '__workflow_loop_node_item'}) => {"__workflows_node_async_results_item": {"__workflow_loop_node_item": {"extra_data": {"vm_blueprint": "windows_full", "vm_name": "aws_win", "vm_owner": "{{ aws_owner_tag }}"}, "failure_nodes": ["Ticket - Instance Failed"], "identifier": "Deploy Windows Blueprint", "success_nodes": ["Update Inventory"], "unified_job_template": "Cloud / AWS / Create VM"}, "ansible_job_id": "j760450173010.1206", "ansible_loop_var": "__workflow_loop_node_item", "changed": false, …