How-to

Boundary: Read-only
Authority: idm, collection, ansible
Evidence: inventory-output

Use IdM as live Ansible inventory

When To Use This

Use this when enrolled hosts, hostgroups, netgroups, HBAC relationships, or selected IdM host attributes should drive Ansible targeting.

Required Authority

IdM owns host and policy state. The inventory plugin reads that state and Ansible consumes the generated inventory.

Safety Boundary

This workflow is read-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Inputs

  • An IdM server reachable from the control node or EE
  • Inventory source YAML using plugin: eigenstate.ipa.idm
  • Password or Kerberos credentials allowed to read host and policy records

Steps

  1. Create an inventory source file with IdM connection settings.
  2. Run ansible-inventory --list -i inventory.eigenstate_ipa.yml.
  3. Inspect generated groups and hostvars before using the inventory in a playbook or AAP sync:

ansible-inventory -i inventory.eigenstate_ipa.yml --graph
ansible-inventory -i inventory.eigenstate_ipa.yml --host idm-client01.example.com

Example Inventory Source

This inventory source reads host and policy state from IdM, composes the Ansible connection address from the IdM FQDN, and creates reviewable groups from IdM attributes.

inventory.eigenstate_ipa.yml

---
plugin: eigenstate.ipa.idm

# The control node or execution environment must reach this IdM API.
server: idm-01.example.com

# Kerberos is preferred for scheduled jobs because no password is stored
# in the inventory source. In AAP, mount this keytab as a credential.
use_kerberos: true
ipaadmin_principal: automation
kerberos_keytab: /runner/env/ipa/automation.keytab
verify: /etc/ipa/ca.crt

# Keep the first sync narrow. Add sources only when a job needs them.
sources:
  - hosts
  - hostgroups
  - hbacrules

# Limit the inventory to the hostgroups that this automation owns.
hostgroup_filter:
  - linux-app
  - linux-db
host_filter_from_groups: true

# Expose a stable connection variable and create useful groups.
compose:
  ansible_host: idm_fqdn
keyed_groups:
  - key: idm_location
    prefix: location
    separator: "_"
  - key: idm_os
    prefix: os
    separator: "_"

Run It

ansible-inventory -i inventory.eigenstate_ipa.yml --graph
ansible-inventory -i inventory.eigenstate_ipa.yml --host app01.example.com

Expected Evidence

A captured live inventory validation produced host data directly from IdM. The hostnames below are sanitized; the graph shape and the per-host hostvars are shown as captured:

@all:
  |--@ungrouped:
  |  |--apps.ocp.example.com
  |  |--bastion-01.example.com
  |  |--idm-01.example.com
  |  |--mirror-registry.example.com
  |  |--podinfo.apps.ocp.example.com
  |  |--stale-app-01.example.com

{
  "idm_schema_warnings": [],
  "idm_userclass": [],
  "idm_userclass_raw": null,
  "idm_userclass_type": "missing"
}
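Step 3 of the procedure and the captured evidence above both come down to the same review: before the generated inventory feeds a playbook or AAP sync, check that every host got a composed ansible_host, that no host carries schema warnings, that hosts did not all fall into @ungrouped, and that the only groups present are the keyed groups and the hostgroups the filter allows. The script below is an added example, not code from the eigenstate.ipa collection. It reads the JSON that ansible-inventory --list emits; the embedded inventory is a constructed sample shaped like that output, and its host names, attribute values, warning text and the check_idm_inventory.py file name are assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight checks on `ansible-inventory --list` JSON from an IdM inventory source.

Added example, not part of the eigenstate.ipa collection. It reads the JSON
that `ansible-inventory --list` emits (from stdin or the constructed sample
below) and reports conditions a reviewer should look at before the inventory
is wired into a scheduled job or AAP sync.
"""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `ansible-inventory --list` output.
# Host names, attribute values and the warning text are assumptions.
SAMPLE_INVENTORY = json.dumps({
    "_meta": {"hostvars": {
        "app01.example.com": {
            "ansible_host": "app01.example.com", "idm_fqdn": "app01.example.com",
            "idm_location": "rdu", "idm_os": "rhel9",
            "idm_schema_warnings": [], "idm_userclass_type": "list"},
        "db01.example.com": {
            "ansible_host": "db01.example.com", "idm_fqdn": "db01.example.com",
            "idm_location": "rdu", "idm_os": "rhel9",
            "idm_schema_warnings": [], "idm_userclass_type": "list"},
        # A host that fell through: no composed ansible_host, a schema warning,
        # and no hostgroup membership, so it lands in @ungrouped.
        "stale-app-01.example.com": {
            "idm_fqdn": "stale-app-01.example.com",
            "idm_schema_warnings": ["userclass is not a list"],
            "idm_userclass_type": "missing"},
    }},
    "all": {"children": ["ungrouped", "location_rdu", "os_rhel9", "linux-app", "linux-db"]},
    "ungrouped": {"hosts": ["stale-app-01.example.com"]},
    "location_rdu": {"hosts": ["app01.example.com", "db01.example.com"]},
    "os_rhel9": {"hosts": ["app01.example.com", "db01.example.com"]},
    "linux-app": {"hosts": ["app01.example.com"]},
    "linux-db": {"hosts": ["db01.example.com"]},
})


def validate_inventory(inventory_json, keyed_prefixes=("location_", "os_"),
                       expected_hostgroups=("linux-app", "linux-db")):
    """Return {finding_name: [hosts or groups]} for anything worth a look.

    keyed_prefixes:      prefixes the keyed_groups setting is expected to produce.
    expected_hostgroups: the hostgroup_filter list; any other non-keyed group
                         means the sync pulled in something this job does not own.
    """
    inv = json.loads(inventory_json)
    hostvars = inv.get("_meta", {}).get("hostvars", {})
    groups = {name: body for name, body in inv.items() if name != "_meta"}
    findings = defaultdict(list)

    # Build host -> groups from the group bodies (hosts are listed under "hosts").
    membership = defaultdict(set)
    for name, body in groups.items():
        for host in body.get("hosts", []):
            membership[host].add(name)

    for host, hv in sorted(hostvars.items()):
        if not hv.get("ansible_host"):
            findings["missing_ansible_host"].append(host)   # compose did not apply
        if hv.get("idm_schema_warnings"):
            findings["schema_warnings"].append(host)        # attribute shape was not as expected
        if membership[host] <= {"ungrouped"}:
            findings["ungrouped"].append(host)              # no hostgroup or keyed group matched

    for host in sorted(membership):
        if host not in hostvars:
            findings["hosts_without_hostvars"].append(host)

    for name, body in sorted(groups.items()):
        if name in ("all", "ungrouped"):
            continue
        if not body.get("hosts") and not body.get("children"):
            findings["empty_groups"].append(name)
        if not name.startswith(keyed_prefixes) and name not in expected_hostgroups:
            findings["unexpected_groups"].append(name)

    for prefix in keyed_prefixes:
        if not any(g.startswith(prefix) for g in groups):
            findings["missing_keyed_prefix"].append(prefix)

    return dict(findings)


if __name__ == "__main__":
    # Usage: ansible-inventory -i inventory.eigenstate_ipa.yml --list | python3 check_idm_inventory.py -
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INVENTORY
    report = validate_inventory(data)
    for finding, items in sorted(report.items()):
        print(f"{finding}: {', '.join(items)}")
    sys.exit(1 if report else 0)
```

Run without arguments it checks the embedded sample and flags the stale host three times (no ansible_host, a schema warning, and @ungrouped membership), which is the same shape as the captured evidence where every host sits under @ungrouped and idm_userclass_type is missing. A non-zero exit makes it usable as a gate in front of the AAP sync; the keyed_prefixes and expected_hostgroups arguments should mirror the keyed_groups and hostgroup_filter settings in the inventory source so that drift between the two is reported rather than silently widening the target set.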

Troubleshooting

  • Authentication failure: verify Kerberos ticket, keytab, or password credentials.
  • Missing hosts: verify the hosts are enrolled and visible to the IdM account.
  • Unexpected grouping: inspect hostgroup, netgroup, and HBAC inputs in IdM.