Build your first live IdM inventory
What You Will Build
A minimal inventory source and a playbook that targets hosts selected from live IdM policy state.
What You Need Before Starting
- A control node or execution environment (EE) that can reach the IdM API
- Credentials allowed to read IdM host records and HBAC rules (the inventory source below reads both)
- The collection installed in the active Ansible environment
Lab Assumptions
- Use a lab IdM realm, not production first.
- The example hosts app01.example.com and app02.example.com are enrolled in IdM.
- The HBAC rule allow-ssh-app contains the hosts you want to target.
- The inventory source does not store a credential value in Git.
Step-By-Step Path
- Run kinit automation, or use an equivalent Kerberos credential for the IdM account.
- Create inventory.eigenstate_ipa.yml with the IdM inventory plugin and lab connection values.
- Run ansible-inventory --graph to see the IdM-backed group.
- Run list-hosts.yml against that generated group.
- Compare the output to the host records and HBAC rule in IdM.
kinit automation
ansible-inventory -i inventory.eigenstate_ipa.yml --graph
ansible-playbook -i inventory.eigenstate_ipa.yml list-hosts.yml
Example Tutorial Files
Start with a narrow inventory source, inspect the graph, then target the generated group in a simple playbook.
inventory.eigenstate_ipa.yml
---
plugin: eigenstate.ipa.idm
# This must be the IdM API endpoint reachable from the control node or
# execution environment.
server: idm-01.example.com
# Kerberos keeps the inventory file free of password material. Run
# kinit before using this tutorial, or provide kerberos_keytab for a
# non-interactive execution environment.
ipaadmin_principal: automation
use_kerberos: true
# CA bundle used to verify the IdM API's TLS certificate.
verify: /etc/ipa/ca.crt
# Keep the first inventory sync narrow. This example uses an HBAC rule
# as the source of target scope because the same policy can govern SSH
# access and automation placement.
sources:
  - hosts
  - hbacrules
hbacrule_filter:
  - allow-ssh-app
# Dropping the prefix makes the generated group name match the policy
# name after Ansible-safe normalization: allow-ssh-app -> allow_ssh_app.
hbacrule_prefix: ""
host_filter_from_groups: true
# The playbook below connects to the FQDN returned by IdM.
compose:
  ansible_host: idm_fqdn
list-hosts.yml
---
- name: Show hosts discovered from live IdM inventory
  hosts: allow_ssh_app
  gather_facts: false
  tasks:
    - name: Confirm the host came from live IdM inventory
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} resolves to {{ ansible_host }}"
Run It
ansible-inventory -i inventory.eigenstate_ipa.yml --graph
ansible-playbook -i inventory.eigenstate_ipa.yml list-hosts.yml
Expected Evidence
This output shape was captured from a live IdM inventory run and sanitized. Hostnames and the policy name are examples, but the group structure and debug messages match the playbook above.
@all:
  |--@ungrouped:
  |--@allow_ssh_app:
  |  |--app01.example.com
  |  |--app02.example.com

PLAY [Show hosts discovered from live IdM inventory] ***************************

TASK [Confirm the host came from live IdM inventory] ***************************
ok: [app01.example.com] => {
    "msg": "app01.example.com resolves to app01.example.com"
}
ok: [app02.example.com] => {
    "msg": "app02.example.com resolves to app02.example.com"
}

PLAY RECAP *********************************************************************
app01.example.com          : ok=1    changed=0    unreachable=0    failed=0    skipped=0
app02.example.com          : ok=1    changed=0    unreachable=0    failed=0    skipped=0
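The last step of the path, comparing the generated group to what IdM actually says, is easy to do by eye for two hosts and easy to skip for two hundred. The script below is an added example, not part of the eigenstate.ipa collection or of this tutorial's files. It parses the JSON that `ansible-inventory -i inventory.eigenstate_ipa.yml --list` prints, resolves the group's hosts (following child groups), checks that the compose rule really set ansible_host to the idm_fqdn hostvar, and reports hosts that IdM's rule lists but the sync did not return, or vice versa. The inventory JSON and the IdM host list embedded in it are constructed samples for the lab (the third host is deliberately added to the IdM side to show a drift report); the group-name normalization helper is an assumption that mirrors the `allow-ssh-app -> allow_ssh_app` behaviour the tutorial describes, not the plugin's own code.

```python
"""Cross-check an `ansible-inventory --list` dump against the hosts IdM
places in an HBAC rule.

Added example, not part of the eigenstate.ipa collection. The inventory
JSON below is a constructed sample in the shape ansible-inventory prints
for the tutorial lab. In a real run the IdM host list would be taken from
the `Hosts:` line of `ipa hbacrule-show allow-ssh-app` instead of the
constant below.
"""
import json
import re

# Constructed sample of `ansible-inventory --list` output for the lab.
SAMPLE_INVENTORY_JSON = """
{
  "_meta": {
    "hostvars": {
      "app01.example.com": {"idm_fqdn": "app01.example.com",
                            "ansible_host": "app01.example.com"},
      "app02.example.com": {"idm_fqdn": "app02.example.com",
                            "ansible_host": "app02.example.com"}
    }
  },
  "all": {"children": ["ungrouped", "allow_ssh_app"]},
  "ungrouped": {},
  "allow_ssh_app": {"hosts": ["app01.example.com", "app02.example.com"]}
}
"""

# Constructed stand-in for the IdM side. app03 is present here on purpose
# and absent from the inventory above, so the report shows real drift.
SAMPLE_IDM_RULE_HOSTS = ["app01.example.com", "app02.example.com",
                         "app03.example.com"]


def ansible_group_name(policy_name: str, prefix: str = "") -> str:
    """Assumed normalization (mirrors the tutorial's description):
    prefix + policy name, every non [A-Za-z0-9_] character replaced by '_'.
    allow-ssh-app -> allow_ssh_app
    """
    return re.sub(r"[^A-Za-z0-9_]", "_", prefix + policy_name)


def group_hosts(inventory: dict, group: str, _seen=None) -> set:
    """Hosts of a group, including those of child groups, cycle-safe."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in inventory:
        return set()
    seen.add(group)
    entry = inventory[group]
    hosts = set(entry.get("hosts", []))
    for child in entry.get("children", []):
        hosts |= group_hosts(inventory, child, seen)
    return hosts


def compose_mismatches(inventory: dict, hosts) -> list:
    """Hosts whose ansible_host differs from idm_fqdn, i.e. where the
    compose rule in the inventory source did not take effect."""
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    bad = []
    for host in sorted(hosts):
        hv = hostvars.get(host, {})
        if hv.get("ansible_host") != hv.get("idm_fqdn"):
            bad.append(host)
    return bad


def check_against_idm(inventory_json: str, policy_name: str,
                      idm_hosts, prefix: str = "") -> dict:
    """Compare the synced group for `policy_name` with the IdM host list."""
    inventory = json.loads(inventory_json)
    group = ansible_group_name(policy_name, prefix)
    synced = group_hosts(inventory, group)
    expected = set(idm_hosts)
    return {
        "group": group,
        "missing_from_inventory": sorted(expected - synced),
        "not_in_idm_rule": sorted(synced - expected),
        "compose_mismatches": compose_mismatches(inventory, synced),
    }


def is_clean(report: dict) -> bool:
    """True only when inventory and policy agree on every point checked."""
    return not (report["missing_from_inventory"] or report["not_in_idm_rule"]
                or report["compose_mismatches"])


if __name__ == "__main__":
    report = check_against_idm(SAMPLE_INVENTORY_JSON, "allow-ssh-app",
                               SAMPLE_IDM_RULE_HOSTS)
    print(json.dumps(report, indent=2))
    # Any drift means the sync and the policy disagree: stop and investigate
    # before running anything against the group.
    raise SystemExit(0 if is_clean(report) else 1)
```

To use it against a live run, replace the two constants with `ansible-inventory -i inventory.eigenstate_ipa.yml --list` output and the host list from `ipa hbacrule-show allow-ssh-app`. A non-zero exit is the signal to check whether the inventory query ran as the expected principal and whether the rule's membership includes host groups the sync did not expand.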
What You Learned
- Inventory is built at query time from IdM.
- Hostvars can carry selected IdM facts into playbooks.
- AAP inventory sync can consume the same source after credentials are configured.
Next Page
Continue with /how-to/use-idm-as-live-inventory.html.