IPA Client Enroll Automation Configuration

Version 1.0.1
Maintainers
support[at]europeanweather.cloud
License
Support level
EWC
Category
Security Identity & Access Management
Technology
Ansible Playbook


⚠️ In the past this functionality was provided out-of-the-box for all EWC tenancies running on the EUMETSAT site. This is no longer the case: after October 2025, EWC tenant admins wishing to integrate IPA enrollment with Morpheus VM provisioning can use this template to enable that functionality for newly onboarded tenancies, on both the EUMETSAT and the ECMWF site.

IPA (identity, policy and audit) is a software stack that serves both as an LDAP user management system and as your internal DNS nameserver.

Morpheus UI, on the other hand, is a web-based cloud orchestration tool that lets you manage your EWC resources via a graphical interface. It has built-in Automation features you can use to arrange sets of individual Tasks into useful behavior when managing cloud resources via Morpheus.

This configuration template (i.e. an Ansible Playbook) customizes your environment in the European Weather Cloud (EWC) so that it creates a Morpheus Automation which simplifies the administration of a fleet of IPA-aware EWC compute instances.

Functionality

💡 To provision and configure a VM as an IPA server from scratch and with fully-managed state (i.e. safe for resizing or upgrading), you may deploy the IPA Server Provisioning Community Hub Item.

💡 To configure an existing VM as an IPA server, you can deploy the IPA Server Flavour Community Hub Item.

Once an IPA server is successfully provisioned and configured within your EWC environment, this template reduces the Morpheus configuration required to achieve the following behavior:

  • New VMs created via the Morpheus UI, within a user-defined Morpheus Network Domain, will enroll onto the DNS and LDAP services provided by an IPA server, enabling users to log into any VM with the same username and password.

    (Figure: Automatic VM Enroll)

  • Users may access any newly enrolled VM with their existing LDAP credentials.

    (Figure: Access via LDAP Credentials)

  • Enrolled VMs will disenroll from the IPA server upon their deletion via the Morpheus UI, to keep the internal DNS table clean and healthy.

Prerequisites

To successfully run this playbook, the following packages should be available in your work environment:

Name       Version    License   Home URL
git        >= 2.0     GPLv2     https://git-scm.com/downloads
python     >= 3.9     PSF       https://www.python.org/downloads
ansible    >= 2.15    GPLv3+    https://pypi.org/project/ansible
jmespath   >= 1.0     MIT       https://pypi.org/project/jmespath

Usage

1. Configure and apply the template

(Figure: Template Edition and Running)

1.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook ipa-enroll-automation.yml

1.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, check out the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs, one for every available input (see the Inputs section below). For example:

ansible-playbook \
  -e '{ "morpheus_api_token":"<api-token>",
        "morpheus_api_url":"https://morpheus.ecmwf.int",
        "morpheus_tenant_name":"eumetsat-sandbox-ewc",
        "update_morpheus_cypher":"yes",
        "morpheus_cypher_ipa_domain":"eumetsat.sandbox.ewc",
        "morpheus_cypher_ipa_server_hostname":"ipa-server-1",
        "morpheus_cypher_ipa_admin_username":"ipaadmin",
        "morpheus_cypher_ipa_admin_password":"my-secret-password"
  }' \
  ipa-enroll-automation.yml
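The -e example above puts the IPA admin password on the command line, where it is visible in `ps` output and shell history. The following wrapper, an added example that is not part of the Community Hub template, builds the same extra-vars document from environment variables (the MORPHEUS_*/IPA_* variable names are this example's own choice), validates it against the rules of the Inputs section, writes it to a mode-0600 temporary file and passes that file to ansible-playbook with `-e @file`:

```shell
#!/usr/bin/env bash
# Added example, not part of the Community Hub template: feeds the inputs of
# ipa-enroll-automation.yml to ansible-playbook via a mode-0600 vars file built
# from environment variables (the MORPHEUS_*/IPA_* names are this example's own),
# so the IPA admin password is not visible in `ps` output or shell history.
# Escape a value for a JSON string literal (backslash first, then double quote).
json_str() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }
# Rules of the Inputs table: token, URL, tenant, update flag and IPA domain are
# required; only the literal "yes" enables the Cypher update. Assumption of this
# example: with the update enabled, an empty hostname/username/password is an error.
validate_inputs() {   # args: token url tenant update domain host user pass
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] && [ -n "$5" ] \
    || { echo "error: token, url, tenant, update flag and ipa domain are required" >&2; return 1; }
  case "$2" in https://*) ;; *) echo "error: morpheus_api_url must start with https://" >&2; return 1 ;; esac
  if [ "$4" = "yes" ]; then
    [ -n "${6:-}" ] && [ -n "${7:-}" ] && [ -n "${8:-}" ] \
      || { echo "error: update_morpheus_cypher=yes but a morpheus_cypher_* value is empty" >&2; return 1; }
  elif [ -n "${6:-}${7:-}${8:-}" ]; then
    echo "note: morpheus_cypher_* values are ignored because update_morpheus_cypher != yes" >&2
  fi
}
# Print the extra-vars document with the same keys as the template's -e example.
build_extra_vars() {  # same args as validate_inputs
  validate_inputs "$@" || return 1
  printf '{\n'
  printf '  "morpheus_api_token": "%s",\n' "$(json_str "$1")"
  printf '  "morpheus_api_url": "%s",\n' "$(json_str "$2")"
  printf '  "morpheus_tenant_name": "%s",\n' "$(json_str "$3")"
  printf '  "update_morpheus_cypher": "%s",\n' "$(json_str "$4")"
  printf '  "morpheus_cypher_ipa_domain": "%s",\n' "$(json_str "$5")"
  printf '  "morpheus_cypher_ipa_server_hostname": "%s",\n' "$(json_str "${6:-}")"
  printf '  "morpheus_cypher_ipa_admin_username": "%s",\n' "$(json_str "${7:-}")"
  printf '  "morpheus_cypher_ipa_admin_password": "%s"\n' "$(json_str "${8:-}")"
  printf '}\n'
}
# Write the vars file readable only by the caller, run the playbook, clean up.
run_enroll_automation() {
  vars_file=$(mktemp) && chmod 600 "$vars_file" || return 1
  trap "rm -f '$vars_file'" EXIT
  build_extra_vars "${MORPHEUS_API_TOKEN:-}" "${MORPHEUS_API_URL:-}" "${MORPHEUS_TENANT_NAME:-}" \
    "${UPDATE_MORPHEUS_CYPHER:-no}" "${IPA_DOMAIN:-}" "${IPA_SERVER_HOSTNAME:-}" \
    "${IPA_ADMIN_USERNAME:-}" "${IPA_ADMIN_PASSWORD:-}" > "$vars_file" || return 1
  ansible-playbook -e "@$vars_file" ipa-enroll-automation.yml
}
# The playbook only runs when explicitly requested: `bash enroll.sh --run`.
if [ "${1:-}" = "--run" ]; then run_enroll_automation; fi
```

Export the variables in the calling shell (for example from a secret store rather than a dotfile) and invoke the script with --run; `build_extra_vars` can also be called on its own to inspect the generated document before applying it.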

2. Manually link the Morpheus Workflow to the user-defined Morpheus Domain

⚠️ As of 17.07.2025, technical limitations on the side of the Morpheus API lead to unreliable configuration of links between workflows and domains. As a workaround, manual action over the Morpheus UI is required.

⛔ This step must be performed every time you update the template input values and apply them.

(Figure: Morpheus Domain and Workflow linking)

Finalize the configuration over the Morpheus UI:

  1. Log in to the Morpheus UI of your EWC environment.
  2. From the top navigation bar, go to Infrastructure > Network.
  3. Select Domains from the sub navigation bar.
  4. A table containing details of the available domains in your EWC environment is displayed in the lower portion of the viewport. Click on the edit icon (🖉) in the row where your defined domain is listed.
  5. Within the pop-up edit form, click on the Select Workflow drop-down menu and select IPA Client Enroll Automation Via Morpheus.
  6. Click on SAVE CHANGES at the bottom of the form to finalize the setup.

3. (Optional) Further integrate your IPA Server with Morpheus Monitoring

(Figure: Morpheus Agent Installation)

VMs provisioned via the Morpheus UI, such as the ones you may have created before applying this template or those you'll create afterwards (which will automatically become part of your IPA-managed fleet), are equipped with a Morpheus Agent, a daemon that provides statistics on the guest operating system and resource utilization to enable monitoring and log aggregation.

If you want to use this Morpheus monitoring functionality, watch minutes 40:22-44:10 of this EWC webinar to learn how you can turn instances provisioned via Community Hub Item templating, or alternative deployment methods, into Morpheus-monitored VMs.

Inputs

⚠️ If set, the update_morpheus_cypher flag will trigger the creation or editing of secrets within Morpheus Cypher. To avoid unexpected behavior during IPA client enrollment, ensure the values of all input secrets (i.e. those with the morpheus_cypher_ prefix) are set and match the values used during the initial IPA server configuration in your EWC environment.

morpheus_api_token (string, default: n/a, required: yes)
  Access token of the Morpheus API.

morpheus_api_url (string, default: n/a, required: yes)
  Morpheus API URL. Example: https://morpheus.ecmwf.int

morpheus_tenant_name (string, default: n/a, required: yes)
  Morpheus tenant name. Example: eumetsat-sandbox-ewc

update_morpheus_cypher (string, default: n/a, required: yes)
  Flag to update the IPA administration data kept in Morpheus Cypher. Only the value yes is accepted as approval.

morpheus_cypher_ipa_domain (string, default: n/a, required: yes)
  Name of the domain managed by the IPA server. Ignored if update_morpheus_cypher!=yes. If set, it should match the value used during configuration of the existing IPA server within the EWC environment. Example: eumetsat.sandbox.ewc

morpheus_cypher_ipa_server_hostname (string, default: n/a, required: no)
  Hostname of the IPA server. Ignored if update_morpheus_cypher!=yes. If set, it should match the value used during configuration of the existing IPA server within the EWC environment. Example: ipa-server-1

morpheus_cypher_ipa_admin_username (string, default: n/a, required: no)
  Username of the administrator account of the IPA server. Ignored if update_morpheus_cypher!=yes. If set, it should match the value used during configuration of the existing IPA server within the EWC environment. Example: ipaadmin

morpheus_cypher_ipa_admin_password (string, default: n/a, required: no)
  Password of the administrator account of the IPA server. Ignored if update_morpheus_cypher!=yes. If set, it should match the value used during configuration of the existing IPA server within the EWC environment.

Outputs

IPA Client Enroll Automation Via Morpheus (Morpheus Integration)
  Links to the EWC Community Hub's GitHub repository where the Ansible Playbooks for IPA client enrollment/disenrollment are published.

Enroll IPA Client (Morpheus Task)
  Executes an Ansible Playbook to carry out IPA client enrollment.

Disenroll IPA Client (Morpheus Task)
  Executes an Ansible Playbook to perform IPA client disenrollment.

IPA Client Enroll Automation Via Morpheus (Morpheus Workflow)
  Orchestrates tasks to run specifically during the provision and teardown stages of a virtual machine's life cycle.

<user defined> (Morpheus Domain)
  Encapsulates virtual machines and automates workflow triggering.

secret/ipa_domain (Morpheus Cypher Secret)
  Read during execution of the enrollment/disenrollment Ansible Playbooks.

secret/ipa_server_hostname (Morpheus Cypher Secret)
  Read during execution of the enrollment/disenrollment Ansible Playbooks.

secret/ipa_admin_username (Morpheus Cypher Secret)
  Read during execution of the enrollment/disenrollment Ansible Playbooks.

secret/ipa_admin_password (Morpheus Cypher Secret)
  Read during execution of the enrollment/disenrollment Ansible Playbooks.

Dependencies

⚠️ Only Ubuntu 22.04 and RockyLinux 8.10 VM images are currently supported. This is due to constraints imposed by the required ewc-ansible-role-ipa-client-enroll Ansible Role.

Name                                    Version   License   Home URL
ewc-ansible-role-ipa-client-enroll      1.1       MIT       https://github.com/ewcloud/ewc-ansible-role-ipa-client-enroll
ewc-ansible-role-ipa-client-disenroll   1.0       MIT       https://github.com/ewcloud/ewc-ansible-role-ipa-client-disenroll