AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Build an AAP Self-Service Template: Provision an AWS EC2 Instance

By Luca Berton · Published 2024-01-01 · Category: aws-automation

Learn how to build the 'Cloud - Provision AWS EC2 Instance' self-service template in AAP 2.7's Automation Portal for one-click EC2 provisioning.

Why Self-Service EC2 Provisioning Matters

At Red Hat Tech Day Netherlands 2026 in Bunnik, Fred van Zwieten and Ismail Dhaoui demoed one of the headline features of Ansible Automation Platform (AAP) 2.7: the new Automation Portal. Instead of asking developers to hunt through job templates, learn survey field names, or figure out which project holds the right playbook, the Automation Portal exposes a self-service gallery of pre-approved templates. Each one has a single "Start" button. Click it, answer a short form, and the automation runs — no knowledge of Ansible internals required.

Among the templates shown live in the demo catalog was Cloud - Provision AWS EC2 Instance: a template that spins up an EC2 instance with standard tagging applied automatically. This article walks through how a platform engineering team would design, build, and publish that exact template so it shows up correctly in the Automation Portal catalog.

See also: Build an AAP Self-Service Template: Create a Compliant S3 Bucket

What the Demo Catalog Looked Like

The Bunnik demo catalog spanned several operational domains, not just cloud. Seeing the full list helps clarify where EC2 provisioning fits in the bigger self-service picture:

TemplateDomainPurpose
Branch - After Hours Access ReportBranch/SecurityReport access outside operating hours
Branch - Network Health CheckBranch/NetworkRun a health check across a branch
Branch - WiFi ResetBranch/NetworkReset branch WiFi
Cloud - Create S3 BucketCloudCreate a compliant, encrypted S3 bucket
Cloud - Provision AWS EC2 InstanceCloudSpin up an EC2 instance with standard tagging
Cloud - Request Azure Resource GroupCloudProvision an Azure RG with RBAC
CVE PatchSecurityPatch a given CVE
Network - Backup Switch ConfigsNetworkBack up Cisco/Arista configs to Git
Network - Firewall RemediationNetworkCorrect a firewall misconfiguration
Network - Firewall Rule RequestNetworkSubmit a firewall change for approval
RHEL - Patch Servers (Maintenance Window)SystemsApply security patches in a window
The cloud templates share a pattern: they wrap a moderately complex provisioning or governance task behind a short survey, so a requester never touches raw variables like AMI IDs, subnet CIDRs, or IAM policy documents directly.

Step 1: Write the Underlying Playbook

The self-service experience is only as good as the job template underneath it. Start with a playbook that provisions the instance and immediately applies your organization's standard tagging scheme — this is exactly the behavior called out in the demo.

---
- name: Cloud - Provision AWS EC2 Instance
  hosts: localhost
  gather_facts: false
  connection: local

  vars:
    instance_type: "{{ ec2_instance_type | default('t3.medium') }}"
    environment_tag: "{{ ec2_environment | default('dev') }}"

  tasks:
    - name: Launch EC2 instance
      amazon.aws.ec2_instance:
        name: "{{ ec2_name }}"
        key_name: "{{ ec2_key_pair }}"
        instance_type: "{{ instance_type }}"
        image_id: "{{ ec2_ami_id }}"
        subnet_id: "{{ ec2_subnet_id }}"
        security_group: "{{ ec2_security_group }}"
        wait: true
        tags:
          Name: "{{ ec2_name }}"
          Environment: "{{ environment_tag }}"
          Owner: "{{ ec2_requester }}"
          CostCenter: "{{ ec2_cost_center }}"
          ManagedBy: "ansible-automation-platform"
      register: ec2_result

    - name: Report provisioned instance details
      ansible.builtin.debug:
        msg: >
          Instance {{ ec2_result.instances[0].instance_id }}
          launched in {{ ec2_subnet_id }} with tags applied.

Notice that every variable a requester might normally have to guess — AMI ID, subnet, security group, cost center — is parameterized. That parameterization is what the survey layer will drive.

See also: Build an AAP Self-Service Template: Request an Azure Resource Group

Step 2: Design the Survey for Non-Expert Requesters

The whole point of the Automation Portal is hiding complexity. A well-designed survey turns a raw job template into something a developer or business user can complete in under a minute:

  • Instance name (text field, required)
  • Environment (multiple choice: dev, staging, production)
  • Instance size (multiple choice: small / medium / large, mapped internally to real instance types)
  • Cost center (text field, required, validated against a regex if your finance team needs a specific format)
  • Requester email (text field, auto-populated from the logged-in user where possible)
Keep the survey short. Every additional field is friction between "I need a VM" and actually getting one — which defeats the purpose of a self-service catalog.

Step 3: Publish the Template to the Automation Portal

Once the job template and survey exist in AAP, publishing it into the Automation Portal catalog is a matter of:

  1. Marking the job template as available for self-service (visible in the portal, not just the controller UI).
  2. Assigning it a clear, action-oriented name — the demo catalog's naming convention (Cloud - Provision AWS EC2 Instance) uses a Domain - Action pattern that keeps a growing catalog scannable.
  3. Setting RBAC so only appropriate teams can see and launch it — self-service does not mean unrestricted access.
  4. Confirming the "Start" button surfaces the survey correctly and that credentials (AWS access in this case) are attached to the template rather than requested from the end user.
That last point matters: end users should never need to supply or even see AWS credentials. The credential lives on the job template, scoped by AAP's RBAC, so the self-service experience stays credential-free from the requester's point of view.

See also: Build an AAP Self-Service Template: After Hours Branch Access Report

Standard Tagging: Why It's Non-Negotiable

The demo explicitly called out "standard tagging" as part of what the EC2 template does automatically. This is a governance win as much as a technical one — every instance created through the portal gets consistent Environment, Owner, CostCenter, and ManagedBy tags without the requester having to know or care about your tagging policy. That consistency pays off downstream in cost allocation reports, security audits, and automated lifecycle policies (e.g., a nightly job that stops all Environment=dev instances outside business hours).

Key Takeaways

  • AAP 2.7's Automation Portal turns job templates into a one-click, self-service catalog — no playbook or survey knowledge required by the requester.
  • The Cloud - Provision AWS EC2 Instance template demoed at Red Hat Tech Day Netherlands 2026 spins up an instance and applies standard tagging automatically, removing a common source of cloud governance drift.
  • A good self-service template pairs a parameterized playbook with a short, focused survey — hide complexity, don't just relocate it.
  • Credentials belong on the job template, never in the requester's hands, preserving both the self-service experience and your security posture.
  • Consistent naming (Domain - Action) and tight RBAC keep a growing self-service catalog usable as more templates are added alongside network, branch, and patching automations.

Category: aws-automation

Browse all Ansible tutorials · AnsiblePilot Home