Empty project to be used as starting point for an ansible playbook
Dynamic inventory script files taken from here is included in folder dynamicInventory. The ec2.py is the main script, ec2.ini the setting file for the script. The script should be used with public or private network, it depends on configuration. To show the output of the script:
python dynamicInventory/ec2.py --refresh-cache --profile boto_profile_name
it will print the json of ec2 inventory, forcing the cache clean with option --refresh-cache
The ec2.ini file is well documented inline. Here some useful option:
- regions = eu-west-1: filter the region
- destination_variable = public_dns_name and vpc_destination_variable = ip_address: use these configurations to work with public IP
- destination_variable = private_dns_name and vpc_destination_variable = private_ip_address: use these to work with private IP; usefel when the ansible configuration server is in the same VPC or when a bastion host is used.
- instance_filters = tag:Role=*: filter only the instance with Role tag. More information further and in the comment inside the file.
- boto_profile = profilename: name of the boto profile defined in ~/.aws folder
- cache_max_age = 0: to force to clean cache every run.
Before launch the ansible-playbook to configure the environment is better to dry run ansible to see what is going to happen:
chmod +x dynamicInventory/ec2.py
ansible-playbook -i dynamicInventory/ec2.py --list-hosts site.yml
it will print the dry-run groups and tasks. Analyze it before run ansible-playbook.
In an AWS EC2 environment it's useful to filter and group the EC2 instances. A good way to filter the instances is to use tags, Role for example like in this repository. The instances that have to be a webserver should have Role=webserver. In the _ec2.ini__settings, as describe before, we filter the instance that have a tag call Role. Using hosts: tag_Role_webserver as group filter in site.yaml that role will be executed in the EC2 group webserver.
In addition to filter EC2 by role most of the time we need the filter also by environment, for example webserver in the development environment. It's possible to user multiple filters in ec2.ini, but there are applied with logic OR. To solve the problem a filter is added to site.yaml in hosts:
- hosts: tag_Role_value:&tag_Environment_{{env}} in this way two filters liked with logic AND are applied to create group: tag Role and tag Environment. In addition an env variable is added to generalized the case. Launch the dry-run version:
ansible-playbook -i dynamicInventory/ec2.py --extra-vars "env=development" --list-hosts site.yaml
The classic version for inventory is in hosts-classic. In the file there are specified group of host with IP, username and ssh location file. Classic ssh config file, located in ~/.ssh/config is used. To provision the environment use:
ansible-playbook -i hosts-classic site.yaml
To connect to machine trough a bastion host the hosts file (host-bastionhost) is very similar to the classic type, the difference is in the private network IP. In addition a custom ansible.cfg and ssh.cfg are used. In the ansible.cfg is specified to use the ssh.cfg config file instead the default one. In ssh.cfg is defined the bastion host to use. Then is defined a group of private IP and the proxy command to use to connect with. Bastion host and private newtwork instance have different key pair; no -A option is needed with ProxyCommand. To provision the environment use:
ansible-playbook -i hosts-bastionhost site.yaml