Dynamic inventory Ansible (behind a jumpbox / bastion)

The problem: you want to deploy code to an AutoScaling Group, but the EC2 instances are in a security group that is only accessible through a jumpbox.

Dynamic inventory

Step one is to get Ansible working with dynamic inventory. (We assume you’ve installed Ansible already.)

Download ec2.py and ec2.ini and put them both in /etc/ansible/. (If you’re on a Mac you’ll need to create this directory.)

Then set environment variables to point Ansible to the right locations:

If your AWS credentials have been set, you should be able to list your inventory:

Make sure your ssh keypair has been added to your ssh-agent:

And from there, you should be able to run Ansible against one of your instances. In this case, there’s an EC2 instance that was tagged with Name: testbox.

Jumpbox

The next step is to get Ansible working with instances that are only ssh accessible through a jumpbox.

Make the following changes to /etc/ansible/ec2.ini so that Ansible connects to the EC2 instances' private IPs rather than their public ones:

Add the following lines to ~/.ssh/config. This will forward all ssh connections to anything within your VPC on the 10.0.0.0/16 subnet through your jumphost’s public IP (13.50.123.45 in this case).

Add these lines to a file called playbook.yml:

When you run ansible-playbook on this file, you should get a positive response from your tagged instance:

(If you get a /usr/bin/python error, make sure that you have python installed on the managed node as per the Ansible install guide.)
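The ~/.ssh/config stanza that makes the jumpbox hop work, as an added example rather than the post's own config. It assumes the jumphost public IP 13.50.123.45 and the 10.0.0.0/16 range from the post, an ec2-user login on both hops and a keypair at ~/.ssh/aws-key.pem.

```sshconfig
# Added example, not the original post's file. Assumed values: jumphost IP
# 13.50.123.45, VPC range 10.0.0.0/16, ec2-user login, key ~/.ssh/aws-key.pem.
Host jumphost
    HostName 13.50.123.45
    User ec2-user
    IdentityFile ~/.ssh/aws-key.pem
    IdentitiesOnly yes

# Every private address in the VPC is reached through the jumphost.
# "ssh -W" tunnels the TCP connection across the bastion, so the private
# key stays on the workstation and agent forwarding is not needed.
Host 10.0.*.*
    User ec2-user
    IdentityFile ~/.ssh/aws-key.pem
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p jumphost
```

On OpenSSH 7.3 or newer, `ProxyJump jumphost` can replace the ProxyCommand line; Ansible picks up either form from ~/.ssh/config without further configuration.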

It’s a short jump to get this integrated into your deployment pipeline!

Links

http://docs.ansible.com/ansible/intro_dynamic_inventory.html

https://aws.amazon.com/blogs/apn/getting-started-with-ansible-and-dynamic-amazon-ec2-inventory-management/

http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/

Cloud/Culture/DevOps