brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ansible): improve article and examples for aws ssm integration

Browse Source
This commit is contained in:
Michele Cereda
2024-04-04 01:07:55 +02:00
parent 3df430d948
commit 04b4ca1073
3 changed files with 51 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
examples/ansible/aws_ec2.yml Normal file
View File

@@ -0,0 +1,26 @@
---
################################################################################
## aws_ec2.yml
##
## Dynamic inventory for integration with AWS SSM.
## Makes use of the 'aws_ec2' plugin.
## The file must be named 'aws_ec2.yml'.
################################################################################
plugin: aws_ec2
regions:
- eu-east-2
keyed_groups:
- key: tags.Name
# add hosts to 'tag_Name_<tag_value>' groups for each aws_ec2 host's 'Tags.Name' attribute
prefix: tag_Name_
separator: ""
- key: tags.application
# add hosts to 'tag_application_<tag_value>' groups for each aws_ec2 host's 'Tags.application' attribute
prefix: tag_application_
separator: ""
hostnames:
- instance-id
# acts as keyword to use the instances' 'InstanceId' attribute
# use 'private-ip-address' to use the instances' 'PrivateIpAddress' attribute instead

9
knowledge base/ansible.md
View File

@@ -572,7 +572,7 @@ Conversely, one can achieve the opposite by using the `always` tag and the `--sk
Message example: Message example:
> fatal: [i-4ccab452bb7743336]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp `\"&& mkdir \"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp/ansible-tmp-1708603630.2433128-49665-225488680421418 `\" && echo ansible-tmp-1708603630.2433128-49665-225488680421418=\"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp/ansible-tmp-1708603630.2433128-49665-225488680421418 `\" ), exited with result 1, stdout output: \u001b]0;@ip-192-168-42-42:/usr/bin\u0007bash: @ip-192-168-42-42:/usr/bin/home/centos/.ansible/tmp: No such file or directory\r\r\nmkdir: cannot create directory '0': Permission denied\r\r", "unreachable": true} > fatal: \[i-4ccab452bb7743336]: UNREACHABLE! => {"changed": false, "msg": "Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp `\"&& mkdir \"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp/ansible-tmp-1708603630.2433128-49665-225488680421418 `\" && echo ansible-tmp-1708603630.2433128-49665-225488680421418=\"` echo \u001b]0;@ip-192-168-42-42:/usr/bin\u0007/home/centos/.ansible/tmp/ansible-tmp-1708603630.2433128-49665-225488680421418 `\" ), exited with result 1, stdout output: \u001b]0;@ip-192-168-42-42:/usr/bin\u0007bash: @ip-192-168-42-42:/usr/bin/home/centos/.ansible/tmp: No such file or directory\r\r\nmkdir: cannot create directory '0': Permission denied\r\r", "unreachable": true}
Root cause: Root cause:
@@ -581,7 +581,7 @@ By default, SSM starts sessions in the `/usr/bin` directory.
Solution: Solution:
Explicitly set Ansible's temporary directory to a folder the remote user can write to.<br/> Explicitly set Ansible's temporary directory to a folder the remote user can write to.<br/>
See [Integration with AWS SSM]. See [Integrate with AWS SSM].
## Further readings ## Further readings
@@ -600,7 +600,7 @@ See [Integration with AWS SSM].
- [Ansible Galaxy user guide] - [Ansible Galaxy user guide]
- [Windows playbook example] - [Windows playbook example]
- [Special tags: `always` and `never`][special tags: always and never] - [Special tags: `always` and `never`][special tags: always and never]
- [Integration with AWS SSM] - [Integrate with AWS SSM]
### Sources ### Sources
@@ -627,7 +627,7 @@ See [Integration with AWS SSM].
--> -->
<!-- Knowledge base --> <!-- Knowledge base -->
[integration with aws ssm]: cloud%20computing/aws/ssm.md##integrate-with-ansible [integrate with aws ssm]: cloud%20computing/aws/ssm.md#integrate-with-ansible
<!-- Files --> <!-- Files -->
[examples]: ../examples/ansible/ [examples]: ../examples/ansible/
@@ -645,6 +645,7 @@ See [Integration with AWS SSM].
[special variables]: https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html [special variables]: https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html
[templating]: https://docs.ansible.com/ansible/latest/user_guide/playbooks_templating.html [templating]: https://docs.ansible.com/ansible/latest/user_guide/playbooks_templating.html
[tests]: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html [tests]: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
[slurp]: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/slurp_module.html
<!-- Others --> <!-- Others -->
[ansible: set variable to file content]: https://stackoverflow.com/questions/24003880/ansible-set-variable-to-file-content [ansible: set variable to file content]: https://stackoverflow.com/questions/24003880/ansible-set-variable-to-file-content

32
knowledge base/cloud computing/aws/ssm.md
View File

@@ -44,20 +44,20 @@ It needs to be named like that to be found by the ['community.aws.aws_ssm' conne
# File: 'aws_ec2.yml'. # File: 'aws_ec2.yml'.
plugin: aws_ec2 plugin: aws_ec2
regions: regions:
- eu-west-1 - eu-east-2
keyed_groups: keyed_groups:
- key: tags.application
# add hosts to tag_application_<tag_value> groups for each aws_ec2 host's
# tags.application attribute
prefix: tag_application_
separator: ""
- key: tags.Name - key: tags.Name
# add hosts to tag_Name_<tag_value> groups for each aws_ec2 host's tags.Name # add hosts to 'tag_Name_<tag_value>' groups for each aws_ec2 host's 'Tags.Name' attribute
# attribute
prefix: tag_Name_ prefix: tag_Name_
separator: "" separator: ""
- key: tags.application
# add hosts to 'tag_application_<tag_value>' groups for each aws_ec2 host's 'Tags.application' attribute
prefix: tag_application_
separator: ""
hostnames: hostnames:
- <instance-id> - instance-id
# acts as keyword to use the instances' 'InstanceId' attribute
# use 'private-ip-address' to use the instances' 'PrivateIpAddress' attribute instead
``` ```
Pitfalls: Pitfalls:
@@ -65,9 +65,13 @@ Pitfalls:
- One **shall not use the `remote_user` connection option**, as it is not supported by the plugin.<br/> - One **shall not use the `remote_user` connection option**, as it is not supported by the plugin.<br/>
From the [plugin notes][aws_ssm connection plugin notes]: From the [plugin notes][aws_ssm connection plugin notes]:
> The `community.aws.aws_ssm` connection plugin does not support using the `remote_user` and `ansible_user` variables to configure the remote user. The ``become_user`` parameter should be used to configure which user to run commands as. Remote commands will often default to running as the `ssm-agent` user, however this will also depend on how SSM has been configured. > The `community.aws.aws_ssm` connection plugin does not support using the `remote_user` and `ansible_user` variables
> to configure the remote user. The ``become_user`` parameter should be used to configure which user to run commands
> as. Remote commands will often default to running as the `ssm-agent` user, however this will also depend on how SSM
> has been configured.
- Since [SSM starts shell sessions under `/usr/bin`][gotchas], one must explicitly set Ansible's temporary directory to a folder the remote user can write to ([source][ansible temp dir change]): - Since [SSM starts shell sessions under `/usr/bin`][gotchas], one must explicitly set Ansible's temporary directory to
a folder the remote user can write to ([source][ansible temp dir change]):
```sh ```sh
ANSIBLE_REMOTE_TMP='/tmp' ansible… ANSIBLE_REMOTE_TMP='/tmp' ansible…
@@ -85,6 +89,9 @@ Pitfalls:
tasks: … tasks: …
``` ```
This, or use the shell profiles in [SSM's preferences][session manager preferences] to change the directory when
logged in.
## Further readings ## Further readings
- [Ansible] - [Ansible]
@@ -110,8 +117,9 @@ Pitfalls:
<!-- Upstream --> <!-- Upstream -->
[start a session]: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html [start a session]: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html
[session manager preferences]: https://eu-west-1.console.aws.amazon.com/systems-manager/session-manager/preferences?region=eu-west-1 [session manager preferences]: https://console.aws.amazon.com/systems-manager/session-manager/preferences
[aws_ssm connection plugin notes]: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html#notes [aws_ssm connection plugin notes]: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html#notes
[community.aws.aws_ssm connection]: https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ssm_connection.html
<!-- Others --> <!-- Others -->
[ansible temp dir change]: https://devops.stackexchange.com/questions/10703/ansible-temp-dir-change [ansible temp dir change]: https://devops.stackexchange.com/questions/10703/ansible-temp-dir-change