Reputation: 22196
I have 2 VPCs, each of which has a VPN instance, whose configuration I would like to share. Both instances have a class tag, whose value is now vpn_dev, however, they should differ by the environment tags - one would have environment: default, and the other environment: london.
I also have 2 playbooks, one for each VPC. I would like to run my vpn role on exactly one of the instances based on the combination of the class and environment tags, i.e. select the instance that has class: vpn_dev and environment: london. E.g.
- name: Deploy developer VPN in AWS
  hosts:
    - tag_class_vpn_dev
    - tag_environment_london
  roles:
    - vpn
However, this would of course install the role on all instances that have class: vpn_dev (regardless of environment), and on all instances that have environment: london (regardless of class).
Is there a way to achieve this? Currently it seems like the only way is to have a single tag that uniquely identifies an instance.
Upvotes: 1
Views: 1846
Reputation: 387
It is possible to apply some Ansible role to one host for each tag combination, although I would not recommend it, because this approach IMHO is not idempotent.
One of the possible risks with this scenario is that when you re-run this playbook, the selected host for some tag combination can be different from the previous run, and therefore you will end up with two instances per this unique tag combination group.
My recommended approach would be to use some tag to mark the host which is supposed to be used as the VPN role target, and then use Ansible to apply the VPN role only to hosts marked by this tag.
Upvotes: 0
Reputation: 8066
The list of hosts in a playbook is an OR operation by default. You can use AND over two host groups with this syntax:
- hosts:
    - tag_class_vpn_dev:&tag_environment_london
More about host patterns here
Upvotes: 2
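Added example (not part of any answer above, and not Ansible's own code): a simplified Python model of how Ansible combines host patterns, run over a constructed inventory, showing why the list in the question reaches every `vpn_dev` and every `london` host while the `:&` pattern reaches one. The group contents, host names and the `require_single_target` guard are assumptions for illustration; wildcards, regexes and ranges are not modelled.

```python
# Simplified model of Ansible host-pattern set logic (union, '&', '!' only).
import re

# Constructed inventory: tag-derived group -> hosts. Host names are made up.
INVENTORY = {
    "tag_class_vpn_dev": {"vpn-default-1", "vpn-london-1"},
    "tag_class_web": {"web-london-1", "web-london-2"},
    "tag_environment_default": {"vpn-default-1"},
    "tag_environment_london": {"vpn-london-1", "web-london-1", "web-london-2"},
}


def select_hosts(hosts, inventory=INVENTORY):
    """Return the set of hosts a play's `hosts:` value would target."""
    if isinstance(hosts, str):
        hosts = [hosts]
    # A YAML list under `hosts:` is a union of its items; each item may itself
    # hold several ':'- or ','-separated terms.
    terms = [t for item in hosts for t in re.split(r"[:,]", item) if t]
    regular = [t for t in terms if t[0] not in "&!"]
    intersect = [t[1:] for t in terms if t[0] == "&"]
    exclude = [t[1:] for t in terms if t[0] == "!"]

    def members(group):
        if group == "all":
            return set().union(*inventory.values())
        if group not in inventory:
            raise KeyError(f"unknown group: {group}")
        return set(inventory[group])

    # Unions first, then intersections, then exclusions, whatever order is written.
    selected = set()
    for g in (regular or ["all"]):
        selected |= members(g)
    for g in intersect:
        selected &= members(g)
    for g in exclude:
        selected -= members(g)
    return selected


def require_single_target(hosts, inventory=INVENTORY):
    """Hypothetical guard: refuse unless the pattern resolves to one host."""
    selected = select_hosts(hosts, inventory)
    if len(selected) != 1:
        raise ValueError(f"expected 1 host, pattern matched {sorted(selected)}")
    return next(iter(selected))
```

On a real inventory, `ansible-playbook --list-hosts` prints the hosts a play would target without running any tasks, which is a quick way to confirm the pattern before the role is applied.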