Reputation: 41
I am trying to provision 2 ec2 instances on a private subnet using Ansible playbooks. My infrastructure includes:
My question is how to run the Ansible playbook from localhost to affect the private instances. Can I SSH forward the playbook or does the playbook have to reside in the bastion host and then use the private IPs as hosts?
Upvotes: 4
Views: 1185
Reputation: 59896
Create the ssh config file ~/.ssh/config and add the following lines to it:

Host bastion
    HostName bastion_ip
    User bastion_user
    IdentityFile ~/.ssh/mykey.pem

Host private_instance
    HostName 10.0.0.11
    User private_ec2_user
    ProxyCommand ssh bastion -W %h:%p
    IdentityFile ~/.ssh/mykey.pem
My question is how to run the Ansible playbook from localhost to affect the private instances.
Now that you have configured the ssh config file, all you need to type is

ssh private_instance

This will create an SSH tunnel through the bastion to your private instance; you do not need to type a complex or lengthy command every time.
Upvotes: 3
Reputation: 68715
Ansible allows the use of SSH configuration options and ProxyCommand can come to rescue when trying to forward the command from bastion to private subnet hosts. Here is an example
ssh -o ProxyCommand="ssh ubuntu@52.50.10.5 'nc 192.168.0.20 22'" ubuntu@nothing
The above command will, for example, first connect to 52.50.10.5 via SSH, and then open a socket to 192.168.0.20 on port 22. The socket connection (which is connected to the remote SSH server) is then passed to the original SSH client command invocation to utilize.
Source : https://spin.atomicobject.com/2016/05/16/ansible-aws-ec2-vpc/
Upvotes: 2
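Both answers above show how to make a single ssh invocation hop through the bastion; what neither shows is how to hand that ProxyCommand to Ansible so a playbook run from your laptop reaches the private hosts. The inventory below is an added example, not code from the question or either answer: it reuses the `bastion` alias from the first answer's ~/.ssh/config and passes the -W form of the ProxyCommand (the nc form from the second answer works the same way) to Ansible through the documented `ansible_ssh_common_args` variable. The second host, its 10.0.0.12 address, the user name and the key path are placeholder assumptions modelled on the answers.

```yaml
# inventory.yml  (added example; hosts, IPs, user and key path are assumptions)
all:
  vars:
    ansible_user: private_ec2_user
    ansible_ssh_private_key_file: ~/.ssh/mykey.pem
    # Every connection to a private host is tunnelled through the bastion.
    # "bastion" is the Host alias from ~/.ssh/config in the first answer, so
    # its HostName, User and IdentityFile are resolved there rather than
    # repeated here. "-W %h:%p" asks the bastion's sshd to forward the
    # connection to the target, so no nc/netcat binary is needed on the
    # bastion; ssh substitutes the private host and port for %h and %p.
    # Host-key checking is deliberately left enabled: the tunnel is only as
    # trustworthy as your authentication of the bastion, so put its key in
    # known_hosts instead of passing -o StrictHostKeyChecking=no.
    ansible_ssh_common_args: >-
      -o ProxyCommand="ssh -q -W %h:%p bastion"
  children:
    private:
      hosts:
        private_instance_1:
          ansible_host: 10.0.0.11
        private_instance_2:   # assumed second instance from the question
          ansible_host: 10.0.0.12
```

Run it from your workstation with `ansible -i inventory.yml private -m ping` to confirm both private hosts answer through the bastion, then `ansible-playbook -i inventory.yml site.yml`; the playbook stays on localhost and nothing has to be copied to the bastion. On OpenSSH 7.3 or newer, `-J bastion` (ProxyJump) is an equivalent, shorter replacement for the ProxyCommand string.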