mroche / awx-aws-provisioning

Provisioning and managing EC2 systems from Ansible Tower (Controller)
Maintained by Mike Rochefort (mroche)

Ansible Tower, AWS, and RHEL

This repository provides plays for provisioning and destroying RHEL nodes in AWS, registering them with Red Hat, and deploying/removing an Apache web server on them.

Requirements

The plays rely on particular assets being stored in Tower as credentials and extra_vars, and on some preconfiguration in AWS and the Red Hat Customer Portal. They can't run on their own.

Red Hat

Your AWS account ID needs to be enrolled as an AWS Account in the Subscriptions > Cloud Access section of the Customer Portal. This is required to gain access to the Cloud Access RHEL AMIs, which are shared with enrolled accounts rather than listed publicly.

AWS Config

  • An SSH key-pair needs to be prepared in EC2; its private key is what the Machine credential below carries.
  • A Security Group allowing SSH and HTTP. In my test environment the rules are as follows:
    • Inbound:
      • SSH - Custom - <my_personal_ip>/32
      • HTTP - Anywhere-IPV4 - 0.0.0.0/0
    • Outbound:
      • All Traffic - Anywhere
    The SSH source must cover the address Tower (its execution node) connects from, not only your workstation; if Tower runs outside that /32, add its egress address as a second rule rather than widening the first.

Tower Config

Credentials

  • A credential of type Machine holding the private key of the EC2 key-pair and the AMI's default user.
    • Private key
    • User: ec2-user
    • Privilege escalation method: sudo
  • A credential of type Amazon Web Services with an access key/secret key for an IAM identity limited to the EC2 permissions needed to create, describe and terminate instances. Don't reuse account-wide administrative keys here.
  • A custom credential type for the Red Hat subscription:
# Input Configuration
fields:
  - id: redhat_acct
    type: string
    label: Username
  - id: redhat_acct_pass
    type: string
    label: Password
    secret: true
  - id: redhat_acct_pool
    type: string
    label: Pool ID
    secret: true
required:
  - redhat_acct
  - redhat_acct_pass
  - redhat_acct_pool

# Injector Configuration
extra_vars:
  redhat_account: '{{ redhat_acct }}'
  redhat_passphrase: '{{ redhat_acct_pass }}'
  redhat_pool: '{{ redhat_acct_pool }}'

Inventory

An inventory with a source of type Amazon EC2 using the AWS credential. In my environment I have "Overwrite" and "Update on Launch" enabled, so the inventory is refreshed (and stale hosts removed) at the start of every job that uses it; this is what lets a later template target a host that create_ec2 launched moments earlier.

Job Templates

All job templates should use the previously created EC2 inventory.

create_ec2

On the EC2 creation template, the AWS credential created above needs to be applied, as well as the following extra_vars with "Prompt on Launch" enabled. Defaults can be set here for ease of use.

instance_name:
instance_env:
aws_region:
aws_ssh_key:
aws_subnet:
aws_ami:
aws_sec_groups:
# Supply as YAML list!
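A play shaped to consume these prompted variables, as an added example rather than the repository's own create_ec2 play. It assumes the amazon.aws.ec2_instance module, a t3.micro instance type and an Environment tag for instance_env, none of which the README specifies. The first task enforces the YAML-list requirement on aws_sec_groups before anything is created, and the last task prints the public DNS name that the configure_ec2 Limit prompt expects.

```yaml
# Added example for the create_ec2 template; not the repository's own play.
# Every variable referenced here arrives from the job template's prompted
# extra_vars. instance_type and the Environment tag are assumptions.
- name: Provision a RHEL instance in EC2
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Refuse to run unless aws_sec_groups was supplied as a YAML list
      ansible.builtin.assert:
        that:
          - aws_sec_groups is sequence
          - aws_sec_groups is not string   # a bare string also passes 'is sequence'
        fail_msg: "aws_sec_groups must be a YAML list of security group IDs, not a string"

    - name: Launch the instance
      amazon.aws.ec2_instance:
        region: "{{ aws_region }}"
        name: "{{ instance_name }}"          # becomes the Name tag
        image_id: "{{ aws_ami }}"
        instance_type: t3.micro              # assumption; the README does not fix a size
        key_name: "{{ aws_ssh_key }}"
        vpc_subnet_id: "{{ aws_subnet }}"
        security_groups: "{{ aws_sec_groups }}"
        network:
          assign_public_ip: true             # needed for the public DNS name used later
        tags:
          Environment: "{{ instance_env }}"  # assumption: tag name chosen for this example
        wait: true
        state: running
      register: ec2

    - name: Show the public DNS name to paste into the configure_ec2 Limit prompt
      ansible.builtin.debug:
        msg: "{{ ec2.instances | map(attribute='public_dns_name') | list }}"
```

Because the inventory has "Update on Launch" enabled, the next template run re-syncs from EC2 and picks up this host before its play starts; the DNS name printed here is what you enter as the Limit.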

configure_ec2

On the configuration template, apply the Machine and Subscription credentials. Also enable "Prompt on Launch" on the Limit field and, when launching, supply the public DNS name printed by the creation job so the play runs only against the new host.
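How the injected variables from the custom credential type above are consumed, as an added example rather than the repository's own configure_ec2 play. It assumes the community.general.redhat_subscription module; redhat_account, redhat_passphrase and redhat_pool are exactly the names the injector configuration defines. The host pattern is "all" because the prompted Limit narrows it to the one new instance.

```yaml
# Added example for the configure_ec2 template; not the repository's own play.
# The three redhat_* variables are injected by the Tower credential type.
- name: Register the new RHEL node with Red Hat
  hosts: all              # narrowed to the new host by the prompted Limit
  become: true            # uses the Machine credential's sudo escalation
  tasks:
    - name: Register and attach the subscription pool
      community.general.redhat_subscription:
        state: present
        username: "{{ redhat_account }}"
        password: "{{ redhat_passphrase }}"
        pool_ids:
          - "{{ redhat_pool }}"
      # Tower redacts fields marked secret, but no_log also keeps the module's
      # own arguments and return data out of the job output and the log files.
      no_log: true

    - name: Confirm the node now has a Red Hat identity
      ansible.builtin.command: subscription-manager identity
      changed_when: false

    - name: Make sure the repositories are reachable before later templates install packages
      ansible.builtin.dnf:
        update_cache: true
```

If registration fails, re-run with "all" still in the Limit but the verbosity raised; the no_log task will only report that it failed, which is the intended trade-off for not leaking the password or pool ID into the job history.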

deploy_apache and remove_apache

For the web server templates, the Machine credential needs to be applied, as well as enabling "Prompt on Launch" for Limit (same as the configuration template) and "Enable Privilege Escalation", since installing and managing httpd requires root via sudo.

destroy_ec2

This template runs a slimmed-down variant of the EC2 creation play. It needs the same AWS credential as create_ec2 and the following extra_vars with "Prompt on Launch" enabled.

aws_region:
instance_name:
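A terminate play matching this template's two prompted variables, as an added example rather than the repository's own destroy_ec2 play. It assumes amazon.aws.ec2_instance and that create_ec2 set the Name tag to instance_name. The instance-state-name filter is there so that an instance already terminated (EC2 keeps those visible for a while) is not matched and reported as changed again.

```yaml
# Added example for the destroy_ec2 template; not the repository's own play.
# aws_region and instance_name arrive from the prompted extra_vars.
- name: Terminate the instance created by create_ec2
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Terminate every live instance carrying the Name tag
      amazon.aws.ec2_instance:
        region: "{{ aws_region }}"
        state: absent
        filters:
          "tag:Name": "{{ instance_name }}"       # assumption: create_ec2 used instance_name as the Name tag
          instance-state-name:                    # skip instances already in 'terminated'
            - pending
            - running
            - stopping
            - stopped
        wait: true
      register: result

    - name: Report what was terminated
      ansible.builtin.debug:
        msg: "Terminated {{ result.terminate_success | default([]) | length }} instance(s) named {{ instance_name }}"
```

Because the inventory uses "Overwrite", the next job that syncs it drops the terminated host, so a stale entry cannot be targeted by a later Limit.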