如何从 AWS 上的 ansible 动态库存返回私有 IP?

tag-icon tag-icon amazon-ec2 amazon-web-services ansible
如何从 AWS 上的 ansible 动态库存返回私有 IP?

无论我尝试什么,出于某种原因,当我使用 ansible 动态库存脚本 (ec2.py+ec2.ini) 运行 ansible ad-hoc 模块时,只会返回民众标签查询的 IP 并尝试通过 SSH 连接到民众目标的 IP。例如,如果我运行:

ansible -m ping tag_env_dev

然后,它尝试通过公共 IP 进行连接,尽管私有 IP 更可取(出于安全性、复杂性和成本原因)。我尝试在 ec2.ini 文件中调整以下选项:

regions = us-east-1 # to restrict to us-east-1 region
destination_variable = public_dns_name # I've also tried private_dns_name and private_ip_address, all of which still attempt to connect to the public IP of the destination instance(s)
vpc_destination_variable = ip_address # also tried private_ip_address

如果我运行./ec2.py --list --refresh-cache | grep -B 5 -A 5 "tag_env_dev",我会得到仅返回公共 IP 的结果:

"tag_env_dev": [
  "{{public ip here}}"
],

每次尝试后,我都会运行./ec2.py --list --refresh-cache以清除并重新生成缓存。然后我将重新运行ansible -m ping tag_env_dev(或类似操作),并且我会在 SSH 上收到与实例的公共 IP 地址的连接超时。

我已经确认我可以通过 SSH 直接进入“公共主机名”(在 VPC 内解析为私有 IP)和私有 IP,但不能直接进入公共 IP(如预期的那样)。所以这不是密钥身份验证问题。

我还获得了一个分配给该服务器的 IAM 角色,并具有执行这些操作的大量权限(例如,它对 ec2 和 vpc 具有只读权限)。

附加信息:

我正在从与测试目标位于同一 VPC 中的 ec2 实例运行 ansible。并且目标上的安全组配置为允许从其内部 CIDR 块范围进行 SSH。ansible 主机还具有 IAM 角色,足以发现目标的私有 IP

任何帮助将不胜感激。

答案1

这是 ec2.ini 的工作示例(使用 ansible 2.1 和 2.3.1 测试)

[ec2]
regions = us-east-1,us-west-2
regions_exclude =
destination_variable = private_ip_address
hostname_variable = peerio
vpc_destination_variable = private_ip_address
route53 = False
rds = False
elasticache = False
all_instances = False
#instance_states = pending, running, shutting-down, terminated, stopping, stopped
all_rds_instances = False
all_elasticache_replication_groups = False
all_elasticache_clusters = False
all_elasticache_nodes = False
cache_path = ~/.ansible/tmp
cache_max_age = 300
nested_groups = False
replace_dash_in_groups = True
expand_csv_tags = False
group_by_instance_id = True
group_by_region = True
group_by_availability_zone = True
group_by_ami_id = True
group_by_instance_type = True
group_by_key_pair = True
group_by_vpc_id = True
group_by_security_group = True
group_by_tag_keys = True
group_by_tag_none = True
group_by_route53_names = True
#pattern_include = staging-*
#pattern_exclude = staging-*
#instance_filters = instance-type=t1.micro,tag:env=staging
#only process items we tagged
instance_filters = tag:serviceclass=*
boto_profile = ansible

然后,应使用其私有 IP 作为标识符列出实例:

./ec2.py  --list 
{
  "_meta": {
    "hostvars": {
      "10.255.100.138": {
        "ansible_ssh_host": "10.255.100.138", 
        "ec2__in_monitoring_element": false, 
        "ec2_ami_launch_index": "0", 
...       "ec2_vpc_id": "vpc-57ed3733"
      }, 
      "10.255.100.142": {
        "ansible_ssh_host": "10.255.100.142", 
        "ec2__in_monitoring_element": false, 
...

答案2

在 ec2.ini 中,编辑此行:

vpc_destination_variable = ip_address

对此:

vpc_destination_variable = private_ip_address

来自 ec2.ini:

# For server inside a VPC, using DNS names may not make sense. When an instance
# has 'subnet_id' set, this variable is used. If the subnet is public, setting
# this to 'ip_address' will return the public IP address. For instances in a
# private subnet, this should be set to 'private_ip_address', and Ansible must
# be run from within EC2. The key of an EC2 tag may optionally be used; however
# the boto instance variables hold precedence in the event of a collision.
# WARNING: - instances that are in the private vpc, _without_ public ip address
# will not be listed in the inventory until You set:
# vpc_destination_variable = private_ip_address
vpc_destination_variable = ip_address

https://github.com/ansible/ansible/blob/devel/contrib/inventory/ec2.ini

相关内容