Managing dynamic inventory in private subnets using bastion jump box

The title of post is quite large, but is something I encountered issues in the last weeks. I had a VPC in AWS, creating x amount of instances in a private network, and was quite complex to manage this instance using static inventory files. So I will explain you how to manage this problem with Ansible.
Before continue, I want to say these articles are really good and can help you with this issues.

• Dynamic inventory Ansible (behind a jumpbox / bastion )
• SSH jump hosts on CircleCI 2.0

So you will be asking, if these articles are so good, why are you writing them again? Easy, I’m doing this in Gitlab CI, and I suppose other CI will encounter similar issues. It’s not possible to connect to the instances using the instructions above.

First Step

We get our inventory in a dynamic way. For this we will use the inventory scripts.
We need to modify the ec2.ini file with uncommenting the vpc_destination_variable and set the value to private_ip_address
An example

# For server inside a VPC, using DNS names may not make sense. When an instance
# has 'subnet_id' set, this variable is used. If the subnet is public, setting
# this to 'ip_address' will return the public IP address. For instances in a
# private subnet, this should be set to 'private_ip_address', and Ansible must
# be run from within EC2. The key of an EC2 tag may optionally be used; however
# the boto instance variables hold precedence in the event of a collision.
# WARNING: - instances that are in the private vpc, _without_ public ip address
# will not be listed in the inventory until You set:
vpc_destination_variable = private_ip_address
#vpc_destination_variable = ip_address

Be sure to have your ansible.cfg, with the following line.

host_key_checking = False

This is useful, as we’re running this in a CI, we can’t hit enter to accept the connection in the terminal.
Then we begin working with our yml file. As I’m running this on a container, I need to create the .ssh directory and the config file. Here it’s important to add StrictHostKeyChecking=no If we don’t do this, this will fail in our CI, as we can’t hit enter. If you don’t included it and run it locally, it will work.

---
- name: Creates ssh directory
  file:
    path: ~/.ssh/
    state: directory


- name: Create ssh config file in local computer
  copy:
    dest: ~/.ssh/config
    content: |
       Host 10.*.*.*
       User ubuntu
       IdentityFile XXXXX.pem
       StrictHostKeyChecking=no
       ProxyCommand ssh -q -W %h:%p {{ lookup('env', 'IP') }}
       Host {{ lookup('env', 'IP') }}
       User ubuntu
       StrictHostKeyChecking=no
       IdentityFile XXXXX.pem
       ForwardAgent yes

And finally we test it running the ping command.

---
- name: test connection
  ping:

In case you need the code : https://github.com/DiegoTc/bastionansible