
Managing dynamic inventory in private subnets using bastion jump box

The title of this post is quite long, but it describes something I ran into over the last few weeks. I had a VPC in AWS that creates some number of instances in a private subnet, and managing those instances with static inventory files was quite cumbersome. So I will explain how to handle this with Ansible.
Before continuing, I want to say that these articles are really good and can help you with this issue.
So you may be asking: if these articles are so good, why write about it again? Easy: I'm doing this in GitLab CI, and I suppose other CI systems will hit similar issues. With the instructions above as they stand, it's not possible to connect to the instances from the CI job.

First Step

We get our inventory dynamically. For this we use the EC2 inventory script (ec2.py together with its ec2.ini).
We need to edit ec2.ini, uncommenting vpc_destination_variable and setting it to private_ip_address, so that instances in the private subnet are listed by the address that is reachable from inside the VPC rather than by a public name they do not have. (ec2.py is the legacy inventory script; current Ansible releases ship the amazon.aws.aws_ec2 inventory plugin, where the equivalent setting is compose: ansible_host: private_ip_address.)
An example:
# For server inside a VPC, using DNS names may not make sense. When an instance
# has 'subnet_id' set, this variable is used. If the subnet is public, setting
# this to 'ip_address' will return the public IP address. For instances in a
# private subnet, this should be set to 'private_ip_address', and Ansible must
# be run from within EC2. The key of an EC2 tag may optionally be used; however
# the boto instance variables hold precedence in the event of a collision.
# WARNING: - instances that are in the private vpc, _without_ public ip address
# will not be listed in the inventory until You set:
vpc_destination_variable = private_ip_address
#vpc_destination_variable = ip_address
Be sure your ansible.cfg has the following line under [defaults].
host_key_checking = False
This is useful because we're running in CI and nobody can press Enter to accept a new host key in a terminal. The trade-off is that Ansible then trusts whatever host key the bastion's public IP presents, so anyone who can redirect that traffic can impersonate the bastion and sit in the middle of the session. The safer option is to leave host key checking on and pre-seed the job's known_hosts with the bastion's host key, obtained out of band (for example from the instance's console output when it was launched).
Then we start on our YAML file. As I'm running this in a container, I need to create the .ssh directory and the SSH config file. It's important to add StrictHostKeyChecking=no here; without it the job fails in CI because nobody can press Enter. If you leave it out and run locally, it works. Two notes on the config below: ProxyCommand ssh -W opens a plain TCP forward through the bastion, so the private host authenticates with your key directly and ForwardAgent yes is not needed (forwarding your agent to the bastion lets anyone with root on the bastion use your keys for as long as you are connected); and the same host-key caveat as above applies to both Host entries. Ansible can also take these options per host through the ansible_ssh_common_args variable instead of a config file, which keeps the CI job from writing into ~/.ssh at all.
---
- name: Creates ssh directory
  file:
    path: ~/.ssh/
    state: directory
    mode: '0700'   # ssh expects ~/.ssh to be private to the user


- name: Create ssh config file in local computer
  copy:
    dest: ~/.ssh/config
    mode: '0600'   # ssh refuses a config file that other users can write to
    content: |
       # Private-subnet hosts: reached through the bastion with a TCP forward (-W)
       Host 10.*.*.*
       User ubuntu
       IdentityFile XXXXX.pem
       StrictHostKeyChecking=no
       ProxyCommand ssh -q -W %h:%p {{ lookup('env', 'IP') }}
       # The bastion itself: its public IP comes from the IP variable of the CI job
       Host {{ lookup('env', 'IP') }}
       User ubuntu
       StrictHostKeyChecking=no
       IdentityFile XXXXX.pem
       ForwardAgent yes

And finally we test it with the ping module, which checks that Ansible can SSH to each inventory host and run Python there (it does not send ICMP).
---
- name: test connection
  ping:

In case you need the code: https://github.com/DiegoTc/bastionansible
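The following is an added example, not code from the post or its repository, showing how the same SSH setup can be generated in a CI job without StrictHostKeyChecking=no: the bastion's host key is pinned from a value obtained out of band, the private hosts are reached with ProxyJump (the OpenSSH 7.3+ equivalent of ProxyCommand ssh -W) and agent forwarding stays off. The function names, the BASTION_HOST_KEY variable and the deploy.pem path are assumptions; the 10.*.*.* pattern and the ubuntu user are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the SSH config and
# known_hosts a CI job needs to reach private-subnet hosts via the bastion
# with host-key checking left on. Function and variable names are assumptions.
set -eu

# write_ssh_config DIR BASTION_IP KEY_FILE [PRIVATE_GLOB]
#   DIR          directory used as ~/.ssh (a job-local temp dir works too)
#   BASTION_IP   public IP of the bastion (what the post reads from $IP)
#   KEY_FILE     private key used for both the bastion and the private hosts
#   PRIVATE_GLOB ssh_config pattern for the private range, default 10.*.*.*
write_ssh_config() {
  local ssh_dir bastion_ip key_file private_glob
  ssh_dir=$1; bastion_ip=$2; key_file=$3; private_glob=${4:-10.*.*.*}
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  cat > "$ssh_dir/config" <<EOF
Host $private_glob
    User ubuntu
    IdentityFile $key_file
    # Same as "ProxyCommand ssh -W %h:%p bastion", in the OpenSSH 7.3+ form
    ProxyJump bastion
    UserKnownHostsFile $ssh_dir/known_hosts
    # Private hosts are ephemeral and only reachable through the pinned bastion:
    # accept their key on first contact, still fail if it changes (OpenSSH 7.6+)
    StrictHostKeyChecking accept-new

Host bastion
    HostName $bastion_ip
    User ubuntu
    IdentityFile $key_file
    UserKnownHostsFile $ssh_dir/known_hosts
    # The bastion is the hop exposed to the Internet: only the pre-seeded key is accepted
    StrictHostKeyChecking yes
    # ProxyJump authenticates to the private host with IdentityFile directly,
    # so the bastion never needs access to an agent
    ForwardAgent no
EOF
  chmod 600 "$ssh_dir/config"
}

# write_known_hosts DIR BASTION_IP HOST_KEY
#   HOST_KEY is the bastion's public host key ("<type> <base64>") obtained out
#   of band, e.g. from the instance console output or a protected CI variable.
write_known_hosts() {
  local ssh_dir bastion_ip host_key
  ssh_dir=$1; bastion_ip=$2; host_key=$3
  # Only accept a well-formed key line; anything else is a misconfigured job
  case $host_key in
    "ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ssh-rsa "*) ;;
    *) echo "refusing unexpected host key: $host_key" >&2; return 1 ;;
  esac
  mkdir -p "$ssh_dir"
  printf '%s %s\n' "$bastion_ip" "$host_key" > "$ssh_dir/known_hosts"
  chmod 600 "$ssh_dir/known_hosts"
}

# Usage in a CI job (paths and variable names are placeholders):
#   write_ssh_config "$HOME/.ssh" "$IP" "$PWD/deploy.pem"
#   write_known_hosts "$HOME/.ssh" "$IP" "$BASTION_HOST_KEY"
#   ansible -i ec2.py -m ping all
```

With this in place the host_key_checking = False line in ansible.cfg and the StrictHostKeyChecking=no entries become unnecessary: a job that reaches a bastion presenting a different key fails instead of silently talking to whatever answered on that IP.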
