How can I remove an ec2_key from an instance with Ansible - amazon-ec2

I have an EC2 key pair which was used to provision an AMI. Now I want to remove the public key from the AMI. With ec2_key there is an option to provide the region, but I want to delete the key only from the AMI instance. Is there a way I can achieve this?
- name: Remove SSH key
  ec2_key:
    name: "{{ ec2_key_name }}"
    state: absent
    instance_ids: {{}}

I have deleted the key from an EC2 instance with the authorized_key module:
authorized_key:
  user: ubuntu
  state: absent
  key: "{{ ssh_public_key }}"
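A fuller version of that approach, as an added example that is not part of the original question or answer: it assumes the public half of the retired key pair is available locally as files/old_ec2_key.pub, the instances are in an inventory group named ec2_hosts, and ec2_key_name and region are defined in your vars.

```yaml
---
# Added example, not from the original thread. Assumes files/old_ec2_key.pub, the
# inventory group ec2_hosts, and the variables ec2_key_name and region.
- name: Revoke a retired EC2 key pair from running instances
  hosts: ec2_hosts
  become: yes
  vars:
    old_public_key: "{{ lookup('file', 'files/old_ec2_key.pub') }}"
  tasks:
    # The key pair is only copied into authorized_keys at first boot, so deleting it
    # in AWS does not revoke access; the line has to be removed on each instance.
    - name: Remove the old public key from the login user's authorized_keys
      authorized_key:
        user: ubuntu
        state: absent
        key: "{{ old_public_key }}"

    # Verify by searching for the base64 key body (the second field of the .pub line).
    - name: Verify the key is gone
      command: grep -F "{{ old_public_key.split(' ')[1] }}" /home/ubuntu/.ssh/authorized_keys
      register: leftover
      failed_when: leftover.rc == 0
      changed_when: false

- name: Delete the key pair record in AWS so it cannot be reused for new launches
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Remove the key pair from the region
      ec2_key:
        name: "{{ ec2_key_name }}"
        region: "{{ region }}"
        state: absent
```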

Related

How to extract individual ips of ec2 instances launch using ansible when count is more than 1

I am launching 2 AWS EC2 instances using Ansible with count: 2; please check the playbook below.
- name: Create an EC2 instance
  ec2:
    aws_access_key: "{{ access_key }}"
    aws_secret_key: "{{ key }}"
    key_name: "{{ keypair }}"
    region: "{{ region }}"
    group: "{{ security_group }}"
    instance_type: "{{ instance_type }}"
    image: "{{ image }}"
    wait: yes
    count: 2
    vpc_subnet_id: "{{ vpc_subnet_id }}"
    assign_public_ip: "{{ assign_public_ip }}"
  register: ec2
- name: Add the newly created 1 EC2 instance(s) to webserver group
  lineinfile: dest=inventory
              insertafter='^\[webserver\]$'
              line="{{ item.private_ip }} {{hoststring}}"
              state=present
  with_items: "{{ ec2.instances }}"
- name: add newly created remaining ec2 instance to db group
  lineinfile: dest=inventory
              insertafter='^\[db-server\]$'
              line="{{ item.private_ip }} {{hoststring}}"
              state=present
  with_items: "{{ ec2.instances }}"
Here I want to add one IP to the webserver host group and the remaining ones to the db host group, but it is not working with the above playbook. Please help me achieve this.
I don't want to use add_host here.
Since you are using AWS, have you considered using the aws_ec2 plugin for dynamic inventory?
As long as you are tagging your instances correctly and you set up the YAML file, it would do what you want.
Otherwise, your register: ec2 has two elements in it. The way you are looping through ec2 (if it worked) would add both to each group. You would need to add a when condition that matches something like the tag/subnet/CIDR to know which server to add to which group.
One way to see what the return value is would be to print out the ec2 variable:
- debug: var=ec2
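One way to apply that when condition, as an added example that is not part of the original answer: it reuses the ec2 result registered by the question's create task and the hoststring variable, and splits on the loop index (index_var needs Ansible 2.5 or later).

```yaml
# Added example, not from the original answer. Reuses the registered `ec2` result and the
# `hoststring` variable from the question; index_var requires Ansible 2.5+.
- name: Show what the registered result looks like (one element per launched instance)
  debug:
    var: ec2.instances

# The loop index separates the instances: index 0 goes to [webserver], the rest to
# [db-server]. Matching on a tag (e.g. item.tags.Name) instead of the index is more
# robust if the instance order ever matters to you.
- name: Add the first instance to the webserver group
  lineinfile:
    dest: inventory
    insertafter: '^\[webserver\]$'
    line: "{{ item.private_ip }} {{ hoststring }}"
    state: present
  loop: "{{ ec2.instances }}"
  loop_control:
    index_var: idx
  when: idx == 0

- name: Add the remaining instances to the db-server group
  lineinfile:
    dest: inventory
    insertafter: '^\[db-server\]$'
    line: "{{ item.private_ip }} {{ hoststring }}"
    state: present
  loop: "{{ ec2.instances }}"
  loop_control:
    index_var: idx
  when: idx > 0
```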

resize type of ec2 with ansible

I want to resize an EC2 instance type from Ansible.
This is my code:
- name: resize the instance
  ec2:
    aws_access_key: "{{ aws_access_key_var }}"
    aws_secret_key: "{{ aws_secret_key_var }}"
    region: "{{ region }}"
    instance_ids:
      - "{{ instance_id }}"
    instance_type: "{\"Value\": \"t2.small\"}"
    wait: True
  register: ec2_result_file
But I get this error:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "image parameter is required for new instance"}
When I try with the command line it all works:
aws ec2 modify-instance-attribute --region reg --instance-id i-xx --instance-type "{\"Value\": \"t2.small\"}"
Regards,
How to arrive at the solution:
Ansible tells you it wants to create "a new instance", but you already provided an existing instance ID.
Go to the docs for the ec2 module and check the argument in which you provided the ID of the current instance:
instance_ids: list of instance ids, currently used for states: absent, running, stopped
Check what state you specified: you did not, so it's the default.
Check in the same docs what the default for the state argument is: it is present.
present is not listed in the instance_ids description, so instance_ids is completely ignored.
Ansible thinks you really wanted to create a new instance.
Solution:
Add state: running to the ec2 module arguments.

Login to created Windows instance using Ansible

I am creating a Windows instance using Ansible. Once the instance is created I need to install IIS on that instance automatically.
How do I log in to the newly created instance automatically?
What parameters do I need to specify in the host (inventory) file to log in?
To connect to EC2 Windows instances you will first need to retrieve the password using the ec2_win_password module.
Example:
- ec2_win_password:
    instance_id: i-xxxxxxx
    region: us-west-2
    key_file: "/.ssh/yourPEM.pem"
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    security_token: "{{ session_token }}"
    key_passphrase: "1122355"
  register: result
- debug: msg="{{ result }}"
The result can be used as your ansible_password.
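The full flow from password retrieval to installing IIS, as an added example that is not part of the original answer: it assumes a win result registered by an earlier ec2 task that launched the Windows AMI, the same credential variables as above, and an AMI whose user data already enabled a WinRM HTTPS listener on port 5986.

```yaml
---
# Added example, not from the original answer. Assumes a `win` result registered by an
# earlier ec2 task, the credential variables used above, and a WinRM HTTPS listener
# enabled through user data on the AMI.
- name: Fetch the Windows password and register the host
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Decrypt the Administrator password with the launch key pair
      ec2_win_password:
        instance_id: "{{ win.instances[0].id }}"
        region: us-west-2
        key_file: ~/.ssh/yourPEM.pem
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        wait: yes            # the password only becomes available a few minutes after launch
        wait_timeout: 600
      register: win_pw
      no_log: true           # keep the decrypted password out of logs and -v output

    - name: Wait for the WinRM HTTPS listener
      wait_for:
        host: "{{ win.instances[0].public_ip }}"
        port: 5986
        timeout: 300

    - name: Add the instance to an in-memory group with WinRM connection variables
      add_host:
        name: "{{ win.instances[0].public_ip }}"
        groups: windows_servers
        ansible_user: Administrator
        ansible_password: "{{ win_pw.win_password }}"
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: ntlm
        # a fresh instance presents a self-signed listener certificate; install a
        # trusted one and drop this setting before using the host in production
        ansible_winrm_server_cert_validation: ignore
      no_log: true

- name: Install IIS on the new instance
  hosts: windows_servers
  tasks:
    - name: Install the Web-Server role
      win_feature:
        name: Web-Server
        state: present
        include_management_tools: yes
```

The same variables (ansible_user, ansible_password, ansible_connection, ansible_port, ansible_winrm_transport) are what you would put under the host in a static inventory file if you prefer not to use add_host.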

Allocate EC2 through Ansible

When creating an EC2 instance through Ansible, how do you specify the security group (this is for an Amazon VPC environment that is not the account default)? In my case, I am attempting to assign a security group (that currently exists) to my webserver EC2 instance that restricts traffic to only the traffic coming from the ELB that sits in front of it. If I try the following:
- name: Create webserver instance
  ec2:
    key_name: "{{ project_name }}-{{ env }}-key"
    image: "{{ image }}"
    instance_type: "{{ instance_type }}"
    instance_tags: '{"Name":"{{ project_name }}-{{ env }}-{{ webserver_name }}","Owner":"{{ project_name }}", "Type":"{{ webserver_name }}","Environment":"{{ env }}"}'
    region: "{{ aws_region }}"
    group: "{{ security_group_name }}"
    wait: true
  register: ec2
where {{ security_group_name }} is the 'Group Name' found in the AWS console, I receive the following error: 'Value () for parameter groupId is invalid. The value cannot be empty'
If I try the following:
- name: Create webserver instance
  ec2:
    key_name: "{{ project_name }}-{{ env }}-key"
    image: "{{ image }}"
    instance_type: "{{ instance_type }}"
    instance_tags: '{"Name":"{{ project_name }}-{{ env }}-{{ webserver_name }}","Owner":"{{ project_name }}", "Type":"{{ webserver_name }}","Environment":"{{ env }}"}'
    region: "{{ aws_region }}"
    group_id: "{{ security_group_id }}"
    wait: true
  register: ec2
where {{ security_group_id }} is the 'Group Id' found in the AWS console (such as sg-xxxxxx), I receive the same error. The Ansible documentation stated that 'group' and 'group_id' are for the specification of the security group (http://docs.ansible.com/ansible/ec2_module.html).
The only thing I can think of is that AWS cannot find the security group because I am creating it and it does not know the VPC to place it in or it is placing it in my default VPC and cannot find the security group as it is in a different VPC.
So, maybe a better question is, how do I specify the VPC for a particular EC2 instance (when I have multiple VPCs in a region)?
I receive the following error: 'Value () for parameter groupId is invalid. The value cannot be empty'
It sounds like those variables aren't defined; where are you defining them? Does it work when you don't use a variable, but put in the value directly?
So, maybe a better question is, how do I specify the VPC for a particular EC2 instance (when I have multiple VPCs in a region)?
The VPC is implied by other values, notably group/group_id and vpc_subnet_id.
One of the main advantages of using group_id instead of group is that you'll get an error if you accidentally use a subnet for the wrong VPC, whereas if you have security groups with the same names in multiple VPCs, using group and an incorrect vpc_subnet_id will successfully launch a machine in the wrong place.
There is no way to specify the VPC ID in your playbook. Instead you specify the vpc_subnet_id; AWS can figure out the VPC based on the subnet id. You are not specifying the subnet id, so AWS assumes that you want to launch it in EC2 Classic. Since the specified security group is not found in EC2 Classic, you are getting the not found or invalid error.
How to fix this? Find the id of the subnet where you want to launch the instance. Each VPC can have one or more public and/or private subnets. From the AWS dashboard, select the VPC service, which will list the subnets and VPCs. Find the subnet you want to launch in, and specify its id in the playbook:
vpc_subnet_id: subnet-29e63245
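Resolving both ids from the intended VPC before launching, as an added example that is not part of either answer: it assumes vpc_id and subnet_name variables, a security group named security_group_name in that VPC, and the ec2_vpc_subnet_info / ec2_group_info module names (Ansible 2.9+ or the amazon.aws collection; older releases call them ec2_vpc_subnet_facts / ec2_group_facts).

```yaml
# Added example, not from the original answers. Assumes `vpc_id`, `subnet_name` and
# `security_group_name` variables and Ansible 2.9+ module names.
- name: Find the subnet by name inside the intended VPC
  ec2_vpc_subnet_info:
    region: "{{ aws_region }}"
    filters:
      vpc-id: "{{ vpc_id }}"
      "tag:Name": "{{ subnet_name }}"
  register: subnet_info

- name: Find the security group by name inside the same VPC
  ec2_group_info:
    region: "{{ aws_region }}"
    filters:
      vpc-id: "{{ vpc_id }}"
      group-name: "{{ security_group_name }}"
  register: sg_info

# Group names are only unique per VPC, so an unfiltered lookup could return the
# like-named group of another VPC; fail here rather than launch in the wrong place.
- name: Fail early instead of launching into the wrong VPC
  assert:
    that:
      - subnet_info.subnets | length == 1
      - sg_info.security_groups | length == 1
    fail_msg: "subnet or security group not found (or ambiguous) in {{ vpc_id }}"

- name: Create webserver instance in that subnet with the resolved group id
  ec2:
    key_name: "{{ project_name }}-{{ env }}-key"
    image: "{{ image }}"
    instance_type: "{{ instance_type }}"
    region: "{{ aws_region }}"
    vpc_subnet_id: "{{ subnet_info.subnets[0].subnet_id }}"
    group_id: "{{ sg_info.security_groups[0].group_id }}"
    wait: true
  register: ec2
```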

Ansible Amazon EC2. The key pair does not exist

I would like to create and provision Amazon EC2 machines with the help of Ansible.
Right now I get the following error:
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Instance creation failed => InvalidKeyPair.NotFound: The key pair '~/.keys/EC2-Kibi-Enterprise-Deployment.pem' does not exist"}
But the .pem key exists:
$ ls -lh ~/.keys/EC2-Kibi-Enterprise-Deployment.pem
-r-------- 1 sergey sergey 1.7K Apr 6 09:56 /home/sergey/.keys/EC2-Kibi-Enterprise-Deployment.pem
And it was created in EU (Ireland) region.
Here is my playbook:
---
- name: Setup servers on Amazon EC2 machines
  hosts: localhost
  gather_facts: no
  tasks:
    - include_vars: group_vars/all/ec2_vars.yml
    ### Create Amazon EC2 instances
    - name: Amazon EC2 | Create instances
      ec2:
        count: "{{ count }}"
        key_name: "{{ key }}"
        region: "{{ region }}"
        zone: "{{ zone }}"
        group: "{{ group }}"
        instance_type: "{{ machine }}"
        image: "{{ image }}"
        wait: true
        wait_timeout: 500
        #vpc_subnet_id: "{{ subnet }}"
        #assign_public_ip: yes
      register: ec2
    - name: Amazon EC2 | Wait for SSH to come up
      wait_for:
        host: "{{ item.public_ip }}"
        port: 22
        delay: 10
        timeout: 60
        state: started
      with_items: "{{ ec2.instances }}"
    - name: Amazon EC2 | Add hosts to the kibi_servers in-memory inventory group
      add_host: hostname={{ item.public_ip }} groupname=kibi_servers
      with_items: "{{ ec2.instances }}"
    ### END
### Provision roles
- name: Amazon EC2 | Provision new instances
  hosts: kibi_servers
  become: yes
  roles:
    - common
    - java
    - elasticsearch
    - logstash
    - nginx
    - kibi
    - supervisor
### END
And my var file:
count: 2
region: eu-west-1
zone: eu-west-1a
group: default
image: ami-d1ec01a6
machine: t2.medium
subnet: subnet-3a2aa952
key: ~/.keys/EC2-Kibi-Enterprise-Deployment.pem
What is wrong with the .pem file here?
The key parameter for the ec2 module is looking for the name of a key pair that has already been uploaded to AWS, not a local key file.
If you want Ansible to upload a public key, you can use the ec2_key module.
So your playbook would look like this:
---
- name: Setup servers on Amazon EC2 machines
  hosts: localhost
  gather_facts: no
  tasks:
    - include_vars: group_vars/all/ec2_vars.yml
    ### Create Amazon EC2 key pair
    - name: Amazon EC2 | Create Key Pair
      ec2_key:
        name: "{{ key_name }}"
        region: "{{ region }}"
        key_material: "{{ item }}"
      with_file: /path/to/public_key.id_rsa.pub
    ### Create Amazon EC2 instances
    - name: Amazon EC2 | Create instances
      ec2:
        count: "{{ count }}"
        key_name: "{{ key_name }}"
        ...
Do not specify an extension for the key, so the key name should be "EC2-Kibi-Enterprise-Deployment" only. Ansible doesn't care whether your key is on your local machine at this stage; it verifies that it exists in your AWS account. Go to the 'EC2 > Key Pairs' section of your AWS account and you'll see the keys are listed without file extensions.
The solution has been found. EC2 doesn't like it when you put a full path for the .pem key file.
So, I moved EC2-Kibi-Enterprise-Deployment.pem into ~/.ssh and added it to the authentication agent with ssh-add:
ssh-add ~/.ssh/EC2-Kibi-Enterprise-Deployment.pem
And I corrected the key line in my var file to key: EC2-Kibi-Enterprise-Deployment.pem
The same applies if you use the EC2 CLI tools: don't specify a full path to the key file.
ec2-run-instances ami-d1ec01a6 -t t2.medium --region eu-west-1 --key EC2-Kibi-Enterprise-Deployment.pem
When providing the key in a variable, don't give the file extension (.pem), just the file name.
For example: if akshay.pem is my key, then in the vars file just provide akshay as the key.