disable public ip of GCE vm in ansible playbook - ansible

I have an ansible playbook for GCE VM creation. This playbook launches a GCE VM with a public IP address.
How do I launch my GCE VM without a public IP address?
I'm new to ansible.

I suppose you are using the GCE Ansible module for VM creation. According to the GCE module documentation, the module has a parameter named external_ip. Set it to none if you don't want any public IP address assigned to your VM.
external_ip:
type of external ip, ephemeral by default; alternatively, a fixed gce ip or ip name can be given. Specify 'none' if no external ip is desired.
Example:
- gce:
    instance_names: my-test-instance1
    zone: us-central1-a
    machine_type: n1-standard-1
    external_ip: none
    image: debian-8
    state: present
    service_account_email: "your-sa@your-project-name.iam.gserviceaccount.com"
    credentials_file: "/path/to/your-key.json"
    project_id: "your-project-name"
    disk_size: 32

Related

Is it possible to write an ansible playbook that can tell me if my ec2 instance has a security group that opens a port?

I would like to write an ansible playbook that will tell me if my ec2 instances have a security group that contains a rule that allows ingress on a specified port. I have seen answers like Test if a server is reachable from host and has port open with Ansible where one would have this in the playbook:
- hosts: target.host
  tasks:
    - wait_for: host=remote.host port=8080 timeout=1
    - debug: msg=ok
But that tells me if something is listening on port 8080 on the remote host. In my circumstance there will be no process listening because the service has not yet been installed.
You could try using the aws ec2 module to get Network ACLs and apply a filter to get the ones you're after. Using tags could also be an easy method to filter the resources for your playbook. This code is untested, and you'd need to parse the response into your playbook to get the information you're after. It's basically a starting point. Check this link for further info.
# Retrieve Port 8080 Network ACLs
- name: Get Port 8080 NACLs
  community.aws.ec2_vpc_nacl_info:
    region: us-west-2
    filters:
      'entry.port-range.from': 8080
      'entry.port-range.to': 8080
  register: port_8080_nacls
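An added example (not part of the answer above) that does the parsing the answer leaves to the reader, but against security groups rather than NACLs, since that is what the question asks about: it collects the groups attached to running instances, walks each ingress rule, and records every group whose rule range covers the checked port. The region, the port and the fail_if_open switch are assumed values; override them with -e.

```yaml
# Added example: find EC2 security groups attached to running instances that
# allow ingress on a given port. region/check_port/fail_if_open are assumptions.
- name: Report security groups that open a port to ingress
  hosts: localhost
  gather_facts: false
  vars:
    region: us-west-2
    check_port: 8080
    fail_if_open: false
  tasks:
    - name: Gather running instances in the region
      amazon.aws.ec2_instance_info:
        region: "{{ region }}"
        filters:
          instance-state-name: running
      register: instances

    - name: Gather the security groups attached to those instances
      amazon.aws.ec2_security_group_info:
        region: "{{ region }}"
        filters:
          group-id: "{{ instances.instances | map(attribute='security_groups')
                        | flatten | map(attribute='group_id') | unique | list }}"
      register: sgs

    # subelements yields [group, rule] pairs; an all-protocol rule (-1) has no
    # port range, so it is treated as covering the port.
    - name: Record groups with an ingress rule covering the port
      set_fact:
        open_groups: "{{ open_groups | default([]) + [ {'group_id': item.0.group_id,
                          'cidrs': item.1.ip_ranges | map(attribute='cidr_ip') | list} ] }}"
      loop: "{{ sgs.security_groups | subelements('ip_permissions') }}"
      loop_control:
        label: "{{ item.0.group_id }}"
      when: >-
        item.1.ip_protocol == '-1' or
        (item.1.from_port is defined and
         item.1.from_port | int <= check_port | int and
         item.1.to_port | int >= check_port | int)

    - name: Show which groups expose the port and from where
      debug:
        msg: "Port {{ check_port }} ingress allowed by: {{ open_groups | default([]) }}"

    - name: Optionally fail the play when the port is reachable from anywhere
      assert:
        that: open_groups | default([]) | selectattr('cidrs', 'contains', '0.0.0.0/0') | list | length == 0
        fail_msg: "Port {{ check_port }} is open to 0.0.0.0/0 in at least one attached group"
      when: fail_if_open | bool
```

The last task turns the report into a gate for CI or pre-deploy checks; drop fail_if_open=true when you only want the listing.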

force Static IP on VM creation

I have an ansible script that connects to my vCenter and builds out a VM. This works great assuming the network it will be built on has DHCP enabled. I am building mostly CentOS 7 VMs on a network that does not have DHCP enabled, meaning static IPs. The VM gets built, but then I am stuck logging into each VM manually and assigning the IP.
How can I tell CentOS to use a specific IP?
I am familiar with kickstart, but not sure how to trigger the install to pick up a ks file. (I know I can create a custom ISO, but I don't want to create a custom ISO for each VM I build.)
I have tried using the following flags on the ansible vmware_guest module, but no luck.
Any suggestions?
vmware_guest:
  network:
    type: static
    ip: 192.168.1.5
    mask: 255.255.255.0
    gateway: 192.168.1.1
Please try using netmask instead of mask.
vmware_guest:
  networks:            # the module takes a list of NIC definitions
    - name: "{{ network_name }}"
      type: static
      ip: 192.168.1.5
      netmask: 255.255.255.0
      gateway: 192.168.1.1

Unable to access internet from Private subnet | Error: Cannot find a valid baseurl

I am trying to use a NAT Instance rather than a NAT Gateway; I am also not using any Community AMIs for the NAT Instance configuration.
I am trying to do a yum update from my private but I am thrown the following error: Cannot find a valid baseurl for repo: amzn-main/latest
My AWS stack is as follows:
VPC: A VPC VPC1 with an Internet Gateway IGW1 attached.
Subnets: Two subnets - public in us-east-1a and private in us-east-1b.
Public subnet: Subnet1.1-1a has Route table [Public-IGW-1 with local and IGW1 - 0.0.0.0/0].
Private subnet: Subnet1.2-1b has Route table [Private-1 with local and NAT instance NAT EC2 1- 0.0.0.0/0].
Route tables:
Private-1 has routes local and NAT EC2 1 instance - 0.0.0.0/0.
Public-IGW-1 has routes local and IGW1 - 0.0.0.0/0.
Security groups: Subnet-1.1-1a-Public from us-east-1a in VPC1 has SSH MyIP and HTTP with anywhere.
Subnet1.1-1a-Private from us-east-1b (have to rename; else deceiving) in VPC1 has inbound 22 - anywhere.
Instances:
NAT EC2 1 lives in Subnet1.1-1a of VPC1 with Security group NAT SG inbound 80 - anywhere 22. Private instance has SG - 22 - anywhere. Public instance has SG - 22 - MyIP and 80 - anywhere.
I copied my keypair into the public instance with scp and ssh-ed into the private instance with ssh -i keypair ec2-user@private-ip-addr. When I do a sudo yum update the error cannot find a valid baseurl is shown.
I have made sure that NACL is allowing all traffic.
I figured it out. The NAT Instance and the Public Instance have to be in the same security groups.

Ansible connect to jump machine through VPN?

I was wondering if it were possible to tell Ansible to set up a VPN connection before executing the rest of the playbook. I've googled around, but haven't seen much on this.
You could combine a local playbook to setup a VPN and a playbook to run your tasks against a server.
Depending on what the job is, you can use ansible or a shell script to connect the VPN. Maybe there should be another playbook to disconnect afterwards.
As a result you will have three playbooks and one to combine them via include:
- include: connect_vpn.yml
- include: do_stuff.yml
- include: disconnect_vpn.yml
Check How To Use Ansible and Tinc VPN to Secure Your Server Infrastructure.
Basically, you need to install the thisismitch/ansible-tinc playbook and create a hosts inventory file with the nodes that you want to include in the VPN, for example:
[vpn]
prod01 vpn_ip=10.0.0.1 ansible_host=162.243.125.98
prod02 vpn_ip=10.0.0.2 ansible_host=162.243.243.235
prod03 vpn_ip=10.0.0.3 ansible_host=162.243.249.86
prod04 vpn_ip=10.0.0.4 ansible_host=162.243.252.151
[removevpn]
Then you should review the contents of the /group_vars/all file such as:
---
netname: nyc3
physical_ip: "{{ ansible_eth1.ipv4.address }}"
vpn_interface: tun0
vpn_netmask: 255.255.255.0
vpn_subnet_cidr_netmask: 32
where:
physical_ip is the IP address which you want tinc to bind to;
vpn_netmask is the netmask that will be applied to the VPN interface.
If you're using Amazon Web Services, check out the ec2_vpc_vpn module which can create, modify, and delete VPN connections. It uses the boto3/botocore library.
For example:
- name: create a VPN connection
  ec2_vpc_vpn:
    state: present
    vpn_gateway_id: vgw-XXXXXXXX
    customer_gateway_id: cgw-XXXXXXXX
- name: delete a connection
  ec2_vpc_vpn:
    vpn_connection_id: vpn-XXXXXXXX
    state: absent
For other cloud services, check the list of Ansible Cloud Modules.

Test Kitchen (chefdk), Vagrant and Amazon VPC

I'm trying to get KitchenCI to build test instances inside my Amazon VPC. I have this working, however when Vagrant goes to attempt to connect to the ec2 instance, it uses the instance's external (public) IP vs its internal (VPC) IP. Is there any way to change this in Vagrant?
.kitchen.yml:
---
provisioner:
  name: chef_solo
platforms:
  - name: centos-6.5
    driver:
      name: vagrant
  - name: amazon
    driver:
      name: ec2
      image_id: ami-ed8e9284
      flavor_id: t2.medium
      aws_ssh_key_id: DevOps
      ssh_key: /Users/djimenez/.ssh/devops_rsa.pub
      availability_zone: us-east-1a
      subnet_id: subnet-1903a976
      require_chef_omnibus: true
      iam_profile_name: atc
      ebs_delete_on_termination: true
      security_group_ids: sg-7461ae1b
suites:
  <snip>
Looks like I needed to add the following to my .kitchen.yml:
driver:
  name: ec2
  interface: private
The docs say:
interface
The place from which to derive the hostname for communicating with the
instance. May be dns, public or private. If this is unset, the driver
will derive the hostname by falling back in the following order:
DNS Name
Public IP Address
Private IP Address
The default is unset.