---
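- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # Security group for the bastions. Only inbound SSH is declared; no egress
    # rules are given here, so whatever the module applies by default is used.
    # The inbound source is taken from bastion_ssh_allowed_cidrs (a string or
    # list of CIDRs); it defaults to 0.0.0.0/0 to keep the previous behaviour,
    # which exposes port 22 to the whole internet and leaves authentication to
    # the key pair named in training_node_ssh_key_name. Set the variable to the
    # operators' address ranges wherever they are known.
    - name: Security group SSH into bastion host
      amazon.aws.ec2_group:
        name: COmanage Training SSH bastion
        tags:
          Name: comanage_training_ssh_bastion
          tier: all
        description: COmanage Training SSH bastion
        vpc_id: "{{ comanage_training_vpc.vpc.id }}"
        region: "{{ comanage_training_region }}"
        rules:
          - proto: tcp
            ports: 22
            cidr_ip: "{{ bastion_ssh_allowed_cidrs | default('0.0.0.0/0') }}"
            rule_desc: SSH from anywhere
      register: bastion_ssh_security_group

    # For each public subnet, build a bastion host
    - name: Provision SSH bastion hosts
      # NOTE(review): the legacy amazon.aws.ec2 module is deprecated in newer
      # amazon.aws releases in favour of amazon.aws.ec2_instance; pin the
      # collection version this playbook was written against until migrated.
      amazon.aws.ec2:
        key_name: "{{ training_node_ssh_key_name }}"
        group_id: "{{ bastion_ssh_security_group.group_id }}"
        instance_type: "{{ ssh_bastion_instance_type }}"
        image: "{{ ssh_bastion_ami_id }}"
        wait: true
        region: "{{ comanage_training_region }}"
        # A public address is required: the CNAME and add_host tasks below use
        # the instance's public DNS name.
        assign_public_ip: true
        instance_initiated_shutdown_behavior: stop
        monitoring: false
        vpc_subnet_id: "{{ item.subnet.id }}"
        private_ip: "{{ item.item.value.bastion_ip }}"
        volumes:
          - device_name: "{{ ssh_bastion_device_name }}"
            volume_type: "{{ ssh_bastion_volume_type }}"
            volume_size: "{{ ssh_bastion_volume_size }}"
            delete_on_termination: true
        instance_tags:
          Name: "comanage_training_{{ item.item.value.bastion_hostname }}"
          public_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
          # NOTE(review): private_fqdn is built from the same domain as
          # public_fqdn, so both tags carry the same value -- confirm intended.
          private_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
          # Tag values are strings; quoted so YAML does not read it as a boolean.
          comanage_training: "True"
          role: bastion
        # exact_count + count_tag keep the task idempotent: one instance per Name tag.
        count_tag:
          Name: "comanage_training_{{ item.item.value.bastion_hostname }}"
        exact_count: 1
      register: bastion
      loop: "{{ subnet_public.results }}"

    - name: List EC2 instance ID information
      ansible.builtin.debug:
        msg: "{{ item.tagged_instances[0].id }}"
      loop: "{{ bastion.results }}"

    # Public DNS record for each bastion, pointing at its EC2 public DNS name.
    - name: Create CNAME entries for bastion hosts
      community.aws.route53:
        state: present
        zone: "{{ r53_hosted_zone }}"
        record: "{{ item.tagged_instances[0].tags.public_fqdn }}"
        value: "{{ item.tagged_instances[0].public_dns_name }}"
        type: CNAME
        ttl: 30
        overwrite: true
        wait: false
      loop: "{{ bastion.results }}"

    # In-memory inventory group consumed by the second play.
    - name: Build Ansible inventory host group of bastions
      ansible.builtin.add_host:
        name: "{{ item.tagged_instances[0].public_dns_name }}"
        groups: ssh_bastion_hosts
      loop: "{{ bastion.results }}"

    - name: Build ssh_config from bastion host list
      ansible.builtin.template:
        src: ssh_config.j2
        dest: ssh_config
        backup: false

    # Accumulates each bastion's private IP as a /32 for later use.
    - name: Build bastion_internal_ip from bastion host list
      ansible.builtin.set_fact:
        bastion_internal_ip: "{{ bastion_internal_ip | default([]) + [item.tagged_instances[0].private_ip + '/32']}}"
      loop: "{{ bastion.results }}"

    - name: Wait for SSH to come up on SSH bastion hosts
      ansible.builtin.wait_for_connection:
        timeout: 300
      delegate_to: "{{ item.tagged_instances[0].public_dns_name }}"
      register: bastion_ssh_connections
      loop: "{{ bastion.results }}"

    - name: Pause two minutes for bastion nodes to come up
      ansible.builtin.pause:
        minutes: 2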
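# Now provision inside all of the bastion hosts
- hosts: ssh_bastion_hosts
  become: true
  gather_facts: true
  # Run in parallel
  strategy: free
  tasks:
    - ansible.builtin.import_role:
        # Refer to the file roles/common/tasks/main.yml
        name: common

    # Adds (or replaces) a single prepend domain-search line so the training
    # DNS domain is searched by default on the bastion.
    - name: Configure DHCP to set domain search
      ansible.builtin.lineinfile:
        path: /etc/dhcp/dhclient.conf
        regexp: "^prepend domain-search"
        line: "prepend domain-search \"{{ r53_dns_domain }}\";"
      register: bastion_domain_config

    # Reboot only when the DHCP client config actually changed.
    - name: Reboot bastion host
      ansible.builtin.reboot:
      when: bastion_domain_config.changed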