comanage-registry-training-ansible/ssh_bastion.yml
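---
# Play 1 (control node): create the bastion security group, launch one
# bastion EC2 instance per public subnet, publish DNS records for them and
# build the in-memory inventory group that the second play targets.
#
# Inputs (expected to be defined elsewhere in the project's vars):
#   comanage_training_vpc, comanage_training_region, subnet_public,
#   training_node_ssh_key_name, ssh_bastion_instance_type, ssh_bastion_ami_id,
#   ssh_bastion_device_name, ssh_bastion_volume_type, ssh_bastion_volume_size,
#   r53_dns_domain, r53_hosted_zone.
# Optional: ssh_bastion_allowed_cidr (source CIDR permitted to reach port 22;
#   defaults to the historical 0.0.0.0/0 so existing inventories keep working).
# Outputs: registered vars bastion_ssh_security_group, bastion,
#   bastion_ssh_connections; fact bastion_internal_ip; group ssh_bastion_hosts;
#   local file ssh_config.
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Security group SSH into bastion host
      amazon.aws.ec2_group:
        name: COmanage Training SSH bastion
        tags:
          Name: comanage_training_ssh_bastion
          tier: all
        description: COmanage Training SSH bastion
        vpc_id: "{{ comanage_training_vpc.vpc.id }}"
        region: "{{ comanage_training_region }}"
        rules:
          - proto: tcp
            ports: 22
            # Source range allowed to open SSH to the bastions. The default
            # preserves the original world-open rule; set
            # ssh_bastion_allowed_cidr to the trainer/office range to limit
            # exposure of port 22. rule_desc is left unchanged so an
            # existing group's rule is not rewritten on every run.
            cidr_ip: "{{ ssh_bastion_allowed_cidr | default('0.0.0.0/0') }}"
            rule_desc: SSH from anywhere
      register: bastion_ssh_security_group

    # For each public subnet, build a bastion host
    - name: Provision SSH bastion hosts
      amazon.aws.ec2_instance:
        key_name: "{{ training_node_ssh_key_name }}"
        security_group: "{{ bastion_ssh_security_group.group_id }}"
        instance_type: "{{ ssh_bastion_instance_type }}"
        image_id: "{{ ssh_bastion_ami_id }}"
        wait: true
        region: "{{ comanage_training_region }}"
        network:
          assign_public_ip: true
          # item is one result of the earlier subnet task; item.item.value is
          # presumably the per-subnet definition it looped over — confirm
          # against the play that registers subnet_public.
          private_ip: "{{ item.item.value.bastion_ip }}"
        instance_initiated_shutdown_behavior: stop
        detailed_monitoring: false
        vpc_subnet_id: "{{ item.subnet.id }}"
        volumes:
          - device_name: "{{ ssh_bastion_device_name }}"
            ebs:
              volume_type: "{{ ssh_bastion_volume_type }}"
              volume_size: "{{ ssh_bastion_volume_size }}"
              delete_on_termination: true
        tags:
          Name: "comanage_training_{{ item.item.value.bastion_hostname }}"
          public_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
          # NOTE(review): private_fqdn is given the same value as public_fqdn;
          # confirm that is intended.
          private_fqdn: "{{ item.item.value.bastion_hostname }}.{{ r53_dns_domain }}"
          comanage_training: true
          role: bastion
        # One instance per subnet, matched by the tags above.
        exact_count: 1
      register: bastion
      loop: "{{ subnet_public.results }}"

    - name: List EC2 instance ID information
      ansible.builtin.debug:
        msg: "{{ item.instances[0].instance_id }}"
      loop: "{{ bastion.results }}"

    - name: Create CNAME entries for bastion hosts
      community.aws.route53:
        state: present
        zone: "{{ r53_hosted_zone }}"
        record: "{{ item.instances[0].tags.public_fqdn }}"
        value: "{{ item.instances[0].public_dns_name }}"
        type: CNAME
        ttl: 30
        overwrite: true
        wait: false
      loop: "{{ bastion.results }}"

    # The group name here is what the second play's `hosts:` refers to.
    - name: Build Ansible inventory host group of bastions
      ansible.builtin.add_host:
        name: "{{ item.instances[0].public_dns_name }}"
        groups: ssh_bastion_hosts
      loop: "{{ bastion.results }}"

    - name: Build ssh_config from bastion host list
      ansible.builtin.template:
        src: ssh_config.j2
        dest: ssh_config
        backup: false

    # Accumulates each bastion's private address as a /32 so later plays can
    # allow only the bastions through internal security groups.
    - name: Build bastion_internal_ip from bastion host list
      ansible.builtin.set_fact:
        bastion_internal_ip: "{{ bastion_internal_ip | default([]) + [item.instances[0].private_ip_address + '/32']}}"
      loop: "{{ bastion.results }}"

    - name: Wait for SSH to come up on SSH bastion hosts
      delegate_to: "{{ item.instances[0].public_dns_name }}"
      ansible.builtin.wait_for_connection:
        timeout: 300
      register: bastion_ssh_connections
      loop: "{{ bastion.results }}"

    - name: Pause two minutes for bastion nodes to come up
      ansible.builtin.pause:
        minutes: 2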
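# Now provision inside all of the bastion hosts
# Play 2 (runs on every bastion built above): apply the common role, point
# DNS search at the training domain via dhclient and systemd-resolved, and
# reboot only when the dhclient change requires it.
- hosts: ssh_bastion_hosts
  become: true
  gather_facts: true
  # Run in parallel
  strategy: free
  tasks:
    - ansible.builtin.import_role:
        # Refer to the file roles/common/tasks/main.yml
        name: common

    - name: Configure DHCP to set domain search
      ansible.builtin.lineinfile:
        path: /etc/dhcp/dhclient.conf
        regexp: "^prepend domain-search"
        line: "prepend domain-search \"{{ r53_dns_domain }}\";"
      # Only this change triggers the reboot at the end of the play.
      register: bastion_domain_config

    - name: Configure systemd-resolved service
      ansible.builtin.blockinfile:
        path: /etc/systemd/resolved.conf
        block: |
          Domains={{ r53_dns_domain }}
          LLMNR=no
        backup: true

    - name: Configure Name Service Switch
      ansible.builtin.lineinfile:
        path: /etc/nsswitch.conf
        regexp: "^hosts:"
        # "resolve" is the systemd-resolved NSS module. The previous line
        # spelled it "resove"; glibc skips a service it cannot load, so
        # lookups were falling straight through to "dns".
        line: "hosts: files resolve dns"

    - name: Restart systemd-resolved service
      ansible.builtin.systemd:
        state: restarted
        name: systemd-resolved

    - name: Reboot bastion host
      ansible.builtin.reboot:
      when: bastion_domain_config.changed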