Discovering EC2 IP Addresses Dynamically with Ansible

Advanced Automation Setup

We’ll enhance the setup by:

✅ Fetching EC2 instances based on tags (e.g., only “Production” servers).
✅ Running Ansible playbooks on specific instances dynamically.
✅ Using SSH key-based authentication for seamless execution.

1️⃣ Refined Inventory Configuration (aws_ec2.yml)

Modify the inventory file to target specific instances based on tags. Two details the plugin is strict about: the file name must end in aws_ec2.yml (or aws_ec2.yaml) for Ansible to recognise it as a dynamic inventory, and the plugin key is amazon.aws.aws_ec2 (amazon.aws.ec2_instance is the module that creates instances, not an inventory plugin). The plugin reads AWS credentials from the usual environment variables or profile and only needs ec2:DescribeInstances, so give it a read-only identity.


plugin: amazon.aws.aws_ec2
regions:
  - us-east-1                        # Change to your AWS region
filters:
  "tag:Environment": Production      # Fetch only production instances
  instance-state-name: running       # Exclude stopped instances
hostnames:
  - private-ip-address               # Use private IP for internal networking
compose:
  ansible_host: private_ip_address   # Define the host variable
keyed_groups:
  - key: tags.Role
    prefix: role                     # Produces groups such as role_webserver

🔹 What’s New?

  • Fetches only EC2 instances tagged Environment=Production, and only those that are running.
  • Uses the private IP as both the inventory hostname and ansible_host, so SSH goes over the VPC rather than the public address.
  • Groups servers by the Role tag. keyed_groups joins prefix and tag value with an underscore by default, so Role=webserver lands in role_webserver (not role-webserver; a hyphen would need separator: "-" and is an invalid character in Ansible group names).
  • Check the result before running anything: ansible-inventory -i aws_ec2.yml --graph prints the groups and hosts the plugin produced from your account.
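As an added example that is not part of the original article, the script below is an offline model of how the aws_ec2 plugin turns the inventory file above into groups and host variables, so you can see the expected layout (the aws_ec2 group, role_webserver with an underscore, ansible_host set to the private IP, stopped and non-Production instances dropped) without access to an AWS account. The reservations payload is constructed and trimmed to the fields the config uses; the group-name sanitisation rule is an assumption, and the plugin itself is not called.

```python
"""Offline model of the aws_ec2.yml inventory config (added example, not the
amazon.aws.aws_ec2 plugin).  Feed it a describe_instances-shaped payload and
it returns the JSON layout `ansible-inventory --list` would print."""

import json
import re

# Constructed sample: shape follows ec2:DescribeInstances, values are made up.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa000000000001", "PrivateIpAddress": "10.0.1.10",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Environment", "Value": "Production"},
                  {"Key": "Role", "Value": "webserver"}]},
        {"InstanceId": "i-0aaa000000000002", "PrivateIpAddress": "10.0.1.11",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Environment", "Value": "Production"},
                  {"Key": "Role", "Value": "db"}]},
        # Stopped: excluded by `instance-state-name: running`
        {"InstanceId": "i-0aaa000000000003", "PrivateIpAddress": "10.0.1.12",
         "State": {"Name": "stopped"},
         "Tags": [{"Key": "Environment", "Value": "Production"},
                  {"Key": "Role", "Value": "webserver"}]},
        # Wrong environment: excluded by the `tag:Environment` filter
        {"InstanceId": "i-0aaa000000000004", "PrivateIpAddress": "10.0.2.10",
         "State": {"Name": "running"},
         "Tags": [{"Key": "Environment", "Value": "Staging"},
                  {"Key": "Role", "Value": "webserver"}]},
    ]}
]


def tags_of(instance):
    """Flatten the EC2 tag list into a dict, like the plugin's `tags` hostvar."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def safe_group(name):
    """Assumed sanitisation: anything outside [A-Za-z0-9_] becomes '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def build_inventory(reservations, environment="Production", prefix="role"):
    """Apply filters, hostnames, compose and keyed_groups from aws_ec2.yml."""
    inventory = {"_meta": {"hostvars": {}},
                 "all": {"children": ["aws_ec2"]},
                 "aws_ec2": {"hosts": []}}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            tags = tags_of(inst)
            # filters: running instances tagged Environment=<environment> only
            if (inst["State"]["Name"] != "running"
                    or tags.get("Environment") != environment):
                continue
            # hostnames: private-ip-address
            host = inst["PrivateIpAddress"]
            inventory["aws_ec2"]["hosts"].append(host)
            # compose: ansible_host: private_ip_address (plus a few hostvars)
            inventory["_meta"]["hostvars"][host] = {
                "ansible_host": inst["PrivateIpAddress"],
                "instance_id": inst["InstanceId"],
                "tags": tags,
            }
            # keyed_groups: key tags.Role, prefix role -> role_<Role>
            # (default separator is "_", hence role_webserver)
            if "Role" in tags:
                group = safe_group(f"{prefix}_{tags['Role']}")
                inventory.setdefault(group, {"hosts": []})["hosts"].append(host)
                if group not in inventory["all"]["children"]:
                    inventory["all"]["children"].append(group)
    return inventory


if __name__ == "__main__":
    print(json.dumps(build_inventory(SAMPLE_RESERVATIONS), indent=2))
```

Run it and compare the printed structure with ansible-inventory -i aws_ec2.yml --list against your real account; if the real output has a role-webserver group or no role_webserver group at all, the Role tag value or the keyed_groups block is not what you think it is.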

2️⃣ Running Ansible Playbooks on Targeted Instances

Example Playbook (update_servers.yml)

This playbook updates and restarts the web servers in Production. It assumes Debian/Ubuntu hosts (apt, apache2); restarting all web servers in one step takes the whole tier down briefly, so add serial: 1 if you need a rolling restart.

- name: Update and Restart Web Servers
  hosts: role_webserver  # Group created by keyed_groups: prefix "role" + "_" + Role tag
  become: yes
  tasks:
    - name: Update all packages
      ansible.builtin.apt:
        update_cache: yes
        upgrade: dist

    - name: Restart Web Server
      ansible.builtin.service:
        name: apache2
        state: restarted

Run the Playbook

ansible-playbook -i aws_ec2.yml update_servers.yml

Note: -i selects the inventory source for this run. If ansible.cfg already sets inventory = aws_ec2.yml the flag can be left out; passing it explicitly also makes the command work from any directory.

Dynamic Execution! 🎯 Ansible resolves the inventory when the playbook starts, so the play only reaches instances that are currently running and tagged Environment=Production and Role=webserver. Retagging or stopping an instance changes the next run without editing any file.

3️⃣ Automating SSH Access with Key Authentication

To ensure smooth Ansible execution, set up SSH key-based authentication. The private half of the EC2 key pair lives only on the machine that runs Ansible; the public half is already in authorized_keys on every instance launched with that key pair, so nothing has to be copied to the targets.

Step 1: Store Your AWS Key Pair

Make sure your AWS private key (.pem file) is readable only by you; ssh refuses to use a key with wider permissions:

chmod 400 my-aws-key.pem

Step 2: Configure Ansible SSH Settings (ansible.cfg)

Create or modify your ansible.cfg file:

[defaults]
inventory = aws_ec2.yml
private_key_file = /path/to/my-aws-key.pem
remote_user = ubuntu    # ubuntu for Ubuntu AMIs, ec2-user for Amazon Linux

Leave host_key_checking at its default of True. Setting host_key_checking = False, as many tutorials do, makes Ansible accept whatever host key the far end presents, which removes SSH's only defence against a man-in-the-middle on the path to your instances. It is also unnecessary: cloud-init prints a fresh instance's host keys to the EC2 console output at first boot, so they can be read with aws ec2 get-console-output and added to known_hosts before the first playbook run.
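The following is an added example, not code from the original article, showing the alternative to disabling host key checking: read the host keys that cloud-init prints to the EC2 console output and pin them in known_hosts under the same private IP the inventory uses as ansible_host. The console text is a constructed sample with fake key material; fetch_instance_host_keys() is an assumed wrapper around boto3's get_console_output (which returns the console base64-encoded, unlike the CLI) and needs ec2:GetConsoleOutput when run for real.

```python
"""Pin EC2 SSH host keys from console output (added example).  Only
console_to_known_hosts() is exercised offline; the boto3 path is an assumed
wrapper and is imported lazily so the module loads without the SDK."""

import base64
import os
import re

# Constructed sample of decoded `get-console-output` text; keys are fake.
SAMPLE_CONSOLE = """\
[   12.345678] cloud-init[1234]: Cloud-init v. 23.1 running 'modules:final'
-----BEGIN SSH HOST KEY KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFAKEKEY= root@ip-10-0-1-10
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY root@ip-10-0-1-10
-----END SSH HOST KEY KEYS-----
[   12.400000] cloud-init[1234]: finished at Mon, 01 Jan 2024 00:00:12 +0000
"""
# What the API hands back before decoding (used by the stand-alone demo).
SAMPLE_CONSOLE_B64 = base64.b64encode(SAMPLE_CONSOLE.encode()).decode()

BLOCK_RE = re.compile(
    r"-----BEGIN SSH HOST KEY KEYS-----\n(.*?)-----END SSH HOST KEY KEYS-----",
    re.DOTALL,
)


def console_to_known_hosts(address, console_text):
    """Return known_hosts lines "<address> <keytype> <base64>" for each host
    key in the cloud-init block.  Returns [] when the block is absent, e.g.
    console output not yet available or an AMI that does not print keys; the
    caller must then treat the host as unverified rather than fall back to
    host_key_checking = False."""
    match = BLOCK_RE.search(console_text)
    if not match:
        return []
    lines = []
    for raw in match.group(1).splitlines():
        parts = raw.split()
        # Key lines look like: <keytype> <base64> <comment>; skip anything else
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            lines.append(f"{address} {parts[0]} {parts[1]}")
    return lines


def fetch_instance_host_keys(instance_id, address, ec2_client=None):
    """Assumed wrapper: fetch the latest console output of one instance and
    convert it.  `address` must be the value Ansible will connect to, i.e. the
    private IP from aws_ec2.yml, or ssh will not match the known_hosts entry."""
    if ec2_client is None:
        import boto3  # lazy import: the offline path needs no AWS SDK
        ec2_client = boto3.client("ec2")
    resp = ec2_client.get_console_output(InstanceId=instance_id, Latest=True)
    console = base64.b64decode(resp.get("Output", "")).decode("utf-8", "replace")
    return console_to_known_hosts(address, console)


def append_known_hosts(lines, path=os.path.expanduser("~/.ssh/known_hosts")):
    """Append pinned lines to a known_hosts file; returns the count written."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")
    return len(lines)


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample (no AWS call).
    for line in console_to_known_hosts("10.0.1.10", SAMPLE_CONSOLE):
        print(line)
```

Run the fetch for each host the inventory returns (ansible-inventory --list gives you instance_id and private IP per host), append the lines to the known_hosts of the user that will run ansible-playbook, and keep host_key_checking at its default. If you keep pinned keys in a separate file, point Ansible at it with ssh_args = -o UserKnownHostsFile=/path/to/known_hosts in the [ssh_connection] section.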

4️⃣ Automating with Ansible & AWS Lambda

For completely hands-free execution, trigger the playbook from an AWS Lambda function (on a schedule or in response to an event) using AWS Systems Manager (SSM) Run Command. Run Command reaches an instance through the SSM Agent and the instance's IAM role (the AmazonSSMManagedInstanceCore managed policy is enough), so the trigger needs no inbound SSH access and no key on the Lambda side.

Example: Running Ansible via SSM Run Command

Instead of SSHing to a control host, use SSM to start the playbook on it. The target must be a single Ansible control node, assumed below to be tagged Role=ansible-controller, that already has Ansible, the inventory file, the playbook and the SSH private key installed. Sending the command to every Production instance would make each of them run the whole playbook against all the others, and each would need its own copy of the key and its own AWS credentials for the inventory plugin, so filter on both the Environment and the Role tag.

Run Ansible Playbook via AWS CLI

aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=tag:Environment,Values=Production" "Key=tag:Role,Values=ansible-controller" \
  --parameters 'workingDirectory=["/opt/ansible"],commands=["ansible-playbook -i aws_ec2.yml update_servers.yml"]' \
  --max-concurrency 1 \
  --region us-east-1

Explanation:

  1. aws ssm send-command
    • Asks SSM to run a document on a set of managed instances and returns a command ID you can poll with aws ssm list-command-invocations.
  2. --document-name "AWS-RunShellScript"
    • The AWS-provided document that runs shell commands, as root, on Linux instances.
  3. --targets "Key=tag:Environment,Values=Production" "Key=tag:Role,Values=ansible-controller"
    • Each --targets entry is a tag filter and an instance must match all of them, so only the Production control node receives the command (the Role tag value is an assumed name).
  4. --parameters 'workingDirectory=[...],commands=[...]'
    • workingDirectory is the directory on the control node that holds aws_ec2.yml and update_servers.yml (/opt/ansible is an assumed path).
    • commands is the shell line to run there: the same ansible-playbook invocation as in section 2.
  5. --max-concurrency 1
    • Never runs the command on more than one instance at a time, so a second, mis-tagged controller cannot start a parallel run.
  6. --region us-east-1
    • The region the instances live in.

How It Works:

  • SSM resolves the tag filters to the control node and hands the command to its SSM Agent.
  • The agent runs ansible-playbook -i aws_ec2.yml update_servers.yml from /opt/ansible; the playbook discovers the Production web servers through the dynamic inventory and updates them over SSH exactly as in section 2. Because the agent runs as root, the private key path in ansible.cfg must be absolute and the pinned host keys must be in root's known_hosts.
  • Output and exit status are stored per invocation, so the Lambda (or a person) can check them with aws ssm get-command-invocation.
  • If you would rather run Ansible locally on every instance (hosts: localhost, no SSH at all), use the AWS-ApplyAnsiblePlaybooks document instead: it installs Ansible on each target and runs a playbook fetched from S3 or GitHub.
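The Lambda side is only described above, so here is an added example (not from the original article) of a handler that sends the same SSM command with boto3. It targets the single control node rather than every Production instance and caps concurrency, and the SSM client is injectable so the request can be checked without AWS credentials. The Role=ansible-controller tag and the /opt/ansible directory are assumptions carried over from the CLI example.

```python
"""Lambda handler that triggers update_servers.yml through SSM Run Command
(added example).  boto3 is imported lazily so the request builder can be
exercised offline with a fake client."""

import json

# Assumed layout on the control node: the inventory and playbook live here.
PLAYBOOK_DIR = "/opt/ansible"
PLAYBOOK_CMD = "ansible-playbook -i aws_ec2.yml update_servers.yml"


def build_send_command_request(environment="Production",
                               control_role="ansible-controller",
                               timeout_seconds=3600):
    """Keyword arguments for ssm.send_command.

    Both tag filters must match, so a controller in another environment is
    never hit; MaxConcurrency/MaxErrors stop a mis-tagged fleet from all
    starting Ansible at once."""
    return {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [
            {"Key": "tag:Environment", "Values": [environment]},
            {"Key": "tag:Role", "Values": [control_role]},
        ],
        "Parameters": {
            "workingDirectory": [PLAYBOOK_DIR],
            "commands": [PLAYBOOK_CMD],
            # executionTimeout is a string in seconds; a dist-upgrade can be slow
            "executionTimeout": [str(timeout_seconds)],
        },
        "MaxConcurrency": "1",
        "MaxErrors": "0",
        "Comment": f"update_servers.yml for {environment}",
    }


def lambda_handler(event, context, ssm_client=None):
    """Entry point.  `event` may carry an "environment" key (default
    Production).  Returns the SSM command ID so a follow-up step can poll
    get_command_invocation for the exit status."""
    if ssm_client is None:
        import boto3  # lazy: the offline path needs no SDK
        ssm_client = boto3.client("ssm")
    environment = (event or {}).get("environment", "Production")
    request = build_send_command_request(environment=environment)
    response = ssm_client.send_command(**request)
    command_id = response["Command"]["CommandId"]
    return {
        "statusCode": 200,
        "body": json.dumps({"commandId": command_id, "environment": environment}),
    }


if __name__ == "__main__":
    # Print the request the handler would send, without calling AWS.
    print(json.dumps(build_send_command_request(), indent=2))
```

Wire it to an EventBridge schedule and give the function's role ssm:SendCommand on the AWS-RunShellScript document and on the instance resources (a condition on the Role tag keeps it from being able to run shell on anything but the controller); the function must run in the same region as the instances.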

🔹 Conclusion & Next Steps

✅ Now you can:
🔹 Auto-discover EC2 instances dynamically.
🔹 Filter based on tags & roles (e.g., only web servers).
🔹 Run Ansible over SSH with pinned host keys instead of host_key_checking = False, or trigger it through AWS SSM.
🔹 Fully automate Ansible execution from AWS Lambda.

About the author: Anant, senior technical writer.