Advanced Automation Setup
We’ll enhance the setup by:
✅ Fetching EC2 instances based on tags (e.g., only “Production” servers).
✅ Running Ansible playbooks on specific instances dynamically.
✅ Using SSH key-based authentication for seamless execution.
1️⃣ Refined Inventory Configuration (aws_ec2.yml)
Modify the inventory file to target specific instances based on tags.
plugin: amazon.aws.aws_ec2          # Inventory plugin (ec2_instance is the module, not the inventory source)
regions:
  - us-east-1                       # Change to your AWS region
filters:
  "tag:Environment": "Production"   # Fetch only production instances
  instance-state-name: running      # Exclude stopped instances
hostnames:
  - private-ip-address              # Use private IP for internal networking
compose:
  ansible_host: private_ip_address  # Define the host variable
keyed_groups:
  - key: tags.Role
    prefix: role
    separator: "-"                  # Default is "_"; "-" yields group names like role-webserver
🔹 What’s New?
- Fetches only EC2 instances tagged “Environment=Production”.
- Uses private IP (for internal communication).
- Groups servers based on “Role” (e.g., role-webserver).
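To see what this inventory resolves to before pointing a playbook at it, here is an added illustration (not code from the original post, nor the aws_ec2 plugin's own implementation) that applies the same filters, hostnames, compose and keyed_groups rules to a constructed DescribeInstances-style sample; the instance IDs and addresses are made up.

```python
"""Mimic how aws_ec2.yml turns EC2 metadata into hosts and groups (constructed data)."""
from collections import defaultdict

# Constructed sample resembling what the aws_ec2 plugin receives from DescribeInstances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.1.10", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "Production"}, {"Key": "Role", "Value": "webserver"}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.1.11", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "Production"}, {"Key": "Role", "Value": "db"}]},
    {"InstanceId": "i-0ccc", "PrivateIpAddress": "10.0.2.10", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "Staging"}, {"Key": "Role", "Value": "webserver"}]},
    {"InstanceId": "i-0ddd", "PrivateIpAddress": "10.0.1.12", "State": {"Name": "stopped"},
     "Tags": [{"Key": "Environment", "Value": "Production"}, {"Key": "Role", "Value": "webserver"}]},
    {"InstanceId": "i-0eee", "PrivateIpAddress": "10.0.1.13", "State": {"Name": "running"},
     "Tags": [{"Key": "Environment", "Value": "Production"}]},   # Production, but no Role tag
]


def tags_of(instance):
    """Flatten the EC2 tag list into a dict, as the plugin exposes it under hostvars['tags']."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def build_inventory(instances, environment="Production", prefix="role", separator="-"):
    """Apply the filters / hostnames / compose / keyed_groups logic of aws_ec2.yml."""
    hosts = {}                      # hostname -> hostvars (compose)
    groups = defaultdict(list)      # group name -> [hostnames] (keyed_groups)
    for inst in instances:
        tags = tags_of(inst)
        # filters: only the chosen Environment tag and only running instances survive
        if tags.get("Environment") != environment or inst["State"]["Name"] != "running":
            continue
        name = inst["PrivateIpAddress"]                   # hostnames: private-ip-address
        hosts[name] = {"ansible_host": name, "tags": tags}  # compose: ansible_host
        role = tags.get("Role")
        if role:                                          # keyed_groups: key tags.Role
            groups[f"{prefix}{separator}{role}"].append(name)
        else:
            groups["ungrouped"].append(name)              # no Role tag: reachable only via 'all'
    return hosts, dict(groups)


if __name__ == "__main__":
    _, resolved = build_inventory(SAMPLE_INSTANCES)
    for group, members in sorted(resolved.items()):
        print(f"{group}: {members}")
```

Running it shows that the stopped and Staging web servers never reach role-webserver, and that a Production host without a Role tag is silently left out of every role group, which is worth checking before trusting hosts: role-webserver in a playbook.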
2️⃣ Running Ansible Playbooks on Targeted Instances
Example Playbook (update_servers.yml)
This playbook will update and restart web servers in Production.
- name: Update and Restart Web Servers
  hosts: role-webserver  # Target only web servers
  become: yes
  tasks:
    - name: Update all packages
      ansible.builtin.apt:
        update_cache: yes
        upgrade: dist
    - name: Restart Web Server
      ansible.builtin.service:
        name: apache2
        state: restarted
Run the Playbook
ansible-playbook -i aws_ec2.yml update_servers.yml
Note: the -i flag tells ansible-playbook which inventory file to use; here it points at the dynamic inventory configuration.
Dynamic Execution! 🎯 Ansible will only run this on EC2 instances tagged as web servers in Production.
3️⃣ Automating SSH Access with Key Authentication
To ensure smooth Ansible execution, set up SSH key-based authentication.
Step 1: Store Your AWS Key Pair
Make sure your AWS private key (.pem file) is properly set up:
chmod 400 my-aws-key.pem
Step 2: Configure Ansible SSH Settings (ansible.cfg)
Create or modify your ansible.cfg file:
[defaults]
inventory = aws_ec2.yml
host_key_checking = False   # Disables SSH host-key verification; suited to short-lived instances, re-enable for long-lived hosts
private_key_file = /path/to/my-aws-key.pem
4️⃣ Automating with Ansible & AWS Lambda
For completely hands-free execution, trigger Ansible from an AWS Lambda function using AWS SSM (Systems Manager).
Example: Running Ansible via SSM Agent
Instead of SSH, you can use AWS SSM Agent to run commands on EC2 instances.
Run Ansible Playbook via AWS CLI
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=tag:Environment,Values=Production" \
  --parameters 'commands=["ansible-playbook -i aws_ec2.yml update_servers.yml"]' \
  --region us-east-1
Explanation:
- aws ssm send-command: triggers an SSM command to be executed on EC2 instances.
- --document-name "AWS-RunShellScript": specifies that the command to be executed is a shell script.
  - AWS-RunShellScript is an SSM document used for executing shell commands on Linux-based EC2 instances.
- --targets "Key=tag:Environment,Values=Production": specifies which EC2 instances should receive this command.
  - In this case, all EC2 instances that have the tag Environment=Production will execute the command.
- --parameters 'commands=["ansible-playbook -i aws_ec2.yml update_servers.yml"]': specifies the actual shell command that will run on the target instances.
  - This command runs an Ansible playbook using:
    - aws_ec2.yml as the inventory file.
    - update_servers.yml as the playbook.
- --region us-east-1: specifies the AWS region where this command should be executed.
How It Works:
- AWS SSM will find all EC2 instances tagged with Environment=Production.
- It will execute the command ansible-playbook -i aws_ec2.yml update_servers.yml on each of them, so every target needs Ansible, the amazon.aws collection, the inventory file and the playbook installed locally (and credentials that let the inventory plugin call ec2:DescribeInstances).
- The playbook will then run, performing updates on the target servers.
🔹 Conclusion & Next Steps
✅ Now you can:
🔹 Auto-discover EC2 instances dynamically.
🔹 Filter based on tags & roles (e.g., only web servers).
🔹 Run Ansible securely with SSH keys or AWS SSM.
🔹 Fully automate Ansible execution using AWS Lambda.
