
Advanced Automation Setup
We’ll enhance the setup by:
✅ Fetching EC2 instances based on tags (e.g., only “Production” servers).
✅ Running Ansible playbooks on specific instances dynamically.
✅ Using SSH key-based authentication for seamless execution.
1️⃣ Refined Inventory Configuration (`aws_ec2.yml`)
Modify the inventory file to target specific instances based on tags. The file name must end in `aws_ec2.yml` (or `aws_ec2.yaml`) for the `amazon.aws.aws_ec2` inventory plugin to pick it up.

```yaml
plugin: amazon.aws.aws_ec2          # The inventory plugin (ec2_instance is a module, not a plugin)
regions:
  - us-east-1                       # Change to your AWS region
filters:
  "tag:Environment": "Production"   # Fetch only production instances
  instance-state-name: running      # Exclude stopped instances
hostnames:
  - private-ip-address              # Use private IP for internal networking
compose:
  ansible_host: private_ip_address  # Define the host variable
keyed_groups:
  - key: tags.Role
    prefix: role
    separator: "-"                  # Default is "_", which would produce role_webserver
```
🔹 What’s New?
- Fetches only EC2 instances tagged `Environment=Production`.
- Uses the private IP (for internal communication).
- Groups servers based on the `Role` tag (e.g., `role-webserver`).
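To see what the inventory settings above actually produce, here is a constructed Python simulation (added here; not the page's or Ansible's own code) of the filters / hostnames / compose / keyed_groups pipeline run over constructed sample instances instead of the EC2 API. It also shows why the `separator` setting matters: without it the web servers would land in `role_webserver` rather than `role-webserver`.

```python
"""Constructed simulation of how the amazon.aws.aws_ec2 plugin turns the
aws_ec2.yml settings above into hosts and groups. Not the plugin itself:
it works on inline sample data instead of calling the EC2 API."""

# Settings mirrored from aws_ec2.yml on this page.
FILTERS = {"tag:Environment": "Production", "instance-state-name": "running"}
KEYED_GROUP = {"key": "tags.Role", "prefix": "role", "separator": "-"}

# Constructed sample instances (not real AWS data).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": "running", "PrivateIpAddress": "10.0.1.10",
     "Tags": {"Environment": "Production", "Role": "webserver"}},
    {"InstanceId": "i-0bbb", "State": "running", "PrivateIpAddress": "10.0.1.11",
     "Tags": {"Environment": "Production", "Role": "webserver"}},
    {"InstanceId": "i-0ccc", "State": "stopped", "PrivateIpAddress": "10.0.1.12",
     "Tags": {"Environment": "Production", "Role": "webserver"}},  # excluded: stopped
    {"InstanceId": "i-0ddd", "State": "running", "PrivateIpAddress": "10.0.2.10",
     "Tags": {"Environment": "Staging", "Role": "webserver"}},  # excluded: not Production
    {"InstanceId": "i-0eee", "State": "running", "PrivateIpAddress": "10.0.1.20",
     "Tags": {"Environment": "Production", "Role": "database"}},
    {"InstanceId": "i-0fff", "State": "running", "PrivateIpAddress": "10.0.1.30",
     "Tags": {"Environment": "Production"}},  # no Role tag: host, but no keyed group
]

def matches_filters(inst, filters):
    """EC2-API-style filters: tag:<Name> compares a tag, instance-state-name the state."""
    for name, wanted in filters.items():
        if name.startswith("tag:"):
            actual = inst["Tags"].get(name[len("tag:"):])
        elif name == "instance-state-name":
            actual = inst["State"]
        else:
            raise ValueError(f"unsupported filter: {name}")
        if actual != wanted:
            return False
    return True

def build_inventory(instances, filters=FILTERS, keyed_group=KEYED_GROUP):
    """Return {"hosts": {name: hostvars}, "groups": {group: [names]}}."""
    hosts, groups = {}, {}
    for inst in instances:
        if not matches_filters(inst, filters):
            continue
        name = inst["PrivateIpAddress"]            # hostnames: private-ip-address
        hosts[name] = {"ansible_host": name}       # compose: ansible_host
        role = inst["Tags"].get("Role")            # keyed_groups: key tags.Role
        if role is not None:
            group = keyed_group["prefix"] + keyed_group["separator"] + role
            groups.setdefault(group, []).append(name)
    return {"hosts": hosts, "groups": groups}
```

Calling `build_inventory(SAMPLE_INSTANCES)` yields four hosts and the groups `role-webserver` (two hosts) and `role-database` (one host); the stopped and Staging instances are filtered out.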
2️⃣ Running Ansible Playbooks on Targeted Instances
Example Playbook (`update_servers.yml`)
This playbook will update and restart web servers in Production.

```yaml
- name: Update and Restart Web Servers
  hosts: role-webserver   # Target only web servers
  become: yes
  tasks:
    - name: Update all packages
      ansible.builtin.apt:
        update_cache: yes
        upgrade: dist
    - name: Restart Web Server
      ansible.builtin.service:
        name: apache2
        state: restarted
```

Run the Playbook

```bash
ansible-playbook -i aws_ec2.yml update_servers.yml
```

Note: `ansible-playbook -i` runs an Ansible playbook against the inventory file given with the `-i` flag.
Dynamic Execution! 🎯 Ansible will only run this on EC2 instances tagged as web servers in Production.
3️⃣ Automating SSH Access with Key Authentication
To ensure smooth Ansible execution, set up SSH key-based authentication.
Step 1: Store Your AWS Key Pair
Make sure your AWS private key (`.pem` file) is properly set up:

```bash
chmod 400 my-aws-key.pem
```

Step 2: Configure Ansible SSH Settings (`ansible.cfg`)
Create or modify your `ansible.cfg` file:

```ini
[defaults]
inventory = aws_ec2.yml
host_key_checking = False
private_key_file = /path/to/my-aws-key.pem
```

Note that `host_key_checking = False` turns off SSH's check that the remote host key matches a known one, so Ansible will connect to an instance whose identity has not been verified; for long-lived hosts, keep it enabled and populate `known_hosts` instead.
4️⃣ Automating with Ansible & AWS Lambda
For completely hands-free execution, trigger Ansible from an AWS Lambda function using AWS SSM (Systems Manager).
Example: Running Ansible via SSM Agent
Instead of SSH, you can use AWS SSM Agent to run commands on EC2 instances.
Run Ansible Playbook via AWS CLI

```bash
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=tag:Environment,Values=Production" \
  --parameters 'commands=["ansible-playbook -i aws_ec2.yml update_servers.yml"]' \
  --region us-east-1
```
Explanation:
- `aws ssm send-command`: triggers an SSM command to be executed on EC2 instances.
- `--document-name "AWS-RunShellScript"`: specifies that the command to be executed is a shell script. `AWS-RunShellScript` is an SSM document used for executing shell commands on Linux-based EC2 instances.
- `--targets "Key=tag:Environment,Values=Production"`: specifies which EC2 instances should receive this command. In this case, all EC2 instances that have the tag `Environment=Production` will execute the command.
- `--parameters 'commands=["ansible-playbook -i aws_ec2.yml update_servers.yml"]'`: specifies the actual shell command that will run on the target instances. This command runs an Ansible playbook using `aws_ec2.yml` as the inventory file and `update_servers.yml` as the playbook.
- `--region us-east-1`: specifies the AWS region where this command should be executed.
How It Works:
- AWS SSM will find all EC2 instances tagged with `Environment=Production`.
- It will execute the command `ansible-playbook -i aws_ec2.yml update_servers.yml` on each of them, so every target instance needs Ansible, the inventory file and the playbook available locally.
- The playbook will then run, performing updates on the target servers.
🔹 Conclusion & Next Steps
✅ Now you can:
🔹 Auto-discover EC2 instances dynamically.
🔹 Filter based on tags & roles (e.g., only web servers).
🔹 Run Ansible securely with SSH keys or AWS SSM.
🔹 Fully automate Ansible execution using AWS Lambda.