I am trying to provision 2 ec2 instances on a private subnet using Ansible playbooks. My infrastructure includes:
My question is how to run the Ansible playbook from localhost to affect the private instances. Can I SSH forward the playbook or does the playbook have to reside in the bastion host and then use the private IPs as hosts?
Create ssh-config file ~/.ssh/config and then add the following line to config file
host bastion
HostName bastion_ip
User bastion_user
identityFile ~/.ssh/mykey.pem
host private_instance
HostName 10.0.0.11
user private_ec2_user
ProxyCommand ssh bastion -W %h:%p
identityFile ~/.ssh/mykey.pem
My question is how to run the Ansible playbook from localhost to affect the private instances.
Now you have configured ssh config file all you need to type
ssh private_instance
this will create SSH tunneling to your private instance, you do not need complex or lengthy command to type every time.
Ansible allows the use of SSH configuration options and ProxyCommand can come to rescue when trying to forward the command from bastion to private subnet hosts. Here is an example
ssh -o ProxyCommand="ssh [email protected] 'nc 192.168.0.20 22'" ubuntu@nothing
The above command will, for example, first connect to 52.50.10.5 via SSH, and then open a socket to 192.168.0.20 on port 22. The socket connection (which is connected to the remote SSH server) is then passed to the original SSH client command invocation to utilize.
Source : https://spin.atomicobject.com/2016/05/16/ansible-aws-ec2-vpc/
