Commit
Merge pull request #22 from mpieters3/develop
Release
mpieters3 authored Mar 22, 2022
2 parents 5753363 + d2ac7dd commit 6faab26
Showing 6 changed files with 142 additions and 191 deletions.
60 changes: 0 additions & 60 deletions .devcontainer/Dockerfile

This file was deleted.

36 changes: 0 additions & 36 deletions .devcontainer/devcontainer.json

This file was deleted.

31 changes: 18 additions & 13 deletions README.md
@@ -1,5 +1,4 @@
# EC2 Instance Connect Connection Plugin for Ansible

The EC2 Instance Connect (ECI) connection plugin was created to take advantage of AWS's <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html">ECI</a> capability Rather than rely on public keys statically stored on resources, this allows us to take advantage of using AWS native roles and permissions to access and manage linux servers instead.

This is helpful in situations where you need to use continue to use ansible over AWS native instance management solutions, but want to take advantage of AWS's native IAM model for authorization as well as to avoid sharing of long living private keys.
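Review bot: the first paragraph of this hunk runs two sentences together ("...ECI</a> capability Rather than rely on public keys..."); a period is missing after "capability". The second paragraph has the doubled phrase "you need to use continue to use ansible", which should read "you need to continue to use Ansible". Minor: "linux servers" should be "Linux servers".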
Expand All @@ -17,27 +16,33 @@ In general, aligned to the same requirements as most other <a href="https://docs
TODO:
The connection plugin can take either instance_id or use ip address (public or private) or hostname to determine the correct connection details.

## Container development / local testing
Development / Local testing set up up to be with Visual Studio Code using its devcontainer.json with a DockerFile that includes Ansible, Python3, Boto3, and AWS CLI. This is largely as this was used as a one stop dev container, but should be easy to run in docker even without visual studio code.

This does create a publically accessible security group, so use wisely.

### Demo summary
## Local Testing
We test the plugin by doing the following:
1. Create a security group (opening port 22 from 0.0.0.0/0)
2. Creates a t2.micro aws linux ami; doesn't set any keypair, so not accessible with 'normal' ssh
3. Connects using eci with instance-id & ip address (preferred) information as root, echo basic message
4. Connects using eci with ip address host information as ec2-user, echo basic message

### Running playbook
Once in container, run the following commands to demonstrate.

### Env Setup
Using WSL2 or a Linux instance, setup a new python venv
```
python3 -m venv venv/
source venv/bin/activate
pip install requirements.txt
ansible-galaxy collection install amazon.aws
```

Make sure the plugin is being pulled in correctly... from the workspace directory, run the following command to make sure you're getting the connection info:
env ANSIBLE_CONNECTION_PLUGINS=./plugins/connection ansible-doc -t connection eci

### Running playbook
Continuing in your venv, set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the account the test should run in, then run the test
```
export AWS_ACCESS_KEY_ID='<<YOUR_ACCESS_KEY_ID>>'
export AWS_SECRET_ACCESS_KEY='<<YOUR_SECRET_ACCESS_KEY>>'
cd /workspaces/ansible-eci-connector/test
ansible-playbook demo.yml
env ANSIBLE_CONNECTION_PLUGINS=../plugins/connection ansible-playbook demo.yml
```

## Why not MSSH?
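Review bot: `pip install requirements.txt` in the Env Setup block will try to install a PyPI package named `requirements.txt` instead of reading the file; it should be `pip install -r requirements.txt`. Two smaller points in the same hunk: the "### Running playbook" heading appears twice, the first time as an empty section immediately before "### Env Setup" (drop that one), and the Local Testing steps create a security group opening port 22 from 0.0.0.0/0 (as the README itself warns) but never describe tearing it down; consider restricting the ingress CIDR to the tester's own address and adding a cleanup step so a test run does not leave a world-reachable SSH port behind.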
Expand All @@ -46,7 +51,7 @@ While <a href="https://github.com/mingbowan/mssh/blob/master/mssh.py">mssh</a> m
## TODO
- IP Address to instance id (or vice versa?) lookup
- Handle boto3 / other requirements missing cleanly
- Align requirements to better follow ansible plugin standards
- remove temp keys when run finishes
- persist temp key across tasks?
- Add a docker compose file to run without Visual Studio Code
- Look at incorporating into or deprecating in favor of [ansible-collections/community.aws](https://github.com/ansible-collections/community.aws)
- - The S3 bucket does add additional complexity that this avoids...
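Review bot: the last TODO item is a malformed nested bullet ("- - The S3 bucket does add additional complexity that this avoids..."); indent it as a sub-item of the community.aws line, e.g. "  - The S3 bucket does add additional complexity that this avoids...", so it renders as a nested list rather than a bullet whose text starts with a dash. The "remove temp keys when run finishes" and "persist temp key across tasks?" items pull in opposite directions; a short note on the intended key lifetime would make the TODO list clearer.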

0 comments on commit 6faab26