diff --git a/amazon-ec2/README b/amazon-ec2/README
new file mode 100644
index 00000000..d3be7dc3
--- /dev/null
+++ b/amazon-ec2/README
@@ -0,0 +1,58 @@
+# amazon-ec2
+
+Manage Amazon EC2 instances.
+
+This role is intended to be called before any other role to setup and start EC2
+instances.
+
+## Dependancies
+
+You should first ensure that you have python-boto package installed on your
+machine and an Amazon security access key pair created for your account.
+
+## Tasks
+
+By default, this role does nothing (no `main.yml` file).
+
+* `create-instance.yml`: create new EC2 instances
+
+## Variables
+
+ - `aws_access_key` and `aws_secret_key`: your AWS credentials
+ - `aws_region`: where to create instances. Default: ca-central-1
+ - `ec2_public_ip`: assign public elastic IP address. Default: False
+ - `ec2_instance_count`: how many instance to launch. Default: 1
+ - `ec2_security_group: EC2 security group to use. See
+ ec2_evolinux_security_group in `defaults/main.yml` to define your own.
+ Default: ec2_evolinux_security_group
+ - `ec2_base_ami`: EC2 image to use. Default is to use Debian official ones,
+ depending on the region
+ - `ec2_instance_type`: EC2 instance type to use
+ - `ssh_pubkey_file`: SSH public key file to push to AWS. Do not try to put
+ your ED25519 key here, AWS does not support it. Default: ~/.ssh/id_rsa.pub
+ - `ec2_keyname: a name to give to your public key on AWS. Default is to use
+ $USER environment variable.
+
+## Examples
+
+In your main evolinux playbook put this play before Evolinux one:
+
+```
+---
+- name: Prepare Amazon EC2 instance
+ hosts: localhost
+ gather_facts: False
+
+ vars:
+ aws_access_key:
+ aws_secret_key:
+ # Any other variable you want to set.
+
+ tasks:
+ - include_role:
+ name: amazon-ec2
+ tasks_from: create-instance.yml
+```
+
+See amazon-ec2-evolinux.yml for an almost ready-to-use playbook to set up
+Amazon EC2 instances running Evolinux.
diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml
new file mode 100644
index 00000000..282b8353
--- /dev/null
+++ b/amazon-ec2/amazon-ec2-evolinux.yml
@@ -0,0 +1,59 @@
+---
+- name: Prepare Amazon EC2 instance
+ hosts: localhost
+ gather_facts: False
+
+ vars:
+ aws_access_key:
+ aws_secret_key:
+ aws_region: ca-central-1
+
+ tasks:
+ - include_role:
+ name: amazon-ec2
+ tasks_from: create-instance.yml
+
+- name: Install Evolinux
+ hosts: launched-instances
+ become: yes
+
+ vars_files:
+ - 'vars/secrets.yml'
+
+ vars:
+ admin_users: "{{ admin_users }}"
+ minifirewall_trusted_ips: "{{ trusted_ips }}"
+ fail2ban_ignore_ips: "{{ trusted_ips }}"
+ evolinux_hostname:
+ evolinux_domain:
+ evolinux_fqdn:
+ evolinux_internal_hostname:
+ minifirewall_public_ports_tcp: [80, 443]
+ minifirewall_public_ports_udp: []
+ minifirewall_semipublic_ports_tcp: [22]
+ nagios_nrpe_allowed_hosts: "{{ trusted_ips }}"
+
+ roles:
+ - etc-git
+ - evolinux-base
+ - admin-users
+ - munin
+ - minifirewall
+ - fail2ban
+ - nagios-nrpe
+ - listupgrade
+ - evomaintenance
+ - evocheck
+ - packweb-apache
+ - mysql
+
+ post_tasks:
+ - include_role:
+ name: etc-git
+ tasks_from: commit.yml
+ vars:
+ commit_message: "Ansible post-run Evolinux playbook"
+
+ - include_role:
+ name: evocheck
+ tasks_from: exec.yml
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml
new file mode 100644
index 00000000..d53371dc
--- /dev/null
+++ b/amazon-ec2/defaults/main.yml
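Review bot: The first play declares `aws_access_key:` and `aws_secret_key:` as empty plain vars, which invites users to paste long-lived AWS credentials straight into a playbook that lives in version control; the second play already sources secrets via `vars_files: - 'vars/secrets.yml'`, so the same (vault-encrypted) file or an environment lookup such as `aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"` and `aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"` would keep them out of the committed file. Separately, `admin_users: "{{ admin_users }}"` under `vars:` is self-referential — presumably it was meant to come from secrets.yml, but a var defined in terms of itself will likely trip Ansible's recursive-template detection, so the line should either be dropped or point at a differently named source variable. Also `gather_facts: False` and `become: yes` are YAML 1.1 truthy spellings; `false` and `true` are the portable forms.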
@@ -0,0 +1,48 @@
+---
+aws_region: ca-central-1
+ec2_public_ip: False
+ec2_instance_count: 1
+ec2_security_group: "{{ec2_evolinux_security_group}}"
+ec2_base_ami: "{{ec2_debian_base_ami[aws_region]}}"
+ec2_instance_type: t2.micro
+# Note: Do not try to put your ED25519 key here, AWS does not support it...
+ssh_pubkey_file: ~/.ssh/id_rsa.pub
+ec2_keyname: "{{lookup('env', 'USER')}}"
+
+# From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
+ec2_debian_base_ami:
+ ap-northeast-1: ami-032dd665
+ ap-northeast-2: ami-e174ac8f
+ ap-south-1: ami-6e7a3e01
+ ap-southeast-1: ami-41365b22
+ ap-southeast-2: ami-51f61333
+ ca-central-1: ami-18239d7c
+ eu-central-1: ami-11bb0e7e
+ eu-west-1: ami-d037cda9
+ eu-west-2: ami-ece3f388
+ sa-east-1: ami-a24635ce
+ us-east-1: ami-ac5e55d7
+ us-east-2: ami-9fbb98fa
+ us-west-1: ami-560c3836
+ us-west-2: ami-fa18f282
+
+ec2_evolinux_security_group:
+ name: evolinux-default
+ description: Evolinux default security group
+ rules:
+ - proto: icmp
+ cidr_ip: 0.0.0.0/0
+ from_port: -1
+ to_port: -1
+ - proto: tcp
+ from_port: 22
+ to_port: 22
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 5666
+ to_port: 5666
+ cidr_ip: 0.0.0.0/0
+ rules_egress:
+ - proto: all
+ cidr_ip: 0.0.0.0/0
+
diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml
new file mode 100644
index 00000000..25b5c620
--- /dev/null
+++ b/amazon-ec2/tasks/create-instance.yml
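Review bot: `ec2_evolinux_security_group` opens SSH (22) and NRPE (5666) to `cidr_ip: 0.0.0.0/0`, and since this is the default group for every launched instance, each run exposes both services to the whole internet even though the playbook already carries a `trusted_ips` notion for fail2ban, minifirewall and NRPE. A single knob such as `ec2_trusted_cidr: 0.0.0.0/0` (commented as the value to override) used as `cidr_ip: "{{ ec2_trusted_cidr }}"` on the two tcp rules would let operators restrict 22 and 5666 in one place; NRPE in particular rarely needs to be world-reachable. `rules_egress` is defined here but the `ec2_group` task in create-instance.yml never passes it, so it is currently dead configuration. Minor: `ec2_public_ip: False` should be lowercase `false`, and the hard-coded Stretch AMI IDs will go stale — a comment recording when they were taken from the linked wiki page would help reviewers judge freshness.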
@@ -0,0 +1,55 @@
+---
+- name: Create default security group
+ ec2_group:
+ name: "{{ec2_security_group.name}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ description: "{{ec2_security_group.description}}"
+ rules: "{{ec2_security_group.rules}}"
+
+- name: Create key pair
+ ec2_key:
+ name: "{{ec2_keyname}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ key_material: "{{item}}"
+ with_file: "{{ssh_pubkey_file}}"
+
+- name: Launch new instance(s)
+ ec2:
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ image: "{{ec2_base_ami}}"
+ instance_type: "{{ec2_instance_type}}"
+ count: "{{ec2_instance_count}}"
+ assign_public_ip: "{{ec2_public_ip}}"
+ group: "{{ec2_security_group.name}}"
+ key_name: "{{ec2_keyname}}"
+ wait: yes
+ register: ec2
+
+- name: Add newly created instance(s) to inventory
+ add_host:
+ hostname: "{{item.public_dns_name}}"
+ groupname: launched-instances
+ ansible_user: admin
+ ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+ with_items: "{{ec2.instances}}"
+
+- debug:
+ msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
+ with_items: "{{ec2.instances}}"
+
+- name: Wait for SSH to come up on all instances (give up after 2m)
+ wait_for:
+ state: started
+ host: "{{item.public_dns_name}}"
+ port: 22
+ timeout: 120
+ with_items: "{{ec2.instances}}"
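Review bot: `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` in the add_host task disables host-key verification for every launched instance, and because it is attached to the inventory entry the weakness carries into the second play that runs the full Evolinux setup as root; for fresh hosts `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) keeps the first-contact convenience while still recording the key and refusing a changed one afterwards, and a comment stating that first contact is trusted on faith would make the trade-off explicit. The `ec2` task combines `state: present` with `count:`, which as far as I can tell launches `ec2_instance_count` new instances on every run instead of converging on that number; `exact_count:` with a `count_tag:` is the idempotent form if re-runs are expected. The `ec2_group` task passes `rules:` but not `rules_egress:`, although defaults/main.yml defines one, so the egress rule is silently ignored. `wait: yes` is a YAML 1.1 truthy spelling; `true` is the portable form.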