No matter what I try, for some reason, when I run an ansible ad-hoc module using the ansible dynamic inventory script (ec2.py+ec2.ini) will only return public IPs for tag queries and attempt to connect over SSH to the public IP of the target(s). For instance, if I run:
ansible -m ping tag_env_dev
Then, it tries to connect over the public IP, despite the private IP being preferable (for security, complexity and cost reasons). I've tried to tweak the following options in my ec2.ini file:
regions = us-east-1 # to restrict to us-east-1 region
destination_variable = public_dns_name # I've also tried private_dns_name and private_ip_address, all of which still attempt to connect to the public IP of the destination instance(s)
vpc_destination_variable = ip_address # also tried private_ip_address
If I run ./ec2.py --list --refresh-cache | grep -B 5 -A 5 "tag_env_dev"
, I get a result with only the public IP returned:
"tag_env_dev": [
"{{public ip here}}"
],
After each subsequent attempt, I've run ./ec2.py --list --refresh-cache
to purge and regenerate the cache. Then I'll re-run ansible -m ping tag_env_dev
(or similar) and I'll get a connection timeout on SSH to the public IP address of the instance.
I've confirmed that I can SSH into the "public hostname" (which resolves within a VPC to the private IP) and to the private IP directly, but not the public IP directly (as expected). So it's not a key auth issue.
I've also got an IAM role to which this server is assigned, with plenty of permissions to perform these operations (e.g. it does have readonly for ec2 and vpc).
Additional info:
I’m running ansible from an ec2 instance in the same VPC as the test target. And the security group on the target is configured to allow SSH from its internal CIDR block range. The ansible host also has an IAM role which is sufficient to discover the private IP of the target
Any help would be greatly appreciated.
Best Answer
Here is a working sample of ec2.ini (tested with ansible 2.1 & 2.3.1)
Then, instances should be listed using their private IP as identifier: