EC2 Dynamic Inventory - Filtering Instances by VPC ID

I'm on Ansible 2.4.2.0 under Python 3.5.2 on Ubuntu 16.04 kernel 4.4.0.

I have downloaded the EC2 inventory Python script and configured it using ec2.ini like so:

[ec2]
regions = all
regions_exclude = us-gov-west-1,cn-north-1
destination_variable = private_dns_name
vpc_destination_variable = private_ip_address
route53 = True
rds = False
elasticache = False
all_instances = False
all_rds_instances = False
include_rds_clusters = False
all_elasticache_replication_groups = False
all_elasticache_clusters = False
all_elasticache_nodes = False
cache_path = ~/.ansible/tmp
cache_max_age = 300
nested_groups = True
replace_dash_in_groups = True
expand_csv_tags = True
group_by_instance_id = True
group_by_region = True
group_by_availability_zone = True
group_by_aws_account = False
group_by_ami_id = True
group_by_instance_type = True
group_by_instance_state = False
group_by_key_pair = True
group_by_vpc_id = True
group_by_security_group = True
group_by_tag_keys = True
group_by_tag_none = True
group_by_route53_names = True
group_by_rds_engine = True
group_by_rds_parameter_group = True
group_by_elasticache_engine = True
group_by_elasticache_cluster = True
group_by_elasticache_parameter_group = True
group_by_elasticache_replication_group = True
instance_filters = vpc-id=vpc-deadbeef

[credentials]

My inventory directory inventory/development contains the following:

inventory/development/
├── ec2.ini
├── ec2.py
└── hosts

My hosts file looks like this:

[tag_atlas_project_manager]

[manager:children]
tag_atlas_project_manager

My ansible.cfg:

[defaults]
retry_files_enabled = false
roles_path = galaxy_roles:roles
inventory = inventory/
timeout = 120

[ssh_connection]
pipelining = True
ssh_args = -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPath=~/.ssh/mux-%r@%h:%p -o ControlPersist=8h

Okay, so my VPC, vpc-deadbeef, is configured like this:

$ aws ec2 describe-vpcs | \
    jq -r '.Vpcs[] | { Id: .VpcId, CidrBlock: .CidrBlock } | select(.CidrBlock == "10.50.0.0/16")'
{
  "CidrBlock": "10.50.0.0/16",
  "Id": "vpc-deadbeef"
}

When I run the inventory script, I don't get any IP addresses outside of this range:

$ inventory/development/ec2.py --list | \
    grep -oP '10\.\d{1,3}\.\d{1,3}\.\d{1,3}' | sort -u
10.50.10.10
...

However, when I run a playbook against all, I see hosts outside of vpc-deadbeef:

$ ansible -i inventory/development/ -f 30 all -m command -a true
...

10.1.30.110 | UNREACHABLE! => {
    "changed": false,
    "msg": "SSH Error: data could not be sent to remote host \"10.1.30.110\". Make sure this host can be reached over ssh",
    "unreachable": true
}
10.1.30.250 | UNREACHABLE! => {
    "changed": false,
    "msg": "SSH Error: data could not be sent to remote host \"10.1.30.250\". Make sure this host can be reached over ssh",
    "unreachable": true
}

What gives? What am I doing wrong?

It turns out that there was another subdirectory in inventory/development which also had an ec2.ini, and this inventory file was merged in by Ansible during the run.

$ ansible -vvv -i inventory/development/ -u grindr all -m command -a 'true'
ansible 2.4.2.0
  config file = ansible.cfg
  configured module search path = ['/home/naftuli/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.5/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.5.2 (default, Nov 23 2017, 16:37:01) [GCC 5.4.0 20160609]
Using ansible.cfg as config file
Parsed inventory/development/ec2.py inventory source with script plugin
Parsed inventory/development/hosts inventory source with ini plugin
Parsed inventory/development/preprod/ec2.py inventory source with script plugin
Parsed inventory/development/preprod/hosts inventory source with ini plugin

This is the issue: Ansible climbs down recursively, which I suppose makes sense.
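An added example, not part of the original question or answer: a pre-flight check that takes the merged inventory JSON (the script-inventory `--list` format) and reports every host that is not provably inside the expected VPC CIDR, along with the groups that pulled it in. The sample inventory, the group name `constructed_preprod_group`, and the host names `manager-1` and `legacy.example.internal` are constructed for illustration; resolving a non-IP inventory name through the `ansible_host` host variable is an assumption about how the inventory is set up.

```python
import ipaddress
import json


def group_hosts(value):
    """A script-inventory group is either a bare host list or a dict with 'hosts'."""
    if isinstance(value, list):
        return value
    return value.get("hosts", [])


def hosts_outside_cidr(inventory, cidr):
    """Map each host not provably inside `cidr` to the groups that contain it."""
    network = ipaddress.ip_network(cidr)
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    offenders = {}
    for group, value in inventory.items():
        if group == "_meta":
            continue
        for host in group_hosts(value):
            # Assumption: prefer ansible_host if set, else the inventory name.
            address = hostvars.get(host, {}).get("ansible_host", host)
            try:
                inside = ipaddress.ip_address(address) in network
            except ValueError:
                inside = False  # not an IP literal, so it cannot be verified
            if not inside:
                offenders.setdefault(host, set()).add(group)
    return {host: sorted(groups) for host, groups in sorted(offenders.items())}


# Constructed sample of a merged inventory: the intended VPC hosts plus two
# hosts contributed by a second inventory source in a subdirectory.
SAMPLE = json.loads("""
{
  "_meta": {"hostvars": {"manager-1": {"ansible_host": "10.50.10.11"}}},
  "tag_atlas_project_manager": ["10.50.10.10", "manager-1"],
  "manager": {"children": ["tag_atlas_project_manager"]},
  "constructed_preprod_group": {"hosts": ["10.1.30.110", "10.1.30.250"]},
  "ungrouped": ["legacy.example.internal"]
}
""")

if __name__ == "__main__":
    for host, groups in hosts_outside_cidr(SAMPLE, "10.50.0.0/16").items():
        print("out of scope: {} (groups: {})".format(host, ", ".join(groups)))
```

To check the inventory Ansible actually merges, feed the function the output of `ansible-inventory -i inventory/development/ --list` rather than the output of a single `ec2.py`, since only the former includes sources found in subdirectories.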
