通过 ansible 在具有两个网卡的 vpc 中创建 ec2 实例

Question

after a day of googling I decided to give up and ask here: I'm still quite new to ansible and AWS, hence this question might lack background information which I'm happy to provide on request.

What I'm trying to achieve: Write an Ansible playbook, which creates a new ec2 instance within my vpc. This instance shall be provided with two new nics, eth0 and eth1. These nics should be associated with each one specific security group.

My playbook so far is built like this:

• Create eth0
• Create eth1
• Create ec2 instance

My problem: All documentation says I need to provide the eni-id of the interface I'd like to attach to my instance. I can't provide this, since the ids do not exist yet. The only thing I know is the name of the interfaces so I was trying to get the id of the interfaces separately, which also didn't work. If I try to register the output of the creation of eth{0,1} in ansible, the whole output is stored and breaks the validation later when calling the variables in the section of the instance creation. Same with the extra step after the creation process.

More about the setup: Running a VPC in AWS, hosts inside VPC are only accessible through VPN. Running Ansible on macOS:

ansible --version

ansible [core 2.14.1]
  config file = None
  configured module search path = ['/Users/mg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/7.1.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/mg/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.1 (main, Dec 23 2022, 09:40:27) [Clang 14.0.0 (clang-1400.0.29.202)] (/usr/local/Cellar/ansible/7.1.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Playbook:

---
- name: Create ec2 instances
  hosts: localhost
  gather_facts: false
  tasks:

  # Block is a Group of Tasks combined together
  - name: Get Info Block
    block: 
      - name: Get Running instance Info
        
        ec2_instance_info:
        register: ec2info 

      - name: Print info
        debug: var="ec2info.instances"
             

    # By specifying always on the tag, 
    # I let this block to run all the time by module_default
    # this is for security to net create ec2 instances accidentally
    tags: ['always', 'getinfoonly']

  - name: Create ec2 block
    block: 
    
      - amazon.aws.ec2_vpc_net_info:
          vpc_ids: vpc-XXXXXXXXXXXXXXXXX
                                 
      - name: Create ec2 network interface eth0_lan
        delegate_to: localhost
        tags: ec2-create
        amazon.aws.ec2_eni:
          name: "eth0_lan_{{ vpc_hostname }}"
          description: "eth0_lan_{{ vpc_hostname }}"
          subnet_id: "{{ vpc_subnetid }}"
          state: present
          delete_on_termination: true
          region: eu-central-1
          security_groups: "sg-XXXXXXXXXXXXXXXXX"
      
      - name: Get id of eth0
        delegate_to: localhost
        tags: ec2-create
        amazon.aws.ec2_eni:
          name: "eth0_lan_{{ vpc_hostname }}"
        register: eth0
      

      - name: Create ec2 network interface eth1_wan
        delegate_to: localhost
        tags: ec2-create
        amazon.aws.ec2_eni:
          name: "eth1_wan_{{ vpc_hostname }}"
          description: "eth1_wan_{{ vpc_hostname }}"
          subnet_id: "subnet-XXXXXXXXXXXXXXXXX"
          state: present
          delete_on_termination: true
          region: eu-central-1
          security_groups: 'sg-XXXXXXXXXXXXXXXXX'

      - name: Get id of eth1
        delegate_to: localhost
        tags: ec2-create
        amazon.aws.ec2_eni:
          name: "eth1_wan_{{ vpc_hostname }}"
        register: eth1

      - name: Launch ec2 instances
        tags: ec2-create
        amazon.aws.ec2_instance:
          name: "{{ vpc_hostname }}"
          region: "eu-central-1"
          key_name: "MyKey"
          image_id: ami-XXXXXXXXXXXXXXXXX
          vpc_subnet_id: "{{ vpc_subnetid }}"
          instance_type: "{{ instance_type }}"
          volumes:
            - device_name: /dev/sda1
              ebs:
                volume_size: 30
                delete_on_termination: true
          network:
            interfaces:
              - id: "{{ eth0 }}"
              - id: "{{ eth1 }}"
          detailed_monitoring: true
        register: ec2
        delegate_to: localhost

    # By specifying never on the tag of this block, 
    # I let this block to run only when explicitely being called
    tags: ['never', 'ec2-create']

(If you're wondering about the tag-stuff, this comes from the tutorial I followed initially, credits: https://www.middlewareinventory.com/blog/ansible-aws-ec2/#How_Ansible_works_with_AWS_EC2_Setup_Boto_for_Ansible )

The execution of the ansible playbook breaks with this error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Invalid type for parameter NetworkInterfaces[1].NetworkInterfaceId, value: {'changed': True, 'interface': {'id': 'eni-XXXXXXXXXXXXXXXXX', 'subnet_id': 'subnet-XXXXXXXXXXXXXXXXX', 'vpc_id': 'vpc-XXXXXXXXXXXXXXXXX', 'description': 'somedescription', 'owner_id': 'XXXXXXXXXXXXXXXXX', 'status': 'available', 'mac_address': 'xx:xx:xx:xx:xx:xx, 'private_ip_address': 'xx.xx.xxx.xx', 'source_dest_check': True, 'groups': {'sg-XXXXXXXXXXXXXXXXX': 'SGNAME'}, 'private_ip_addresses': [{'private_ip_address': 'xx.xx.xxx.xx', 'primary_address': True}], 'name': 'eth1_wan_<fqdn>', 'tags': {'Name': 'eth1_wan_<fqdn>'}}, 'failed': False}, type: <class 'dict'>, valid types: <class 'str'>

Answer 1

So, my colleague and I managed to solve this: Use "{{ eth0.interface.id }}" instead. However, all instances continue to terminate themselves on creation. In AWS console: Client.InternalError. This is related to kms/ebs encryption which I turned on by default today. It turned out, that I tried to use an asymmetrical customer-managed-key for default ebs encryption. As soon as I replaced this with a symmetrical one, it worked and the instances would start.