I've been hacking around this for my AWS VPCs by having my VPC setup playbook drop an ansible.cfg in the playbook dir with the appropriate ProxyCommand ssh_args set to use the jump box. When it gets to provisioning, it fails (since it can't re-read ansible.cfg), then we re-run the VPC setup and provision playbooks and everything works through the jump box as expected. Hacky, but it's the cleanest thing I could come up with to work in a fully dynamic VPC env (where each dev can stand up/tear down their own multiple times a day).
If I were going to take this to the next level, I'd probably add ansible_ssh_proxy_host, _user, and _port vars and ssh.py support to generate the right ProxyCommand config. That part looks pretty straightforward, and would probably solve a lot of folks' issues (since you could then use set_fact to configure the jump box on the fly). The part that seems tougher to get a general-purpose solution for is getting ec2.py/ec2_vpc doing something sane for automatic proxy support on private VPC hosts. I think the cleanest approach would probably be to add first-class support for jump box provisioning to ec2_vpc (as has been discussed for NAT support), at which point ec2.py could have a mode to set the ansible_ssh_proxy_X vars to the jump box for hosts without a public IP. I think that would solve 99% of the issues people have with jump box/bastion host access for dynamic VPC environments. Thoughts? I can just push forward and kick out a PR, but if folks generally disagree with the approach, I'd rather spend my time elsewhere.

-Matt

On Friday, August 8, 2014 4:57:59 PM UTC-7, Michael DeHaan wrote:

> I think I rejected this in the past, when we were young, saying you could set this in ~/.ssh/config (as you can).
>
> I'm open to it now though, for exactly those reasons.
>
> Would need to be implemented in ssh.py and probably raise warnings if found in paramiko.py.
>
> Code submissions would be great, otherwise file a feature idea in GitHub.
>
> On Fri, Aug 8, 2014 at 7:51 PM, Kevin Fox <[email protected]> wrote:
>
>> I'd love a feature that let you set ansible_ssh_proxy in this way. I'd be able to set it from my openstack inventory module.
>>
>> On Wednesday, February 5, 2014 11:51:03 AM UTC-8, Adam Heath wrote:
>>
>>> I've had musings on that too. Currently, I think you'd have to manually configure $HOME/.ssh/config, with ProxyCommand.
>>>
>>> However, I just had a thought. What if there was an ansible_ssh_proxy=$other_inventory_host feature? When set, ansible would auto-add the -o ProxyCommand="$something".
>>>
>>> This is just some random brainstorm ramblings.
>>>
>>> On 02/05/2014 12:59 PM, Jeff Lord wrote:
>>>
>>>> Hello,
>>>>
>>>> I am building out an env in AWS using ansible and would like to configure all of my hosts by running through a single bastion host which has port 22 open.
>>>> Laptop -> AWS Bastion -> AWS private network instances
>>>>
>>>> Is there a good example of how to configure the proxy around?
>>>>
>>>> Thank You in advance,
>>>
>>> --
>>
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/304538a4-182d-40f3-ae04-4504bdb0fec5%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
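An added example, not code from this thread or from Ansible's own ssh.py, of the ProxyCommand generation Matt sketches: it builds the `-o ProxyCommand=...` ssh argument from hypothetical ansible_ssh_proxy_host/_user/_port host vars (assumed names, not real Ansible variables) and shell-quotes every value, since those vars could arrive from dynamic inventory or set_fact rather than a hand-written config. It assumes Python 3 and uses `ssh -W` on the jump box instead of netcat.

```python
import shlex

# Hypothetical variable names mirroring the ansible_ssh_proxy_* idea from the
# thread; they are assumptions, not variables Ansible actually defines.
PROXY_HOST_VAR = "ansible_ssh_proxy_host"
PROXY_USER_VAR = "ansible_ssh_proxy_user"
PROXY_PORT_VAR = "ansible_ssh_proxy_port"


def proxy_command(host_vars):
    """Return the ProxyCommand string for a host, or None if no jump box is set.

    host_vars: dict of inventory/host vars for the target host.
    The command runs `ssh -W %h:%p` on the jump box, so the bastion needs
    no netcat.  ssh hands ProxyCommand to the user's shell, so every value
    is quoted; an inventory script or set_fact must not be able to smuggle
    shell metacharacters into the command line.
    """
    jump = host_vars.get(PROXY_HOST_VAR)
    if not jump:
        return None
    port = int(host_vars.get(PROXY_PORT_VAR, 22))
    if not 0 < port < 65536:
        raise ValueError("invalid proxy port: %r" % port)
    user = host_vars.get(PROXY_USER_VAR)
    target = "%s@%s" % (user, jump) if user else jump
    # %h/%p are expanded by ssh itself to the final host and port.
    parts = ["ssh", "-W", "%h:%p", "-p", str(port), target]
    return " ".join(shlex.quote(p) for p in parts)


def ssh_args_for(host_vars, base_args=("-o", "ControlMaster=auto")):
    """Return the ssh argument list: base args plus -o ProxyCommand=... when set."""
    args = list(base_args)
    cmd = proxy_command(host_vars)
    if cmd:
        # Passed as a single argv element (no shell), so no extra quoting here.
        args += ["-o", "ProxyCommand=" + cmd]
    return args
```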
