What’s New: The Ansible AWS Collection 2.0 Release

When it comes to Amazon Web Services (AWS) infrastructure automation, the latest release of the Ansible amazon.aws Collection brings a set of fresh features to build, manage and govern various public and hybrid cloud use cases while accelerating the process from development to production.

In this blog post, we will go over what else has changed and highlight what’s new in the 2.0 release of this Ansible Content Collection.

 

Forward-looking Changes

Much of our work in the 2.0 release has been focused in the following areas:

  • Enhancing several modules from the upstream community
  • Promoting modules to being formally supported by Red Hat 
  • Releasing various new enhancements and clarifying supportability policies

New boto3/botocore Support Policy

Starting with the 2.0 amazon.aws Collection release, the Collection's policy is to support the versions of botocore and boto3 that were released 12 months prior to the most recent major Collection release, following semantic versioning (for example, 2.0.0, 3.0.0). Individual modules may require a more recent library version to support specific features, or may require the older boto library. Check the amazon.aws Collection documentation for the minimum required version for each module.

New Python Support Policy

On July 15, 2021, AWS published a minor version bump of the AWS Command Line Interface (AWS CLI) v1 and AWS SDK for Python (boto3 and botocore), requiring Python 3.6+ runtime and formally ending Python 2.7 support. To continue supporting Red Hat’s customers with secure and maintainable tools, we will be aligning with these deprecations. As a result, our CI systems no longer test against Python 2.7.

New Modules

This release brings a set of newly supported modules. They provide exciting new compute and networking capabilities, such as provisioning and de-provisioning of virtual computing environments (instances) and facilitating network operations for various workloads and use cases.

The five scenarios that follow are summarized in the table below and show some common uses of these new Red Hat supported modules:

[Table: summary of the five scenarios and the new modules each one uses]

Scenario 1: Deploy an AWS EC2 Instance

Perhaps you need to deploy a Red Hat Enterprise Linux (RHEL) 8 image on an Amazon Elastic Compute Cloud (EC2) instance on AWS, or retrieve information about running EC2 instances that match a set of filters. The ec2_instance and the related _info modules enable you to do just that.

- name: Start an EC2 instance with a public IP address
  amazon.aws.ec2_instance:
     name: "public-compute-instance"
     key_name: "{{ ssh_key }}"
     vpc_subnet_id: "{{ subnet_id }}"
     instance_type: c5.large
     security_group: default
     network:
        assign_public_ip: true
     image_id: "{{ ec2_ami_image }}"
     tags:
        Environment: Testing

- name: Gather information about any instance with a tag key Environment and value Testing
  amazon.aws.ec2_instance_info:
     filters:
       "tag:Environment": Testing

NOTE: ec2_instance does not handle the provisioning of EC2 spot instances, but a new ec2_spot_instance module has been released to do just that. We will expand on the features and use cases it covers in one of our upcoming in-depth blogs. So keep an eye out for that!

Scenario 2: Make Resources Publicly Accessible

Do your instances and services need to be accessible from the Internet? If a Virtual Private Cloud (VPC) does not have an Internet Gateway, the resources in that VPC cannot be reached from the Internet (unless the traffic flows via a corporate network over a Virtual Private Network (VPN) or Direct Connect). The ec2_vpc_igw module helps you set one up.

Here is an example task that creates one Internet Gateway and attaches it to your VPC. The ec2_vpc_igw_info module fetches information about all Internet Gateways matching the filter.

- name: Create Internet Gateway with tags
  amazon.aws.ec2_vpc_igw:
     vpc_id: "{{ vpc_id }}"
     state: present
     tags:
        Name: ansibleVPC_IGW

- name: Gather information about a filtered list of Internet Gateways
  amazon.aws.ec2_vpc_igw_info:
     filters:
        "tag:Name": "ansibleVPC_IGW"

Scenario 3: Give Internet Access to the Resources of a VPC

Suppose you have data that resides in resources deployed on a private subnet in a VPC, and those resources need to reach the Internet (e.g., to send data to an external service for processing). Suppose you would also like to exclude any inbound connections to those resources. In that case, ec2_vpc_nat_gateway is the right module. It does something similar to ec2_vpc_igw; the difference is that it gives servers and services one-way communication to the Internet without allowing connections that originate from the outside to get in.

Here is an example task that creates a Network Address Translation (NAT) Gateway. If you also need to retrieve information on the NAT Gateways matching specific filters, look at the second task in the snippet, which uses ec2_vpc_nat_gateway_info.

- name: Create new NAT Gateway and allocate new EIP
  amazon.aws.ec2_vpc_nat_gateway:
     state: present
     subnet_id: "{{ subnet_id }}"
     wait: true
     region: "{{ aws_region }}"

- name: Get NAT Gateways with specific filter
  amazon.aws.ec2_vpc_nat_gateway_info:
     region: "{{ aws_region }}"
     filters:
        subnet-id: "{{ subnet_id }}"
        state: ['available']

Scenario 4: Routing Traffic in a VPC 

That’s a lot of new modules ready to support you in automating different use cases so far! We have seen new Internet and NAT Gateway management modules, but something is missing in this picture. 

The Collection comes with two new modules dedicated to the management of the route tables – ec2_vpc_route_table and the _info module. In this use case, the ec2_vpc_route_table helps implement granular control over the routing of the inbound traffic to a VPC through an Internet Gateway. ec2_vpc_route_table_info fetches the routing tables matching the specified filters.

- name: Set up public route table
  amazon.aws.ec2_vpc_route_table:
     vpc_id: "{{ vpc_id }}"
     region: "{{ aws_region }}"
     tags:
        Name: Example
     subnets:
        - "{{ subnet_id }}"
        - '10.0.0.0/8'
     routes:
        - dest: 0.0.0.0/0
          gateway_id: "{{ igw_id }}"

- name: Gather information about any VPC route table with a tag key Name and value Example
  amazon.aws.ec2_vpc_route_table_info:
     filters:
        "tag:Name": Example

Scenario 5: Enabling Secure Communication to AWS-supported Services

Suppose you need a group of EC2 instances to access AWS-supported services (such as data sources on AWS S3) in a controlled and secure way. To communicate with the AWS service, they do not need to go over the Internet via an Internet Gateway, VPN connections, NAT Gateways, or public IP addresses. Instead, they can interact with the service through their private IP addresses. However, since the AWS service is not reachable from within the private network, a VPC Endpoint is needed. In addition, when the VPC Endpoint is created, you can attach an endpoint policy to it that provides granular access control to the AWS S3 service.

In that case, the ec2_vpc_endpoint module enables you to do just that.

Here is an example task that creates a VPC Endpoint. If you need to retrieve information about your endpoints using some matching criteria, ec2_vpc_endpoint_info can help.

- name: Create new VPC endpoint with the default policy
  amazon.aws.ec2_vpc_endpoint:
     state: present
     region: "{{ aws_region }}"
     vpc_id: "{{ vpc_id }}"
     service: "{{ s3_endpoint_service }}"
     route_table_ids:
        - "{{ route_table_id }}"

- name: Get all endpoints in ap-southeast-2 region
  amazon.aws.ec2_vpc_endpoint_info:
     query: endpoints
     region: "{{ aws_region }}"
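The five scenarios above are really the steps of one build: a VPC whose public subnet holds only the Internet-facing pieces, a private subnet whose hosts can reach the Internet one way through the NAT Gateway, and an S3 endpoint whose policy limits what those hosts may touch. The playbook below wires them together in that order, passing each task's registered return values (vpc.vpc.id, subnet.subnet.id, gateway_id, nat_gateway_id, route_table.id) into the next task. It is an added example written for this post, not code from the Ansible blog or the amazon.aws project; the region, CIDRs, AMI id, key pair name and bucket name are placeholders you must replace, and the endpoint policy is a constructed read-only policy rather than any default the module applies.

```yaml
---
# Added example (not from the original post): the five scenarios as one
# playbook. Values under vars are placeholders/assumptions for your account.
- name: Private workload with one-way egress and a policy-restricted S3 endpoint
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    aws_region: us-east-1              # assumption
    vpc_cidr: 10.10.0.0/16             # constructed example CIDRs
    public_cidr: 10.10.0.0/24
    private_cidr: 10.10.1.0/24
    ec2_ami_image: ami-PLACEHOLDER     # placeholder: a RHEL 8 AMI id for your region
    ssh_key: my-key-pair               # placeholder key pair name
    data_bucket: example-data-bucket   # placeholder bucket the workload may read
  tasks:
    - name: Create the VPC
      amazon.aws.ec2_vpc_net:
        name: example-vpc
        cidr_block: "{{ vpc_cidr }}"
        region: "{{ aws_region }}"
        tags: { Environment: Testing }
      register: vpc

    - name: Public subnet (hosts only the NAT Gateway)
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc.vpc.id }}"
        cidr: "{{ public_cidr }}"
        map_public: true
        region: "{{ aws_region }}"
        tags: { Name: example-public }
      register: public_subnet

    - name: Private subnet (no public IPs are assigned here)
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc.vpc.id }}"
        cidr: "{{ private_cidr }}"
        map_public: false
        region: "{{ aws_region }}"
        tags: { Name: example-private }
      register: private_subnet

    # Scenario 2: the only two-way path between the VPC and the Internet
    - name: Attach an Internet Gateway
      amazon.aws.ec2_vpc_igw:
        vpc_id: "{{ vpc.vpc.id }}"
        region: "{{ aws_region }}"
        state: present
        tags: { Name: example-igw }
      register: igw

    # Scenario 3: NAT Gateway in the public subnet gives private hosts egress only
    - name: Create a NAT Gateway (reuse one if the subnet already has it)
      amazon.aws.ec2_vpc_nat_gateway:
        subnet_id: "{{ public_subnet.subnet.id }}"
        if_exist_do_not_create: true
        wait: true
        region: "{{ aws_region }}"
      register: nat

    # Scenario 4: two route tables; only the public one points at the IGW
    - name: Public route table via the Internet Gateway
      amazon.aws.ec2_vpc_route_table:
        vpc_id: "{{ vpc.vpc.id }}"
        region: "{{ aws_region }}"
        tags: { Name: example-public-rt }
        subnets: ["{{ public_subnet.subnet.id }}"]
        routes:
          - dest: 0.0.0.0/0
            gateway_id: "{{ igw.gateway_id }}"

    - name: Private route table via the NAT Gateway (no inbound path exists)
      amazon.aws.ec2_vpc_route_table:
        vpc_id: "{{ vpc.vpc.id }}"
        region: "{{ aws_region }}"
        tags: { Name: example-private-rt }
        subnets: ["{{ private_subnet.subnet.id }}"]
        routes:
          - dest: 0.0.0.0/0
            nat_gateway_id: "{{ nat.nat_gateway_id }}"
      register: private_rt

    # Scenario 5: S3 gateway endpoint on the private route table; the
    # constructed policy allows read-only access to a single bucket
    - name: S3 VPC endpoint with a restrictive endpoint policy
      amazon.aws.ec2_vpc_endpoint:
        state: present
        region: "{{ aws_region }}"
        vpc_id: "{{ vpc.vpc.id }}"
        service: "com.amazonaws.{{ aws_region }}.s3"
        route_table_ids: ["{{ private_rt.route_table.id }}"]
        policy:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action: ["s3:GetObject", "s3:ListBucket"]
              Resource:
                - "arn:aws:s3:::{{ data_bucket }}"
                - "arn:aws:s3:::{{ data_bucket }}/*"

    # Scenario 1: the instance lands in the private subnet without a public IP
    - name: Launch the workload instance
      amazon.aws.ec2_instance:
        name: private-compute-instance
        key_name: "{{ ssh_key }}"
        vpc_subnet_id: "{{ private_subnet.subnet.id }}"
        instance_type: c5.large
        security_group: default
        network:
          assign_public_ip: false
        image_id: "{{ ec2_ami_image }}"
        region: "{{ aws_region }}"
        tags: { Environment: Testing }
```

Run it with ansible-playbook against localhost with AWS credentials in the environment. Two checks are worth making afterwards: ec2_vpc_route_table_info filtered on tag Name example-private-rt should show a 0.0.0.0/0 route whose target is the NAT Gateway and no route to the Internet Gateway, and ec2_instance_info filtered on tag Environment Testing should return an instance with no public IP address. If either differs, the instance is reachable from the Internet in a way this design does not intend.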

 

What’s next?

In this blog, we detailed the following:

  • Highlighted what’s new in the 2.0 release of the amazon.aws Collection 
  • Showed some typical cloud management scenarios that can be achieved with the new Red Hat supported modules 
  • Detailed example use cases ranging from EC2 instance provisioning to VPC management

Using Ansible Automation Platform and the latest amazon.aws Collection to automate your deployments on AWS greatly increases the chances that your cloud initiative will be a success.

We hope you found this blog helpful! But, more importantly, we hope it inspired you to try out the latest amazon.aws Collection release and let us know what you think. Please stop by the Ansible AWS IRC channel #ansible-aws on Libera.Chat to provide your valuable feedback or receive assistance with the amazon.aws Collection.

For further reading and information, visit the other blogs related to AWS automation. If you are unfamiliar with Ansible Content Collections, check out our YouTube playlist for everything about Ansible Collections. The videos will get you up to speed quickly.

Also, don’t forget to check out our Automate infrastructure workflows e-book if you want to learn more about building a unified, automated pipeline for infrastructure operations.

Originally posted on Ansible Blog
Author: Alina Buzachis
