ACSD Lab - adean20csc/Files GitHub Wiki

ACSD AWS Development Lab

This project contains the Ansible playbooks and roles to deploy a:

  • Bastion Host (Ubuntu - used for access to lab resources)
  • Management Host (Ubuntu - hosts Jenkins and other management tools)
  • CAM Host (Ubuntu - provides all CAM capabilities)
  • Red Hat Enterprise Linux 6.x Host
  • Red Hat Enterprise Linux 7.x Host
  • Windows 2008R2 Host
  • Windows 2012R2 Host

It uses the following Amazon Web Services:

Prerequisites

This project has the following prerequisites:

  • Ansible >= 2.2.0
  • AWS EC2 Credentials for the account
  • EC2 Credentials vaulted into file group_vars/all/aws_vault.yml

AWS Credentials

Access to AWS requires an access key and a secret key. These are stored as variables in an Ansible Vault file. First, create an aws_vault.yml file:

vim group_vars/all/aws_vault.yml

Add the following variables:

---
ec2_access_key: 'your ec2 access key'
ec2_secret_key: 'your ec2 secret key'

Next, encrypt the aws_vault.yml file:

ansible-vault encrypt group_vars/all/aws_vault.yml

Finally, create a .vault_pass.txt in the ansible user's home folder that contains a single line with the password used to create the vault:

echo 'your_vault_password' > ~/.vault_pass.txt

Keep the vaulted credentials file out of Git using the .gitignore file in that folder.

  • Optionally, keep a ~/.vault_pass.txt file (chmod 600) with your vault password. Only use this option if you can ensure its security, i.e. NOT on a shared system.

Prepare to run the Ansible Playbooks

This project follows the default Ansible inventory hierarchy.

    hosts
    group_vars/
        all/
            main.yml
        bastion.yml
        buildcam.yml
        manager.yml
        redhat6.yml
        redhat7.yml
        win2008.yml
        win2012.yml
    host_vars/
        bastion-1.yml
        buildcam-1.yml
        manager-1.yml
        redhat6-1.yml
        redhat7-1.yml
        win2008-1.yml
        win2012-1.yml
        vpc-ap-south-1.yml

hosts

The inventory is managed by the hosts file. It contains the hosts and host groups to deploy; edit it as needed for the deployment. This file should contain the DNS-resolvable names of the hosts being deployed.

NOTE: The Red Hat and Windows host groups were not combined because each version is handled differently. The default deployment of this project is the same for each version; because the groups are independent, each can be customized easily.

group_vars/all/main.yml

The group_vars/all/main.yml file contains variables global to all hosts in the inventory. These variables are specific to the deployment and should be reviewed and edited as needed.

The variables include:

  • AWS EC2 resources
  • AWS Site and VPC
  • AWS AMI versions

group_vars/groupname.yml

The names of the files in the group_vars/ folder must match the [group] names in the hosts inventory file. A group file only exists when that group has variables that are not already in group_vars/all/main.yml.

The variables include:

  • AWS instance details

host_vars/hostname.yml

The host_vars/hostname.yml file contains variables specific to that host.

The variables include:

  • EC2 instance tags
  • EC2 private / public IPs

Running the ACSDLAB playbook

The site.yml playbook builds the entire lab as defined by the hosts in the inventory. Run it from the root of the project:

ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

Accessing the Deployed Instances

The AWS EC2 instances deployed by this project are accessed via SSH tunnels and a proxy.

SSH Tunneling and Proxy Access

Interactive shell sessions are disabled on the Bastion host; tunnel to endpoints in the lab as follows.

For ssh sessions:

ssh -i username/id_rsa bastion_public_ip -l username -L port:targethost:22 -N

and then ssh to localhost -p port.

For RDP sessions:

ssh -i username/id_rsa bastion_public_ip -l username -L port:targethost:3389 -N

and then point Remote Desktop at localhost and the chosen port.

Bastion Host

ssh -F ssh.cfg bastion.acsdlab

Manager Host

ssh -F ssh.cfg manager1.acsdlab -l ubuntu

Jenkins on the Manager Host

Establish an ssh tunnel on a free local port (e.g. 8081):

ssh -F ssh.cfg bastion.slmlab -l ubuntu -L 8081:172.16.2.10:8080 -N

Then point your browser at http://127.0.0.1:8081 and create a user.

Build CAM Host

ssh -F ssh.cfg buildcam1.acsdlab -l ubuntu
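The ssh.cfg referenced by the commands above is not shown on this page. The following is an added, illustrative ssh.cfg (not the project's own file) that routes the private lab hosts through the bastion with ProxyJump, so no interactive session is needed on the bastion. Host names and the manager's private IP are taken from this page; the bastion public IP, the buildcam private IP, the key path and the user are placeholders.

```sshconfig
# Illustrative ssh.cfg for the ACSD lab (added example; the project's real file may differ).
# Assumptions: the lab key lives at username/id_rsa, 203.0.113.10 stands in for
# bastion_public_ip, and 172.16.2.20 is a placeholder for buildcam-1's private IP.

# Settings shared by every lab host: key-only auth with exactly the named key, and a
# separate known_hosts so a rebuilt lab does not leave stale keys in the main file.
Host *.acsdlab
    IdentitiesOnly yes
    PasswordAuthentication no
    UserKnownHostsFile ~/.ssh/known_hosts.acsdlab
    ServerAliveInterval 30

# The bastion is the only host with a public address. Shell sessions are disabled
# there, so it is used only as a jump host and for -L/-N port forwards.
Host bastion.acsdlab
    HostName 203.0.113.10          # placeholder: bastion_public_ip from the deployment
    User username                  # placeholder: your lab account (some page examples use ubuntu)
    IdentityFile username/id_rsa

# Private lab hosts are reachable only through the bastion.
# ProxyJump needs OpenSSH >= 7.3; on older clients use instead:
#   ProxyCommand ssh -F ssh.cfg -W %h:%p bastion.acsdlab
Host manager1.acsdlab
    HostName 172.16.2.10           # manager private IP, as used in the Jenkins tunnel above
    User ubuntu
    IdentityFile username/id_rsa
    ProxyJump bastion.acsdlab

Host buildcam1.acsdlab
    HostName 172.16.2.20           # placeholder: buildcam-1 private IP (see host_vars)
    User ubuntu
    IdentityFile username/id_rsa
    ProxyJump bastion.acsdlab

# The Windows hosts get no login entry; forward RDP through the bastion instead, e.g.
#   ssh -F ssh.cfg bastion.acsdlab -L 3390:<win2012-1 private IP>:3389 -N
```

With this file in place, `ssh -F ssh.cfg manager1.acsdlab` opens the connection through the bastion in one step, and the host keys of the lab are confirmed against the lab-specific known_hosts file on first use.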

Git Subtrees

This project uses git subtrees to pull in roles from CSC GitHub.

Pull updates from Automation/ansible-slmcam-role

$ git subtree pull --prefix=roles/slmcam [email protected]:Automation/ansible-slmcam-role.git master --squash

Pull updates from Automation/ansible-slmawsinstance-role

$ git subtree pull --prefix=roles/slmawsinstance [email protected]:Automation/ansible-slmawsinstance-role.git master --squash