Ansible gcp - ghdrako/doc_snipets GitHub Wiki

$ pip install requests google-auth
$ ansible-galaxy collection install google.cloud

Authentication

The google.cloud collection offers three practical ways of obtaining a working set of credentials in GCP:

  • A service account key configured through environment variables (auth_kind: serviceaccount)
  • A service account key referenced from the task as a JSON file (auth_kind: serviceaccount plus service_account_file)
  • The machine account, i.e. the service account attached to the GCE instance that runs Ansible (auth_kind: machineaccount), which needs no key file on disk at all

For the first approach, once the service account exists and a key has been downloaded, set the following environment variables; every module and the inventory plugin read them whenever the matching parameter is not given in the task:

  • GCP_AUTH_KIND (serviceaccount, machineaccount, application or accesstoken)
  • GCP_SERVICE_ACCOUNT_EMAIL (only consulted with machineaccount, to pick a service account other than the one attached to the VM by default)
  • GCP_SERVICE_ACCOUNT_FILE (path to the JSON key; used with serviceaccount)
  • GCP_SCOPES (comma-separated OAuth scopes, e.g. https://www.googleapis.com/auth/compute)

GCP_PROJECT can be set the same way to fill the required project parameter. Keep the JSON key readable only by the user running Ansible (mode 0600) and outside the repository; the key is a long-lived credential and the machine-account approach avoids it entirely.
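The machine-account approach is listed above but not shown anywhere on the page. The playbook below is an added example, not code from the original page or from the google.cloud collection's documentation: run on a GCE control node, it authenticates with the service account attached to that VM, so no key file exists on disk, and it goes one step further than the list by reporting which running instances have OS Login set in their instance metadata. The project ID and zone are placeholders, and the attached service account is assumed to hold roles/compute.viewer.

```yaml
---
# Added example: keyless authentication from a GCE control node (auth_kind: machineaccount).
# Assumptions: the control node is a GCE instance, its attached service account has
# roles/compute.viewer, and gcp_project / gcp_zone are replaced with real values.
- name: List running instances using the control node's attached service account
  hosts: localhost
  gather_facts: false
  vars:
    gcp_project: my-gcp-project-id   # placeholder
    gcp_zone: europe-west1-c          # placeholder
  tasks:
    - name: Query running instances with the VM's own identity
      google.cloud.gcp_compute_instance_info:
        project: "{{ gcp_project }}"
        zone: "{{ gcp_zone }}"
        filters:
          - status = RUNNING
        auth_kind: machineaccount
        # No service_account_file: the token comes from the metadata server.
        # The effective OAuth scopes are the access scopes configured on the VM;
        # service_account_email is only needed to select a non-default attached account.
      register: running

    # The info module returns the raw API resources, so metadata is
    # {"fingerprint": ..., "items": [{"key": ..., "value": ...}]}. The subscript form
    # metadata['items'] is used because .items would resolve to the dict method in Jinja.
    - name: Show name, internal IP and the per-instance enable-oslogin value
      ansible.builtin.debug:
        msg: >-
          {{ item.name }} ({{ item.zone | basename }}):
          ip={{ item.networkInterfaces[0].networkIP }}
          enable-oslogin={{ item.metadata['items'] | default([]) | selectattr('key', 'equalto', 'enable-oslogin') | map(attribute='value') | first | default('unset, inherits project metadata') }}
      loop: "{{ running.resources }}"
      loop_control:
        label: "{{ item.name }}"
```

Instances reported as "unset" fall back to the project-level enable-oslogin metadata, so an audit of OS Login coverage has to look at both levels.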

Playbook gce.yaml:

---
- hosts: localhost
  tasks:
  - name: create an instance
    google.cloud.gcp_compute_instance:
      name: test-machine              # instance names must match [a-z]([-a-z0-9]*[a-z0-9])?, no capitals
      machine_type: n1-standard-1
      disks:
      - auto_delete: true
        boot: true
        initialize_params:
          source_image: projects/centos-cloud/global/images/family/centos-stream-9
          disk_size_gb: 20            # must be at least the size of the image itself
      network_interfaces:             # the API refuses an instance without an interface
      - network:
          selfLink: global/networks/default   # default VPC; partial URLs are accepted
      zone: europe-west1-c            # GCP zones are europe-west1-c, not eu-west1-c
      project: my-gcp-project-id      # required; placeholder, replace with your project ID
      auth_kind: serviceaccount
      service_account_file: "~/sa.json"
      state: present

Connecting over SSH with OS Login

  1. Make sure the service account attached to the instance that runs Ansible has both roles/iam.serviceAccountUser and roles/compute.osAdminLogin (the predefined role is osAdminLogin, not osLoginAdmin; roles/compute.osLogin is enough if the Ansible user needs no sudo on the targets). The target instances, or their project, must also carry enable-oslogin=TRUE in metadata, otherwise sshd keeps using metadata-based SSH keys and the OS Login user does not exist on the host.

  2. Configure Ansible to use the service account's OS Login user name and the private key whose public half was uploaded with gcloud compute os-login ssh-keys add --key-file=<pubkey>. The user name has the form sa_<numeric unique ID of the service account>; gcloud compute os-login describe-profile prints it under posixAccounts.username. Either override the ansible_user and ansible_ssh_private_key_file inventory parameters, or pass --user and --private-key to ansible-playbook.

  3. Create the Ansible configuration file: create or update ansible.cfg in your Ansible project so it contains the SSH settings below:

[defaults]
# Disabling host key checking removes the only protection against a spoofed target;
# keep it for throwaway test projects only and use a populated known_hosts otherwise.
host_key_checking = False
remote_user = username_on_vm
inventory = ./inventory.ini
transport = ssh

[ssh_connection]
# ssh_args is read from [ssh_connection], not from [defaults].
# Every managed host (%h) is reached through vm_name, which acts as a jump host;
# --internal-ip requires that the control node can reach vm_name's internal address.
ssh_args = -o ProxyCommand="gcloud compute ssh --project=project_name --zone=zone_name vm_name --internal-ip --command 'nc %h %p'"

[inventory]
enable_plugins = google.cloud.gcp_compute, host_list, yaml, ini, script

  4. Create the inventory file:

Create inventory.ini or use a dynamic inventory source to manage the list of virtual machines in GCP. If you use inventory.ini, add the VM's host name to it:

[gcp]
vm_name

For a dynamic inventory, put the gcp_compute plugin configuration in a file whose name ends in gcp.yml (for example inventory.gcp.yml):

plugin: google.cloud.gcp_compute
projects:
  - my-gcp-project-id
filters:
  - status = RUNNING              # skip stopped machines instead of leaving filters empty
scopes:
  - https://www.googleapis.com/auth/compute
auth_kind: serviceaccount
service_account_file: /path/to/ansible-inventory-plugin-service-account.json

The plugin names each host by its public IP, falling back to the private IP and then the instance name, so machines without an external address are reached by internal IP through the jump host configured in ansible.cfg. It creates no group called gcp on its own: target hosts: all, or add keyed_groups (for example on labels) to the file. The service account used for the inventory only needs roles/compute.viewer.
  5. Write the Ansible playbook:

---
- name: Example GCP playbook with OS Login
  hosts: gcp
  tasks:
    - name: Run a command on the virtual machine
      ansible.builtin.command: uptime

  6. Run the Ansible playbook:

ansible-playbook your_playbook.yml

With the dynamic inventory, pass it explicitly (ansible-playbook -i inventory.gcp.yml your_playbook.yml) and target hosts: all or a keyed group instead of gcp.
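Steps 1 to 6 as one playbook, added here as an example rather than taken from the original page: the first play creates an instance with OS Login enabled in its metadata and registers it as an in-memory host by internal IP, the second play connects as the service account's OS Login user and checks that the session really runs under that account. It assumes the GCP_* variables from the Authentication section are exported, that ansible.cfg carries the ProxyCommand above, that a default VPC exists, and that oslogin_user and oslogin_key are replaced with the sa_<id> user name from gcloud compute os-login describe-profile and the matching private key; project and zone are placeholders.

```yaml
---
# Added example, not from the original page. Assumptions: GCP_AUTH_KIND and
# GCP_SERVICE_ACCOUNT_FILE (or machineaccount) are set in the environment, ansible.cfg
# provides the ProxyCommand to reach internal IPs, and the placeholders below are replaced.
- name: Create a VM with OS Login enabled and register it for the next play
  hosts: localhost
  gather_facts: false
  vars:
    gcp_project: my-gcp-project-id            # placeholder
    gcp_zone: europe-west1-c                  # placeholder
    oslogin_user: sa_123456789012345678901    # placeholder: posixAccounts.username from describe-profile
    oslogin_key: ~/.ssh/ansible_oslogin       # placeholder: private key whose .pub was added with
                                              # gcloud compute os-login ssh-keys add --key-file=...
  tasks:
    - name: Create the instance (auth parameters come from the GCP_* environment variables)
      google.cloud.gcp_compute_instance:
        project: "{{ gcp_project }}"
        zone: "{{ gcp_zone }}"
        name: oslogin-test
        machine_type: n1-standard-1
        metadata:
          enable-oslogin: "TRUE"              # per-instance OS Login; metadata SSH keys are ignored from now on
        disks:
          - auto_delete: true
            boot: true
            initialize_params:
              source_image: projects/centos-cloud/global/images/family/centos-stream-9
              disk_size_gb: 20
        network_interfaces:
          - network:
              selfLink: global/networks/default   # assumes the default VPC exists
        state: present
      register: vm

    # The module returns the API resource, so the internal address is networkInterfaces[0].networkIP.
    - name: Add the new instance to an in-memory group, connecting by internal IP as the OS Login user
      ansible.builtin.add_host:
        name: "{{ vm.name }}"
        groups: oslogin_vms
        ansible_host: "{{ vm.networkInterfaces[0].networkIP }}"
        ansible_user: "{{ oslogin_user }}"
        ansible_ssh_private_key_file: "{{ oslogin_key }}"

- name: Verify the OS Login session on the new instance
  hosts: oslogin_vms
  gather_facts: false
  tasks:
    - name: Wait until sshd accepts the OS Login key (the ProxyCommand from ansible.cfg applies)
      ansible.builtin.wait_for_connection:
        timeout: 300

    - name: Fail unless the session runs as the service account's POSIX user
      ansible.builtin.command: id -un
      register: whoami
      changed_when: false
      failed_when: whoami.stdout != ansible_user

    - name: Run the command from the original playbook
      ansible.builtin.command: uptime
      changed_when: false
```

The id -un check is the part worth keeping in real playbooks: it turns a silent fallback to some other account (a leftover metadata-key user, or a remote_user that was not overridden) into a failed play instead of a successful run under the wrong identity.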