Ansible gcp - ghdrako/doc_snipets GitHub Wiki
-
https://www.bionconsulting.com/blog/gcp-iap-tunnelling-on-ansible-with-dynamic-inventory
-
https://docs.ansible.com/ansible/latest/scenario_guides/guide_gce.html
-
https://blog.devgenius.io/gcp-vm-instances-provisioning-and-configuring-using-ansible-bb58e40f01cd
-
https://xebia.com/blog/how-to-tell-ansible-to-use-gcp-iap-tunneling/
-
https://docs.ansible.com/ansible/latest/scenario_guides/guide_gce.html
-
https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_inventory.html
$ pip install requests google-auth
$ ansible-galaxy collection install google.cloud
Authentication
There are three different approaches to obtaining a working set of credentials in GCP:
- The service account using environment variables
- The service account using a JSON file
- The machine account
The first approach is, once you have created the service account, set the following environmental variables:
- GCP_AUTH_KIND
- GCP_SERVICE_ACCOUNT_EMAIL
- GCP_SERVICE_ACCOUNT_FILE
- GCP_SCOPES
Playbook gce.yaml:
---
- hosts: localhost
tasks:
- name: create a instance
google.cloud.gcp_compute_instance:
name: TestMachine
machine_type: n1-standard-1
disks:
- auto_delete: 'true'
boot: 'true'
initialize_params:
source_image: family/centos-stream-9
disk_size_gb: 10
zone: eu-west1-c
auth_kind: serviceaccount
service_account_file: "~/sa.json"
state: present
-
Make sure the Service Account attached to the instance that runs Ansible have both the roles/iam.serviceAccountUser and roles/compute.osLoginAdmin permissions.
-
Configure Ansible to use the Service Account's user name and the private key which corresponds to the public key uploaded via the gcloud command. For example by overriding the ansible_user and ansible_ssh_private_key_file inventory parameters, or by passing --private-key and --user parameters to ansible-playbook.
-
Utworzenie pliku konfiguracyjnego Ansible: Stwórz lub zaktualizuj plik
ansible.cfg
w swoim projekcie Ansible, aby zawierał odpowiednie ustawienia SSH:
[defaults]
host_key_checking = False
remote_user = nazwa_użytkownika_na_vm
inventory = ./inventory.ini
transport = ssh
ssh_args = -o ProxyCommand="gcloud compute ssh --project=project_name --zone=zone_name vm_name --internal-ip --command 'nc %h %p'"
[inventory]
enable_plugins = gcp_compute, host_list, yaml, ini, script
Providing Credentials as Environment Variables
GCP_AUTH_KIND
GCP_SERVICE_ACCOUNT_EMAIL
GCP_SERVICE_ACCOUNT_FILE
GCP_SCOPES
- Utworzenie pliku inventory:
Stwórz plik inventory.ini lub użyj dynamicznego źródła danych, aby zarządzać listą maszyn wirtualnych na GCP. Jeśli używasz pliku inventory.ini, dodaj w nim nazwę hosta VM:
[gcp]
vm_name
plugin: gcp_compute
projects:
- graphite-playground
auth_kind: serviceaccount
service_account_file: /home/alexstephen/my_account.json
plugin: gcp_compute
projects:
- my-gcp-project-id
filters:
scopes:
- https://www.googleapis.com/auth/compute
service_account_file: /path/to/ansible-inventory-plugin-service-account.json
auth_kind: serviceaccount
- Napisanie playbooka Ansible
---
- name: Przykładowy playbook GCP z osLogin
hosts: gcp
tasks:
- name: Wykonanie polecenia na maszynie wirtualnej
command: uptime
- Uruchomienie playbooka Ansible:
ansible-playbook twoj_playbook.yml