aws_ec2 – EC2 inventory source

Synopsis

  • Get inventory hosts from Amazon Web Services EC2.
  • Uses a YAML configuration file that ends with aws_ec2.(yml|yaml).

Requirements

The below requirements are needed on the local master node that executes this inventory.

  • boto3
  • botocore

Parameters

Parameter Choices/Defaults Configuration Comments
aws_access_key
string
env:EC2_ACCESS_KEY
env:AWS_ACCESS_KEY
env:AWS_ACCESS_KEY_ID
The AWS access key to use.

aliases: aws_access_key_id
aws_profile
string
env:AWS_DEFAULT_PROFILE
env:AWS_PROFILE
The AWS profile

aliases: boto_profile
aws_secret_key
string
env:EC2_SECRET_KEY
env:AWS_SECRET_KEY
env:AWS_SECRET_ACCESS_KEY
The AWS secret key that corresponds to the access key.

aliases: aws_secret_access_key
aws_security_token
string
env:EC2_SECURITY_TOKEN
env:AWS_SESSION_TOKEN
env:AWS_SECURITY_TOKEN
The AWS security token if using temporary access and secret keys.
cache
boolean
    Choices:
  • no ←
  • yes
ini entries:

[inventory]
cache = no

env:ANSIBLE_INVENTORY_CACHE
Toggle to enable/disable the caching of the inventory's source data, requires a cache plugin setup to work.
cache_connection
string
ini entries:

[defaults]
fact_caching_connection = VALUE

[inventory]
cache_connection = VALUE

env:ANSIBLE_CACHE_PLUGIN_CONNECTION
env:ANSIBLE_INVENTORY_CACHE_CONNECTION
Cache connection data or path, read cache plugin documentation for specifics.
cache_plugin
string
Default:
"memory"
ini entries:

[defaults]
fact_caching = memory

[inventory]
cache_plugin = memory

env:ANSIBLE_CACHE_PLUGIN
env:ANSIBLE_INVENTORY_CACHE_PLUGIN
Cache plugin to use for the inventory's source data.
cache_prefix
-
Default:
"ansible_inventory_"
ini entries:

[default]
fact_caching_prefix = ansible_inventory_

[inventory]
cache_prefix = ansible_inventory_

env:ANSIBLE_CACHE_PLUGIN_PREFIX
env:ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX
Prefix to use for cache plugin files/tables
cache_timeout
integer
Default:
3600
ini entries:

[defaults]
fact_caching_timeout = 3600

[inventory]
cache_timeout = 3600

env:ANSIBLE_CACHE_PLUGIN_TIMEOUT
env:ANSIBLE_INVENTORY_CACHE_TIMEOUT
Cache duration in seconds
compose
dictionary
Default:
{}
Create vars from jinja2 expressions.
filters
dictionary
Default:
{}
A dictionary of filter value pairs.
groups
dictionary
Default:
{}
Add hosts to group based on Jinja2 conditionals.
hostnames
list
Default:
[]
A list in order of precedence for hostname variables.
To use tags as hostnames use the syntax tag:Name=Value to use the hostname Name_Value, or tag:Name to use the value of the Name tag.
iam_role_arn
-
added in 2.9
The ARN of the IAM role to assume to perform the inventory lookup. You should still provide AWS credentials with enough privilege to perform the AssumeRole action.
include_extra_api_calls
boolean
added in 2.8
    Choices:
  • no ←
  • yes
Add two additional API calls for every instance to include 'persistent' and 'events' host variables.
Spot instances may be persistent and instances may have associated events.
keyed_groups
list
Default:
[]
Add hosts to group based on the values of a variable.
plugin
- / required
    Choices:
  • aws_ec2
Token that ensures this is a source file for the plugin.
regions
list
Default:
[]
A list of regions in which to describe EC2 instances.
If empty (the default) default this will include all regions, except possibly restricted ones like us-gov-west-1 and cn-north-1.
strict
boolean
    Choices:
  • no ←
  • yes
If yes make invalid entries a fatal error, otherwise skip and continue.
Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default.
strict_permissions
boolean
    Choices:
  • no
  • yes ←
By default if a 403 (Forbidden) error code is encountered this plugin will fail.
You can set this option to False in the inventory config file which will allow 403 errors to be gracefully skipped.
use_contrib_script_compatible_sanitization
boolean
added in 2.8
    Choices:
  • no ←
  • yes
By default this plugin is using a general group name sanitization to create safe and usable group names for use in Ansible. This option allows you to override that, in efforts to allow migration from the old inventory script and matches the sanitization of groups when the script's ``replace_dash_in_groups`` option is set to ``False``. To replicate behavior of ``replace_dash_in_groups = True`` with constructed groups, you will need to replace hyphens with underscores via the regex_replace filter for those entries.
For this to work you should also turn off the TRANSFORM_INVALID_GROUP_CHARS setting, otherwise the core engine will just use the standard sanitization on top.
This is not the default as such names break certain functionality as not all characters are valid Python identifiers which group names end up being used as.

Notes

Note

  • If no credentials are provided and the control node has an associated IAM instance profile then the role will be used for authentication.

Examples

# Minimal example using environment vars or instance role credentials
# Fetch all hosts in us-east-1, the hostname is the public DNS if it exists, otherwise the private IP address
plugin: aws_ec2
regions:
  - us-east-1

# Example using filters, ignoring permission errors, and specifying the hostname precedence
plugin: aws_ec2
boto_profile: aws_profile
# Populate inventory with instances in these regions
regions:
  - us-east-1
  - us-east-2
filters:
  # All instances with their `Environment` tag set to `dev`
  tag:Environment: dev
  # All dev and QA hosts
  tag:Environment:
    - dev
    - qa
  instance.group-id: sg-xxxxxxxx
# Ignores 403 errors rather than failing
strict_permissions: False
# Note: I(hostnames) sets the inventory_hostname. To modify ansible_host without modifying
# inventory_hostname use compose (see example below).
hostnames:
  - tag:Name=Tag1,Name=Tag2  # Return specific hosts only
  - tag:CustomDNSName
  - dns-name
  - private-ip-address

# Example using constructed features to create groups and set ansible_host
plugin: aws_ec2
regions:
  - us-east-1
  - us-west-1
# keyed_groups may be used to create custom groups
strict: False
keyed_groups:
  # Add e.g. x86_64 hosts to an arch_x86_64 group
  - prefix: arch
    key: 'architecture'
  # Add hosts to tag_Name_Value groups for each Name/Value tag pair
  - prefix: tag
    key: tags
  # Add hosts to e.g. instance_type_z3_tiny
  - prefix: instance_type
    key: instance_type
  # Create security_groups_sg_abcd1234 group for each SG
  - key: 'security_groups|json_query("[].group_id")'
    prefix: 'security_groups'
  # Create a group for each value of the Application tag
  - key: tags.Application
    separator: ''
  # Create a group per region e.g. aws_region_us_east_2
  - key: placement.region
    prefix: aws_region
  # Create a group (or groups) based on the value of a custom tag "Role" and add them to a metagroup called "project"
  - key: tags['Role']
    prefix: foo
    parent_group: "project"
# Set individual variables with compose
compose:
  # Use the private IP address to connect to the host
  # (note: this does not modify inventory_hostname, which is set via I(hostnames))
  ansible_host: private_ip_address

Status

Authors

  • Sloane Hertel (@s-hertel)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.