AWS Automation with Ansible

Bitbucket Repo: https://bitbucket.org/errigal/ansible-aws/

Other Available SDK's for AWS: https://aws.amazon.com/tools/

• This project covers the vast majority of playbooks needed in order to automate the server environment configuration for the IDMS on AWS.
• This project uses ansible with boto3 to automate resource generation and configuration for many aspects of our AWS environment setup aside from vpn and vpc.
• The project also handles the cleanup and deletion of these resources when the environment is not in use. These can be of benefit for qa environments that are not always needed.
• The original request for this project was so AmericanTower's QA system on AWS could be made scalable i.e. torn down in between qa cycles to reduce costs.

1. Provides a repository and means of change tracking to git for our AWS environments, alongside resource like AWS Config.
2. Follows AWS's Infrastructure as code management approach.
3. Forces user to think about what they are setting up and running by reading the playbooks and identifying what vars are needed for their resource setup.
4. Decreases likelihood of accidental resource deletion or mistaken additions which manual UI usage can cause.

https://docs.ansible.com/ansible/2.5/scenario_guides/guide_aws.html

The Following things need to be installed on your local machine prior to using this project

1. Clone the ansible-aws repository: git clone git@bitbucket.org:errigal/ansible-aws.git
2. Install python: sudo yum install python (Should be installed by default on mac osx)
3. Install ansible: sudo yum install ansible 2.5+
4. Install pip: sudo yum install python-pip
5. sudo python -m pip install boto3
6. Before running any playbooks ensure a group_vars directory is setup with the correct variables for your aws environment (e.g. qaatc, nvqa, newenv etc.). Take a look at the other group_vars files to determine what vars are needed to run the playbooks (these include things like the vpc-id, naming conventions for resources, tags for resources, subnet specifications etc.)

There are a number of ways to run ansible scripts against aws. The method chosen for this project was to package the credentials within the environment variables. As we have multiple AWS accounts currently, we also have multiple environments set up in the project (qaatc, nvqa). These each have a vault file containing the access key and secret key for that account. These are fully encrypted and require a password to run all scripts. Passwords can be found in PasswordSafe under AWS ANSIBLE VAULT ENVIRONMENTS.

Due to dependencies of certain things being created at certain stages, the following is the ordering in which to run the creation and deletion playbooks associated with this project.

1. createRDSInstance.yml
2. QA Transform scripts (separate project): https://bitbucket.org/errigal/database-setup/src/master/
3. createEC2Instance.yml
4. createTargetGroup.yml
5. createALBAndAssignRules.yml

1. deleteRDSInstance.yml
2. deleteEC2Instance.yml
3. deleteALB.yml
4. deleteTargetGroup.yml

https://docs.ansible.com/ansible/2.5/modules/rds_module.html?highlight=rds

Restore an RDS Instance from a snapshot and adds a route 53 entry for that rds instance to resolve the host name to its rds endpoint.

Command line Parameters:

• rds_snapshot(the snapshot name)
• add_route53='true' - if set to false will not add a route 53 entry. this is important in cases where we do not manage the dns entries through route 53 e.g. errigal.com

ansible-playbook createRDSInstance.yml -e "env=NAME_OF_AWS_ENV rds_snapshot=rds:atc-rds-instance-snapshot-name add_route53='true'" --ask-vault-pass

Delete an RDS instance from a specified name.

Command line Parameters:

• rds_instance_name=rds:atc-rds-instance-name-to-delete

ansible-playbook deleteRDSInstance.yml -e "env=NAME_OF_AWS_ENV rds_instance_name=rds:atc-rds-instance-name-to-delete" --ask-vault-pass

1. https://docs.ansible.com/ansible/2.5/modules/ec2_module.html?highlight=ec2
2. https://docs.ansible.com/ansible/2.5/modules/ec2_eip_module.html?highlight=ec2
3. https://docs.ansible.com/ansible/2.5/modules/ec2_tag_module.html?highlight=ec2_tag

Create an EC2 Instances inside a vpc assigned to a subnet group.

Command line Parameters:

• volume_size: size of root volume
• instance_type: instance specifications to be used for server
• region: the region to deploy in (n.virginia(us-east-1), ireland)
• subnet_id: the subnet to create and assign the ip to server in
• ami: the image to create the server from.
• name: the name to assign the ec2 instance.
• keypair: the .pem file name
• private_ip: the subnet private ip to assign the instance.
• add_elastic_ip: whether to allocate a public ip or not based on boolean.

Command LB1:	ansible-playbook -i local createEC2Instance.yml -e "env=NAME_OF_AWS_ENV volume_size=55 instance_type=r3.large region=us-east-1 count=1 subnet_id=subnet-2660a37a ami=ami-6468041b name=qa_atc_lb1 keypair=atc-prod private_ip=10.91.202.197 add_elasticip='true'" --ask-vault-pass

Command APPS1:	ansible-playbook -i local createEC2Instance.yml -e "env=NAME_OF_AWS_ENV volume_size=55 instance_type=r3.xlarge region=us-east-1 count=1 subnet_id=subnet-2660a37a ami=ami-19690566 name=qa_atc_apps1 keypair=atc-prod private_ip=10.91.202.198 add_elasticip='true'" --ask-vault-pass

Command APPS2:	ansible-playbook -i local createEC2Instance.yml -e "env=NAME_OF_AWS_ENV volume_size=55 instance_type=r3.xlarge region=us-east-1 count=1 subnet_id=subnet-2660a37a ami=ami-126a066d name=qa_atc_apps2 keypair=atc-prod private_ip=10.91.202.199 add_elasticip='true'" --ask-vault-pass																																																																								

Delete an EC2 Instances by specifying its id.

Command line Parameters:

• specified_instance_id: the ec2 id of the instance to delete.

ansible-playbook deleteEC2Instance.yml -e "env=NAME_OF_AWS_ENV specified_instance_id='ID-OF-EC2-INSTANCE-TO-DELETE'" --ask-vault-pass

Reboot an EC2 Instances by specifying its id.

Command line Parameters:

• specified_instance_id: the ec2 id of the instance to reboot.

ansible-playbook rebootEC2.yml -e "env=NAME_OF_AWS_ENV specified_instance_id='ID-OF-INSTANCE-TO-REBOOT'" --ask-vault-pass

1. https://docs.ansible.com/ansible/2.5/modules/elb_application_lb_module.html?highlight=elb_application_lb
2. https://docs.ansible.com/ansible/2.5/modules/route53_module.html?highlight=route53

Create Application Load Balancer, assign the SSL Certificate from its ARN id (the cert should be uploaded to AWS prior to this) and Assign Target Group forwarding Rules to the ALB.

ansible-playbook -e "env=NAME_OF_AWS_ENV" createALBAndAssignRules.yml --ask-vault-pass

Delete the Application Load Balancer(name is specified in the group_vars for the appropriate environment). This deletion step must be run before deleting the target groups.

ansible-playbook -e "env=NAME_OF_AWS_ENV" deleteALB.yml --ask-vault-pass

https://docs.ansible.com/ansible/2.5/modules/elb_target_group_module.html?highlight=elb_target_group

Create Application Load Balancer Target Groups for Applications and EC2 Handlers to forward traffic for different apps between the correct handlers and distribute load.

ansible-playbook -e "env=NAME_OF_AWS_ENV" createTargetGroup.yml --ask-vault-pass

Deletes application load balancer target groups.

ansible-playbook -e "env=NAME_OF_AWS_ENV" deleteTargetGroup.yml --ask-vault-pass

Repository url: https://bitbucket.org/errigal/env-snapshot-manager/src This project covers all the playbooks needed in order to automate the volume snapshot process for our AWS EC2 servers. This provides us with a means of failover for server storage if a recovery scenario was needed.

Details: - Runs on NVQALB1 & ATCLB1 currently - Permissions to run this ansible script are handled through IAM role assignments on the instance so no API keys are stored for security reasons. This also allevaited the problem of not being able to use a password with the cronjob.

## Scheduling The process is be scheduled to run via cron using the create_ec2_snapshots.sh file (ensure this file is executable using chmod +x) The correct environment playbook should be specified in the bash script ansible command (i.e. nvqa, atcprod). The tag options for create and deleting snapshots must be set to true in order for the process to work.

ansible-playbook playbooks/nvqa/ec2-snapshot.yml $TAGS_OPTION -e"name=standalone_name_server del_snapshot='true' add_snapshot='true'" --verbose

01 00 * * * /export/home/scotty/env-snapshot-manager/create_ec2_snapshots.sh

https://docs.google.com/spreadsheets/d/1rWQ-JOUawEPsPq2o_WjJlCm10CcySiMW8LLioNmkVPU/edit#gid=0

1. SSL - Load SSL certs directly to aws, server keystores and to tomcat containers via ansible.
2. VPC - Create a VPC (virtual private cloud) with assigned security groups and subnet definitions via ansible.
3. VPN - Create a VPN for aws via ansible and associated all static routes and rules with a vpc.
4. Security Group Rules - Automate the creation and maintenance of security group rules so that we have a central repository from which changes can be applied and tracked.
5. IAM Roles - Automate the creation and management of IAM roles and policies.
6. CloudWatch - Automate the creation and management of Cloudwatch Monitoring Rules for various scenarios.