ansible aws

Wouldn't you love to be able to simply wave a wand and layers of resources in your AWS account would suddenly - and magically - spring to perfectly configured life, ready to meet your complex infrastructure needs?


If you already have experience with AWS, then you know how much of a pain it can be to work through web page after web page in the Amazon management console as you manually provision services. And even the AWS CLI - which is a huge step up - can add its own complexity and effort to the mix.


That's not to say that AWS itself doesn't address the problem with their own class of powerful orchestration tools, including CloudFormation and their Elastic Kubernetes Service (something I address at length in my "Using Docker on AWS" course at Pluralsight). But neither of those options lives quite so close to your existing infrastructure - or uses as familiar a way of operating - as Ansible.


If you're already using Ansible for your on-premises operations, plugging it into your AWS account can sometimes be the quickest and most painless way to migrate operations to the cloud.


Understanding the Ansible/AWS Advantage

My book "Manage AWS Resources Using Ansible" - from which this article is excerpted - is designed to quickly introduce you to applying Ansible's declarative approach to working with AWS resources. Being able to "declare" the precise configuration results you want and then produce them by getting Ansible to read a playbook is Ansible's magic wand. When properly planned, it's amazing how simple it can be to execute complex, layered AWS deployments.


Before we launch a simple "Hello World" Ansible playbook, let's first make sure you've got a properly-configured working environment through which Ansible can communicate with all its new friends in your AWS account.


Preparing a Local Environment

As you probably already know, Ansible is an orchestration tool that lets you write plain-text playbook files that declare the software profile and ideal state you'd like applied to a target server. Those servers - known as hosts - can be provisioned for just about any digital workload you can imagine, using just about any combination of application software, and running on just about any platform.


In the good old days, when a playbook was run against a physical server, Ansible would employ an existing SSH connection to securely log in to the remote host and go about building your application. But that won't work for AWS workloads. You see, because the EC2 instances and other infrastructure you want to launch don't yet exist, there can be no "existing" SSH connections. Instead, Ansible will use Boto 3 - the software development kit (or SDK) provided by AWS that allows Python code to communicate with the AWS API.


Using the AWS CLI to Connect Ansible

You don't have to know how all that works, but it has to be there so it can work. For that reason you're going to install the AWS command line interface (CLI). We won't be using the CLI itself for anything important, but installing it will give us all the dependencies we'll need. You can find out how to make this work on the latest version of whatever OS you're using from the AWS documentation page.


Working with the Python package manager, PIP, is a popular way to get all this done. Here's how you would install PIP itself and then the AWS CLI on an Ubuntu machine:


sudo apt update
sudo apt install python3-pip
pip3 install awscli

I should note that, as I write this, Python 2 is still alive...but only just. So there might sometimes still be separate Python 2 and Python 3 versions installed on your system. Since Python 2 will soon be fully deprecated, you probably won't have to worry about specifying python3 or pip3 with your commands: that should be automatic.


Once the CLI is installed, run aws configure and enter your AWS access key ID and secret access key.


aws configure
cat .aws/credentials

You can get keys from the Your Security Credentials page in the AWS Management Console. Here's how those keys will look (don't get any naughty ideas, these aren't valid):


AccessKeyId: AKIALNZTQW6H3EFBRLHQ
SecretAccessKey: f26B8touguUBELGpdyCyc9o0ZDzP2MEUWNC0JNwA

Just remember that a pair of keys issued to the root user of your AWS account provides full access to your entire AWS account. Anyone in possession of those credentials would quickly be able to run up six- and even seven-figure service charges, so be very careful how you use and store them. Ideally, you would be better off limiting your risk exposure by creating an admin user in the AWS Identity and Access Management (IAM) service with limited powers and using a key issued to that user.


At any rate, why am I doing this? The value of populating my AWS credentials file is that Ansible is smart enough to look for it and, if no other authentication keys are available in the system environment, it'll use these. You'll soon see how mighty convenient that will be. However, you should be aware of other ways to manage authentication for Ansible playbooks, like using ansible-vault or creating and then invoking an aws_keys.yml file. But one thing you should definitely NOT do is hardcode the keys in your playbook files - especially if you plan to push them to an online repository like GitHub. I'll quickly test the CLI to make sure we can properly connect to AWS. This simple command will list any S3 buckets I happen to have within this account.


aws s3 ls
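As an added check (not part of the article), the script below guards against the two mistakes the paragraph above warns about: it scans playbook files for strings shaped like hardcoded AWS keys and confirms that the credentials file written by aws configure is readable only by its owner. The file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: guard against committing AWS keys in
# playbooks and against a readable-by-everyone ~/.aws/credentials file.

# scan_for_keys FILE...
# Returns 0 when none of the files contain a string shaped like an AWS access
# key ID (AKIA.../ASIA... followed by 16 uppercase alphanumerics) or a 40-char
# value assigned to aws_secret_key; returns 1 and reports file:line otherwise.
scan_for_keys() {
    found=0
    for f in "$@"; do
        # /dev/null as a second operand forces grep to prefix the file name
        if grep -nE '(^|[^A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}([^A-Z0-9]|$)' /dev/null "$f"; then
            echo "hardcoded access key ID found in $f"
            found=1
        fi
        if grep -nE 'aws_secret_key:[[:space:]]*[A-Za-z0-9/+=]{40}' /dev/null "$f"; then
            echo "hardcoded secret access key found in $f"
            found=1
        fi
    done
    return $found
}

# credentials_private [FILE]
# Returns 0 when FILE (default: ~/.aws/credentials, as written by aws configure)
# exists and has no group/other permission bits set; returns 1 otherwise.
credentials_private() {
    f="${1:-$HOME/.aws/credentials}"
    if [ ! -f "$f" ]; then
        echo "no credentials file at $f"
        return 1
    fi
    # Characters 5-10 of the ls -l mode string are the group and other rwx bits
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is readable by group or others; run: chmod 600 $f"
        return 1
    fi
    return 0
}

# Usage (assumed file names): check every playbook in the project, then the credentials file
# scan_for_keys ./*.yml && credentials_private
```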

We're now ready to install Ansible. I'll go with pip3 for that. I could use the regular Ubuntu apt repository just as easily, but it will most likely install a slightly older version. Depending on your network connection, that'll take a minute or two, but I'll skip most of that.


$ pip3 install ansible

I'll confirm that it's properly installed by running ansible --version. This shows us the version that was built, that configured Ansible modules will, by default, be searched for in either one of these two locations in the file system, that the Python module itself lives here and - most importantly - that the Ansible executable is located within the .local/bin/ directory beneath my user's home directory. My user here, by the way, is called ubuntu. You can also see that we're using a nice, up-to-date version of Python 3.


$ ansible --version
ansible 2.8.5
  config file = None
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ubuntu/.local/lib/python3.6/site-packages/ansible
  executable location = /home/ubuntu/.local/bin/ansible
  python version = 3.6.8 (default, Aug 20 2019, 17:12:48) [GCC 8.3.0]

One more step. As I mentioned earlier, Ansible will connect to AWS using the boto SDK. So we'll need to install the boto and boto 3 packages. I'll go with PIP for this one, too.


$ pip3 install boto boto3

Once that one has been brought on board, we'll be ready to get some real stuff done. That'll begin in the next section.


Testing Ansible with a Simple Playbook

This is going to be a very simple proof-of-concept demo. I'll create a couple of files, walk you through the syntax, and then fire it up. First off, I'll use any plain text editor to create a hosts file. Normally, the hosts file tells Ansible where it can find the remote servers you want to provision. But since, in the case of AWS, the resources that will be our hosts don't yet exist, we'll simply point Ansible to localhost and boto will handle connections behind the scenes. Here's what the contents of that file will look like:


[local]
localhost

Next, I'll create a playbook file that I'll call test-ansible.yml. The yml extension, of course, indicates that this file must be formatted using YAML syntax. As you can see from the file text I've pasted just below, that'll begin with three dashes marking the start of the file and then an indented dash introducing a set of definitions. The value of "hosts" could be one or more remote computers but, as I've said, we'll leave that up to the local system to figure out. The same goes for our connection.


The next section includes the tasks we want Ansible to perform. This one will use the aws_s3 module to create a new bucket on Amazon's S3 Simple Storage Service in the us-east-1 region. I have to give it this ugly name because S3 buckets require globally unique names - if a name you choose clashes with any one of the countless millions of names already out there, the operation will fail.


---
- name: Test s3
  hosts: local
  connection: local
  tasks:
  - name: Create new bucket
    aws_s3:
      bucket: testme817275b
      mode: create
      region: us-east-1

I run the playbook by calling the ansible-playbook command using -i to specify the hosts file, and then pointing to the test-ansible.yml file. Ansible should give us some feedback in just a moment or two. If we're successful, you'll see "0" as the value of "failed" and at least "1" as the value of "ok".


$ ansible-playbook -i hosts test-ansible.yml
PLAY [Test s3] ******************************************************

TASK [Create new bucket] ********************************************
changed: [localhost]

PLAY RECAP **********************************************************
localhost : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

If I check my list of buckets once more, I should - and do - see the new one:


$ aws s3 ls
2018-12-30 15:19:24 elasticbeanstalk-us-east-1-297972716276
2018-10-12 04:09:37 mysite548.com
2019-09-24 15:53:26 testme817275b

That's a very brief intro to setting up an Ansible environment. We saw how using Ansible with Amazon's automatically provisioned resources is going to work differently than it would with traditional Ansible hosts. You're going to require a different set of authentication and inventory control tools. We walked through the process of setting up an Ansible environment and connecting it to AWS, and then running a simple playbook. Short and sweet.


This article comes from my book "Manage AWS Resources Using Ansible". There's more technology goodness - in the form of books, courses, and articles - available on my website, bootstrap-it.com.


Translated from: https://www.freecodecamp.org/news/ansible-manage-aws/
