I've been hacking around this for my AWS VPCs by having my VPC setup playbook drop an ansible.cfg in the playbook dir with the appropriate ProxyCommand ssh_args set to use the jump box. When it gets to provisioning, it fails (since it can't re-read ansible.cfg), then we re-run the VPC setup and provision playbooks and everything works through the jump box as expected. Hacky, but it's the cleanest thing I could come up with to work in a fully dynamic VPC env (where each dev can stand up/tear down their own multiple times a day).
If I were going to take this to the next level, I'd probably add ansible_ssh_proxy_host, _user, and _port vars and ssh.py support to generate the right ProxyCommand config. That part looks pretty straightforward, and would probably solve a lot of folks' issues (since you could then use set_fact to configure the jump box on the fly). The part that seems tougher to get a general-purpose solution for is getting ec2.py/ec2_vpc doing something sane for automatic proxy support on private VPC hosts. I think the cleanest approach would probably be to add first-class support for jump box provisioning to ec2_vpc (as has been discussed for NAT support), at which point ec2.py could have a mode to set the ansible_ssh_proxy_X vars to the jump box for hosts without a public IP. I think that would solve 99% of the issues people have with jump box/bastion host access for dynamic VPC environments.

Thoughts? I can just push forward and kick out a PR, but if folks generally disagree with the approach, I'd rather spend my time elsewhere.

-Matt

On Friday, August 8, 2014 4:57:59 PM UTC-7, Michael DeHaan wrote:
> I think I rejected this in the past, when we were young, saying you could set this in ~/.ssh/config (as you can).
>
> I'm open to it now though, for exactly those reasons.
>
> Would need to be implemented in ssh.py and probably raise warnings if found in paramiko.py.
>
> Code submissions would be great, otherwise file a feature idea in GitHub.
>
> On Fri, Aug 8, 2014 at 7:51 PM, Kevin Fox <kfox...@gmail.com> wrote:
>> I'd love a feature that let you set ansible_ssh_proxy in this way. I'd be able to set it from my openstack inventory module.
>>
>> On Wednesday, February 5, 2014 11:51:03 AM UTC-8, Adam Heath wrote:
>>> I've had musings on that too. Currently, I think you'd have to manually configure $HOME/.ssh/config, with ProxyCommand.
>>>
>>> However, I just had a thought. What if there was an ansible_ssh_proxy=$other_inventory_host feature? When set, ansible would auto-add the -o ProxyCommand="$something".
>>>
>>> This is just some random brainstorm ramblings.
>>>
>>> On 02/05/2014 12:59 PM, Jeff Lord wrote:
>>> > Hello,
>>> >
>>> > I am building out an env in AWS using ansible and would like to configure all of my hosts by running through a single bastion host which has port 22 open.
>>> > Laptop -> AWS Bastion -> AWS private network instances
>>> >
>>> > Is there a good example of how to configure the proxy around?
>>> >
>>> > Thank You in advance,

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/9a291b81-90b5-4576-975a-078d0a60f458%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
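The following is an added example, not code from the thread or from Ansible itself. It sketches the two pieces Matt describes: turning per-host `ansible_ssh_proxy_host` / `ansible_ssh_proxy_user` / `ansible_ssh_proxy_port` vars (his proposed names, not an existing Ansible feature) into the `-o ProxyCommand=...` argument that ssh.py would pass to the ssh client, and the per-playbook `ansible.cfg` fragment his current workaround drops into the playbook directory. It also includes a stand-in for the proposed ec2.py mode that assigns the bastion's proxy vars to hosts with no public IP; the `ec2_ip_address` / `ec2_private_ip_address` hostvar names and the sample inventory are assumptions for illustration. `ssh -W %h:%p` is used instead of netcat so nothing extra needs to be installed on the bastion (OpenSSH 5.4 or later).

```python
"""Build ProxyCommand settings for reaching private VPC hosts through a bastion.

Assumed variable names (from the proposal in the thread, not an Ansible API):
  ansible_ssh_proxy_host, ansible_ssh_proxy_user, ansible_ssh_proxy_port
"""
import shlex

DEFAULT_PROXY_PORT = 22


def proxy_command(host_vars):
    """Return the ProxyCommand string for host_vars, or None if no proxy is set.

    Uses `ssh -W %h:%p` (OpenSSH 5.4+) so no netcat is needed on the bastion.
    Every inventory-derived value is shell-quoted: ssh hands ProxyCommand to
    the user's shell, so an unquoted hostname from a dynamic inventory could
    otherwise run arbitrary commands on the control machine.
    """
    proxy_host = host_vars.get("ansible_ssh_proxy_host")
    if not proxy_host:
        return None
    proxy_user = host_vars.get("ansible_ssh_proxy_user")
    try:
        proxy_port = int(host_vars.get("ansible_ssh_proxy_port", DEFAULT_PROXY_PORT))
    except (TypeError, ValueError):
        raise ValueError("ansible_ssh_proxy_port must be an integer") from None
    if not 1 <= proxy_port <= 65535:
        raise ValueError("ansible_ssh_proxy_port out of range: %d" % proxy_port)

    parts = ["ssh", "-W", "%h:%p"]          # %h/%p are expanded by the outer ssh
    if proxy_port != DEFAULT_PROXY_PORT:
        parts += ["-p", str(proxy_port)]
    parts.append("%s@%s" % (proxy_user, proxy_host) if proxy_user else proxy_host)
    return " ".join(shlex.quote(p) for p in parts)


def ssh_args(host_vars):
    """Extra argv for the ssh client, as ssh.py would append them (empty if no proxy)."""
    cmd = proxy_command(host_vars)
    return [] if cmd is None else ["-o", "ProxyCommand=" + cmd]


def render_ansible_cfg(proxy_host, proxy_user=None, proxy_port=DEFAULT_PROXY_PORT):
    """The per-playbook ansible.cfg fragment used by the workaround in the thread.

    Ansible splits ssh_args with shlex, so the whole ProxyCommand option is
    quoted as a single token.
    """
    cmd = proxy_command({
        "ansible_ssh_proxy_host": proxy_host,
        "ansible_ssh_proxy_user": proxy_user,
        "ansible_ssh_proxy_port": proxy_port,
    })
    option = shlex.quote("ProxyCommand=" + cmd)
    return ("[ssh_connection]\n"
            "ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o %s\n" % option)


def add_proxy_vars(inventory, bastion_vars):
    """Stand-in for the proposed ec2.py mode: hosts with no public IP get the
    bastion's proxy vars and are addressed by their private IP.

    `ec2_ip_address` / `ec2_private_ip_address` are assumed hostvar names.
    """
    out = {}
    for name, hv in inventory.items():
        hv = dict(hv)  # do not mutate the caller's inventory
        if not hv.get("ec2_ip_address") and hv.get("ec2_private_ip_address"):
            hv["ansible_ssh_host"] = hv["ec2_private_ip_address"]
            hv.update(bastion_vars)
        out[name] = hv
    return out


# Constructed sample inventory (not real AWS data): one public bastion, one private host.
SAMPLE_INVENTORY = {
    "bastion": {"ec2_ip_address": "203.0.113.10", "ec2_private_ip_address": "10.0.0.10"},
    "app-1": {"ec2_ip_address": None, "ec2_private_ip_address": "10.0.1.21"},
}
BASTION_VARS = {"ansible_ssh_proxy_host": "203.0.113.10",
                "ansible_ssh_proxy_user": "ec2-user"}

if __name__ == "__main__":
    for name, hv in add_proxy_vars(SAMPLE_INVENTORY, BASTION_VARS).items():
        print(name, ssh_args(hv))
    print(render_ansible_cfg("203.0.113.10", "ec2-user"))
```

With `ssh -W`, the inner ssh on the control machine verifies the bastion's host key and the outer ssh verifies the private host's key through the tunnel, so both keys end up in the control machine's known_hosts; a dynamic environment that recreates bastions still has to deal with those keys changing.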