When it comes to Amazon Web Services (AWS) infrastructure automation, the latest release of the Ansible amazon.aws Collection brings a set of fresh features to build, manage and govern various public and hybrid cloud use cases while accelerating the process from development to production.
In this blog post, we will go over what else has changed and highlight what’s new in the 2.0 release of this Ansible Content Collection.
Forward-looking Changes
Much of our work in the 2.0 release has been focused in the following areas:
- Enhancing several modules from the upstream community
- Promoting modules to being formally supported by Red Hat
- Releasing various new enhancements and clarifying supportability policies
New boto3/botocore Support Policy
Starting with the 2.0 amazon.aws Collection release, it is the Collection's policy to support the versions of botocore and boto3 that were released 12 months prior to the most recent major Collection release, following semantic versioning (for example, 2.0.0, 3.0.0). Individual modules may require a more recent library version to support specific features, or may still require the legacy boto library. Check the amazon.aws Collection documentation for the minimum required version for each module.
New Python Support Policy
On July 15, 2021, AWS published a minor version bump of the AWS Command Line Interface (AWS CLI) v1 and AWS SDK for Python (boto3 and botocore), requiring Python 3.6+ runtime and formally ending Python 2.7 support. To continue supporting Red Hat’s customers with secure and maintainable tools, we will be aligning with these deprecations. As a result, our CI systems no longer test against Python 2.7.
New Modules
This release brings a set of newly supported modules. They provide new compute capabilities, such as provisioning and de-provisioning virtual computing environments (instances), and facilitate network operations for various workloads and use cases.
The five scenarios that follow are summarized in the table below and show some common uses of these new Red Hat supported modules:
Scenario 1: Deploy an AWS EC2 Instance
Perhaps you need to deploy a Red Hat Enterprise Linux (RHEL) 8 image on an Amazon Elastic Compute Cloud (EC2) instance on AWS, or retrieve information about EC2 instances matching a given set of filters. The ec2_instance module and the related _info module enable you to do just that. Note that the example below assigns a public IP address and uses the VPC's default security group, so check that group's ingress rules before running it anywhere other than a test environment.
```yaml
- name: Start an EC2 instance with a public IP address
  amazon.aws.ec2_instance:
    name: "public-compute-instance"
    key_name: "{{ ssh_key }}"
    vpc_subnet_id: "{{ subnet_id }}"
    instance_type: c5.large
    security_group: default
    network:
      assign_public_ip: true
    image_id: "{{ ec2_ami_image }}"
    tags:
      Environment: Testing

- name: Gather information about any instance with a tag key Environment and value Testing
  amazon.aws.ec2_instance_info:
    filters:
      "tag:Environment": Testing
```
NOTE: ec2_instance does not handle the provisioning of EC2 spot instances, but a new ec2_spot_instance module has been released to do just that. We will expand on the features and use cases it covers in one of our upcoming in-depth blogs. So keep an eye out for that!
Scenario 2: Make Resources Publicly Accessible
Do your instances and services need to be reachable from the Internet? Without an Internet Gateway attached, the resources in a Virtual Private Cloud (VPC) cannot be reached from the Internet (unless the traffic flows through a corporate network over a Virtual Private Network (VPN) or Direct Connect). The ec2_vpc_igw module sets one up. Attaching a gateway by itself exposes nothing: a subnet becomes public only when its route table sends traffic to the gateway, and an instance in it is reachable only if it has a public IP address and a security group that admits the traffic.
Here is an example task that creates one Internet Gateway and attaches it to your VPC. The ec2_vpc_igw_info module fetches information about all Internet Gateways matching the filter.
```yaml
- name: Create Internet Gateway with tags
  amazon.aws.ec2_vpc_igw:
    vpc_id: "{{ vpc_id }}"
    state: present
    tags:
      Name: ansibleVPC_IGW

- name: Gather information about a filtered list of Internet Gateways
  amazon.aws.ec2_vpc_igw_info:
    filters:
      "tag:Name": "ansibleVPC_IGW"
```
Scenario 3: Give Internet Access to the Resources of a VPC
Suppose resources deployed on a private subnet in a VPC need to reach the Internet (for example, to send data to an external service for processing), but must not accept any inbound connections from it. ec2_vpc_nat_gateway is the right module for this. It does something similar to ec2_vpc_igw, with one important difference: a NAT Gateway gives servers and services one-way connectivity to the Internet, translating their private addresses to its Elastic IP, and never forwards a connection that originated from the outside back in. Two things must be in place for it to work: the NAT Gateway itself is created in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway), and the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway (see Scenario 4).
Here is an example task that creates a Network Address Translation (NAT) Gateway and allocates a new Elastic IP for it. If you also need to retrieve information on the NAT Gateways matching specific filters, the second task in the snippet shows how to use ec2_vpc_nat_gateway_info.
```yaml
- name: Create new NAT Gateway and allocate new EIP
  amazon.aws.ec2_vpc_nat_gateway:
    state: present
    subnet_id: "{{ subnet_id }}"
    wait: true
    region: "{{ aws_region }}"

- name: Get NAT Gateways with specific filter
  amazon.aws.ec2_vpc_nat_gateway_info:
    region: "{{ aws_region }}"
    filters:
      subnet-id: "{{ subnet_id }}"
      state: ['available']
```
Scenario 4: Routing Traffic in a VPC
That's a lot of new modules ready to support you in automating different use cases so far! We have seen the new Internet and NAT Gateway management modules, but a gateway alone carries no traffic: each subnet's route table decides where its outbound traffic goes.
The Collection comes with two new modules dedicated to route table management: ec2_vpc_route_table and its _info counterpart. In this use case, ec2_vpc_route_table gives you granular control over routing in a VPC, for example sending all Internet-bound traffic (0.0.0.0/0) from selected subnets through an Internet Gateway. Be deliberate about which subnets you associate with such a table: a default route to an Internet Gateway is exactly what makes a subnet public, so it should only hold resources that are meant to be Internet-facing. ec2_vpc_route_table_info fetches the route tables matching the specified filters.
```yaml
- name: Set up public route table
  amazon.aws.ec2_vpc_route_table:
    vpc_id: "{{ vpc_id }}"
    region: "{{ aws_region }}"
    tags:
      Name: Example
    subnets:
      - "{{ subnet_id }}"
      - '10.0.0.0/8'
    routes:
      - dest: 0.0.0.0/0
        gateway_id: "{{ igw_id }}"

- name: Gather information about any VPC route table with a tag key Name and value Example
  amazon.aws.ec2_vpc_route_table_info:
    filters:
      "tag:Name": Example
```
Scenario 5: Enabling Secure Communication to AWS-supported Services
Suppose a group of EC2 instances needs to access AWS services (such as data in Amazon S3) in a controlled and secure way. To reach the service, they do not need to go over the Internet via an Internet Gateway, VPN connection, NAT Gateway or public IP address. Instead, a VPC Endpoint makes the service reachable from the private network: traffic between the instances and the service stays on the AWS network and is never exposed to the Internet. In addition, when the VPC Endpoint is created, you can attach an endpoint policy that gives granular control over which actions and resources (for S3, which buckets) can be used through that endpoint. Endpoint policies are evaluated together with IAM policies and bucket policies, so they are an additional gate, not a replacement for either.
In that case, the ec2_vpc_endpoint module enables you to do just that.
Here is an example task that creates a VPC Endpoint with the default policy. The default policy allows full access to the service from inside the VPC; for least privilege, supply a tighter policy through the module's policy option. If you need to retrieve information about your endpoints using some matching criteria, ec2_vpc_endpoint_info helps you.
```yaml
- name: Create new VPC endpoint with the default policy
  amazon.aws.ec2_vpc_endpoint:
    state: present
    region: "{{ aws_region }}"
    vpc_id: "{{ vpc_id }}"
    service: "{{ s3_endpoint_service }}"
    route_table_ids:
      - "{{ route_table_id }}"

- name: Get all endpoints in the configured region
  amazon.aws.ec2_vpc_endpoint_info:
    query: endpoints
    region: "{{ aws_region }}"
```
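The five scenarios above are really the pieces of one network. The playbook below is an added example, not code from the original post or from the Collection's own documentation, that composes them into a VPC with one public and one private subnet and tightens the defaults the individual snippets left open: the instance gets a dedicated security group instead of `default`, only the public subnet's route table points at the Internet Gateway, the private subnet reaches the Internet only through the NAT Gateway, the S3 endpoint carries a bucket-scoped policy instead of the default full-access one, and the instance enforces IMDSv2. The variable values (AMI, key pair, admin CIDR, bucket name) are placeholders, and the `metadata_options` parameter of ec2_instance is assumed to be available in the Collection release you run.

```yaml
# Added example (not from the original post): scenarios 1-5 combined into one
# two-tier VPC. AMI, key pair, admin CIDR and bucket name are placeholders.
- name: Two-tier VPC with least-privilege defaults
  hosts: localhost
  vars:
    aws_region: us-east-1
    ec2_ami_image: ami-0123456789abcdef0   # placeholder RHEL 8 AMI for aws_region
    ssh_key: my-keypair                    # placeholder EC2 key pair name
    admin_cidr: 203.0.113.0/24             # placeholder admin/VPN egress range
    data_bucket: example-data-bucket       # placeholder S3 bucket name
  module_defaults:
    group/aws:
      region: "{{ aws_region }}"
  tasks:
    - name: Create VPC
      amazon.aws.ec2_vpc_net:
        name: ansibleVPC
        cidr_block: 10.0.0.0/16
        tags: {Environment: Testing}
      register: vpc
    - name: Create public and private subnets
      amazon.aws.ec2_vpc_subnet:
        vpc_id: "{{ vpc.vpc.id }}"
        cidr: "{{ item.cidr }}"
        tags: {Name: "{{ item.name }}"}
      loop:
        - {name: ansibleVPC_public, cidr: 10.0.1.0/24}
        - {name: ansibleVPC_private, cidr: 10.0.2.0/24}
      register: subnets
    # Scenario 2: the Internet Gateway is the only in/out path for the public subnet
    - name: Create Internet Gateway
      amazon.aws.ec2_vpc_igw:
        vpc_id: "{{ vpc.vpc.id }}"
        tags: {Name: ansibleVPC_IGW}
      register: igw
    # Scenario 3: the NAT Gateway must live in the public subnet
    - name: Create NAT Gateway in the public subnet
      amazon.aws.ec2_vpc_nat_gateway:
        subnet_id: "{{ subnets.results[0].subnet.id }}"
        wait: true
      register: natgw
    # Scenario 4: only the public table sends 0.0.0.0/0 to the IGW;
    # the private table sends it to the NAT Gateway (outbound only)
    - name: Public route table
      amazon.aws.ec2_vpc_route_table:
        vpc_id: "{{ vpc.vpc.id }}"
        subnets: ["{{ subnets.results[0].subnet.id }}"]
        routes:
          - dest: 0.0.0.0/0
            gateway_id: "{{ igw.gateway_id }}"
    - name: Private route table
      amazon.aws.ec2_vpc_route_table:
        vpc_id: "{{ vpc.vpc.id }}"
        subnets: ["{{ subnets.results[1].subnet.id }}"]
        routes:
          - dest: 0.0.0.0/0
            nat_gateway_id: "{{ natgw.nat_gateway_id }}"
      register: private_rt
    # Scenario 5: S3 gateway endpoint with a bucket-scoped policy instead of the
    # default full-access policy (Principal "*" is normal here; IAM still applies)
    - name: S3 gateway endpoint scoped to one bucket
      amazon.aws.ec2_vpc_endpoint:
        vpc_id: "{{ vpc.vpc.id }}"
        service: "com.amazonaws.{{ aws_region }}.s3"
        route_table_ids: ["{{ private_rt.route_table.id }}"]
        policy:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action: ["s3:GetObject", "s3:ListBucket"]
              Resource:
                - "arn:aws:s3:::{{ data_bucket }}"
                - "arn:aws:s3:::{{ data_bucket }}/*"
    # Scenario 1: a dedicated security group instead of "default",
    # SSH admitted only from admin_cidr
    - name: Bastion security group
      amazon.aws.ec2_group:
        name: ansibleVPC_bastion_sg
        description: SSH from the admin network only
        vpc_id: "{{ vpc.vpc.id }}"
        rules:
          - proto: tcp
            ports: [22]
            cidr_ip: "{{ admin_cidr }}"
      register: bastion_sg
    - name: Public bastion instance with IMDSv2 enforced
      amazon.aws.ec2_instance:
        name: public-compute-instance
        key_name: "{{ ssh_key }}"
        vpc_subnet_id: "{{ subnets.results[0].subnet.id }}"
        instance_type: c5.large
        image_id: "{{ ec2_ami_image }}"
        security_group: "{{ bastion_sg.group_id }}"
        network:
          assign_public_ip: true
        metadata_options:
          http_tokens: required   # assumed available in this Collection release
```

Run it with `ansible-playbook two-tier-vpc.yml` after exporting your AWS credentials; `module_defaults` for `group/aws` applies the region to every amazon.aws task so it does not have to be repeated. Two design points worth noting: the endpoint policy only restricts what can be reached through the endpoint, so an instance still needs IAM permissions on the bucket, and a bucket-scoped policy like this one will also block any other S3-hosted content the instances need (for example distribution package mirrors that live in S3), which you would add as further Resource entries rather than by falling back to the default policy.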
What’s next?
In this blog, we detailed the following:
- Highlighted what’s new in the 2.0 release of the amazon.aws Collection
- Showed some typical cloud management scenarios that can be achieved with the new Red Hat supported modules
- Detailed example use cases ranging from EC2 instance provisioning to VPC management
That said, using Ansible Automation Platform and the latest amazon.aws Collection to automate your deployments on AWS greatly increases the chances that your cloud initiative will be a success.
We hope you found this blog helpful! But, more importantly, we hope it inspired you to try out the latest amazon.aws Collection release and let us know what you think. Please stop by the Ansible AWS IRC channel #ansible-aws on Libera.Chat to provide your valuable feedback or receive assistance with the amazon.aws Collection.
For further reading and information, visit the other blogs related to AWS automation. If you are unfamiliar with Ansible Content Collections, check out our YouTube playlist for everything about Ansible Collections. The videos will get you up to speed quickly.
Also, don’t forget to check out our Automate infrastructure workflows e-book if you want to learn more about building a unified, automated pipeline for infrastructure operations.
- Check out all our E-Books online here.
- Where can I get a trial? If you want a trial of Ansible Automation Platform, please visit http://red.ht/try_ansible
- Where can I learn Ansible? If you are new to Ansible automation and want to learn, check out our getting started guide lessons on developers.redhat.com