A cluttered and naive rundown of what's happening in our Ansible playbook


First, launchcluster exports region variables, keypair name, mgmt ip, bastion_id, and 3 zones, then launches stage 1

Stage 1

stage one does pre_tasks, creating region config and eip if needed, then updating vpn ip.

then stage 1 runs 1 role:

  • launch cloudformation, which changes the id of each dmz and private instance to a custom ip to make it easier to work with. It does this with the fact attribute. As a sibling, these tasks have a json that describes zones, sshlocation, owner, CIDR, our 6 servers in the VPC, and mappings...?etc...

Stage 2

stage 2 declares some vars, runs include_vars as a pre_task, then runs 2 roles:

  • ec2-provision groups:

    • create or modify security groups in {{vpc_id}}

  • ec2-provision-bastion:

    • find ami,
    • launch an ec2 instance,
    • debug,
    • add_host,
    • debug,
    • update bastion_instance to {{bastion_instance}},
    • wait for instances to listen on port:22

then stage2 configures the natvpn, then includes vars again, then runs 4 roles:

  • webmin:

    • create webmin user,
    • add webmin repo key,
    • add webmin repo,
    • install webmin deb,
    • check stat???,
    • download webmin openvpn module,
    • install webmin openvpn,
    • ensure webmin is running (and enable it at boot)

  • iptables:

    • enable ip_forward,
    • persist ip_forward,
    • add ipfw rules,
    • enable ipfw rules on boot,
    • enable firewall

  • makevpn:

    • make openvpn keys dir,
    • make openvpn clients dir,
    • make openvpn dirs,
    • create CA dir,
    • install ca.config for webmin,
    • install openvpn,
    • write openvpn vars,
    • write openvpn-ssl.cnf,
    • check stats?,
    • generate DH params (takes a while),
    • make certificate authority,
    • convert ca.crt to ca.pem,
    • initialize {{ca_name}} serial,
    • initialize {{ca_name}},
    • make crl,
    • request serverKey,
    • sign serverKey,
    • make {{vpn_name}}ServerKey.server for webmin,
    • make ta,
    • install {{vpn_name}}.conf,
    • ensure openvpn is running (and enable at boot)

  • vpnusers:

    • make client request,
    • make client cert,
    • make openvpn dirs,
    • make client dir,
    • make ovpn client,
    • make conf client,
    • touch ccd
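As an added example (not the playbook's own code), here is one way the five iptables steps listed above could be written as Ansible tasks for a Debian/Ubuntu NAT+VPN host. The variable names private_cidr, vpn_cidr and public_iface are assumptions, and the "enable on boot" steps assume the iptables-persistent package.

```yaml
# Added example (not the playbook's own code): the iptables role listed above, for a
# Debian/Ubuntu NAT+VPN host. Assumed variables: private_cidr (VPC subnet to NAT),
# vpn_cidr (OpenVPN client network), public_iface (Internet-facing interface, e.g. eth0).
- name: enable ip_forward now and persist it in /etc/sysctl.conf
  sysctl: { name: net.ipv4.ip_forward, value: "1", sysctl_set: yes, state: present, reload: yes }

- name: install iptables-persistent so the saved ruleset is restored on boot
  apt: { name: iptables-persistent, state: present }

- name: accept loopback and return traffic before anything is dropped
  iptables:
    chain: "{{ item.chain }}"
    in_interface: "{{ item.iface | default(omit) }}"
    ctstate: "{{ item.state | default(omit) }}"
    jump: ACCEPT
  loop:
    - { chain: INPUT, iface: lo }
    - { chain: INPUT, state: "ESTABLISHED,RELATED" }
    - { chain: FORWARD, state: "ESTABLISHED,RELATED" }

- name: accept ssh (tcp/22) and openvpn (udp/1194) to this host
  iptables:
    chain: INPUT
    protocol: "{{ item.proto }}"
    destination_port: "{{ item.port }}"
    jump: ACCEPT
  loop:
    - { proto: tcp, port: "22" }
    - { proto: udp, port: "1194" }

- name: forward private-subnet and VPN traffic out the public interface and NAT it
  iptables:
    table: "{{ item.1.table }}"
    chain: "{{ item.1.chain }}"
    source: "{{ item.0 }}"
    out_interface: "{{ public_iface }}"
    jump: "{{ item.1.jump }}"
  with_nested:
    - ["{{ private_cidr }}", "{{ vpn_cidr }}"]
    - [{ table: filter, chain: FORWARD, jump: ACCEPT },
       { table: nat, chain: POSTROUTING, jump: MASQUERADE }]

# Ordering matters: the accept rules above are appended first, so setting the
# default policy to DROP here does not cut off the ssh session running the play.
- name: default-deny INPUT and FORWARD now that the accept rules exist
  iptables: { chain: "{{ item }}", policy: DROP }
  loop: [INPUT, FORWARD]
- name: save the live ruleset; netfilter-persistent reloads it at boot
  command: netfilter-persistent save
- name: enable the firewall service at boot
  service: { name: netfilter-persistent, enabled: yes, state: started }
```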

Stage 3

stage 3 declares some vars, and does pre-tasks: include vars, assign elastic ip, NAT Oregon private networks.

then stage 3 runs 1 role:

  • ec2-provision-ecs:

    • create ELB security group,
    • create instance security group,
    • create ecs cluster,
    • create ELB,
    • create ECS Service Schedule IAM Role,
    • create ECS Container Instance IAM Role,
    • set ECS Service Policy,
    • set ECS Instance Policy,
    • find ami,
    • create launch config,
    • create ASG


DestroyCluster uses teardown.yml which runs these tasks:

  • destroy ASG, destroy launch config,
  • destroy elb,
  • terminate ECS cluster,
  • terminate bastion instance,
  • pause to let bastion die,
  • release eip,
  • destroy security groups,
  • destroy igw,
  • pause to let igw die,
  • destroy vpc,
  • destroy cloudformation stack,
  • remove local vars,
  • then logs: "Dont forget to increment bastion ID manually!"

stray observations

ec2.py is huge...is it boilerplate? ditto ec2.ini

apparently unused roles (did I miss them or are they glimpses of the future?): snap-ami, users