aws_ec2 – EC2 inventory source

Synopsis

• Get inventory hosts from Amazon Web Services EC2.

• Uses a YAML configuration file that ends with aws_ec2.(yml|yaml).

Requirements

The below requirements are needed on the local master node that executes this inventory.

• boto3

• botocore

Parameters

Parameter	Choices/Defaults	Configuration	Comments
aws_access_key string		env:EC2_ACCESS_KEY env:AWS_ACCESS_KEY env:AWS_ACCESS_KEY_ID	The AWS access key to use. aliases: aws_access_key_id
aws_profile string		env:AWS_DEFAULT_PROFILE env:AWS_PROFILE	The AWS profile aliases: boto_profile
aws_secret_key string		env:EC2_SECRET_KEY env:AWS_SECRET_KEY env:AWS_SECRET_ACCESS_KEY	The AWS secret key that corresponds to the access key. aliases: aws_secret_access_key
aws_security_token string		env:EC2_SECURITY_TOKEN env:AWS_SESSION_TOKEN env:AWS_SECURITY_TOKEN	The AWS security token if using temporary access and secret keys.
cache boolean	Choices: no ← yes	ini entries: [inventory] cache = no env:ANSIBLE_INVENTORY_CACHE	Toggle to enable/disable the caching of the inventory's source data, requires a cache plugin setup to work.
cache_connection string		ini entries: [defaults] fact_caching_connection = VALUE [inventory] cache_connection = VALUE env:ANSIBLE_CACHE_PLUGIN_CONNECTION env:ANSIBLE_INVENTORY_CACHE_CONNECTION	Cache connection data or path, read cache plugin documentation for specifics.
cache_plugin string	Default: "memory"	ini entries: [defaults] fact_caching = memory [inventory] cache_plugin = memory env:ANSIBLE_CACHE_PLUGIN env:ANSIBLE_INVENTORY_CACHE_PLUGIN	Cache plugin to use for the inventory's source data.
cache_prefix -	Default: "ansible_inventory_"	ini entries: [default] fact_caching_prefix = ansible_inventory_ [inventory] cache_prefix = ansible_inventory_ env:ANSIBLE_CACHE_PLUGIN_PREFIX env:ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX	Prefix to use for cache plugin files/tables
cache_timeout integer	Default: 3600	ini entries: [defaults] fact_caching_timeout = 3600 [inventory] cache_timeout = 3600 env:ANSIBLE_CACHE_PLUGIN_TIMEOUT env:ANSIBLE_INVENTORY_CACHE_TIMEOUT	Cache duration in seconds
compose dictionary	Default: {}		Create vars from jinja2 expressions.
filters dictionary	Default: {}		A dictionary of filter value pairs. Available filters are listed here groups dictionary	Default: {}		Add hosts to group based on Jinja2 conditionals.
hostnames list	Default: []		A list in order of precedence for hostname variables. You can use the options specified in iam_role_arn - added in 2.9			The ARN of the IAM role to assume to perform the inventory lookup. You should still provide AWS credentials with enough privilege to perform the AssumeRole action.
include_extra_api_calls boolean added in 2.8	Choices: no ← yes		Add two additional API calls for every instance to include 'persistent' and 'events' host variables. Spot instances may be persistent and instances may have associated events.
keyed_groups list	Default: []		Add hosts to group based on the values of a variable.
plugin - / required	Choices: aws_ec2		Token that ensures this is a source file for the plugin.
regions list	Default: []		A list of regions in which to describe EC2 instances. If empty (the default) default this will include all regions, except possibly restricted ones like us-gov-west-1 and cn-north-1.
strict boolean	Choices: no ← yes		If yes make invalid entries a fatal error, otherwise skip and continue. Since it is possible to use facts in the expressions they might not always be available and we ignore those errors by default.
strict_permissions boolean	Choices: no yes ←		By default if a 403 (Forbidden) error code is encountered this plugin will fail. You can set this option to False in the inventory config file which will allow 403 errors to be gracefully skipped.
use_contrib_script_compatible_sanitization boolean added in 2.8	Choices: no ← yes		By default this plugin is using a general group name sanitization to create safe and usable group names for use in Ansible. This option allows you to override that, in efforts to allow migration from the old inventory script and matches the sanitization of groups when the script's ``replace_dash_in_groups`` option is set to ``False``. To replicate behavior of ``replace_dash_in_groups = True`` with constructed groups, you will need to replace hyphens with underscores via the regex_replace filter for those entries. For this to work you should also turn off the TRANSFORM_INVALID_GROUP_CHARS setting, otherwise the core engine will just use the standard sanitization on top. This is not the default as such names break certain functionality as not all characters are valid Python identifiers which group names end up being used as.

Notes

Note

• If no credentials are provided and the control node has an associated IAM instance profile then the role will be used for authentication.

Examples

# Minimal example using environment vars or instance role credentials
# Fetch all hosts in us-east-1, the hostname is the public DNS if it exists, otherwise the private IP address
plugin: aws_ec2
regions:
  - us-east-1

# Example using filters, ignoring permission errors, and specifying the hostname precedence
plugin: aws_ec2
boto_profile: aws_profile
# Populate inventory with instances in these regions
regions:
  - us-east-1
  - us-east-2
filters:
  # All instances with their `Environment` tag set to `dev`
  tag:Environment: dev
  # All dev and QA hosts
  tag:Environment:
    - dev
    - qa
  instance.group-id: sg-xxxxxxxx
# Ignores 403 errors rather than failing
strict_permissions: False
# Note: I(hostnames) sets the inventory_hostname. To modify ansible_host without modifying
# inventory_hostname use compose (see example below).
hostnames:
  - tag:Name=Tag1,Name=Tag2  # Return specific hosts only
  - tag:CustomDNSName
  - dns-name
  - private-ip-address

# Example using constructed features to create groups and set ansible_host
plugin: aws_ec2
regions:
  - us-east-1
  - us-west-1
# keyed_groups may be used to create custom groups
strict: False
keyed_groups:
  # Add e.g. x86_64 hosts to an arch_x86_64 group
  - prefix: arch
    key: 'architecture'
  # Add hosts to tag_Name_Value groups for each Name/Value tag pair
  - prefix: tag
    key: tags
  # Add hosts to e.g. instance_type_z3_tiny
  - prefix: instance_type
    key: instance_type
  # Create security_groups_sg_abcd1234 group for each SG
  - key: 'security_groups|json_query("[].group_id")'
    prefix: 'security_groups'
  # Create a group for each value of the Application tag
  - key: tags.Application
    separator: ''
  # Create a group per region e.g. aws_region_us_east_2
  - key: placement.region
    prefix: aws_region
  # Create a group (or groups) based on the value of a custom tag "Role" and add them to a metagroup called "project"
  - key: tags['Role']
    prefix: foo
    parent_group: "project"
# Set individual variables with compose
compose:
  # Use the private IP address to connect to the host
  # (note: this does not modify inventory_hostname, which is set via I(hostnames))
  ansible_host: private_ip_address

Status

• This inventory is not guaranteed to have a backwards compatible interface. [preview]

• This inventory is maintained by the Ansible Community. [community]

Authors

• Sloane Hertel (@s-hertel)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.