This role allows you to create VPCs in Amazon Web Services (AWS) following a number of different design patterns. It supports combinations of single or multi AZ, single or multi subnet. It will automatically create:
- the internet gateway for public subnets with associate route
- NAT gateways for private subnets with associate route
- security groups to allow SSH to these subnets from a given CIDR address/block
- network ACLs for public and private subnets to allow SSH
Optionally, it will create a private DNS hosted zone attached to the VPC. If DNS is created then a DHCP option set is associated with the VPC for the purposes of setting the domain_name and dns_servers. The AmazonProvidedDNS reserved word is used to specify Amazon DNS servers in this case and this cannot be changed. All objects, where possible will include a Name tag and a chosen Project tag. The terms "public" and "private" are used within this role as follows:
- Public objects relate to the internet facing subnet(s) and have assign public IP address set to true
- Private objects relate to the non-internet facing subnet(s)
Note that this role only works within a single AWS region.
Note that the following parameters of the ec2_vpc_net module are not supported by this role.
In order to use this role you need an AWS account and an AWS user with appropriate permissions. To make things easier an AWS policy document is included with this role.
As this role interfaces with the AWS API, the boto3 Python module is also required. One way to install boto is to use pip:
pip install boto
The role includes the following defaults:
Note that these credentials should be kept private as they can be used to gain access to your AWS environment. It is recommended that these variables be encrypted with Ansible Vault. See https://docs.ansible.com/ansible/2.4/ansible-vault.html for details.
Note that this default should be overridden as it is used in the security groups intended for SSH access. aws_vpc_cidr_for_access: "126.96.36.199/32"
aws_vpc_tag_project: "My Project"
The role includes no variables (vars). The role does not depend on any global variables or variables from other roles.
This role does not depend on any other Ansible roles.
Here is an example of how you might use the role. In this example, the default region is overriden as is the CIDR address used in the security group for access.
Given the defaults above, this example would yield a VPC in a single AZ us-east-1a, with a single internet facing subnet "sub_public_a" with a CIDR of 10.0.0.0/24.
No DNS would be created.
- hosts: localhost connection: local gather_facts: False tasks: - name: Create VPC include_role: level27tech.aws_vpc vars: aws_vpc_aws_access_key: "AVIBI4QDEWFZOC2T3K4A" aws_vpc_aws_secret_key: "Br9t-/gEN+OYfrbDmr7f63NyliCPIrDvTdcTUMHf" aws_vpc_region: "us-east-1" aws_vpc_cidr_for_access: "192.168.0.1/32"
Name: Dean Harris Organisation: Level 27 Technology Ltd