Completed documentation of the EC2 external inventory script

rst/api.rst

@@ -174,13 +174,13 @@ Example: AWS EC2 External Inventory Script
 
 If you use Amazon Web Services EC2, maintaining an inventory file might not be the best approach. For this reason, you can use the `EC2 external inventory  <https://github.com/ansible/ansible/blob/devel/examples/scripts/ec2_external_inventory.py>`_ script.
 
-You can use this script in one of two ways. The easiest is to use ansible's `-i` command line option and specify the path to the script.
+You can use this script in one of two ways. The easiest is to use Ansible's ``-i`` command line option and specify the path to the script.
 
     ansible -i examples/scripts/ec2_external_inventory.py -u ubuntu us-east-1d -m ping
 
-The second option is to copy the script to `/etc/ansible/hosts` and `chmod +x` it. You will also need to copy the `ec2.ini` file to `/etc/ansible/ec2.ini`. Then you can run ansible as you would normally.
+The second option is to copy the script to `/etc/ansible/hosts` and `chmod +x` it. You will also need to copy the ``ec2.ini`` file to `/etc/ansible/ec2.ini`. Then you can run ansible as you would normally.
 
-To successfully make an API call to AWS, you will need to configure Boto. There are a `variety of methods <http://docs.pythonboto.org/en/latest/boto_config_tut.html>`_, but the simplest is just to export two environment variables:
+To successfully make an API call to AWS, you will need to configure Boto (the Python interface to AWS). There are a `variety of methods <http://docs.pythonboto.org/en/latest/boto_config_tut.html>`_ available, but the simplest is just to export two environment variables:
 
     export AWS_ACCESS_KEY_ID='AK123'
     export AWS_SECRET_ACCESS_KEY='abc123'
@@ -192,7 +192,87 @@ You can test the script by itself to make sure your config is correct
 
 After a few moments, you should see your entire EC2 inventory across all regions in JSON.
 
-Since each region requires its own API call, if you are only using a small set of regions, feel free to edit `ec2.ini` and list just the regions you are interested in. There are other config options in `ec2.ini` including cache control.
+Since each region requires its own API call, if you are only using a small set of regions, feel free to edit ``ec2.ini`` and list only the regions you are interested in. There are other config options in ``ec2.ini`` including cache control, and destination variables.
+
+At their heart, inventory files are simply a mapping from some name to a destination address. The default ``ec2.ini`` settings are configured for running Ansible from outside EC2 (from your laptop for example). If you are running Ansible from within EC2, internal DNS names and IP addresses may make more sense than public DNS names. In this case, you can modify the ``destination_variable`` in ``ec2.ini`` to be the private DNS name of an instance. This is particularly important when running Ansible within a private subnet inside a VPC, where the only way to access an instance is via its private IP address. For VPC instances, `vpc_destination_variable` in ``ec2.ini`` provides a means of using which ever `boto.ec2.instance variable <http://docs.pythonboto.org/en/latest/ref/ec2.html#module-boto.ec2.instance>`_ makes the most sense for your use case.
+
+The EC2 external inventory provides mappings to instances from several groups:
+
+Instance ID
+  These are groups of one since instance IDs are unique.
+  e.g.
+  ``i-00112233``
+  ``i-a1b1c1d1`` 
+
+Region
+  A group of all instances in an AWS region.
+  e.g.
+  ``us-east-1``
+  ``us-west-2``
+
+Availability Zone
+  A group of all instances in an availability zone.
+  e.g.
+  ``us-east-1a``
+  ``us-east-1b``
+
+Security Group
+  Instances belong to one or more security groups. A group is created for each security group, with all characters except alphanumerics, dashes (-) converted to underscores (_). Each group is prefixed by ``security_group_``
+  e.g.
+  ``security_group_default``
+  ``security_group_webservers``
+  ``security_group_Pete_s_Fancy_Group``
+
+Tags
+  Each instance can have a variety of key/value pairs associated with it called Tags. The most common tag key is 'Name', though anything is possible. Each key/value pair is its own group of instances, again with special characters converted to underscores, in the format ``tag_KEY_VALUE``
+  e.g.
+  ``tag_Name_Web``
+  ``tag_Name_redis-master-001``
+  ``tag_aws_cloudformation_logical-id_WebServerGroup``
+
+When the Ansible is interacting with a specific server, the EC2 inventory script is called again with the ``--host HOST`` option. This looks up the HOST in the index cache to get the instance ID, and then makes an API call to AWS to get information about that specific instance. It then makes information about that instance available as variables to your playbooks. Each variable is prefixed by ``ec2_``. Here are some of the variables available:
+
+- ec2_architecture
+- ec2_description
+- ec2_dns_name
+- ec2_id
+- ec2_image_id
+- ec2_instance_type
+- ec2_ip_address
+- ec2_kernel
+- ec2_key_name
+- ec2_launch_time
+- ec2_monitored
+- ec2_ownerId
+- ec2_placement
+- ec2_platform
+- ec2_previous_state
+- ec2_private_dns_name
+- ec2_private_ip_address
+- ec2_public_dns_name
+- ec2_ramdisk
+- ec2_region
+- ec2_root_device_name
+- ec2_root_device_type
+- ec2_security_group_ids
+- ec2_security_group_names
+- ec2_spot_instance_request_id
+- ec2_state
+- ec2_state_code
+- ec2_state_reason
+- ec2_status
+- ec2_subnet_id
+- ec2_tag_Name
+- ec2_tenancy
+- ec2_virtualization_type
+- ec2_vpc_id
+
+Both ``ec2_security_group_ids`` and ``ec2_security_group_names`` are comma-separated lists of all security groups. Each EC2 tag is a variable in the format ``ec2_tag_KEY``.
+
+To see the complete list of variables available for an instance, run the script by itself:
+
+    cd examples/scripts
+    ./ec2_external_inventory.py --host ec2-12-12-12-12.compute-1.amazonaws.com
 
 
 .. seealso::