Home

Awesome

<br /><br />

<p align="center"> <img width="230" src="assets/icon.png" /> </p> <br /><br />

ansible-ssm

An ansible role to provision physical and virtual hosts with the AWS SSM agent.

Build Status

Current version: 1.0.0

Lead Maintainer: Halim Qarroum

📋 Table of content

🚀 Install

In order to use this role, you can download it on your development machine using Ansible Galaxy.

ansible-galaxy install hqarroum.aws_ssm_agent

🔖 Features

🎒 Pre-requisites

🔰 Description

This Ansible playbook provides developers and system engineers with the ability to deploy at scale the AWS SSM Agent on remote Linux, Mac and Windows hosts across different architectures. The AWS SSM agent will be registered as a service on the target operating system.

When dealing with managed instances, AWS SSM requires you to create an activation for one or multiple hosts that you can pass to this playbook using Ansible variables.

🛠 Usage

The below sections gives you an overview of the different actions at your disposal by using this playbook. We highly recommend that you be familiar with Ansible before using it, here is a link to the Ansible Documentation.

Create a first deployment

It is possible to specify an existing AWS SSM activation to this playbook while deploying it on your instances. This allows you to restrict the roles of your deployment machine or deployment team(s) and have them rely on the activation identifier and code that you previously created.

Below is an example of how to pass an activation identifier and activation code to your instances.

ansible-playbook playbook.yml \
  -i <path-to-your-inventory> \
  --extra-vars "aws_ssm_activation_code=<code> aws_ssm_activation_id=<id> aws_ssm_ec2_region=<region>"

If you want to specify a different activation code and identifier to each of your instance, use your inventory to pass both variables for each one of them.

<details><summary>See the example</summary> <p>
[all]
<host-1> aws_ssm_activation_code=<code> aws_ssm_activation_id=<id> aws_ssm_ec2_region=<region>
<host-2> aws_ssm_activation_code=<code> aws_ssm_activation_id=<id> aws_ssm_ec2_region=<region>
</p> </details>

Enable auto-activation

You can delegate the creation of the activation to the playbook by enabling auto-activation (disabled by default) by setting the auto_activation variable to enabled. See the Playbook Variables section for more information.

This example will require the AWS CLI to be installed on your deployment machine provisioned with the appropriate IAM roles to create an activation code and an IAM Instance Role for your host(s) automatically. The AWS region will be inferred automatically from the AWS CLI.

ansible-playbook playbook.yml \
  -i <path-to-your-inventory> \
  --extra-vars "auto_activation=enabled"

Associate tags to your instances

If you do not specify an activation identifier and code for your instances, you must set the auto_activation variable to enabled which will cause this role to automatically create them using the AWS CLI on your deployment machine for each provisioned instance. While doing so, it is possible to bind tags to the created activations such that these tags gets automatically associated with your instance in AWS SSM.

Below is an example of how to bind tags to your activation identifier and activation code.

ansible-playbook playbook.yml \
  -i <path-to-your-inventory> \
  --extra-vars "auto_activation=enabled instance_tags\"Key=foo,Value=bar\""

Installing the AWS SSM Agent in a specific path

By default, the AWS SSM Agent will be installed using the package manager available on your system (for example, Ubuntu uses apt and RedHat uses yum). However, embedded operating systems such as Yocto often don't have a package manager available, in which case it can be challenging to install software in a portable and automated way. To address this issue, the ansible-ssm role will install AWS SSM by un-archiving its binaries (according to the architecture of your hosts) on the system.

The default root path in which the un-archiving process target will be the root directory (/). This can lead to some issues on some systems for which the root file-system is mounted as read-only. In that case, you can choose in which directory to install the AWS SSM Agent by specifying the aws_ssm_agent_install_directory such as in the following example.

ansible-playbook playbook.yml \
  -i <path-to-your-inventory> \
  --extra-vars "auto_activation=enabled aws_ssm_agent_install_directory=/var/ssm"

⚠️ Only specify this variable if you are deploying on hosts that do not have any supported package manager available.

📗 Playbook Variables

As seen in previous sections, this playbook exposes different variables which you can pass to the ansible-playbook command when creating a deployment to customize it, or specify them in your Ansible inventory file on a host-by-host basis. Below are descriptions of all the supported variables by this playbook.

VariableDescriptionExample values
aws_ssm_activation_codeDefines an AWS SSM activation code to provide to the playbook when provisioning your instances. Required if you don't enable auto-activation.a1b2c3d4e5f6g7h8i1j2
aws_ssm_activation_idDefines an AWS SSM activation identifier to provide to the playbook when provisioning your instances. Required if you don't enable auto-activation.62275ac1-276f-47f0-9309-ef382c710b25
aws_ssm_ec2_regionSets the AWS region to use.us-east-1
auto_activationEnables or disables automatic creation of an activation code for your instances using the AWS CLI.enabled or disabled
aws_ssm_iam_roleThe Amazon Identity and Access Management (IAM) role name that you want to assign to the managed instance. This IAM role must provide AssumeRole permissions for the Systems Manager service principal ssm.amazonaws.com . For more information, see Create an IAM service role for a hybrid environment in the AWS Systems Manager User Guide (if not provided, will be automatically created). Only valid when auto-activation is enabled.AWSSSMInstanceRole
instance_tagsDefines tags to associate with AWS SSM activations created by this playbook. Only valid when auto-activation is enabled.Key=foo,Value=bar Key=bar,Value=baz
aws_ssm_agent_install_directoryDefines the target installation directory for AWS SSM when no package managers are available on your system./var/ssm

🏷 Playbook Tags

In addition to the Ansible variables it makes available, this playbook has the different parts of the deployment process tagged so that you can either cherry-pick the processes that interests you or rather exclude some of the tagged processes part of the deployment. Below is a table of the available tags associated with each deployment processes exposed by this playbook.

Tag nameProcessDescription
install-agentAWS SSM Agent InstallationThe process associated with this tag will install the AWS SSM agent in the target host given its current architecture and operating system.
register-serviceAWS SSM Agent Service RegistrationThe process associated with this tag will register the provisioned AWS SSM Agent as a service on the host operating system, such that the agent will automatically start and run in the background when the host system starts.
register-agentAWS SSM Agent RegistrationThe process associated with this tag will automatically register the provisioned AWS SSM Agent with the AWS SSM service using either the provided activation code and identifier, or if not provided, by auto-generating a new activation code and identifier locally using the AWS CLI. If you skip this tag, only the AWS SSM Agent will be provisioned on the host, but no activations will be performed.

🏁 Compatibility Matrix

Below is a matrix of the operating systems, architectures that have been tested with this Ansible playbook.

OSArchitectureCompatible
Ubuntu 20.04x86_64:white_check_mark:
Ubuntu 18.04x86_64 and arm64:white_check_mark:
Ubuntu Server 14.04 LTSx86_64:white_check_mark:
Ubuntu Server 16.04 LTSx86_64:white_check_mark:
MacOS Big Surx86_64:white_check_mark:
Amazon Linuxx86_64:white_check_mark:
Amazon Linux 2x86_64:white_check_mark:
SUSE Linux Enterprise Server 15x86_64:white_check_mark:
OpenSUSE Leap 42.1x86_64:white_check_mark:
Red Hat Enterprise Linuxx86_64 and arm64:white_check_mark:
Debian Stretchx86_64:white_check_mark:
CentOSx86_64:white_check_mark:
Fedorax86_64:white_check_mark:
Raspbian Stretcharmv7l:white_check_mark:
Microsoft Windows Server 2019x86_64:white_check_mark:
Yocto Linux Distributionx86_32:white_check_mark:

Contributions are welcome if you have reported a successful or unsuccessful deployment of the AWS SSM Agent using this Ansible playbook on an operating system that is not listed above.

👀 See also