Initial commit

README.md

@@ -0,0 +1,26 @@
+# Ansible on Google Cloud using IAP
+
+## Install
+
+```shell
+python3 -m venv venv
+. venv/bin/activate
+python3 -m pip install -r requirements.txt
+```
+
+## Usage
+
+Edit `inventory.gcp.yml` and list your projects under `projects:`
+
+```shell
+ansible-playbook -v -i inventory.gcp.yml test.playbook.yml
+```
+
+## Documentation
+
+- [Google Cloud Platform Guide - Ansible Documentation](https://docs.ansible.com/ansible/latest/scenario_guides/guide_gce.html)
+- [Google.Cloud - Ansible Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/index.html)
+
+## Thanks
+
+- [binx.io - How to tell Ansible to use GCP IAP tunneling](https://binx.io/2021/03/10/how-to-tell-ansible-to-use-gcp-iap-tunneling/)

ansible.cfg

@@ -0,0 +1,9 @@
+[inventory]
+enable_plugins = gcp_compute
+
+[ssh_connection]
+pipelining = True
+ssh_executable = ./gcp-ssh-wrapper.sh
+ssh_args = None
+scp_if_ssh = True
+scp_executable = ./gcp-scp-wrapper.sh

gcp-scp-wrapper.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# Thanks https://binx.io/2021/03/10/how-to-tell-ansible-to-use-gcp-iap-tunneling/
+# This is a wrapper script allowing to use GCP's IAP option to connect
+# to our servers.
+
+# Ansible passes a large number of SSH parameters along with the hostname as the
+# second to last argument and the command as the last. We will pop the last two
+# arguments off of the list and then pass all of the other SSH flags through
+# without modification:
+HOST="${@: -2: 1}"
+CMD="${@: -1: 1}"
+
+# Unfortunately ansible has hardcoded scp options, so we need to filter these out
+# It's an ugly hack, but for now we'll only accept the options starting with '--'
+declare -a OPTS
+for SCP_ARG in "${@: 1: $# -3}" ; do
+        if [[ "${SCP_ARG}" == --* ]] ; then
+                OPTS+="${SCP_ARG} "
+        fi
+done
+
+# Remove [] around our host, as gcloud scp doesn't understand this syntax
+CMD=`echo "${CMD}" | tr -d []`
+
+exec gcloud compute scp $OPTS "${HOST}" "${CMD}"
+

gcp-ssh-wrapper.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Thanks https://binx.io/2021/03/10/how-to-tell-ansible-to-use-gcp-iap-tunneling/
+# This is a wrapper script allowing to use GCP's IAP SSH option to connect
+# to our servers.
+
+# Ansible passes a large number of SSH parameters along with the hostname as the
+# second to last argument and the command as the last. We will pop the last two
+# arguments off of the list and then pass all of the other SSH flags through
+# without modification:
+HOST="${@: -2: 1}"
+CMD="${@: -1: 1}"
+
+# Unfortunately ansible has hardcoded ssh options, so we need to filter these out
+# It's an ugly hack, but for now we'll only accept the options starting with '--'
+declare -a OPTS
+for SSH_ARG in "${@: 1: $# -3}" ; do
+        if [[ "${SSH_ARG}" == --* ]] ; then
+                OPTS+="${SSH_ARG} "
+        fi
+done
+
+exec gcloud compute ssh $OPTS "${HOST}" -- -C "${CMD}"

group_vars/all.yml

@@ -0,0 +1,3 @@
+---
+ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} #--no-user-output-enabled --quiet
+ansible_scp_extra_args: --tunnel-through-iap --zone={{ zone }} #--quiet

inventory.gcp.yml

@@ -0,0 +1,17 @@
+---
+plugin: gcp_compute
+projects:
+  - ab-heaton-dev
+auth_kind: application
+keyed_groups:
+  - key: labels
+    prefix: label
+  - key: zone
+    prefix: zone
+  - key: (tags.items|list)
+    prefix: tag
+groups:
+  gke: "'gke' in name"
+compose:
+  # set the ansible_host variable to connect with the private IP address without changing the hostname
+  ansible_host: name

pyvenv.cfg

@@ -0,0 +1,3 @@
+home = /bin
+include-system-site-packages = false
+version = 3.10.4

requirements.txt

@@ -0,0 +1,4 @@
+ansible
+google-auth
+pywinrm
+requests

test.playbook.yml

@@ -0,0 +1,14 @@
+---
+- name: Test
+  hosts: all
+
+  tasks:
+  - name: Test | Verify connection and usable Python
+    ansible.builtin.ping:
+
+  - name: Test | Hostname from Shell
+    ansible.builtin.shell: |
+      hostname
+    args:
+      executable: /bin/bash
+    changed_when: False