google-cloud-platform - Ansible GCP IAP tunnel

Reposted. Author: 行者123. Updated: 2023-12-03 20:27:08

I am trying to connect to a GCP compute instance through IAP. I have a service account with the required permissions.

I have tried the following:

  • A basic Ansible ping, ansible -vvvv GCP -m ping; it fails because the hostname cannot be resolved, because I have no external IP.
  • I set ssh_executable=wrapper.sh as described here

  • Number 2 almost works, but the regex command is cumbersome.

    Is there a native Ansible solution?

    Edit: the gcp_compute dynamic inventory does work for pinging instances, but not for managing them.

    Ansible does not support package or system management when tunnelling through IAP.

    Best answer

    For those still looking for a solution for using IAP SSH with Ansible on internal IPs: I made some changes to the script listed here.
    My main problem was that I had to add --zone as an option, since gcloud does not detect it automatically when run through Ansible.
    Because I did not want to call the CLI and add more waiting time, I chose to use group_vars to set my SSH options. This also lets me specify other options for the gcloud compute ssh command.
    Here is what the required files look like:
    ansible.cfg

    [inventory]
    enable_plugins = gcp_compute

    [defaults]
    inventory = misc/inventory.gcp.yml
    interpreter_python = /usr/bin/python

    [ssh_connection]
    # Enabling pipelining reduces the number of SSH operations required
    # to execute a module on the remote server.
    # This can result in a significant performance improvement
    # when enabled.
    pipelining = True
    scp_if_ssh = False
    ssh_executable = misc/gcp-ssh-wrapper.sh
    ssh_args = None
    misc/gcp-ssh-wrapper.sh
    #!/bin/bash
    # This is a wrapper script allowing to use GCP's IAP SSH option to connect
    # to our servers.

    # Ansible passes a large number of SSH parameters along with the hostname as the
    # second to last argument and the command as the last. We will pop the last two
    # arguments off of the list and then pass all of the other SSH flags through
    # without modification:
    host="${@: -2: 1}"
    cmd="${@: -1: 1}"

    # Unfortunately ansible has hardcoded ssh options, so we need to filter these out
    # It's an ugly hack, but for now we'll only accept the options starting with '--'
    # (those come from ansible_ssh_args). Collect them in an array so that an option
    # containing spaces is not split into several words when expanded below.
    declare -a opts=()
    for ssh_arg in "${@: 1: $# -3}" ; do
        if [[ "${ssh_arg}" == --* ]] ; then
            opts+=("${ssh_arg}")
        fi
    done

    exec gcloud compute ssh "${opts[@]}" "${host}" -- -C "${cmd}"
    group_vars/all.yml
    ---
    ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
    As you can see, by using ansible_ssh_args in group_vars we can now pass through the zone that is already known from the inventory.
    If you also want to be able to copy files through the gcloud command, you can use the following configuration:
    ansible.cfg
    [ssh_connection]
    # Enabling pipelining reduces the number of SSH operations required to
    # execute a module on the remote server. This can result in a significant
    # performance improvement when enabled.
    pipelining = True
    ssh_executable = misc/gcp-ssh-wrapper.sh
    ssh_args = None
    # Tell ansible to use SCP for file transfers when connection is set to SSH
    scp_if_ssh = True
    scp_executable = misc/gcp-scp-wrapper.sh
    misc/gcp-scp-wrapper.sh
    #!/bin/bash
    # This is a wrapper script allowing to use GCP's IAP option to connect
    # to our servers.

    # Ansible passes a large number of SSH parameters along with the hostname as the
    # second to last argument and the command as the last. We will pop the last two
    # arguments off of the list and then pass all of the other SSH flags through
    # without modification:
    host="${@: -2: 1}"
    cmd="${@: -1: 1}"

    # Unfortunately ansible has hardcoded scp options, so we need to filter these out
    # It's an ugly hack, but for now we'll only accept the options starting with '--'
    # (those come from ansible_scp_extra_args). Collect them in an array so that an
    # option containing spaces is not split into several words when expanded below.
    declare -a opts=()
    for scp_arg in "${@: 1: $# -3}" ; do
        if [[ "${scp_arg}" == --* ]] ; then
            opts+=("${scp_arg}")
        fi
    done

    # Remove [] around our host, as gcloud scp doesn't understand this syntax
    # (quote the character set so the shell cannot expand it as a glob)
    cmd=$(printf '%s' "${cmd}" | tr -d '[]')

    exec gcloud compute scp "${opts[@]}" "${host}" "${cmd}"
    group_vars/all.yml
    ---
    ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
    ansible_scp_extra_args: --tunnel-through-iap --zone={{ zone }} --quiet
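A hardened variant of the two wrappers' argument handling, added here as an example; it is not part of the answer above or of the original scripts. It keeps the forwarded options as a proper argument list rather than an unquoted string, fails closed when --tunnel-through-iap is missing (for instance because the group_vars entry was not applied), and prints the gcloud command line instead of exec'ing it so the logic can be checked offline. The function name build_gcloud_cmd and the sample argument lists are assumptions; the calling convention is the one described in the answer (host and command, or source and target, as the last two arguments).

```shell
#!/bin/sh
# Added example (assumed function name), not the answer's wrapper script.
# Same calling convention as the wrappers above: the last two arguments are
# host and command (ssh) or source and target (scp); everything before them
# is Ansible's argument list, of which only the "--long" options that come
# from ansible_ssh_args / ansible_scp_extra_args are forwarded to gcloud.
# Prints the resulting command one argument per line instead of exec'ing it.
build_gcloud_cmd() {
  mode=$1; shift
  n=$#
  [ "$n" -ge 2 ] || return 2
  i=0
  # Re-append each kept option onto $@ (the for-list is already expanded, so
  # this does not disturb the loop), then shift the original arguments away.
  # This keeps options as separate words without relying on an unquoted $opts.
  for arg in "$@"; do
    i=$((i + 1))
    if [ "$i" -eq $((n - 1)) ]; then
      a=$arg
    elif [ "$i" -eq "$n" ]; then
      b=$arg
    else
      case $arg in
        --*) set -- "$@" "$arg" ;;   # keep: set by us through group_vars
        *) ;;                        # drop: Ansible's hard-coded ssh/scp flags
      esac
    fi
  done
  shift "$n"
  # Fail closed: without --tunnel-through-iap, gcloud would try to reach the
  # instance directly instead of through the IAP tunnel.
  found=0
  for arg in "$@"; do
    case $arg in --tunnel-through-iap) found=1 ;; esac
  done
  if [ "$found" -eq 0 ]; then
    echo "refusing to connect to $a: --tunnel-through-iap not set" >&2
    return 1
  fi
  case $mode in
    ssh) printf '%s\n' gcloud compute ssh "$@" "$a" -- -C "$b" ;;
    scp)
      # gcloud compute scp does not understand the [host]:path form Ansible emits
      b=$(printf '%s' "$b" | tr -d '[]')
      printf '%s\n' gcloud compute scp "$@" "$a" "$b" ;;
    *) return 2 ;;
  esac
}
```

To turn it into a drop-in wrapper, replace the two printf lines with the corresponding exec gcloud ... invocations.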

    For google-cloud-platform - Ansible GCP IAP tunnel, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58996471/
