ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-09-29 21:13:30 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adding README for plugin

Browse source
This commit is contained in:
Jorge Gallegos 2025-09-03 22:36:58 -07:00
commit 8b68a484e8
No known key found for this signature in database
1 changed files with 73 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

73
plugins/connection/README.md Normal file
View file

@ -0,0 +1,73 @@
# Identity Aware Proxy Connection Plugin
This plugin uses the gcloud cli [start-iap-tunnel](https://cloud.google.com/sdk/gcloud/reference/compute/start-iap-tunnel)
method to prepare TCP forwarding to your compute instances, and then uses the
builtin ansible SSH connection plugin to communicate ansible commands to the
target nodes.
This makes it possible to start using ansible without the need to expose your
instances to the open web, or configure stringent firewall rules to ensure no
bad actors can potentially login to your infrastructure.
## Requisites
1. The [gcloud cli tool](https://cloud.google.com/sdk/gcloud?authuser=0) installed
2. Firewall rules in places for [IAP TCP Forwarding](https://cloud.google.com/iap/docs/using-tcp-forwarding)
## Configuring the connection plugin
The connection plugin can be configured by setting some values in the
`[gcloud]` section of your ansible.cfg, here's an example:
```ini
[gcloud]
account = my-service-account@my-project.iam.gserviceaccount.com
project = my-project
region = us-central1
zone = us-central1-a
```
With the above, you can now connect to all your instances in a single
`us-central1-a` zone via IAP.
You can also couple this with the GCP dynamic inventory like so:
```yaml
plugin: google.cloud.gcp_compute
zones:
- us-central1-a
- us-central1-b
- us-central1-c
- us-central1-f
projects:
- my-project
service_account_file: /path/to/my/service-account.json
auth_kind: serviceaccount
scopes:
- 'https://www.googleapis.com/auth/cloud-platform'
- 'https://www.googleapis.com/auth/compute.readonly'
# Create groups from labels e.g.
keyed_groups:
- prefix: gcp
key: labels.gcp_role
# inventory_hostname needs to be the actual name of the instance
hostnames:
- name
# fetch zone dynamically to feed IAP plugin
compose:
ansible_gcloud_zone: zone
# maybe add some filters
filters:
- 'status = RUNNING'
- 'labels.my-special-label:some-value'
```
with the above, you don't need to statically set the zone, they will be
populated accordingly.
The rest of the connection behavior can be configured just like the builtin SSH
ansible plugin, e.g. remote user, etc.