...

Empower Ansible Configuration: IAP Tunneling in 4 Simple Steps

by
5/5 - (1 vote)

Introduction: IAP Tunneling

IAP Tunneling eliminates the manual addition of SSH details for each GCP VM in .ssh/config or .ssh/config.d/<custom_file>. This alleviates the need for attaching an external IP address to a VM, thereby enhancing security. Ansible typically relies on system SSH for connecting to remote servers and executing commands. However, this method requires the remote server to have an external IP address.

Adhering to security protocols, external IP addresses are removed from GCP VMs, preventing Ansible from connecting via an external IP. In such scenarios, alternatives like using cloud compute ssh for VM login or employing gcloud compute scp for file transfers to or from the VM become essential.

Prerequisites

  • Learn the basics of the Ansible Getting Started Guide.
  • Your account or service account (account associated with the system on which you execute the gcloud compute ssh/scp command) should have sufficient permissions or roles to execute the gcloud compute ssh/scp command.
  • Learn about GCP IAP Tunnelling.

In this post you will learn how to configure ansible to use cloud compute ssh/scp.

Configure Ansible for IAP Tunneling

Step1 – Create the required directory and files

Go to the root directory of your Ansible repo and create a network directory.

cd /path/to/ansible
# create network directory
mkdir network

create a gssh.sh file inside the network with the below content.

#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP SSH option to connect
# to our servers.

# Ansible passes a large number of SSH parameters along with the hostname as the
# second to last argument and the command as the last. We will pop the last two
# arguments off of the list and then pass all of the other SSH flags through
# without modification:
host="${@: -2: 1}"
cmd="${@: -1: 1}"

# Unfortunately ansible has hardcoded ssh options, so we need to filter these out
# It's an ugly hack, but for now we'll only accept the options starting with '--'
declare -a opts
for ssh_arg in "${@: 1: $# -3}" ; do
        if [[ "${ssh_arg}" == --* ]] ; then
                opts+="${ssh_arg} "
        fi
done

exec gcloud compute ssh $opts "${host}" -- -C "${cmd}"

Make the above file executable

chmod 0755 network/gssh.sh

Create gscp.sh file inside the network folder with the below content.

#!/bin/bash
# This is a wrapper script allowing to use GCP's IAP option to connect
# to our servers.
# Ansible passes a large number of SSH parameters along with the hostname as the
# second to last argument and the command as the last. We will pop the last two
# arguments off of the list and then pass all of the other SSH flags through
# without modification:
host="${@: -2: 1}"
cmd="${@: -1: 1}"
# Unfortunately ansible has hardcoded scp options, so we need to filter these out
# It's an ugly hack, but for now we'll only accept the options starting with '--'
declare -a opts
for scp_arg in "${@: 1: $# -3}" ; do
        if [[ "${scp_arg}" == --* ]] ; then
                opts+="${scp_arg} "
        fi
done
# Remove [] around our host, as gcloud scp doesn't understand this syntax
cmd=`echo "${cmd}" | tr -d []`
exec gcloud compute scp $opts "${host}" "${cmd}"

Make the above file executable

chmod 0755 network/gscp.sh

Step 2 – Update ansible.cfg to use custom ssh and scp scripts

Add the below configurations in ansible.cfg

[ssh_connection]
# Enabling pipelining reduces the number of SSH operations required
# to execute a module on the remote server.
# This can result in a significant performance improvement 
# when enabled.
pipelining = True
ssh_executable = network/gssh.sh
ssh_args = None
# Tell ansible to use SCP for file transfers when connection is set to SSH
scp_if_ssh = True
scp_executable = network/gscp.sh

Step 3 – Add common group vars to use IAP Tunnelling and specify a zone in the inventory file

Add the below variables under all group_vars:

ansible_ssh_args: --tunnel-through-iap --zone={{ zone }} --no-user-output-enabled --quiet
ansible_scp_extra_args: --tunnel-through-iap --zone={{ zone }} --quiet

Please ensure the zone variable is set at the group or instance level.

Step 4 – Install acl package if you want to transfer files to another user (not login user or root) home directory

Transferring a file to a different user (other than the login user)

This fails due to a lack of permission issue on a folder.

Please install the acl package first on target.

Manual through command line

sudo apt install acl

Through Ansible tasks or roles or playbook

- name: Install acl package
   apt:
     name: acl
     update_cache: yes

The issue using IAP tunneling in ansible

It is very slow since it has to go through extra network hops and do additional validation, There are some hacks to speed it up but not recommended by GCP.

FAQs on IAP tunneling

1. Does the above configuration for IAP tunneling replace default ssh with gcloud compute ssh?

Answer – Yes, you can see that we are using gcloud compute ssh command at the end of gssh.sh script.

2. Does the above configuration for IAP tunneling replace default scp with gcloud compute scp?

Answer – Yes, you can see that we are using gcloud compute scp command at the end of gscp.sh script.

3. Will the above script work for IAP tunneling if we have enforced to use of only tunnel-through-iap using IAM roles

Answer – Yes, in step 3, we are specifically mentioning --tunnel-through-iap to use the same.

Conclusion

In this post, you learned about how to use IAP tunneling effortlessly. You can customize the above script even further to fine-tune it for performance gains but that depends on your comfort level with the script. This will also strengthen your skills for customizing ansible for your use case.

In conclusion, while Ansible’s default method involves using system SSH to communicate with remote servers, certain security measures within GCP VMs often necessitate the removal of external IP addresses which can only be achieved through IAP tunneling. Consequently, Ansible encounters challenges in establishing connections to these VMs via external IPs. To address this limitation, alternative approaches become imperative.

Leveraging IAP Tunneling (gcloud compute ssh for logging into the VMs or utilizing gcloud compute SCP for file transfer operations) presents viable solutions. These methods circumvent the reliance on external IP addresses, allowing for effective interaction with GCP VMs despite the security restrictions in place. As technology evolves and security measures continue to tighten, adapting to alternative connection methods becomes crucial for seamless remote server management and file transfer operations using Ansible within GCP environments.

Enjoy the post!!

Spread the love

Leave a Comment

Seraphinite AcceleratorOptimized by Seraphinite Accelerator
Turns on site high speed to be attractive for people and search engines.