Using Ansible in Pull Mode With Credstash in AWS

Ansible is a powerful configuration management tool that is well known for its push-based model. Many users, however, are not aware that Ansible can be used in pull mode as well. The applications of Ansible-pull range from dynamically configuring instances in an Auto Scaling group to having nodes configure themselves automatically when stood up with Terraform. Ansible also has a nifty lookup function for Credstash in case you need to manage passwords/tokens in your playbook. Let's explore an example below.

I recently needed to stand up a CentOS 7 node with Terraform that would automatically join itself to an Active Directory domain. Standing up this node and manually running Ansible against it once is okay. In a large, dynamic environment, however, automating this type of process becomes necessary. Running Ansible in push mode is not ideal because it adds the extra step of having to initiate the configuration after the node is up. Using Ansible Vault with pull mode is also out of the question because it requires you to either input the decryption password as plain text via user_data or store it on a pre-baked image, neither of which is a secure option.

As you may have guessed by now, Ansible-pull with Credstash can be quite handy in the situation described above. Using Ansible-pull in a user_data script with Terraform will allow the newly provisioned node to configure itself and join the domain once it is up. The playbook I made to accomplish this can be found at my GitHub account. Please note that any node using Credstash will need an IAM role associated with it that allows it to read from DynamoDB (since Credstash stores credentials there). To read more about how Credstash works, you can check out their official GitHub page.

At this point, you may be wondering about everything the user_data script needs to contain. Here is what I used:

yum install -y epel-release
yum install -y ansible
yum install -y git
yum install -y python-pip
yum install -y gcc libffi-devel python-devel openssl-devel
pip install credstash
ansible-pull -i "localhost" -U https://github.com/Omar-Khawaja/Ansible-Pull_JoinAD

There's not much to the script above. Installing epel-release allows you to install ansible as well as python-pip (which in turn is used to install Credstash). Other required packages include git as well as gcc and some other components necessary to properly install Credstash. Finally, the ansible-pull command will allow the nodes to run the playbook against itself with any necessary configuration. You can use this user_data script as part of your launch configuration for an Auto Scaling group or simply as part of your Terraform template when creating nodes.

As you may have realized by now, Ansible-pull is a great feature and gives you more flexibility in provisioning/maintaining your infrastructure. You can also add it as a cron job to keep the configuration of your nodes up to date. In the end, the decision to use push vs pull mode (as with any other decision) will be based on the user's specific needs.