Terraform 0.12, Ansible and AWS setup

Our AWS setup is automated using Terraform and Ansible. We recently upgraded to the next major release Terraform 0.12 and needed to refactor our setup in order to support this new major version. This post is a write up of how to setup Terraform 0.12, AWS and Ansible using dynamic inventory.


Before the upgrade our setup was as follows: - Ansible - Terraform 0.11 - terraform-inventory

Terraform-inventory was used in order to use the terraform state as dynamic inventory for Ansible. Unfortunately the terraform-inventory library has multiple issues with the latest terraform release. Therefor we needed to figure out how to setup the dynamic inventory again.

Upgrading Terraform

There is a pretty good upgrade guide from Terraform describing which steps to take in order to upgrade to the latest 0.12 version. Since we needed to deal with multiple terraform version we started using Terraform version manager, inspired by rbenv, to easily manage terraform multiple versions. In the end following the upgrade guide did not give us many problems, other than fixing some deprecation warnings.

Terraform setup

We have Terraform and Ansible code in the same git repository. The terraform structure is basically as follows:

# Modules

# Config per environment

The simplified version of the web-server terraform module:

resource "aws_instance" "web_server" {
 ami = "abc"
 key_name = "ben"
 tags = {
  Name = var.server_name
  ServerRole = "web"
  Env = var.environment

Then we can create instances per environment as follows:

In terraform/acceptance/

module "web-server" {
  source      = "../modules/web-server"
  environment = "acceptance"
  server_name = ""

In terraform/production/

module "web-server" {
  source      = "../modules/web-server"
  environment = "production"
  server_name = ""

Ansible setup

Next we want to connect the Terraform setup with our Ansible playbooks in order to provision the servers. The Ansible setup is roughly:

# Ansible setup

The app-web.yml

- hosts: app_web

# rest omitted

The app-web.yml is the playbook, the group_vars/app-web.yml contains shared variables which can be overridden by the more specific group_vars/app-web-***.yml. This is not something that works out of the box when using dynamic inventory.

In order to have dynamic inventory we choose to use the aws_ec2 inventory source plugin.

To use the aws_ec2 plugin you need to enable the plugins in your ansible.cfg file:

enable_plugins = host_list, script, auto, yaml, ini, toml

Then create a file ending with aws_ec2.yml in your inventory directory. In our case in terraform/acceptance/inventory/


plugin: aws_ec2
strict: True
  - eu-central-1
boto_profile: my-aws-profile-corresponding-to-aws-credentials
  - key: tags.ServerRole
    prefix: app
  tag:Env: acceptance
  vpc-id: vpc-123456
  ansible_host: private_ip_address

  - tag:Name
  - private-ip-address

The boto_profile points to the name of your aws-profile typically defined in your ~/.aws/credentials file.

The keyed_groups will create groups to be used by Ansible to target multiple hosts at once. In this case it will create a group called app_web.

With filters you can control which servers you want to exist in this inventory file. In our case we create an inventory file per environment which correspond to a vpc-id (Virtual Private Cloud in AWS) and, to be super sure, a tag called Env with the value acceptance.

Finally the compose.ansible_host ensures that Ansible will use the private_ip_address to connect to the server. So you have to be connected to the VPC to be able to provision the servers.

To test our setup run ansible-inventory -i terraform/acceptance/inventory/acceptance.aws_ec2.yml --graph. This displays the hosts per group created by the aws_ec2 plugin:

  |  |
  |  |

As expected this created the group defined in keyed_groups called app_web. This of course corresponds to the host group we defined in our Ansible playbook app-web.yml: hosts: app_web.

This however will not load our group_vars files and hierarchy in order to be able to overwrite environment specific variables as mentioned earlier.

Luckily Ansible allows us to use multiple host files, so you can combine static and dynamic inventory. You can specify them each individually like: ansible-inventory -i terraform/acceptance/inventory/acceptance.aws_ec2.yml -i terraform/acceptance/inventory/hosts --graph or just point to a directory: ansible-inventory -i terraform/acceptance/inventory/ --graph.

Please note that the files are read in alphabetical order so to ensure this setup always works as expected it is wise to prefix them for instance with 1.acceptance.aws_ec2.yml and 2.hosts

In terraform/acceptance/inventory/2.hosts

# This will ensure that group_vars/app-web-acceptance.yml 
# overrides variables defined in the group_vars/app-web.yml

# This will connect the Ansible world with the aws_ec2 group
# returned from aws, the underscored one.

Now when running ansible-inventory -i terraform/acceptance/inventory --graph it will create all the groups with the correct hierarchy we want:

  |  |
  |  |--@app-web-acceptance:
  |  |  |--@app_web:
  |  |  |  |

Final structure

To sum up the final directory structure looks like:

# Terraform
# Ansible

Zilverline gebruikt cookies om content en advertenties te personaliseren en om ons websiteverkeer te analyseren. Ook delen we informatie over uw gebruik van onze site met onze partners voor adverteren en analyse. Deze partners kunnen deze gegevens combineren met andere informatie die u aan ze heeft verstrekt of die ze hebben verzameld op basis van uw gebruik van hun services.