Terraform 0.12, Ansible and AWS setup

Our AWS setup is automated using Terraform and Ansible. We recently upgraded to the next major release Terraform 0.12 and needed to refactor our setup in order to support this new major version. This post is a write up of how to setup Terraform 0.12, AWS and Ansible using dynamic inventory.


Before the upgrade our setup was as follows: - Ansible - Terraform 0.11 - terraform-inventory

Terraform-inventory was used in order to use the terraform state as dynamic inventory for Ansible. Unfortunately the terraform-inventory library has multiple issues with the latest terraform release. Therefor we needed to figure out how to setup the dynamic inventory again.

Upgrading Terraform

There is a pretty good upgrade guide from Terraform describing which steps to take in order to upgrade to the latest 0.12 version. Since we needed to deal with multiple terraform version we started using Terraform version manager, inspired by rbenv, to easily manage terraform multiple versions. In the end following the upgrade guide did not give us many problems, other than fixing some deprecation warnings.

Terraform setup

We have Terraform and Ansible code in the same git repository. The terraform structure is basically as follows:

# Modules

# Config per environment

The simplified version of the web-server terraform module:

resource "aws_instance" "web_server" {
 ami = "abc"
 key_name = "ben"
 tags = {
  Name = var.server_name
  ServerRole = "web"
  Env = var.environment

Then we can create instances per environment as follows:

In terraform/acceptance/ terraform module "web-server" { source = "../modules/web-server" environment = "acceptance" server_name = "" } In terraform/production/ terraform module "web-server" { source = "../modules/web-server" environment = "production" server_name = "" }

Ansible setup

Next we want to connect the Terraform setup with our Ansible playbooks in order to provision the servers. The Ansible setup is roughly:

# Ansible setup

The app-web.yml


  • hosts: app_web

rest omitted

The `app-web.yml` is the playbook, the `group_vars/app-web.yml` contains shared variables which can be overridden by the more specific `group_vars/app-web-***.yml`. This is not something that works out of the box when using dynamic inventory.

In order to have dynamic inventory we choose to use the [aws_ec2 inventory source plugin](

To use the `aws_ec2` plugin you need to enable the plugins in your `ansible.cfg` file:

enable_plugins = host_list, script, auto, yaml, ini, toml

Then create a file ending with aws_ec2.yml in your inventory directory. In our case in terraform/acceptance/inventory/

The ```yaml plugin: aws_ec2 strict: True regions: - eu-central-1 boto_profile: my-aws-profile-corresponding-to-aws-credentials keyed_groups: - key: tags.ServerRole prefix: app filters: tag:Env: acceptance vpc-id: vpc-123456 compose: ansible_host: private_ip_address

hostnames: - tag:Name - private-ip-address ```

The boto_profile points to the name of your aws-profile typically defined in your ~/.aws/credentials file.

The keyed_groups will create groups to be used by Ansible to target multiple hosts at once. In this case it will create a group called app_web.

With filters you can control which servers you want to exist in this inventory file. In our case we create an inventory file per environment which correspond to a vpc-id (Virtual Private Cloud in AWS) and, to be super sure, a tag called Env with the value acceptance.

Finally the compose.ansible_host ensures that Ansible will use the private_ip_address to connect to the server. So you have to be connected to the VPC to be able to provision the servers.

To test our setup run ansible-inventory -i terraform/acceptance/inventory/acceptance.aws_ec2.yml --graph. This displays the hosts per group created by the aws_ec2 plugin:

  |  |
  |  |

As expected this created the group defined in keyed_groups called app_web. This of course corresponds to the host group we defined in our Ansible playbook app-web.yml: hosts: app_web.

This however will not load our group_vars files and hierarchy in order to be able to overwrite environment specific variables as mentioned earlier.

Luckily Ansible allows us to use multiple host files, so you can combine static and dynamic inventory. You can specify them each individually like: ansible-inventory -i terraform/acceptance/inventory/acceptance.aws_ec2.yml -i terraform/acceptance/inventory/hosts --graph or just point to a directory: ansible-inventory -i terraform/acceptance/inventory/ --graph.

Please note that the files are read in alphabetical order so to ensure this setup always works as expected it is wise to prefix them for instance with 1.acceptance.aws_ec2.yml and 2.hosts

In terraform/acceptance/inventory/2.hosts

# This will ensure that group_vars/app-web-acceptance.yml 
# overrides variables defined in the group_vars/app-web.yml

# This will connect the Ansible world with the aws_ec2 group
# returned from aws, the underscored one.

Now when running ansible-inventory -i terraform/acceptance/inventory --graph it will create all the groups with the correct hierarchy we want:

  |  |
  |  |--@app-web-acceptance:
  |  |  |--@app_web:
  |  |  |  |

Final structure

To sum up the final directory structure looks like:

# Terraform
# Ansible