AWS Systems Manager lets you run Ansible Playbook on any number of servers(without Ansible Tower), without an SSH connection. We will see how to execute configuration management directives using Ansible on your instances using State Manager and Run Command, and the new AWS-RunAnsiblePlaybook public document.

1. Pre-Requisities

   1. IAM Role - i.e ManagedInstanceRole - with managed permissions Get Help for setting up IAM Role
      • AmazonEC2RoleforSSM - To allow Lambda to log events

2. Prepare Target Instances

   Lets use a RedHat 7.x Linux instances as our target instance.

   1. Assign the IAM Role created in the prerequisite
   2. Install SSM Agent

      sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
      sudo systemctl enable amazon-ssm-agent
      sudo systemctl start amazon-ssm-agent
      sudo systemctl status amazon-ssm-agent

   3. Install Ansible in Redhat 7

      sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      sudo yum -y install ansible

   4. Tag the instance

      TagKey:OS
      TagValue:RedHat
      

3. Create SSM State Manager

   • Choose State Manager from the System Manager Services
   • Click on Create Association
   • Select the AWS-RunAnsiblePlaybook
   • For Targets Choose Specifying tags
   • Choose appropriate schedule.
   • In the Parameters Section, paste the playbook YAML directly.
   • Define the max errors as 1. This means that if the execution encounters 1 error it will stop on the remaining targets.

4. Testing the solution

   Create an adhoc run using the Run Command manually, check the S3 Logs for execution results.

5. ToDo

   1. Load the playbook into CodeCommit and bring it under version control.
   2. or Use S3 version control for the playbook(s) to be stored.

[1] - AWS Docs - Ansible from SSM