AWX to GCP VM : Establish and Maintain IAP Tunnel for Subsequent Playbook Execution

SaravanaSelvaraj · April 25, 2025, 3:30pm

AWX to GCP SSH connectivity is getting closed for subsequent playbook Execution.
Dear community,
My project

---
- name: Establish GCP connectivity using impersonated SA
  hosts: all
  gather_facts: false
  any_errors_fatal: true
  tasks:
    - name: Establish SSH tunnel via gcloud
      block:
        - name: Run GCP connectivity role
          include_role:
            name: gcp_connectivity_role
          vars:
            gcp_project: "{{ hostvars[inventory_hostname]['project'] }}"
            gcp_zone: "{{ hostvars[inventory_hostname]['zone'] }}"
            gcp_instance_name: "{{ hostvars[inventory_hostname]['name'] }}"
            gcp_impersonate_sa: "{{ hostvars[inventory_hostname]['gcp_impersonate_sa'] }}"
      delegate_to: localhost

- name: Run shell commands on connected GCP hosts
  hosts: all
  gather_facts: false
  tasks:
    - name: Run uname -a
      command: uname -a

    - name: Run uptime
      command: uptime

    - name: Show disk usage
      command: df -h

And my role is

---
- name: Run GCP tasks via gcloud
  block:
    - name: Set facts from credential and vars
      ansible.builtin.set_fact:
        gcp_sa_json_file: "{{ lookup('env', 'gcp_sa_json') }}"
        gcp_impersonate_sa: "{{ lookup('env', 'gcp_sa_user_id') }}"
        gcp_project: "{{ hostvars[inventory_hostname]['project'] }}"
        gcp_zone: "{{ hostvars[inventory_hostname]['zone'] }}"
        gcp_instance_name: "{{ hostvars[inventory_hostname]['name'] }}"
        gcp_commands: "{{ gcp_commands | default([]) }}"

    - name: Authenticate once
      shell: gcloud auth activate-service-account --key-file={{ gcp_sa_json_file }}
      #when: current_auth.stdout.strip() != gcp_impersonate_sa
      register: auth_result
      failed_when: auth_result.rc != 0
      run_once: true
      delegate_to: localhost

    - name: Run gcloud SSH with commands
      shell: >
        yes y | gcloud compute ssh {{ gcp_instance_name }} \
        --zone={{ zone }} \
        --project={{ project }} \
        --impersonate-service-account={{ gcp_impersonate_sa }} \
        --tunnel-through-iap \
        --quiet \
        --verbosity debug
      delegate_to: localhost
      register: gcp_ssh_result
      failed_when: gcp_ssh_result.rc != 0
      changed_when: false

I am using the role gcp_connectivity_role to establish the gcp connectivity. And then in the project I am running commands in the project starting from Run shell commands on connected GCP hosts . As expected the connection closes after the role finished its job and then the commands does not run on the hosts i am intended to do. Can you please check if I am following the correct process here ? Please help.

Thanks and Regards
Saravana Selvaraj

SaravanaSelvaraj · April 25, 2025, 3:42pm

@kurokobo , @wayt and @bcoca tagging you here . Please help if you have any idea in this topic.

Thanks and in advance.

Topic		Replies	Views
Delegate_to: localhost is not working as expected Get Help awx , playbook , gcp , ansible	10	21	April 25, 2025
Alternate SSH using ssh_executable AWX Project awx , gcp	1	17	July 15, 2020
GCP Tunnel through IAP Ansible Project gcp	2	47	February 9, 2021
Unable to SSH from Ansible AWX to GCP VM Instance Get Help awx , gcp	5	44	April 22, 2025
Issue deploying playbook through GCP IAP behind a bastion host using ssh config and ProxyCommand Get Help playbook , ansible-core , gcp , ssh	5	153	October 28, 2024

AWX to GCP VM : Establish and Maintain IAP Tunnel for Subsequent Playbook Execution

Related topics