Best Way to Manage Multiple Environments and Multiple AWS Accounts

I am looking for ways that others have organized their inventory files when they have multiple aws accounts.

Little background: today we have one folder with all inventory files in it. The inventory directory is a mix of static and dynamic inventory files. I am tagging the EC2 instances so I can call a playbook specifying hosts, for example stage_website or prod_website.

We are moving all of our separate instances to their own AWS accounts, however, and this is where I need to find an elegant way to model this. I will have one AWS account each for dev, qa, stage, and production. I would like to use the dynamic inventory approach as that supports auto scaling nicely. I looked up using profiles in the boto config but it doesn’t look like the ec2.py file supports it.

I did find this: https://github.com/jjneely/ansible/tree/multiple-aws-accounts/plugins/inventory, which someone rewrote to support multiple AWS accounts and which I can use, but I wanted to get input on how others have done this before I do.

Nobody?

I don’t have input on the actual question but I’m interested to hear why one would have multiple AWS accounts for a given domain (as in responsibility domain, not DNS domain).

It seems to me that a single domain can be managed using a single account. Combining the accounts into a single Ansible-managed thing defeats the whole purpose of separating stuff. So the conclusion would be to either have a single account or multiple Ansible “things” that each manage their own responsibility domain. Then again I don’t know the whole picture and my POV is probably very naive.

/Martin

I've seen 2 ways to approach this: using boto's builtin profiles to manage multiple accounts, or creating multiple instances of ec2.py and ec2.ini for each account and then using -i to point at individual ones, or keeping them in a directory and pointing at that with ansible.cfg.

It is a business decision to separate the environments for billing reasons.

I have read about that way too. I like the approach of just specifying a directory with -i and having Ansible look at all inventory files, but I might have to switch back to specifying the exact inventory I want to work with.

On second thought, the approach that uses separate directories for each account would not work, because the credentials to connect to said accounts are not stored in the ec2.ini file but rather in the boto.conf file or environment variables.
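One way around the credentials problem raised in the last post is a thin per-account wrapper in the inventory directory that points boto and ec2.py at account-specific config files through the environment, rather than keeping secrets in ec2.ini. This is an added example, not code from the thread or from Ansible; it assumes the ec2.py copy in use honours the EC2_INI_PATH environment variable and that boto honours BOTO_CONFIG (older copies may not), and the directory layout under ~/.ansible/aws and the ec2.py path are made-up conventions.

```shell
#!/bin/sh
# Per-account wrapper for ec2.py: one copy per AWS account, dropped into the
# directory passed to `ansible-playbook -i inventory/`. The account name is
# taken from the script's own file name (inventory/ec2_stage -> "stage"), so
# the same file serves every account. The layout below is an assumption.
set -eu

ACCOUNT_DIR="${ACCOUNT_DIR:-$HOME/.ansible/aws}"  # holds <account>/boto.cfg and <account>/ec2.ini
EC2_PY="${EC2_PY:-/usr/share/ansible/ec2.py}"     # stock dynamic inventory script (path assumed)

# "ec2_stage" -> "stage"; fails loudly on a file name that carries no account.
account_from_script_name() {
    name=$(basename "$1")
    case "$name" in
        ec2_?*) printf '%s\n' "${name#ec2_}" ;;
        *) echo "cannot derive account from '$name'" >&2; return 1 ;;
    esac
}

# Refuse credentials that anyone but the owner can read or write. ls -ld is
# used because its mode column is portable; stat(1) flags differ per platform.
check_secret_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits only
    case "$perms" in
        *r*|*w*) echo "refusing $1: group/other can read or write ($perms)" >&2; return 1 ;;
    esac
}

main() {
    account=$(account_from_script_name "$0")
    boto_cfg="$ACCOUNT_DIR/$account/boto.cfg"
    ec2_ini="$ACCOUNT_DIR/$account/ec2.ini"
    [ -f "$boto_cfg" ] && [ -f "$ec2_ini" ] || { echo "missing config for $account" >&2; exit 1; }
    check_secret_perms "$boto_cfg"
    # BOTO_CONFIG makes boto read only this file, so each wrapper talks to
    # exactly one account. EC2_INI_PATH selects the matching ec2.ini, which
    # should set its own cache_path so accounts do not overwrite each other's cache.
    BOTO_CONFIG="$boto_cfg" EC2_INI_PATH="$ec2_ini" exec "$EC2_PY" "$@"
}

# Ansible invokes inventory scripts with --list or --host <name>; run only then.
case "${1:-}" in
    --list|--host) main "$@" ;;
esac
```

Because every wrapper is a separate executable, `-i inventory/` still works, and the boto config for each account never has to be shared between them.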