Skip to main content

Teleport driven ansible inventory script.

Project description

Teleport Inventory Documentation

This is a very simple package which will use Teleport as a dynamic inventory source for Ansible. The script assumes you've logged in and have access to the teleport service. Examples of all the base requirements are provided within this readme.

Checkout https://cloudnull.io/2022/09/ansible-inventory-via-teleport for a more indepth review of integrating Teleport with Ansible.

Using the teleport-ansible inventory script

The script will read machines and return JSON information from teleport. Once the return information is sourced, it will format the inventory using the node name as the target host and the labels as hostvars and groups.

Using teleport-ansible requires a little setup, mostly client side for Teleport itself.

Installing teleport-ansible and using it

Installing the teleport-ansible inventory script can be accomplished with pip.

pip install teleport-ansible

The teleport-inventory script can also be installed using the git repository directly.

pip install git+https://github.com/cloudnull/teleport-ansible

If you don't want to install the script, you can also simply download the script using the hard link and run it from wherever you want.

curl https://raw.githubusercontent.com/cloudnull/teleport-ansible/master/teleport-inventory.py -o teleport-inventory.py

Example SSH configuration connect through Teleport

Create a compatible SSH configuration for Teleport.

export TELEPORT_DOMAIN=teleport.example.com
export TELEPORT_USER=cloudnull
cat > ~/.ssh/teleport.cfg <<EOF
Host * !${TELEPORT_DOMAIN}
    UserKnownHostsFile "${HOME}/.tsh/known_hosts"
    IdentityFile "${HOME}/.tsh/keys/${TELEPORT_DOMAIN}/${TELEPORT_USER}"
    CertificateFile "${HOME}/.tsh/keys/${TELEPORT_DOMAIN}/${TELEPORT_USER}-ssh/${TELEPORT_DOMAIN}-cert.pub"
    PubkeyAcceptedKeyTypes +ssh-rsa-cert-v01@openssh.com
    Port 3022
    CheckHostIP no
    ProxyCommand "$(which tsh)" proxy ssh --cluster=${TELEPORT_DOMAIN} --proxy=${TELEPORT_DOMAIN} %r@%h:%p
EOF

The above ssh configuration needs to have all variables replaced to work.

Example Ansible Setup

When running this inventory, Ansible requires some basic instructions which can be set via environment variables or through an Ansible config file.

export ANSIBLE_SCP_IF_SSH=False
export ANSIBLE_SSH_ARGS="-F ${HOME}/.ssh/teleport.cfg"
export ANSIBLE_INVENTORY_ENABLED=script
export ANSIBLE_HOST_KEY_CHECKING=False
export ANSIBLE_INVENTORY="$(command -v teleport-ansible)"

The ${HOME}/.ssh/teleport.cfg file is generated by using the tsh config command then customized based on individual needs.

Example login process

tsh login --proxy=teleport.example.com --user=teleport-admin

If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:42337/83facfc0-e899-44dc-aa6c-32179e3d5b0b
> Profile URL:        https://teleport.example.com:443
  Logged in as:       teleport-admin
  Cluster:            teleport.example.com
  Roles:              access
  Logins:             root, ubuntu, debian, fedora, centos, -teleport-internal-join
  Kubernetes:         enabled
  Valid until:        2022-09-16 08:03:05 -0500 CDT [valid for 12h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty

The above tsh login will provide access to the teleport cluster, which will allow you to run inventory script which will return an Ansible inventory JSON.

Example inventory return

Running the teleport inventory command teleport-inventory will return something like this.

>>> {
...     "_meta": {
...         "hostvars": {
...             "alluvial-0": {
...                 "ansible_user": "ubuntu",
...                 "teleport_id": 1663292578982084621,
...                 "arch": "x86_64",
...                 "codename": "jammy",
...                 "environment": "dev"
...             },
...             "compute-0": {
...                 "ansible_user": "carter",
...                 "teleport_id": 1663292546493240726,
...                 "arch": "x86_64",
...                 "codename": "jammy",
...                 "environment": "prod"
...             },
...             "curator-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292584620339609,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "plexmediaserver-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292540612813467,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "rtmprelay-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292583673456110,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "teleport-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292588270337453,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "thelounge-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292533524229273,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "unbound-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292535344206453,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "unifi-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292528952201832,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             },
...             "wireguard-0": {
...                 "ansible_user": "debian",
...                 "teleport_id": 1663292535570354336,
...                 "arch": "x86_64",
...                 "codename": "bullseye",
...                 "environment": "prod"
...             }
...         }
...     },
...     "all": {
...         "hosts": [
...             "alluvial-0",
...             "compute-0",
...             "curator-0",
...             "plexmediaserver-0",
...             "rtmprelay-0",
...             "teleport-0",
...             "thelounge-0",
...             "unbound-0",
...             "unifi-0",
...             "wireguard-0"
...         ],
...         "children": []
...     },
...     "x86_64": {
...         "hosts": [
...             "alluvial-0",
...             "compute-0",
...             "curator-0",
...             "plexmediaserver-0",
...             "rtmprelay-0",
...             "teleport-0",
...             "thelounge-0",
...             "unbound-0",
...             "unifi-0",
...             "wireguard-0"
...         ],
...         "children": []
...     },
...     "jammy": {
...         "hosts": [
...             "alluvial-0",
...             "compute-0"
...         ],
...         "children": []
...     },
...     "dev": {
...         "hosts": [
...             "alluvial-0"
...         ],
...         "children": []
...     },
...     "teleport_cloudnull_dev": {
...         "hosts": [
...             "wireguard-0"
...         ],
...         "children": []
...     },
...     "prod": {
...         "hosts": [
...             "compute-0",
...             "curator-0",
...             "plexmediaserver-0",
...             "rtmprelay-0",
...             "teleport-0",
...             "thelounge-0",
...             "unbound-0",
...             "unifi-0",
...             "wireguard-0"
...         ],
...         "children": []
...     },
...     "bullseye": {
...         "hosts": [
...             "curator-0",
...             "plexmediaserver-0",
...             "rtmprelay-0",
...             "teleport-0",
...             "thelounge-0",
...             "unbound-0",
...             "unifi-0",
...             "wireguard-0"
...         ],
...         "children": []
...     }
... }

Once the ssh config is in place, the Ansible configuration is set, and teleport is logged in, Ansible can be run natively.

Example Ansible Ad-Hoc command

You'll notice that the command is SUPER basic. There's nothing special here.

ansible -m ping all

Example Ansible Playbook command

Just like the ad-hoc command, there's nothing special when running playbooks either.

ansible-playbook example-playbook.yaml

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

teleport-ansible-0.0.1.tar.gz (9.0 kB view details)

Uploaded Source

Built Distribution

teleport_ansible-0.0.1-py3-none-any.whl (9.8 kB view details)

Uploaded Python 3

File details

Details for the file teleport-ansible-0.0.1.tar.gz.

File metadata

  • Download URL: teleport-ansible-0.0.1.tar.gz
  • Upload date:
  • Size: 9.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.8.2 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.8.10

File hashes

Hashes for teleport-ansible-0.0.1.tar.gz
Algorithm Hash digest
SHA256 d2a4fcc8b1b08016b70bef2d84c8bb256a823730c937f2851cde18740cc1854e
MD5 33f4991957592f345c473661046c38c2
BLAKE2b-256 3be51cf9648ab7536388cbba91db7e000047366521b69c50006c5a0496b56c78

See more details on using hashes here.

File details

Details for the file teleport_ansible-0.0.1-py3-none-any.whl.

File metadata

  • Download URL: teleport_ansible-0.0.1-py3-none-any.whl
  • Upload date:
  • Size: 9.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.8.2 pkginfo/1.8.2 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.8.10

File hashes

Hashes for teleport_ansible-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 44ab731bef2bb0d10e9b2ca5d274a888ca2b793da850ac17b2053723c180eb71
MD5 1bdf145f28ae6e46046c72628430a4fa
BLAKE2b-256 c53cc0ad2524e2a6e20998fd67f0d43ff6cd69300089e6212816d6bcf8bcb65d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page