Quick and dirty demo ansible role that uses the aws_ec2 ansible plugin to execute against a group of EC2s. Written as a proof-of-concept of an InSpec runner that can execute multiple InSpec scans simultaneously against a group of EC2s.

Before you start, make sure:

• You have AWS CLI configured locally to access your desired AWS account.
• You have aws_ec2 plugin enabled in ansible.cfg (usually in /etc/ansible/ansible.cfg).

[inventory]
enable_plugins = aws_ec2

• You have a group of EC2s in AWS which are:
  • accessible via a single SSH key
  • tagged with something unique to target with Ansible (ex. 'test_group')

The role runs on your localhost and loops through the inventory list given by aws_ec2.

aws_ec2 groups EC2s depending on what you specify in the groups attribute in aws_ec2.yml:

groups:
  test_group: "'test' in tags['Name']"

You can edit aws_ec2.yml to create different groups in the Ansible inventory by whatever tag you like.

You can see what aws_ec2 can see and how it is grouped by running:

$> ansible-inventory -i aws_ec2.yml --graph

@all:
  |--@aws_ec2:
  |  |--ec2-3-145-176-61.us-east-2.compute.amazonaws.com
  |  |--ec2-3-15-31-155.us-east-2.compute.amazonaws.com
  |--@test_group:
  |  |--ec2-3-145-176-61.us-east-2.compute.amazonaws.com
  |  |--ec2-3-15-31-155.us-east-2.compute.amazonaws.com
  |--@ungrouped:

Run: ansible-playbook playbook.yml -i aws_ec2.yml --ask-vault-pass -v

You'll be prompted for the password you set for the Ansible Vault. The task will run InSpec against the EC2s that are part of test_group.

The task will execute all the scans simultaneously using Ansible's asynchronous feature. This means Ansible will execute each scan in the loop and not wait for a result before moving on.

As such, the next task in the role will wait until each asynchronous InSpec scan registered to inspec_results has completed before continuing.

Will Dower