Merge pull request #93 from sean-freeman/bastion_boolean

sap_vm_provision: bastion boolean

Author: sean-freeman

roles/sap_vm_provision/PLATFORM_GUIDANCE.md

@@ -5,6 +5,25 @@ Table of Contents:
 - [Recommended Infrastructure Platform authorizations](#recommended-infrastructure-platform-authorizations)
 - [Recommended Infrastructure Platform configuration](#recommended-infrastructure-platform-configuration)
 
+## Key note - Connectivity
+
+The Ansible Control Node AKA Controller (i.e. device where Ansible Playbook is executed), must be able to directly call the platform's API endpoints. For example:
+
+- AWS EC2 API endpoint `ec2.us-east-1.amazonaws.com`
+- VMware vSphere REST API endpoint `<VMware vCenter Server Appliance hostnamee>.:443`
+
+By default, a Cloud account will use Public internet endpoints which should be accessible in most cases. The Cloud account may utilise Private endpoints for security, as would an On-Premise Hypervisor. Examples include:
+
+- running an Ansible Playbook from a personal laptop, then the personal laptop acts as the Ansible Control Node and can access the platform's APIs using a Client-to-Site VPN Client (such as OpenVPN Connect) to provision Virtual Machines for deploying SAP software
+- running an Ansible Playbook from an existing host (e.g. VM) inside the platform's private network, then the existing host acts as the Ansible Control Node and can access the platform's APIs to provision Virtual Machines for deploying SAP software
+
+The subsequent provisioned Virtual Machine, must be accessible too - this can utilise a Bastion for SSH Proxy connection, which is common for Cloud IaaS.
+
+The Ansible Control Node AKA Controller (i.e. device where Ansible Playbook is executed), must be able to SSH to the Ansible Target Node (i.e. Virtual Machine) using:
+
+- DEFAULT: SSH Proxy connection from Ansible control node, via Bastion host, to target node (`sap_vm_provision_bastion_execution: true`); with SSH Private Keys for the host and the bastion (`sap_vm_provision_ssh_host_private_key_file_path: "/path"` and `sap_vm_provision_ssh_bastion_private_key_file_path: "/path"`)
+- Direct SSH connection from Ansible control node to target node (`sap_vm_provision_bastion_execution: false`); with SSH Private Key for the host (`sap_vm_provision_ssh_host_private_key_file_path: "/path"`).
+
 
 ## Required resources when Ansible provisioning VMs
 
@@ -118,7 +137,7 @@ See below for the drop-down list of required environment resources on an Infrast
     - `private_key`: Use the private ssh key at the location defined by `sap_vm_provision_ssh_host_private_key_file_path`.
     - `private_key_data`: use the private ssh key provided in `sap_vm_provision_ssh_host_private_key_data` and write it to the location defined in `sap_vm_provision_ssh_host_private_key_file_path`.
 
-- Optional: Execution host with access to OpenShift cluster. 
+- Optional: Ansible Control Node host with access to OpenShift cluster. 
 
 - Native Kubernetes with KubeVirt has not been tested.
 
@@ -474,8 +493,6 @@ The VM Template must be prepared with cloud-init. This process is subjective to
     - [cloud-init documentation - Reference - Datasources - VMware](https://cloudinit.readthedocs.io/en/latest/reference/datasources/vmware.html)
 
 
-In addition, the provisioned Virtual Machine must be accessible from the Ansible Controller (i.e. device where Ansible Playbook for SAP is executed must be able to reach the provisioned host).
-
 When VMware vCenter and vSphere clusters with VMware NSX virtualized network overlays using Segments (e.g. 192.168.0.0/16) connected to Tier-0/Tier-1 Gateways (which are bound to the backbone network subnet, e.g. 10.0.0.0/8), it is recommended to:
 - Use DHCP Server and attach to Subnet for the target VM. For example, create DHCP Server (e.g. NSX > Networking > Networking Profiles > DHCP Profile), set DHCP in the Gateway (e.g. NSX > Networking > Gateway > Edit > DHCP Config), then set for the Subnet (e.g. NSX > Networking > Segment > <<selected subnet>> > Set DHCP Config) which the VMware VM Template is attached to; this allows subsequent cloned VMs to obtain an IPv4 Address
 - Use DNAT configuration for any VMware NSX Segments (e.g. NSX-T Policy NAT Rule)

roles/sap_vm_provision/defaults/main.yml

@@ -30,6 +30,11 @@ sap_vm_provision_group_anydb_secondary: anydb_secondary
 # Only for use when 'ansible' is value provided for variable sap_vm_provision_iac_type
 ####
 
+# For security purposes, assume usage of SSH Proxy connection from Ansible control node, via Bastion host to the Target host/s:
+# - This is a common pattern for Cloud IaaS, using a Bastion for connectivity
+# - When using VPN or in On-Premise/Hosted Datacenters, this can be disabled if there is direct connectivity
+sap_vm_provision_bastion_execution: true
+
 sap_vm_provision_bastion_public_ip: ""
 
 sap_vm_provision_bastion_ssh_port: 50222

roles/sap_vm_provision/tasks/platform_ansible/aws_ec2_vs/execute_main.yml

@@ -53,6 +53,16 @@
           #   # AWS_SECRET_ACCESS_KEY: "{{ sap_vm_provision_aws_secret_access_key }}"
           #   AWS_REGION: "{{ sap_vm_provision_aws_region }}"
 
+    - name: Set fact when using Bastion SSH Proxy connection from Ansible control node to target node/s
+      ansible.builtin.set_fact:
+        __ssh_args_bastion: -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+      when:
+        - sap_vm_provision_bastion_execution
+        - sap_vm_provision_bastion_user is defined or not sap_vm_provision_bastion_user == ''
+        - sap_vm_provision_bastion_public_ip is defined or not sap_vm_provision_bastion_public_ip == ''
+        - sap_vm_provision_bastion_ssh_port is defined or not sap_vm_provision_bastion_ssh_port == ''
+        - sap_vm_provision_ssh_bastion_private_key_file_path is defined or not sap_vm_provision_ssh_bastion_private_key_file_path == ''
+
     - name: Add hosts provisioned to the Ansible Inventory
       register: __sap_vm_provision_task_provision_host_all_add
       no_log: "{{ __sap_vm_provision_no_log }}"
@@ -62,7 +72,7 @@
         ansible_host: "{{ add_item[0].instances[0].private_ip_address }}"
         ansible_user: "root"
         ansible_ssh_private_key_file: "{{ sap_vm_provision_ssh_host_private_key_file_path }}"
-        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no {{ __ssh_args_bastion if __ssh_args_bastion is defined else '' }}
       loop: "{{ ansible_play_hosts | map('extract', hostvars, 'register_provisioned_host_all')  }}"
       loop_control:
         label: "{{ add_item[0].host_node }}"

roles/sap_vm_provision/tasks/platform_ansible/aws_ec2_vs/execute_provision.yml

@@ -167,14 +167,22 @@
   delegate_to: "{{ provisioned_private_ip }}"
   delegate_facts: true
   ansible.builtin.set_fact:
-    delegate_sap_vm_provision_bastion_user: "{{ sap_vm_provision_bastion_user }}"
-    delegate_sap_vm_provision_bastion_public_ip: "{{ sap_vm_provision_bastion_public_ip }}"
-    delegate_sap_vm_provision_bastion_ssh_port: "{{ sap_vm_provision_bastion_ssh_port }}"
-    delegate_sap_vm_provision_ssh_bastion_private_key_file_path: "{{ sap_vm_provision_ssh_bastion_private_key_file_path }}"
     delegate_sap_vm_provision_ssh_host_private_key_file_path: "{{ sap_vm_provision_ssh_host_private_key_file_path }}"
-    delegate_private_ip: "{{ __sap_vm_provision_task_provision_host_single.instances[0].private_ip_address }}"
-    delegate_hostname: "{{ inventory_hostname }}"
-    delegate_sap_vm_provision_dns_root_domain_name: "{{ sap_vm_provision_dns_root_domain }}"
+    # delegate_private_ip: "{{ __sap_vm_provision_task_provision_host_single.instances[0].private_ip_address }}"
+    # delegate_hostname: "{{ inventory_hostname }}"
+    # delegate_sap_vm_provision_dns_root_domain_name: "{{ sap_vm_provision_dns_root_domain }}"
+
+- name: Copy facts to delegate host - when using Bastion SSH Proxy connection from Ansible control node to target node/s
+  delegate_to: "{{ provisioned_private_ip }}"
+  delegate_facts: true
+  ansible.builtin.set_fact:
+    delegate_ssh_args_bastion: -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+  when:
+    - sap_vm_provision_bastion_execution
+    - sap_vm_provision_bastion_user is defined or not sap_vm_provision_bastion_user == ''
+    - sap_vm_provision_bastion_public_ip is defined or not sap_vm_provision_bastion_public_ip == ''
+    - sap_vm_provision_bastion_ssh_port is defined or not sap_vm_provision_bastion_ssh_port == ''
+    - sap_vm_provision_ssh_bastion_private_key_file_path is defined or not sap_vm_provision_ssh_bastion_private_key_file_path == ''
 
 
 ### begin block, parameters will be applied to each task within the block
@@ -186,7 +194,7 @@
   delegate_facts: true
   vars:
     ansible_ssh_private_key_file: "{{ delegate_sap_vm_provision_ssh_host_private_key_file_path }}"
-    ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no -o ProxyCommand='ssh -W %h:%p {{ delegate_sap_vm_provision_bastion_user }}@{{ delegate_sap_vm_provision_bastion_public_ip }} -p {{ delegate_sap_vm_provision_bastion_ssh_port }} -i {{ delegate_sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+    ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no {{ delegate_ssh_args_bastion if delegate_ssh_args_bastion is defined else '' }}
   block:
 
     - name: Wait until SSH connection is available

roles/sap_vm_provision/tasks/platform_ansible/gcp_ce_vm/execute_main.yml

@@ -101,6 +101,16 @@
         #     GCP_AUTH_KIND: "serviceaccount"
         #     GCP_SERVICE_ACCOUNT_FILE: "{{ sap_vm_provision_gcp_credentials_json }}"
 
+    - name: Set fact when using Bastion SSH Proxy connection from Ansible control node to target node/s
+      ansible.builtin.set_fact:
+        __ssh_args_bastion: -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+      when:
+        - sap_vm_provision_bastion_execution
+        - sap_vm_provision_bastion_user is defined or not sap_vm_provision_bastion_user == ''
+        - sap_vm_provision_bastion_public_ip is defined or not sap_vm_provision_bastion_public_ip == ''
+        - sap_vm_provision_bastion_ssh_port is defined or not sap_vm_provision_bastion_ssh_port == ''
+        - sap_vm_provision_ssh_bastion_private_key_file_path is defined or not sap_vm_provision_ssh_bastion_private_key_file_path == ''
+
     - name: Add hosts provisioned to the Ansible Inventory
       register: __sap_vm_provision_task_provision_host_all_add
       ansible.builtin.add_host:
@@ -109,7 +119,7 @@
         ansible_host: "{{ add_item[0].networkInterfaces[0].networkIP }}"
         ansible_user: "root"
         ansible_ssh_private_key_file: "{{ sap_vm_provision_ssh_host_private_key_file_path }}"
-        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no {{ __ssh_args_bastion if __ssh_args_bastion is defined else '' }}
       loop: "{{ ansible_play_hosts | map('extract', hostvars, 'register_provisioned_host_all')  }}"
       loop_control:
         label: "{{ add_item[0].host_node }}"

roles/sap_vm_provision/tasks/platform_ansible/gcp_ce_vm/execute_provision.yml

@@ -150,14 +150,22 @@
   delegate_to: "{{ provisioned_private_ip }}"
   delegate_facts: true
   ansible.builtin.set_fact:
-    delegate_sap_vm_provision_bastion_user: "{{ sap_vm_provision_bastion_user }}"
-    delegate_sap_vm_provision_bastion_public_ip: "{{ sap_vm_provision_bastion_public_ip }}"
-    delegate_sap_vm_provision_bastion_ssh_port: "{{ sap_vm_provision_bastion_ssh_port }}"
-    delegate_sap_vm_provision_ssh_bastion_private_key_file_path: "{{ sap_vm_provision_ssh_bastion_private_key_file_path }}"
     delegate_sap_vm_provision_ssh_host_private_key_file_path: "{{ sap_vm_provision_ssh_host_private_key_file_path }}"
-    delegate_private_ip: "{{ __sap_vm_provision_task_provision_host_single.networkInterfaces[0].networkIP }}"
-    delegate_hostname: "{{ inventory_hostname }}"
-    delegate_sap_vm_provision_dns_root_domain_name: "{{ sap_vm_provision_dns_root_domain }}"
+    # delegate_private_ip: "{{ __sap_vm_provision_task_provision_host_single.networkInterfaces[0].networkIP }}"
+    # delegate_hostname: "{{ inventory_hostname }}"
+    # delegate_sap_vm_provision_dns_root_domain_name: "{{ sap_vm_provision_dns_root_domain }}"
+
+- name: Copy facts to delegate host - when using Bastion SSH Proxy connection from Ansible control node to target node/s
+  delegate_to: "{{ provisioned_private_ip }}"
+  delegate_facts: true
+  ansible.builtin.set_fact:
+    delegate_ssh_args_bastion: -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+  when:
+    - sap_vm_provision_bastion_execution
+    - sap_vm_provision_bastion_user is defined or not sap_vm_provision_bastion_user == ''
+    - sap_vm_provision_bastion_public_ip is defined or not sap_vm_provision_bastion_public_ip == ''
+    - sap_vm_provision_bastion_ssh_port is defined or not sap_vm_provision_bastion_ssh_port == ''
+    - sap_vm_provision_ssh_bastion_private_key_file_path is defined or not sap_vm_provision_ssh_bastion_private_key_file_path == ''
 
 
 ### begin block, parameters will be applied to each task within the block
@@ -169,7 +177,7 @@
   delegate_facts: true
   vars:
     ansible_ssh_private_key_file: "{{ delegate_sap_vm_provision_ssh_host_private_key_file_path }}"
-    ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no -o ProxyCommand='ssh -W %h:%p {{ delegate_sap_vm_provision_bastion_user }}@{{ delegate_sap_vm_provision_bastion_public_ip }} -p {{ delegate_sap_vm_provision_bastion_ssh_port }} -i {{ delegate_sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+    ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no {{ delegate_ssh_args_bastion if delegate_ssh_args_bastion is defined else '' }}
   block:
 
     # Required as state: present on Ansible Module gcp_compute_instance does not allow for waiting until VM has booted

roles/sap_vm_provision/tasks/platform_ansible/ibmcloud_powervs/execute_main.yml

@@ -269,6 +269,16 @@
             IC_REGION: "{{ sap_vm_provision_ibmcloud_powervs_region }}"
             IC_ZONE: "{{ sap_vm_provision_ibmcloud_powervs_location }}" # Required only for IBM Power VS, to set IBM Power VS location
 
+    - name: Set fact when using Bastion SSH Proxy connection from Ansible control node to target node/s
+      ansible.builtin.set_fact:
+        __ssh_args_bastion: -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+      when:
+        - sap_vm_provision_bastion_execution
+        - sap_vm_provision_bastion_user is defined or not sap_vm_provision_bastion_user == ''
+        - sap_vm_provision_bastion_public_ip is defined or not sap_vm_provision_bastion_public_ip == ''
+        - sap_vm_provision_bastion_ssh_port is defined or not sap_vm_provision_bastion_ssh_port == ''
+        - sap_vm_provision_ssh_bastion_private_key_file_path is defined or not sap_vm_provision_ssh_bastion_private_key_file_path == ''
+
     - name: Add hosts provisioned to the Ansible Inventory
       register: __sap_vm_provision_task_provision_host_all_add
       ansible.builtin.add_host:
@@ -277,7 +287,7 @@
         ansible_host: "{{ add_item[0].resource.networks[0].ip }}"
         ansible_user: "root"
         ansible_ssh_private_key_file: "{{ sap_vm_provision_ssh_host_private_key_file_path }}"
-        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no -o ProxyCommand='ssh -W %h:%p {{ sap_vm_provision_bastion_user }}@{{ sap_vm_provision_bastion_public_ip }} -p {{ sap_vm_provision_bastion_ssh_port }} -i {{ sap_vm_provision_ssh_bastion_private_key_file_path }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+        ansible_ssh_common_args: -o ConnectTimeout=180 -o ControlMaster=auto -o ControlPersist=3600s -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ForwardX11=no {{ __ssh_args_bastion if __ssh_args_bastion is defined else '' }}
       loop: "{{ ansible_play_hosts | map('extract', hostvars, 'register_provisioned_host_all')  }}"
       loop_control:
         label: "{{ add_item[0].host_node }}"