--- # To run: # 1. Ensure Ansible and Boto are installed (pip install ansible boto). # 2. Ensure you have AWS credentials stored where Boto can find them, and they # are under the profile 'mm'. # 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub. # 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml # Play 1: Provision EC2 instance and A record. - hosts: localhost connection: local gather_facts: false tasks: - name: Configure EC2 Security Group. ec2_group: profile: mm name: certbot_test_http description: HTTP security group for Certbot testing. region: "us-east-1" state: present rules: - proto: tcp from_port: 80 to_port: 80 cidr_ip: 0.0.0.0/0 - proto: tcp from_port: 443 to_port: 443 cidr_ip: 0.0.0.0/0 - proto: tcp from_port: 22 to_port: 22 cidr_ip: 0.0.0.0/0 rules_egress: [] - name: Add EC2 Key Pair. ec2_key: profile: mm region: "us-east-1" name: certbot_test key_material: "{{ item }}" with_file: - ~/.ssh/id_rsa.pub - name: Provision EC2 instance. ec2: profile: mm key_name: certbot_test instance_tags: Name: "certbot-standalone-nginx-test" group: ['default', 'certbot_test_http'] instance_type: t2.micro # CentOS Linux 7 x86_64 HVM EBS image: ami-02e98f78 region: "us-east-1" wait: true wait_timeout: 500 exact_count: 1 count_tag: Name: "certbot-standalone-nginx-test" register: created_instance - name: Add A record for the new EC2 instance IP in Route53. route53: profile: mm command: create zone: servercheck.in record: certbot-test.servercheck.in type: A ttl: 300 value: "{{ created_instance.tagged_instances.0.public_ip }}" wait: true overwrite: true - name: Add EC2 instance to inventory groups. add_host: name: "certbot-test.servercheck.in" groups: "aws,aws_nginx" ansible_ssh_user: centos host_key_checking: false when: created_instance.tagged_instances.0.id is defined # Play 2: Configure EC2 instance with Certbot and Nginx. - hosts: aws_nginx gather_facts: true become: true vars: certbot_admin_email: https@servercheck.in certbot_create_if_missing: true certbot_create_standalone_stop_services: [] certbot_certs: - domains: - certbot-test.servercheck.in nginx_vhosts: - listen: "443 ssl http2" server_name: "certbot-test.servercheck.in" root: "/usr/share/nginx/html" index: "index.html index.htm" state: "present" template: "{{ nginx_vhost_template }}" filename: "certbot_test.conf" extra_parameters: | ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; pre_tasks: - name: Update apt cache. apt: update_cache=true cache_valid_time=600 when: ansible_os_family == 'Debian' changed_when: false - name: Install dependencies (RedHat). yum: name={{ item }} state=present when: ansible_os_family == 'RedHat' with_items: - cronie - epel-release - name: Install cron (Debian). apt: name=cron state=present when: ansible_os_family == 'Debian' roles: - geerlingguy.certbot - geerlingguy.nginx tasks: - name: Flush handlers in case any configs have changed. meta: flush_handlers - name: Test secure connection to SSL domain. uri: url: https://certbot-test.servercheck.in/ status_code: 200 delegate_to: localhost become: false # Play 3: Tear down EC2 instance and A record. - hosts: localhost connection: local gather_facts: false tasks: - name: Destroy EC2 instance. ec2: profile: mm instance_ids: ["{{ created_instance.tagged_instances.0.id }}"] region: "us-east-1" state: absent wait: true wait_timeout: 500 - name: Delete Security Group. ec2_group: profile: mm name: certbot_test_http region: "us-east-1" state: absent - name: Delete Key Pair. ec2_key: profile: mm name: certbot_test region: "us-east-1" state: absent - name: Delete Route53 record. route53: profile: mm state: delete zone: servercheck.in record: certbot-test.servercheck.in type: A ttl: 300 # See: https://github.com/ansible/ansible/pull/32297 value: []