The VPC playbook

The first thing we need to discuss is how we can pass our access key ID and also the secret access key to Ansible in a safe and secure way. As I will be sharing the final playbooks in a public repository on GitHub, I do not want to share my AWS keys with the world as that could get expensive! Typically, if it were a private repository, I would use Ansible Vault to encrypt the keys and include them in there with other potentially sensitive data such as deployment keys and so on.

In this case, I don't want to include any encrypted information in the repository as it would mean that people would need to decrypt it, edit the values, and then re-encrypt it. Luckily, the AWS modules provided by Ansible allow you to set two environment variables on your Ansible controller; those variables will then be read as part of the playbook execution.

To set the variables, run the following commands, making sure that you replace the content with your own access key and secret (the values listed here are just placeholders):

$ export AWS_ACCESS_KEY=AKIAI5KECPOTNTTVM3EDA
$ export AWS_SECRET_KEY=Y4B7FFiSWl0Am3VIFc07lgnc/TAtK5+RpxzIGTr

Once set, you can view the contents by running:

$ echo $AWS_ACCESS_KEY

This will display the content of the AWS_ACCESS_KEY variable.

Now that we have a way to pass our credentials to Ansible, we can create the playbook structure by running the following commands:

$ mkdir vpc vpc/group_vars vpc/roles
$ touch vpc/production vpc/site.yml vpc/group_vars/common.yml
$ cd vpc

Now that we have the basics in place, we can make a start at creating the roles; unlike previous chapters, we are going to be running the playbook after we have added each role so we can discuss in more detail what has happened.
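
A pre-flight check for the approach above, as an added example that is not from the book: it confirms both variables are set without printing their values, and scans the playbook directory for strings shaped like a long-term access key ID before the repository is pushed. The function names are hypothetical, and the pattern (AKIA followed by 16 upper-case letters or digits) is an assumption about the key ID format.

```shell
#!/bin/sh
# Pre-flight check for the vpc playbook directory (added example).
# Function names are hypothetical; nothing here prints a credential value.

# Return 0 only if both variables read by the AWS modules are set and non-empty.
# Only the variable names are reported, never their contents.
check_aws_env() {
    missing=0
    [ -n "${AWS_ACCESS_KEY:-}" ] || { echo "missing: AWS_ACCESS_KEY" >&2; missing=1; }
    [ -n "${AWS_SECRET_KEY:-}" ] || { echo "missing: AWS_SECRET_KEY" >&2; missing=1; }
    return "$missing"
}

# Return 1 if any file under DIR contains something shaped like an access
# key ID (assumed format: AKIA followed by 16 upper-case letters or digits).
# grep -l lists file names only, so the match never reaches a terminal or CI log.
scan_for_keys() {
    hits=$(grep -rlE 'AKIA[0-9A-Z]{16}' "$1" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "possible access key ID in:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Run both checks against DIR (default: current directory).
# Returns non-zero if either check fails, so it can gate a push or a CI job.
preflight() {
    rc=0
    check_aws_env || rc=1
    scan_for_keys "${1:-.}" || rc=1
    return "$rc"
}

# Stand-alone use: sh preflight.sh --run vpc
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-.}"
fi
```

Typing the secret after `export` also leaves it in the shell history file, so clear that entry or read the value from a prompt when working on a shared machine.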
