Extend ec2_metadata_facts to get instance tags

[rcousens]

Summary

AWS recently added support for retrieving instance tags from the instance metadata service, see: https://aws.amazon.com/about-aws/whats-new/2022/01/instance-tags-amazon-ec2-instance-metadata-service/

A natural fit for including this functionality would be to extend ec2_metadata_facts to support retrieving instance tags, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-ex-7 for details on how that is done.

I'd like to add the functionality, but I'm unclear what would be more acceptable to the community with regards to handling whether or not this functionality is enabled. There's two options I see:

• A flag passed to ec2_metadata_facts to tell it to attempt to retrieve tags, and fail with error when it can't

OR

• Assume the instance tag metadata functionality is enabled, attempt to retrieve tags, and fail silently when it's not

Which makes more sense and is in keeping with the "ethos" of the modules? My hunch is the 1st option.

Issue Type

Feature Idea

Component Name

ec2_metadata_facts.py

Additional Information

I'd be happy to write the code.

- amazon.aws.ec2_metadata_facts:
    tags: yes

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• [plugins/modules/ec2_metadata_facts.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/ec2_metadata_facts.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @jillr @roadmapper @s-hertel @silviud @tremble
click here for bot help

[alinabuzachis]

@rcousens Thank you for this feature idea. I think the second option you listed - "Assume the instance tag metadata functionality is enabled, attempt to retrieve tags, and fail silently when it's not" makes more sense to me. Don't know what @tremble @jillr @markuman think about.

[markuman]

AWS recently added support for retrieving instance tags from the instance metadata service, see: https://aws.amazon.com/about-aws/whats-new/2022/01/instance-tags-amazon-ec2-instance-metadata-service/

Yes, and community.aws supports this already for ec2_launch_template since 3.1.0 and amazon.aws for ec2_instance the support is already in the main branch, but not released yet 🚀🚀🚀

"Assume the instance tag metadata functionality is enabled, attempt to retrieve tags, and fail silently when it's not" makes more sense to me.

Yes, +1 for the second option.

Just a few words more about accessing metadata from the instances itself

workaround

You can do it already using ansible buildin modules - more or less comfortable

    - name: get metadata token
      uri:
        url: "http://169.254.169.254/latest/api/token"
        headers:
          X-aws-ec2-metadata-token-ttl-seconds: 60
        method: PUT
        return_content: yes
      register: METADATA_TOKEN


    - name: get tag name
      uri:
        url: "http://169.254.169.254/latest/meta-data/tags/instance/Name"
        headers:
          X-aws-ec2-metadata-token: "{{ METADATA_TOKEN.content }}"
        return_content: yes
      register: TAG_NAME

prod and cons

The ec2 instances that runs ec2_metadata_facts in believing they receive their tags, must have botocore >= 1.23.30.
I think you might need this feature when you're using ansible-pull or run some plays via systemd-timer.

Another possibility to access all instance tags is via a control node that is using the dynamical aws_ec2 inventory. They are accessable via host_vars.

[tremble]

+1, assume it's enabled, drop a warning if it fails, and continue cleanly.

[tremble]

support was added by #1186 and should be available in release 5.1.0