AI for Infrastructure as Code

Ansible Dynamic Inventory for Cloud Prompt

Configure dynamic inventory plugins — AWS (aws_ec2), GCP (gcp_compute), Azure (azure_rm), keyed_groups, filters, caching.

Target user
Ansible engineers managing cloud fleets
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior automation engineer who has set up dynamic inventory for cloud fleets — AWS EC2, GCP, Azure — with caching, filtering, and labeled groups.

I will provide:
- Cloud provider
- Inventory needs (groups, filters)
- Symptom (slow, missing hosts, wrong groups)

Your job:

1. **AWS aws_ec2 plugin**:
   - In `amazon.aws` collection
   - Filters by region, tag, state
   - keyed_groups from tags
   - compose for custom vars
2. **GCP gcp_compute**:
   - In `google.cloud` collection
   - Projects, zones, labels
3. **Azure azure_rm**:
   - In `azure.azcollection`
   - Resource groups, tags
4. **For filters**:
   - Per-cloud syntax
   - AWS: filters use EC2 API filter names
   - State filters important (running only)
5. **For keyed_groups**:
   - Auto-group by attribute
   - `key: tags.Service` → groups like `service_web`
   - Multiple keyed_groups OK
6. **For compose**:
   - Set custom Ansible vars from cloud data
   - `ansible_host: private_ip_address`
   - `ansible_user: '"ec2-user" if tags.OS == "AmazonLinux" else "ubuntu"'`
7. **For caching**:
   - Cache plugin (jsonfile, redis)
   - TTL based on cloud change rate
   - Sub-second inventory loads after the first run
8. **For hostnames**:
   - Choice of hostname source
   - private DNS, tag:Name, instance ID

Mark DESTRUCTIVE: dynamic inventory with broad filters affecting unintended hosts, caching with too-long TTL causing stale targeting, missing state filter (stopped instances included).

---

Cloud: [DESCRIBE]
Inventory needs: [DESCRIBE]
Symptom: [DESCRIBE]

Why this prompt works

Dynamic inventory scales to cloud fleets. This prompt walks through the setup.

How to use it

  1. Pick plugin per cloud.
  2. Filter to scope.
  3. Group by tags/labels.
  4. Cache appropriately.

Useful commands

# Test inventory
ansible-inventory -i aws_ec2.yml --list
ansible-inventory -i aws_ec2.yml --graph

# Flush cache
ansible-inventory -i aws_ec2.yml --list --flush-cache

# Run playbook
ansible-playbook -i aws_ec2.yml site.yml

Patterns

AWS EC2

# inventories/aws_ec2.yml
plugin: amazon.aws.aws_ec2
regions:
- us-east-1
- us-west-2
filters:
  tag:Environment: production
  instance-state-name: running
keyed_groups:
- key: tags.Service
  prefix: service
- key: tags.Role
  prefix: role
- key: tags.Tier
  prefix: tier
- key: placement.availability_zone
  prefix: az
hostnames:
- tag:Name
- private-dns-name
compose:
  ansible_host: private_ip_address
  region: placement.region
  service_role: tags.Service + "-" + tags.Role
cache: true
cache_plugin: jsonfile
cache_connection: /tmp/ansible_aws_cache
cache_timeout: 3600

Auth via env / IAM role:

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
# Or IAM role on instance

GCP Compute

plugin: google.cloud.gcp_compute
projects:
- my-project-id
zones:
- us-central1-a
- us-central1-b
filters:
- 'labels.environment = "production"'
keyed_groups:
- key: labels.service
  prefix: service
hostnames:
- name
compose:
  ansible_host: networkInterfaces[0].networkIP
auth_kind: serviceaccount
service_account_file: /etc/gcp/sa.json

Azure

plugin: azure.azcollection.azure_rm
include_vm_resource_groups:
- production-rg
keyed_groups:
- prefix: env
  key: tags.environment
- prefix: service
  key: tags.service
hostvar_expressions:
  ansible_host: private_ipv4_addresses[0]

Multiple inventory sources

ansible-playbook site.yml \
    -i inventories/aws_ec2.yml \
    -i inventories/gcp_compute.yml \
    -i inventories/static.yml

Cache invalidation

# Force refresh
ansible-inventory -i aws_ec2.yml --list --flush-cache

# Or delete the cache directory (jsonfile stores its files under cache_connection)
rm -r /tmp/ansible_aws_cache

Common findings this catches

  • Stopped instances in inventory → add state filter.
  • Wrong group assignment → keyed_groups key check.
  • Inventory empty → API auth / wrong region.
  • Slow first run → expected; cache helps subsequent runs.
  • Stale targets → cache TTL.
  • Hostname inconsistent → explicit hostnames.
  • Cross-account complexity → multiple plugin instances.
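
The three risks the prompt marks DESTRUCTIVE (broad filters, long cache TTL, missing state filter) can be checked before a playbook runs. The sketch below is an added example, not part of the original page or of Ansible: it lints an already-parsed plugin config (load the YAML yourself), and `lint_inventory`, `MAX_TTL`, the rule names, the extra `shared-cache-dir` check and the sample configs are assumptions.

```python
# Added example: pre-flight lint for a parsed aws_ec2 / gcp_compute inventory config.
MAX_TTL = 900  # assumed ceiling in seconds for a fleet that autoscales


def lint_inventory(cfg, max_ttl=MAX_TTL):
    """Return sorted rule names for the risks the prompt marks DESTRUCTIVE."""
    hits = set()
    plugin = cfg.get("plugin", "")
    filters = cfg.get("filters") or {}
    if plugin.endswith("aws_ec2"):
        # aws_ec2: filters is a mapping of EC2 filter name -> value or list
        state = filters.get("instance-state-name", [])
        if (state if isinstance(state, list) else [state]) != ["running"]:
            hits.add("state-filter")   # stopped or terminating instances included
        if not any(k.startswith("tag:") for k in filters):
            hits.add("broad-scope")    # every instance in the region is a target
        if not cfg.get("regions"):
            hits.add("broad-scope")    # plugin default is to query all regions
    elif plugin.endswith("gcp_compute"):
        # gcp_compute: filters is a list of expression strings (substring heuristic)
        exprs = " ".join(filters) if isinstance(filters, list) else ""
        if "status" not in exprs:
            hits.add("state-filter")
        if "labels." not in exprs:
            hits.add("broad-scope")
    if cfg.get("cache"):
        if int(cfg.get("cache_timeout", 3600)) > max_ttl:  # plugin default: 3600
            hits.add("stale-cache")
        if str(cfg.get("cache_connection", "")).startswith(("/tmp/", "/var/tmp/")):
            hits.add("shared-cache-dir")  # predictable path in a world-writable dir
    return sorted(hits)


# The page's AWS pattern, reduced to the keys the lint reads.
PAGE_AWS = {
    "plugin": "amazon.aws.aws_ec2",
    "regions": ["us-east-1", "us-west-2"],
    "filters": {"tag:Environment": "production", "instance-state-name": "running"},
    "cache": True, "cache_connection": "/tmp/ansible_aws_cache", "cache_timeout": 3600,
}
# Constructed weak config: no filters, no regions, no cache.
BROAD_AWS = {"plugin": "amazon.aws.aws_ec2"}
# Constructed GCP config that scopes by label but not by instance status.
GCP_NO_STATE = {"plugin": "google.cloud.gcp_compute",
                "filters": ['labels.environment = "production"']}

if __name__ == "__main__":
    for name, cfg in [("page_aws", PAGE_AWS), ("broad_aws", BROAD_AWS), ("gcp", GCP_NO_STATE)]:
        print(name, lint_inventory(cfg))
```

Run it in CI against each inventory file and fail the job on any finding; raise `max_ttl` only for fleets whose membership rarely changes.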

When to escalate

  • Multi-account / multi-org — strategic.
  • Cloud cost from API calls — finops.
  • Hybrid (cloud + on-prem) — design.
