Attempt To Pull EC2 Inventory Through Proxy Results In OpenSSL Error #2199

Open
1 task done
jsikarin opened this issue Jul 19, 2024 · 1 comment
Labels
needs_info This issue requires further information. Please answer any outstanding questions

Comments

jsikarin commented Jul 19, 2024

Summary

When I attempt to pull an EC2 inventory through a corporate proxy in RHAAP, I receive the following SSL error.

```
ansible-inventory [core 2.17.1]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections:/usr/share/automation-controller/collections
  executable location = /usr/local/bin/ansible-inventory
  python version = 3.11.9 (main, Apr 26 2024, 22:18:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
No config file found; using defaults
[DEPRECATION WARNING]: ANSIBLE_COLLECTIONS_PATHS option, does not fit var naming standard, use the singular form ANSIBLE_COLLECTIONS_PATH instead. This feature will be removed from ansible-core in version 2.19. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
setting up inventory plugins
Loading collection ansible.builtin from
redirecting (type: inventory) ansible.builtin.aws_ec2 to amazon.aws.aws_ec2
Loading collection amazon.aws from /usr/share/ansible/collections/ansible_collections/amazon/aws
Using inventory plugin 'ansible_collections.amazon.aws.plugins.inventory.aws_ec2' to process inventory source '/runner/inventory/aws_ec2.yml'
[WARNING]:  * Failed to parse /runner/inventory/aws_ec2.yml with auto plugin: Failed to describe instances: SSL validation failed for https://ec2.us-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
  File "/usr/local/lib/python3.11/site-packages/ansible/inventory/manager.py", line 292, in parse_source
    plugin.parse(self._inventory, self._loader, source, cache=cache)
  File "/usr/local/lib/python3.11/site-packages/ansible/plugins/inventory/auto.py", line 58, in parse
    plugin.parse(inventory, loader, path, cache=cache)
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 816, in parse
    results = self._query(regions, include_filters, exclude_filters, strict_permissions, use_ssm_inventory)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 644, in _query
    for i in self._get_instances_by_region(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py", line 547, in _get_instances_by_region
    self.fail_aws("Failed to describe instances", exception=e)
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/plugin_utils/base.py", line 35, in fail_aws
    self._do_fail(f"{message}: {to_native(exception)}")
  File "/usr/share/ansible/collections/ansible_collections/amazon/aws/plugins/plugin_utils/base.py", line 28, in _do_fail
    raise AnsibleError(message)
[WARNING]: Unable to parse /runner/inventory/aws_ec2.yml as an inventory source
ERROR! No inventory was parsed, please check your configuration and options.
```

I'm attempting to populate an inventory in RHAAP using an execution environment I built myself containing the amazon.aws collection. I am unable to replicate the AWS inventory I made in RHAAP, so I created a new inventory called someinventory.yml whose contents are below:

```yaml
---
plugin: aws_ec2
aws_access_key: XXXXXXXXXXXXXXXX
aws_secret_key: xxxxxxxxxxxxxxxxxxxxxxxxxx
regions:
  - us-west-1
keyed_groups:
  - key: tags
    prefix: tag
```

I try to pull an inventory using my custom execution environment and the above .yml file using the following command:

```
ansible-navigator inventory -i someinventory.yml --execution-environment-image=localhost/something_aws
```

which results in the following output:

```
Warning
Errors were encountered while gathering the inventory:
[WARNING]:  * Failed to parse /var/lib/awx/dev/someinventory.yml with auto plugin: inventory source '/var/lib/awx/dev/someinventory.yml' could not be verified by inventory plugin 'aws_ec2'
[WARNING]:  * Failed to parse /var/lib/awx/dev/someinventory.yml with yaml plugin: Plugin configuration YAML file, not YAML inventory
[WARNING]:  * Failed to parse /var/lib/awx/dev/someinventory.yml with ini plugin: Invalid host pattern '---' supplied, '---' is normally a sign this is a YAML file.
[WARNING]: Unable to parse /var/lib/awx/dev/someinventory.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
```

Issue Type

Bug Report

Component Name

ec2_instance

Ansible Version

```
$ ansible --version
ok: [localhost] => {
    "command_result.stdout_lines": [
        "ansible [core 2.17.1]",
        "  config file = /runner/project/ansible.cfg",
        "  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']",
        "  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible",
        "  ansible collection location = /runner/requirements_collections:/root/.ansible/collections:/usr/share/ansible/collections",
        "  executable location = /usr/local/bin/ansible",
        "  python version = 3.11.9 (main, Apr 26 2024, 22:18:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3)",
        "  jinja version = 3.1.4",
        "  libyaml = True"
    ]
}
```

Collection Versions

amazon.aws
community.aws
servicenow.itsm

AWS SDK versions

```
$ pip show boto boto3 botocore
```

NO OUTPUT!

Configuration

```
{
  "command_result.stdout_lines": [
    "ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True",
    "COLLECTIONS_PATHS(env: ANSIBLE_COLLECTIONS_PATH) = ['/runner/requirements_collections', '/root/.ansible/collections', '/usr/share/ansible/collections']",
    "CONFIG_FILE() = /runner/project/ansible.cfg",
    "DEFAULT_CALLBACK_PLUGIN_PATH(env: ANSIBLE_CALLBACK_PLUGINS) = ['/runner/artifacts/3856/callback']",
    "DEFAULT_ROLES_PATH(env: ANSIBLE_ROLES_PATH) = ['/runner/requirements_roles', '/root/.ansible/roles', '/usr/share/ansible/roles', '/etc/ansible/roles']",
    "DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = awx_display",
    "HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False",
    "INVENTORY_UNPARSED_IS_FAILED(env: ANSIBLE_INVENTORY_UNPARSED_FAILED) = True",
    "RETRY_FILES_ENABLED(env: ANSIBLE_RETRY_FILES_ENABLED) = False"
  ],
  "_ansible_verbose_always": true,
  "_ansible_no_log": false,
  "changed": false
}
```

OS / Environment

RHEL 8

Steps to Reproduce

I believe this behavior will likely occur whenever trying to pull a list of EC2 instances through a proxy, but I am unable to prove it or create my own proxy at the moment. 

Expected Results

I expect to be able to pull a list of EC2 instances.

Actual Results

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
gravesm (Member) commented Jul 22, 2024

If the proxy is rewriting the root cert, you'll likely have to add the new cert bundle to your EE. You should be able to set the AWS_CA_BUNDLE env var to point to this (https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#environment-variable-configuration).

@gravesm gravesm added needs_info This issue requires further information. Please answer any outstanding questions and removed needs_triage labels Jul 22, 2024
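The failure and the fix above, worked through offline as an added example (this is not code from the issue, from the amazon.aws collection or from boto3): a throwaway PKI stands in for a TLS-intercepting corporate proxy, the chain is validated first against the default trust store (which reproduces `unable to get local issuer certificate`) and then against an explicit bundle (which is what `AWS_CA_BUNDLE` makes botocore do), and an ansible-builder definition carries the proxy root into the EE. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the CA name, the proxy address `proxy.corp.example:3128`, the base image and the in-EE paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example; not code from this issue or from the amazon.aws collection.
# Reproduces "unable to get local issuer certificate" with a constructed PKI that
# stands in for a TLS-intercepting corporate proxy, then runs the check that the
# fix (AWS_CA_BUNDLE pointing at a bundle containing the proxy root) passes.
# Assumes the openssl CLI (1.1.1+ or 3.x) on PATH. The CA name, proxy address,
# base image and in-EE paths are hypothetical placeholders.

# make_proxy_pki DIR HOST
# Writes DIR/proxy-root-ca.pem (self-signed, constructed "Corp Proxy Root CA")
# and DIR/leaf.pem, a certificate for HOST issued by it: the shape of what an
# intercepting proxy hands the EE instead of Amazon's real chain.
# To capture the chain a real proxy presents instead (not run here):
#   openssl s_client -proxy proxy.corp.example:3128 \
#     -connect ec2.us-west-1.amazonaws.com:443 -showcerts </dev/null
make_proxy_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Corp Proxy Root CA (constructed)" \
    -keyout "$dir/proxy-root-ca.key" -out "$dir/proxy-root-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/proxy-root-ca.pem" -CAkey "$dir/proxy-root-ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_with_default_store HOST LEAF
# What TLS validation in the EE does before any fix: check the chain against the
# default trust store, which lacks the proxy root. Returns openssl's status
# (non-zero on failure) and prints its verdict on stdout.
verify_with_default_store() {
  openssl verify -verify_hostname "$1" "$2" 2>&1
}

# verify_with_bundle BUNDLE HOST LEAF
# The same validation against an explicit bundle, which is what AWS_CA_BUNDLE
# makes botocore do.
verify_with_bundle() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" 2>&1
}

# write_ee_definition DIR
# Emits an ansible-builder definition (schema version 3) that installs the proxy
# root into the EE's trust anchors and points botocore at the merged bundle that
# update-ca-trust produces, so the proxy root AND the public roots are trusted
# (a bundle holding only the proxy root breaks any endpoint the proxy does not
# intercept). Base image is a placeholder; rebuild the EE with ansible-builder.
write_ee_definition() {
  cat > "$1/execution-environment.yml" <<'EOF'
version: 3
images:
  base_image:
    name: quay.io/example/ee-minimal-rhel8:latest   # placeholder
dependencies:
  galaxy:
    collections:
      - name: amazon.aws
  python:
    - boto3
    - botocore
additional_build_files:
  - src: proxy-root-ca.pem          # the proxy root, exported from the proxy
    dest: certs
additional_build_steps:
  prepend_final:
    - COPY _build/certs/proxy-root-ca.pem /etc/pki/ca-trust/source/anchors/proxy-root-ca.pem
    - RUN update-ca-trust
    - ENV AWS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
EOF
}

# demo: failing check, passing check, then the EE definition that carries the fix.
demo() {
  host=ec2.us-west-1.amazonaws.com
  dir=$(mktemp -d)
  make_proxy_pki "$dir" "$host"
  echo "== default trust store (what the EE does today) =="
  verify_with_default_store "$host" "$dir/leaf.pem" || true
  echo "== explicit bundle (what AWS_CA_BUNDLE gives botocore) =="
  verify_with_bundle "$dir/proxy-root-ca.pem" "$host" "$dir/leaf.pem"
  write_ee_definition "$dir"
  echo "== execution-environment.yml =="
  cat "$dir/execution-environment.yml"
  rm -rf "$dir"
}
demo
```

Two practitioner notes. First, botocore reads `AWS_CA_BUNDLE` (or `ca_bundle` in the profile section of `~/.aws/config`) and does not honour `REQUESTS_CA_BUNDLE`, so setting the latter in the EE changes nothing for this plugin. Second, the second run on the page never reached AWS at all: the aws_ec2 plugin's `verify_file` only accepts inventory sources whose filename ends in `aws_ec2.yml` or `aws_ec2.yaml`, which is why `/runner/inventory/aws_ec2.yml` got as far as the TLS handshake while `someinventory.yml` was rejected with "could not be verified by inventory plugin 'aws_ec2'". Rename the file before re-testing the certificate fix, otherwise the proxy error cannot be observed.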