Connect SSH nodes to Teleport in IoT mode with Ansible

[deusxanima]

Below is an example of an Ansible playbook that can be repurposed and used to connect any number of SSH nodes to Teleport in IoT mode by having the nodes dial directly to the existing Teleport Proxy. This can simplify Teleport Cloud deployments and allow users to connect and protect entire environments with Teleport through a single command.

Prerequisites

• Ansible configured for all remote hosts you want to join to Teleport.
• Ability to execute commands with sudo on remote hosts.
• Access to Teleport Proxy WebUI to obtain the join script

Obtain Join Script

First thing you will want to do is navigate to the Teleport Proxy in the WebUI and log in. Once logged in you will want to click the "Add Server" button on the top right of the page and then copy the temporary join script that is generated.

Once you have the script you will want to remove everything other than the actual URL as this will be the only thing we'll use in our playbook below.

Example: The full script I've copied from my Teleport Proxy is sudo bash -c "$(curl -fsSL https://proxy.example.com/scripts/xxx/install-node.sh)" but I want to remove and discard everything other than thehttps://proxy.example.com/scripts/xxx/install-node.sh url. I will then add this url to my playbook as shown below.

Ansible Playbook

- hosts: all
  tasks:
    - name: get join script
      uri:
        url: https://proxy.example.com/scripts/xxx/install-node.sh
        dest: ~/install-node.sh
    - name: execute join script and dial to Teleport proxy
      command: "{{ item }}"
      loop:
        - "sudo bash ~/install-node.sh"
    - name: start Teleport service
      become: True
      command: "{{ item }}"
      loop:
        - "systemctl start teleport"

Once you have the playbook saved you run it as you would any other with ansible-playbook playbook_name

Note: The dynamic install script will expire after a certain period of time for security purposes so you will have to either manually change it in the playbook if re-runing the playbook after the script expires, or account for it and handle it dynamically by passing the url via cli flag.

To pass the script url dynamically you will start by modifying the first task in the above playbook to the following:

    - name: get join script
      uri:
        url: "{{ url }}"
        dest: ~/install-node.sh

Now, when you run the playbook you will also have to pass the --extra vars "url=your_url_here" flag.

The full command would look something like this:
ansible-playbook playbook_name --extra-vars "url=https://proxy.example.com/scripts/xxx/install-node.sh"

Using this method to join nodes in IoT mode helps avoid OS inconsistencies that have to be accounted for in the ansible playbook when joining nodes directly to the auth server, as well as lowers the number of touch points and variables you have to pass to the playbook.