Add dynamic ansible inventory from prometheus server and restrict access of /api/metrics to public

lukazuljevic · lukazuljevic · commit 526379ffb0dc · 2025-11-23T19:32:13.000+01:00
diff --git a/infrastructure/ansible/inventories/prometheus.aws_ec2.yml b/infrastructure/ansible/inventories/prometheus.aws_ec2.yml
@@ -0,0 +1,17 @@
+---
+plugin: aws_ec2
+profile: dump-monitoring
+
+regions:
+  - eu-central-1
+
+hostnames:
+  - ip-address
+
+filters:
+  tag:Project: dump-monitoring
+  tag:Environment: production
+
+keyed_groups:
+  - key: tags.Role
+leading_separator: false
diff --git a/infrastructure/ansible/playbooks/api/roles/api/tasks/main.yml b/infrastructure/ansible/playbooks/api/roles/api/tasks/main.yml
@@ -11,6 +11,10 @@
     group: '{{ ansible_user }}'
     mode: 0600
 
+- name: Get the ip address of the prometheus production server
+  command: cd $(git rev-parse --show-toplevel); ansible-inventory -i infrastructure/ansible/inventories/prometheus.aws_ec2.yml --list | jq -r '.aws_ec2.hosts[0]'
+  register: production_ip
+
 - name: Create new api docker container
   docker_container:
     name: '{{ container_name }}'
@@ -30,8 +34,11 @@
       traefik.http.middlewares.api-cors.headers.accesscontrolmaxage: '100'
       traefik.http.middlewares.api-cors.headers.addvaryheader: 'true'
       traefik.http.routers.api.middlewares: 'api-retry, api-cors'
-      # Setting a service property ensures that the generated service name will be consistent between versions
       traefik.http.services.api.loadbalancer.server.scheme: 'http'
+      # Router specifically for /api/metrics with IP restriction
+      traefik.http.middlewares.metrics-whitelist.ipwhitelist.sourcerange: '{{ production_ip.stdout }}'
+      traefik.http.routers.api-metrics.rule: 'Host(`{{ api_domain }}`) && PathPrefix(`/api/metrics`)'
+      traefik.http.routers.api-metrics.middlewares: metrics-whitelist
 
 - name: Swap docker containers if new one is healthy
   block:
