Ice Ansible Playbook

View code on GitHub

Ice provides a bird's-eye view of your AWS usage and costs. Before running the playbook, there are a few things we need to do:


You need Ansible and AWS set up and configured. This is a 10-minute process, and you can watch Episode 2 to see how to do it.

Launch EC2 instance for Ice

  1. Create an Ice security group
    • Allow port 22 for SSH
    • Allow port 80 for HTTP
  2. If you don't already have one, create a new Key Pair, and add it to your keychain or SSH agent so you don't need to specify it later:

    $ ssh-add mykey.pem
  3. Enable programmatic billing access on your AWS account, and take note of the bucket name

  4. Create another S3 bucket that will be used as a workspace for Ice.
  5. Create an Ice IAM Role that allows S3 read access to your billing bucket, and read and write access to the S3 working space bucket. It will also need read-only access to EC2 for things like describing reserved instance offerings. A sample policy (that probably gives more access than necessary) is available in this repository.
  6. Launch a new EC2 instance using the above Security Group, key pair and IAM role. You can use either Ubuntu or Amazon Linux.
  7. Set the Name tag of the instance to Ice
  8. Confirm you can see the instance using the Ansible EC2 inventory

    $ /etc/ansible/hosts | grep 'Ice'
  9. OK, the instance is now ready. Before running the playbook, edit the variables file and fill in the values for bucket names and the like. The file is documented.

Run Ansible playbook

Now you can run the playbook

$ ansible-playbook playbooks/ice-amazon-linux.yml -l 'tag_Name_Ice'

This will configure the instance to run the latest snapshot build of Ice. If you prefer to build the WAR file yourself, just specify the path to it:

$ ansible-playbook playbooks/ice-amazon-linux.yml -l 'tag_Name_Ice' -e "local_war=$HOME/Downloads/ice.war"

Access Ice

Once the playbook is finished, you will have Ice running inside Tomcat on your EC2 instance. You can access it via HTTP. Example:


This playbook does nothing for security. It is highly recommended that you put some kind of restrictions on who can access Ice. At the very minimum, please make sure your security group allows port 80 access from your IP address only.

Adding authentication, running over SSL, and/or putting it on a private subnet is also recommended.


If you have feedback, comments or suggestions, please feel free to contact Peter at Answers for AWS, create an Issue, or submit a pull request.
