-
-
Save nitzmahone/aaf4340ea8d87c7fa578 to your computer and use it in GitHub Desktop.
Ansible Provision Windows in AWS with Stock AMIs (Part 2)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hello from <%= Environment.MachineName %> at <%= DateTime.UtcNow %> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| localhost ansible_connection=local | |
| [win] | |
| [win:vars] | |
| ansible_connection=winrm | |
| ansible_ssh_port=5986 | |
| ansible_ssh_user=Administrator | |
| ansible_ssh_pass={{ win_initial_password }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| win_initial_password: myFinalPassword123! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <powershell> | |
| $admin = [adsi]("WinNT://./administrator, user") | |
| $admin.PSBase.Invoke("SetPassword", "{{ win_initial_password }}") | |
| Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1')) | |
| </powershell> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - hosts: localhost | |
| gather_facts: no | |
| vars: | |
| target_aws_region: us-west-2 | |
| vars_files: | |
| - secret.yml | |
| tasks: | |
| - name: find current Windows AMI in this region | |
| ec2_ami_find: | |
| region: "{{ target_aws_region }}" | |
| platform: windows | |
| virtualization_type: hvm | |
| owner: amazon | |
| name: Windows_Server-2012-R2_RTM-English-64Bit-Base-* | |
| no_result_action: fail | |
| sort: name | |
| sort_order: descending | |
| register: found_amis | |
| - set_fact: | |
| win_ami_id: "{{ (found_amis.results | first).ami_id }}" | |
| - name: ensure security group is present | |
| ec2_group: | |
| name: WinRM RDP | |
| description: Inbound WinRM and RDP | |
| region: "{{ target_aws_region }}" | |
| rules: | |
| - proto: tcp | |
| from_port: 80 | |
| to_port: 80 | |
| cidr_ip: 0.0.0.0/0 | |
| - proto: tcp | |
| from_port: 5986 | |
| to_port: 5986 | |
| cidr_ip: 0.0.0.0/0 | |
| - proto: tcp | |
| from_port: 3389 | |
| to_port: 3389 | |
| cidr_ip: 0.0.0.0/0 | |
| rules_egress: | |
| - proto: -1 | |
| cidr_ip: 0.0.0.0/0 | |
| register: sg_out | |
| - name: ensure instances are running | |
| ec2: | |
| region: "{{ target_aws_region }}" | |
| image: "{{ win_ami_id }}" | |
| instance_type: t2.micro | |
| group_id: "{{ sg_out.group_id }}" | |
| wait: yes | |
| wait_timeout: 500 | |
| exact_count: 1 | |
| count_tag: | |
| Name: stock-win-ami-test | |
| instance_tags: | |
| Name: stock-win-ami-test | |
| user_data: "{{ lookup('template', 'userdata.txt.j2') }}" | |
| register: ec2_result | |
| - name: wait for WinRM to answer on all hosts | |
| wait_for: | |
| port: 5986 | |
| host: "{{ item.public_ip }}" | |
| timeout: 300 | |
| with_items: ec2_result.tagged_instances | |
| - name: add hosts to groups | |
| add_host: | |
| name: "win-temp-{{ item.id }}" | |
| ansible_ssh_host: "{{ item.public_ip }}" | |
| groups: win | |
| changed_when: false | |
| with_items: ec2_result.tagged_instances | |
| - name: web app setup | |
| hosts: win | |
| gather_facts: no | |
| vars_files: [ "secret.yml" ] | |
| tasks: | |
| - name: ensure IIS and ASP.NET are installed | |
| win_feature: | |
| name: AS-Web-Support | |
| - name: ensure application dir exists | |
| win_file: | |
| path: c:\inetpub\foo | |
| state: directory | |
| - name: ensure default.aspx is present | |
| win_copy: | |
| src: default.aspx | |
| dest: c:\inetpub\foo\default.aspx | |
| - name: ensure that the foo web application exists | |
| win_iis_webapplication: | |
| name: foo | |
| physical_path: c:\inetpub\foo | |
| site: Default Web Site | |
| - name: ensure that application responds properly | |
| uri: | |
| url: http://{{ ansible_ssh_host}}/foo | |
| return_content: yes | |
| register: uri_out | |
| delegate_to: localhost | |
| until: uri_out.content | search("Hello from") | |
| retries: 3 | |
| - debug: | |
| msg: web application is available at http://{{ ansible_ssh_host}}/f |
Thanks for a great resource!
Two changes I had to make (in addition to the cert_validation above):
Before: with_items: ec2_result.tagged_instances
After: with_items: "{{ ec2_result.tagged_instances }}"
Also had to specifically allow outbound HTTP connections. I think the default may at some point have been to allow all outgoing connections, but the default changed since the time of writing. Without this, the instance can't download ConfigureRemotingForAnsible.ps1. It's probably possible to use a narrower list than this but I didn't investigate further. Just enabling outbound HTTP wasn't quite sufficient.
rules_egress:
- proto: all
from_port: 0
to_port: 65535
cidr_ip: 0.0.0.0/0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for the tutorial, I use ansible 2.2.0 and I had to add add
to make it work.
thanks.