@nitzmahone
Last active October 4, 2022 20:15
Ansible Provision Windows in AWS with Stock AMIs (Part 2)
default.aspx:

```aspx
Hello from <%= Environment.MachineName %> at <%= DateTime.UtcNow %>
```

inventory (hosts file):

```ini
localhost ansible_connection=local

[win]

[win:vars]
ansible_connection=winrm
ansible_ssh_port=5986
ansible_ssh_user=Administrator
ansible_ssh_pass={{ win_initial_password }}
```

secret.yml:

```yaml
win_initial_password: myFinalPassword123!
```

userdata.txt.j2:

```powershell
<powershell>
$admin = [adsi]("WinNT://./administrator, user")
$admin.PSBase.Invoke("SetPassword", "{{ win_initial_password }}")
Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))
</powershell>
```

playbook:

```yaml
- hosts: localhost
  gather_facts: no
  vars:
    target_aws_region: us-west-2
  vars_files:
    - secret.yml
  tasks:
  - name: find current Windows AMI in this region
    ec2_ami_find:
      region: "{{ target_aws_region }}"
      platform: windows
      virtualization_type: hvm
      owner: amazon
      name: Windows_Server-2012-R2_RTM-English-64Bit-Base-*
      no_result_action: fail
      sort: name
      sort_order: descending
    register: found_amis

  - set_fact:
      win_ami_id: "{{ (found_amis.results | first).ami_id }}"

  - name: ensure security group is present
    ec2_group:
      name: WinRM RDP
      description: Inbound WinRM and RDP
      region: "{{ target_aws_region }}"
      rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 5986
        to_port: 5986
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 3389
        to_port: 3389
        cidr_ip: 0.0.0.0/0
      rules_egress:
      - proto: -1
        cidr_ip: 0.0.0.0/0
    register: sg_out

  - name: ensure instances are running
    ec2:
      region: "{{ target_aws_region }}"
      image: "{{ win_ami_id }}"
      instance_type: t2.micro
      group_id: "{{ sg_out.group_id }}"
      wait: yes
      wait_timeout: 500
      exact_count: 1
      count_tag:
        Name: stock-win-ami-test
      instance_tags:
        Name: stock-win-ami-test
      user_data: "{{ lookup('template', 'userdata.txt.j2') }}"
    register: ec2_result

  - name: wait for WinRM to answer on all hosts
    wait_for:
      port: 5986
      host: "{{ item.public_ip }}"
      timeout: 300
    with_items: ec2_result.tagged_instances

  - name: add hosts to groups
    add_host:
      name: "win-temp-{{ item.id }}"
      ansible_ssh_host: "{{ item.public_ip }}"
      groups: win
    changed_when: false
    with_items: ec2_result.tagged_instances

- name: web app setup
  hosts: win
  gather_facts: no
  vars_files: [ "secret.yml" ]
  tasks:
  - name: ensure IIS and ASP.NET are installed
    win_feature:
      name: AS-Web-Support

  - name: ensure application dir exists
    win_file:
      path: c:\inetpub\foo
      state: directory

  - name: ensure default.aspx is present
    win_copy:
      src: default.aspx
      dest: c:\inetpub\foo\default.aspx

  - name: ensure that the foo web application exists
    win_iis_webapplication:
      name: foo
      physical_path: c:\inetpub\foo
      site: Default Web Site

  - name: ensure that application responds properly
    uri:
      url: http://{{ ansible_ssh_host}}/foo
      return_content: yes
    register: uri_out
    delegate_to: localhost
    until: uri_out.content | search("Hello from")
    retries: 3

  - debug:
      msg: web application is available at http://{{ ansible_ssh_host}}/f
```
@chilicat

Thanks for the tutorial, I use ansible 2.2.0 and I had to add

```ini
[win:vars]
....
ansible_winrm_server_cert_validation=ignore
```

to make it work.

thanks.

@dgant

dgant commented Nov 18, 2016

Thanks for a great resource!

Two changes I had to make (in addition to the cert_validation above):

```yaml
# Before:
with_items: ec2_result.tagged_instances
# After:
with_items: "{{ ec2_result.tagged_instances }}"
```

Also had to specifically allow outbound HTTP connections. I think the default may at some point have been to allow all outgoing connections, but the default changed since the time of writing. Without this, the instance can't download ConfigureRemotingForAnsible.ps1. It's probably possible to use a narrower list than this but I didn't investigate further. Just enabling outbound HTTP wasn't quite sufficient.

```yaml
      rules_egress:
      - proto: all
        from_port: 0
        to_port: 65535
        cidr_ip: 0.0.0.0/0
```
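The security group in the playbook above opens WinRM (5986) and RDP (3389) to `0.0.0.0/0`, and both the playbook's `proto: -1` egress rule and the `proto: all` rule in this comment let the instance reach anything on the Internet. The following Python script is an added example, not code from the gist or from the commenters: it audits rule lists in the shape the `ec2_group` module takes, reports management ports exposed to a source wider than a /24, flags fully open egress, and produces a tightened copy of the ingress rules that keeps only the web port world-reachable. The rule dicts are a constructed copy of the playbook's rules, the function names are hypothetical, and `203.0.113.0/24` is a documentation-range placeholder for the operator's own address range.

```python
"""Audit ec2_group-style security group rules for over-broad exposure.

Added example, not part of the original gist. PLAYBOOK_RULES and
PLAYBOOK_EGRESS are a constructed copy of the playbook's `rules` and
`rules_egress`; audit_ingress(), tighten_ingress() and
egress_is_unrestricted() are hypothetical helper names.
"""
import ipaddress

# Ports that give an operator full control of a Windows host; they should
# never be reachable from the whole Internet, only from a known range.
MANAGEMENT_PORTS = {
    3389: "RDP",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed copy of the playbook's ingress and egress rules.
PLAYBOOK_RULES = [
    {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 5986, "to_port": 5986, "cidr_ip": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr_ip": "0.0.0.0/0"},
]
PLAYBOOK_EGRESS = [{"proto": -1, "cidr_ip": "0.0.0.0/0"}]


def _rule_ports(rule):
    """Inclusive port range a rule covers; proto -1 or 'all' means every port."""
    if str(rule.get("proto")) in ("-1", "all"):
        return 0, 65535
    return int(rule["from_port"]), int(rule["to_port"])


def audit_ingress(rules, min_prefix=24):
    """Return one finding per ingress rule that exposes a management port to a
    source network wider than /min_prefix (0.0.0.0/0 is the worst case)."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr_ip"], strict=False)
        lo, hi = _rule_ports(rule)
        exposed = [p for p in MANAGEMENT_PORTS if lo <= p <= hi]
        if exposed and net.prefixlen < min_prefix:
            findings.append({
                "cidr_ip": str(net),
                "ports": exposed,
                "services": [MANAGEMENT_PORTS[p] for p in exposed],
            })
    return findings


def tighten_ingress(rules, operator_cidr):
    """Copy of the rules where management-port rules only accept operator_cidr;
    rules that touch no management port (the web app's port 80) are unchanged."""
    operator = ipaddress.ip_network(operator_cidr, strict=False)
    tightened = []
    for rule in rules:
        lo, hi = _rule_ports(rule)
        if any(lo <= p <= hi for p in MANAGEMENT_PORTS):
            rule = dict(rule, cidr_ip=str(operator))
        tightened.append(rule)
    return tightened


def egress_is_unrestricted(rules_egress):
    """True if some egress rule lets every port reach the whole Internet, as
    both the playbook's `proto: -1` rule and the comment's `proto: all` rule do.
    The bootstrap needs outbound HTTPS to fetch ConfigureRemotingForAnsible.ps1,
    so the point of the check is to make that exposure explicit, not to forbid it."""
    for rule in rules_egress:
        net = ipaddress.ip_network(rule["cidr_ip"], strict=False)
        if net.prefixlen == 0 and _rule_ports(rule) == (0, 65535):
            return True
    return False


if __name__ == "__main__":
    for finding in audit_ingress(PLAYBOOK_RULES):
        print("management port(s) %s open to %s" % (finding["services"], finding["cidr_ip"]))
    print("egress unrestricted:", egress_is_unrestricted(PLAYBOOK_EGRESS))
    # 203.0.113.0/24 is a documentation-range placeholder for the operator's range.
    for rule in tighten_ingress(PLAYBOOK_RULES, "203.0.113.0/24"):
        print(rule)
```

Run against the playbook's rules, the audit reports the 5986 and 3389 rules and leaves the port 80 rule alone; the tightened list is what you would paste back into the `rules:` block of the `ec2_group` task, with the operator CIDR kept in `secret.yml` or a vault next to `win_initial_password`.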
