@ruzickap
Created February 13, 2017 20:23
CloudFormation template used by Ansible to create a single Windows Server 2016 instance and enable WinRM over SSL (HTTPS)
---
# The {{ ... }} / {% ... %} markers are Jinja2 placeholders: Ansible renders this file
# (e.g. with the template module) before handing the result to CloudFormation.
AWSTemplateFormatVersion: "2010-09-09"
Description: Windows 2016 Template
Resources:
  # Wide open in both directions; acceptable only for a throw-away lab. For anything else,
  # restrict ingress to TCP 5986 (WinRM over HTTPS) from the Ansible control host's CIDR.
  alltraffic:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG Permitting All Traffic
      VpcId: {{ aws_cf_vpc_id }}
      # SecurityGroupIngress/SecurityGroupEgress are lists of rules, hence the leading "-"
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
          FromPort: -1
          ToPort: -1
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
          FromPort: -1
          ToPort: -1
      Tags:
        - Key: Name
          Value: "All Traffic SG"
        - Key: Costcenter
          Value: {{ aws_cf_tags.Costcenter }}
  win01:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          files:
            # cfn-hup configuration: which stack/region to watch
            c:\cfn\cfn-hup.conf:
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
            # Re-run cfn-init whenever the Init metadata of win01 changes in a stack update
            c:\cfn\hooks.d\cfn-auto-reloader.conf:
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.win01.Metadata.AWS::CloudFormation::Init
                action=cfn-init.exe -v -s ${AWS::StackId} -r win01 --region ${AWS::Region}
            # Plain block scalar: the script contains no ${...} CloudFormation references, so !Sub is not needed.
            # Note that the Jinja-rendered user name and password end up in the stack's metadata, readable
            # by anyone allowed to call DescribeStacks/GetTemplate; keep them in Ansible Vault and rotate them.
            c:\cfn\hooks.d\enable_winrm.ps1:
              content: |
                param(
                  [switch]$SkipNetworkProfileCheck,
                  [int]$CertValidityDays = 3650
                )
                # Enable WinRM (HTTPS listener with a self-signed certificate) using Ansible's helper script.
                # The helper is saved to disk and called with the parameters given on the cfn-init command
                # line; piping it through Invoke-Expression would silently drop them. The URL tracks the
                # moving 'devel' branch: pin a tagged release and compare a known hash before running it.
                $url = 'https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'
                $helper = 'c:\cfn\hooks.d\ConfigureRemotingForAnsible.ps1'
                (New-Object System.Net.WebClient).DownloadFile($url, $helper)
                & $helper -SkipNetworkProfileCheck:$SkipNetworkProfileCheck -CertValidityDays $CertValidityDays
                # Disable password complexity so the Jinja-supplied password is accepted by the local policy.
                # This weakens the host's password policy for every local account, not just the Ansible one.
                secedit /export /cfg {{ system_security_settings_tmp_file }}
                (Get-Content {{ system_security_settings_tmp_file }}).Replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File {{ system_security_settings_tmp_file }}
                secedit /configure /db c:\windows\security\local.sdb /cfg {{ system_security_settings_tmp_file }} /areas SECURITYPOLICY
                Remove-Item -Force {{ system_security_settings_tmp_file }} -Confirm:$false
                # Create the local Ansible user and add it to 'Administrators' and 'WinRMRemoteWMIUsers__'
                # so it can authenticate over WinRM
                $Computer = [ADSI]"WinNT://$Env:COMPUTERNAME"
                $User = $Computer.Create("User", "{{ windows_machines_ansible_user }}")
                $User.SetPassword("{{ windows_machines_ansible_pass }}")
                $User.SetInfo()
                $User.FullName = "Ansible WinRM user"
                $User.SetInfo()
                # ADS_UF_DONT_EXPIRE_PASSWD (0x10000): OR it in so existing account flags are kept
                $User.UserFlags = ($User.UserFlags.Value -bor 65536)
                $User.SetInfo()
                $Group = $Computer.Children.Find('Administrators')
                $Group.Add("WinNT://$Env:COMPUTERNAME/{{ windows_machines_ansible_user }}")
                $Group = $Computer.Children.Find('WinRMRemoteWMIUsers__')
                $Group.Add("WinNT://$Env:COMPUTERNAME/{{ windows_machines_ansible_user }}")
          commands:
            # The trailing switches are bound to the param() block of enable_winrm.ps1 and forwarded to the helper
            enable_winrm:
              command: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File c:\cfn\hooks.d\enable_winrm.ps1 -SkipNetworkProfileCheck -CertValidityDays 3650
          services:
            windows:
              cfn-hup:
                enabled: true
                ensureRunning: true
                files:
                  - c:\cfn\cfn-hup.conf
                  - c:\cfn\hooks.d\cfn-auto-reloader.conf
    Properties:
      InstanceType: t2.medium
      ImageId: {{ (win_server_ami_id.results | first).ami_id }}
      KeyName: {{ aws_cf_keyname }}
      SecurityGroupIds: [ !Ref alltraffic ]
      SubnetId: {{ aws_cf_subnet_id }}
      # First-boot user data: EC2Launch runs the <script> block, which pulls the Init metadata above
      UserData:
        "Fn::Base64":
          !Sub |
            <script>
            cfn-init.exe -v -s ${AWS::StackId} -r win01 --region ${AWS::Region}
            </script>
      Tags:
        - Key: Name
          Value: win01.{{ domain }}
        - Key: Hostname
          Value: win01.{{ domain }}
        - Key: Role
          Value: Windows Server 2016
{% for (key, value) in aws_cf_instance_tags.items() %}
        - Key: {{ key }}
          Value: {{ value }}
{% endfor %}
Outputs:
  # "<resource name> <private IP>"; the private address means Ansible must reach the VPC
  winservers:
    Value: !Join [ ' ', [ win01, !GetAtt win01.PrivateIp ] ]
    Description: Windows Servers
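The Linux side of this setup, as an added example that is not part of the gist: a playbook that renders the Jinja placeholders, creates the stack, turns the `winservers` output into a WinRM host and round-trips through it. Variable names follow the placeholders in the template; the region, IDs, key pair name, tag values and the `.j2` file name are assumptions. `ec2_ami_find` is used because its `results[].ami_id` output is the shape the template reads (it was deprecated in later Ansible releases; `ec2_ami_info` returns `images[].image_id` instead). Certificate validation is switched off because ConfigureRemotingForAnsible.ps1 creates a self-signed certificate, so this connection is encrypted but not authenticated to a known host; with the all-traffic security group above, port 5986 is also reachable from the whole Internet, so keep the password in Vault and tighten the group before leaving the lab.

```yaml
---
# Added example (not the gist author's code). Values marked "assumption" are placeholders.
- name: Create the Windows 2016 stack from the rendered CloudFormation template
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    aws_region: us-east-1                        # assumption
    aws_cf_vpc_id: vpc-0123456789abcdef0         # assumption
    aws_cf_subnet_id: subnet-0123456789abcdef0   # assumption
    aws_cf_keyname: my-keypair                   # assumption
    aws_cf_tags:
      Costcenter: "1234"                         # assumption
    aws_cf_instance_tags:
      Environment: lab                           # assumption
    domain: example.com                          # assumption
    windows_machines_ansible_user: ansible
    # The real value belongs in Ansible Vault: it is rendered into the instance metadata.
    windows_machines_ansible_pass: "{{ vault_windows_machines_ansible_pass }}"
    system_security_settings_tmp_file: c:\cfn\secpol.cfg
  tasks:
    - name: Find the newest Windows Server 2016 base AMI (provides win_server_ami_id)
      ec2_ami_find:
        region: "{{ aws_region }}"
        owner: amazon
        name: "Windows_Server-2016-English-Full-Base-*"
        sort: name
        sort_order: descending
        sort_end: 1
      register: win_server_ami_id

    - name: Render the Jinja placeholders into a plain CloudFormation template
      template:
        src: win2016-cf.yml.j2         # assumption: the gist saved with a .j2 suffix
        dest: /tmp/win2016-cf.yml
        mode: "0600"                   # the rendered file contains the WinRM password

    - name: Create or update the stack
      cloudformation:
        stack_name: win2016
        state: present
        region: "{{ aws_region }}"
        template: /tmp/win2016-cf.yml
      register: cf_stack

    # Output is "win01 <private-ip>": the control host must reach the VPC (VPN, bastion,
    # or an instance inside it). NTLM needs pywinrm with NTLM support on the control host.
    - name: Register the new host for WinRM over HTTPS
      add_host:
        name: "{{ cf_stack.stack_outputs.winservers.split(' ')[1] }}"
        groups: windows
        ansible_user: "{{ windows_machines_ansible_user }}"
        ansible_password: "{{ windows_machines_ansible_pass }}"
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: ntlm
        ansible_winrm_server_cert_validation: ignore   # self-signed cert from the helper script

- name: Verify the WinRM connection from Linux
  hosts: windows
  gather_facts: false
  tasks:
    - name: Wait for the HTTPS listener (cfn-init runs at first boot, which takes a few minutes)
      wait_for:
        host: "{{ inventory_hostname }}"
        port: 5986
        timeout: 900
      delegate_to: localhost

    - name: Round trip through WinRM with the credentials set above
      win_ping:
```

Run it with `ansible-playbook --ask-vault-pass win2016.yml` (the playbook file name is an assumption); a green `win_ping` proves the listener, the firewall rule, the local user and its group membership all came up from the cfn-init script.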
@kumaran85
If Ansible is installed on Linux, how will it interact with Windows for credentials?
