My most recent vRealize Automation Cloud (vRAC) task was to leverage Ansible to join a new AWS Windows machine to an Active Directory domain.
First off I needed to figure out how to get WinRM working in an AWS AMI. Initially I just deployed a Windows instance, installed WinRM, added a new account admin account, then created a private AMI. This did work, sometimes, but really wasn’t the best solution for the customer. What I really needed was a way to install WinRM and create the new user in an EC2 instance deployed from a publicly available AMI.
The dots finally connected last week when it dawned on me that vRAC cloudConfig equals AWS instance User Data. Yes it was that simple.
After reviewing Running Commands on your Windows Instance at Launch, and some tinkering I came up with this basic vRAC cloudConfig PowerShell script. It adds the new user in the local Administrators group, then installs and configures WinRM. This leaves me a clean Ansible ready machine.
cloudConfig: |
<powershell>
# Add new user for ansible access
$password = ConvertTo-SecureString ${input.new_user_password} -AsPlainText -Force
$newUser = New-LocalUser -Name "${input.new_user_name}" -Password $password -FullName "Ansible Remote User" -Description "Ansible remote user"
Add-LocalGroupMember -Group "Administrators" -Member "${input.new_user_name}"
# Setup WinRM
Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))
</powershell>
The resulting instance User Data includes the expanded variables as seen below.
<powershell>
# Add new user for ansible access
$password = ConvertTo-SecureString VMware123! -AsPlainText -Force
$newUser = New-LocalUser -Name "ansibleuser" -Password $password -FullName "Ansible Remote User" -Description "Ansible remote user"
Add-LocalGroupMember -Group "Administrators" -Member "ansibleuser"
# Setup WinRM
Invoke-Expression ((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))
</powershell>
The playbook turned out to be fairly simple. It waits for 5 minutes, points DNS to the DC (also running DNS), renames the machine, and joins it to the domain.
- hosts: win
gather_facts: no
tasks:
- name: Pause for OS
pause:
minutes: 5
- name: Change DNS to DC
win_dns_client:
adapter_names: '*'
ipv4_addresses:
- 10.10.0.100
- name: Rename machine
win_hostname:
name: "{{ hostname }}"
register: res
- name: Reboot if necessary
win_reboot:
when: res.reboot_required
- name: Wait for WinRM to be reachable
wait_for_connection:
timeout: 900
- name: Join to "{{ domain_name }}"
win_domain_membership:
hostname: "{{ hostname }}"
dns_domain_name: "{{ domain_name }}"
domain_admin_user: "{{ domain_user }}"
domain_admin_password: "{{ domain_user_password }}"
domain_ou_path: "{{ domain_oupath }}"
state: domain
register: domain_state
- name: Wait for 2 minutes
pause:
minutes: 2
- name: reboot if necessary
win_reboot:
post_reboot_delay: 120
when: domain_state.reboot_requiredBlending existing AWS User Data with vRAC cloudConfig finally provided a clean solution without having to write a super complex ansible playbook. Keeping it simple once again pays off.
The blueprint and playbook referenced in this article are available this github repo.
{!aCoder} 