Setup Terraform and Ansible for Windows provisionon CentOS

-

Provisioning Windows machines with Terraform is easy. Configuring Windows machines with Ansible is also not complex. However, it's a little bit challenging to combine them. The following steps are some ideas about handling a Windows machine from provisioning to post configuration without modifying the winrm configuration on the guest operating system.

  1. Install required repos for yum.
yum -y install https://repo.ius.io/ius-release-el7.rpm
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://packages.endpointdev.com/rhel/7/os/x86_64/endpoint-repo.x86_64.rpm
yum -y install epel-release
yum -y install yum-utils
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
  1. Install Terraform.
sudo yum -y install terraform
  1. Install Ansible.
sudo yum -y install ansible
  1. Install Kerberos.
yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
  1. Install pip.
sudo yum -y install python-pip

# You probably need the following packages if you are using VPN
pip install pysocks
  1. Install pywinrm[kerberos].
pip install pywinrm[kerberos]
  1. Configure /etc/krb5.conf.
    The following are the required lines. Please make sure to change the domain name to yours. And it's case-sensitive.
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    forward = true
    forwardable = true
    default_realm = ZHENGWU.ORG
[realms]
    ZHENGWU.ORG = {
    kdc = DC.ZHENGWU.ORG
    admin_server = DC.ZHENGWU.ORG
    }
[domain_realm]
    .zhengwu.org = ZHENGWU.ORG
    zhengwu.org = ZHENGWU.ORG
  1. Create an Ansible inventory file.
[win] #Group name
    dc.zhengwu.org #This is the target server list
[win:vars]
    ansible_connection=winrm
    ansible_user=administrator #It's better a domain admin account.
    ansible_password=P@ssw0rd #Change this password
    ansible_port=5985
    ansible_winrm_transport=kerberos
    ansible_winrm_server_cert_validation=ignore
  1. Run Ansible win_ping test.
ansible <group in inventory file> -m win_ping -i <inventory file>

Popular posts from this blog

Moving to Blogger.com

-
My website was moved from WordPress to Blogger.com recently. I used to run my blog on Bluehost . It was a three years contract. To be honest,  the Bluehost service was super stable. The website only failed less than three times in the last three years. However, the renewal price was over $300. Hence, I started to explore an alternative. WordPress.com was an excellent option. However, I experienced it a few years ago. I want to try something new. GitHub Pages is a trendy blog service. But it needs to be simpler to set up. Try if you have time.  Eventually, I decided to go with Blogger.com . I need something stable and long-lasting. Blogger.com has been a Google service since 1997. It is long enough to prove the service's stability. And it is free to use with some advanced features. Such as the custom domain, SSL and AdSense, etc... It is easy to import WordPress content to Blogger.com. Some online tools can convert the exported WordPress XML to Blogger.com format. It took me 15 m
Read more

How to Use Proxy on WSL 2

-
1. Install cntlm.sudo   apt-get install cntlm 2. Configure the permission for cntlm.conf file. sudo chmod 644 /etc/cntlm.conf 3. Configure proxy settings.  sudo vi /etc/cntlm.conf 4. Make sure the following parameters are configured. Domain XXX Username XXX Proxy 1.2.3.4:5678 NoProxy localhost, 127.0.0., 10. Listen 3128 5. Test connectivity. (Hit enter key if it asks a password) cntlm -M http://www.google.com 6. Generate hashed passwords. cntlm -H 7. Paste the generated passwords to the cntlm configuration file. 8. Configure proxy. export http_proxy=http://localhost:3128/ export https_proxy=http://localhost:3128 9. Start cntlm sudo cntlm -v -c /etc/cntlm.conf
Read more

Connect-NsxtServer shows "Unable to connect to the remote server"

-
When you run Connect-NsxtServer in the PowerCLI, it may show "Unable to connect to the remote server".  Because the error message is a little bit confusing with other login issues. It's not easy to troubleshoot. The actual reason is the NSX-T uses a self-signed certificate, and the PowerCLI cannot accept the certificate automatically. The fix is super easy. You need to set the PowerCLI to ignore the invalid certificate with the following command: Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction:Ignore -Confirm:$false
Read more