Skip to main content

Setup Terraform and Ansible for Windows provisionon CentOS

Provisioning Windows machines with Terraform is easy. Configuring Windows machines with Ansible is also not complex. However, it's a little bit challenging to combine them. The following steps are some ideas about handling a Windows machine from provisioning to post configuration without modifying the winrm configuration on the guest operating system.

  1. Install required repos for yum.
yum -y install https://repo.ius.io/ius-release-el7.rpm
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://packages.endpointdev.com/rhel/7/os/x86_64/endpoint-repo.x86_64.rpm
yum -y install epel-release
yum -y install yum-utils
yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
  1. Install Terraform.
sudo yum -y install terraform
  1. Install Ansible.
sudo yum -y install ansible
  1. Install Kerberos.
yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
  1. Install pip.
sudo yum -y install python-pip

# You probably need the following packages if you are using VPN
pip install pysocks
  1. Install pywinrm[kerberos].
pip install pywinrm[kerberos]
  1. Configure /etc/krb5.conf.
    The following are the required lines. Please make sure to change the domain name to yours. And it's case-sensitive.
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    forward = true
    forwardable = true
    default_realm = ZHENGWU.ORG
[realms]
    ZHENGWU.ORG = {
    kdc = DC.ZHENGWU.ORG
    admin_server = DC.ZHENGWU.ORG
    }
[domain_realm]
    .zhengwu.org = ZHENGWU.ORG
    zhengwu.org = ZHENGWU.ORG
  1. Create an Ansible inventory file.
[win] #Group name
    dc.zhengwu.org #This is the target server list
[win:vars]
    ansible_connection=winrm
    ansible_user=administrator #It's better a domain admin account.
    ansible_password=P@ssw0rd #Change this password
    ansible_port=5985
    ansible_winrm_transport=kerberos     ansible_winrm_server_cert_validation=ignore
  1. Run Ansible win_ping test.
ansible <group in inventory file> -m win_ping -i <inventory file>

Popular posts from this blog

Connect-NsxtServer shows "Unable to connect to the remote server"

When you run Connect-NsxtServer in the PowerCLI, it may show "Unable to connect to the remote server".  Because the error message is a little bit confusing with other login issues. It's not easy to troubleshoot. The actual reason is the NSX-T uses a self-signed certificate, and the PowerCLI cannot accept the certificate automatically. The fix is super easy. You need to set the PowerCLI to ignore the invalid certificate with the following command: Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction:Ignore -Confirm:$false

How to List All Users in Terraform Cloud

Terraform has a rich API. However, the API documentation does not mention how to list all users. We can leverage the organization membership API and the PowerShell command  Invoke-RestMethod  to get a user list. 1. Create an organization token in Terraform Cloud. 2. Create the token variable ( $Token ) in PowerShell. $Token = "abcde" 3. Create the API parameters variable in PowerShell. $params = @{ Uri = "https://app.terraform.io/api/v2/organizations/ZHENGWU/organization-memberships?page%5Bsize%5D=100" Authentication = "Bearer" Token = $Token ContentType = "application/vnd.api+json" } Note: You need to replace ZHENGWU with your own organization name. And I used 100 at the end of the URI to retrieve the first 100 users. It can be any number.  4. Retrieve the API return and list the user's email address. $Test = Invoke-RestMethod @params $Test.data.attributes.email