Azure cloud provisioning using Ansible
I would suggest Ansible as the configuration management tool because of its simplicity and straightforward operation. It came to market late, but it gained a solid footing and has been adopted by many DevOps professionals. Ansible offers a large number of modules for managing cloud operations across all the major providers, including Azure, AWS and GCP.
The Ansible playbook below provisions cloud resources in an Azure environment: it creates a Windows VM and configures it so that the Ansible host can connect to it for any post-provisioning activities. The playbook performs the following tasks:
- Create the resource group and network infrastructure
- Provision a Windows VM
- Add the new host to an in-memory dynamic inventory for post-provisioning activities
- Enable an HTTPS WinRM listener on the VM (a Custom Script Extension runs PowerShell with the execution policy bypassed) so that Ansible can connect
- Install a Firefox package on the newly created VM using Ansible
Now let’s go through the first role, common, which creates the resource group and the network infrastructure.
```yaml
- name: Create a resource group
  azure_rm_resourcegroup:
    name: "{{ rg_name }}"
    location: "{{ location }}"
    state: present

- name: Create a virtual network
  azure_rm_virtualnetwork:
    name: "{{ virtual_network }}"
    resource_group: "{{ rg_name }}"
    address_prefixes_cidr:
      - "{{ CIDR }}"

- name: Create the windows_base network security group
  azure_rm_securitygroup:
    resource_group: "{{ rg_name }}"
    name: windows_base
    purge_rules: yes
    rules:
      # 0.0.0.0/0 exposes RDP and WinRM to the whole Internet; in practice
      # restrict the source to the Ansible control host or your admin network.
      - name: 'AllowRDP'
        protocol: Tcp
        source_address_prefix: 0.0.0.0/0
        destination_port_range: 3389
        access: Allow
        priority: 100
        direction: Inbound
      - name: 'AllowWinRM'
        protocol: Tcp
        source_address_prefix: 0.0.0.0/0
        destination_port_range: 5986
        access: Allow
        priority: 102
        direction: Inbound
      # 'access' defaults to Allow in this module, so the Deny must be explicit;
      # protocol '*' covers UDP and ICMP as well as TCP.
      - name: 'DenyAll'
        protocol: '*'
        source_address_prefix: 0.0.0.0/0
        destination_port_range: 0-65535
        access: Deny
        priority: 103
        direction: Inbound

- name: Create a subnet and attach the windows_base security group to it
  azure_rm_subnet:
    name: "{{ subnet }}"
    virtual_network_name: "{{ virtual_network }}"
    resource_group: "{{ rg_name }}"
    address_prefix_cidr: "{{ subnet_CIDR }}"
    security_group_name: windows_base
```
This creates a resource group, a virtual network and a network security group that allows inbound RDP (3389) and WinRM over HTTPS (5986) and denies everything else. Two details matter here. First, `access` defaults to Allow in `azure_rm_securitygroup`, so a rule named DenyAll that omits it would in fact allow all inbound traffic; the Deny has to be stated explicitly. Second, a source prefix of 0.0.0.0/0 exposes both administrative ports to the entire Internet, so restrict the source to the Ansible control host's address or your management network. A security group can be associated either with the NIC or with the subnet in which the VM is created. If you do not supply a custom NIC while provisioning, Azure creates one and attaches it to the VM, so here no custom NIC is created and the security group is attached to the subnet instead.
Let’s go through the second role, which creates the virtual machine.
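As an added example, not code from the original post, the following Python models how Azure evaluates an inbound security group rule list: lowest priority number first, with the Ansible module's default of Allow whenever `access` is omitted. It runs the post's rules as originally written (no `access` on AllowWinRM and DenyAll) side by side with a hardened variant; the hypothetical control-host address 203.0.113.10, the test source addresses and the `evaluate_inbound`/`find_weak_rules` helper names are all constructed here, and of Azure's built-in default rules only DenyAllInBound is modelled.

```python
import ipaddress

# Inbound NSG rules in the same shape as the post's azure_rm_securitygroup task,
# constructed for this example. 'access' is left out of AllowWinRM and DenyAll
# exactly as the original rules did; the module defaults it to Allow.
RULES_AS_WRITTEN = [
    {"name": "AllowRDP", "protocol": "Tcp", "source_address_prefix": "0.0.0.0/0",
     "destination_port_range": "3389", "access": "Allow", "priority": 100},
    {"name": "AllowWinRM", "protocol": "Tcp", "source_address_prefix": "0.0.0.0/0",
     "destination_port_range": "5986", "priority": 102},
    {"name": "DenyAll", "protocol": "Tcp", "source_address_prefix": "0.0.0.0/0",
     "destination_port_range": "0-65535", "priority": 103},
]

# Hardened variant: explicit access on every rule, admin ports reachable only
# from the hypothetical control host 203.0.113.10, and a protocol-agnostic deny.
RULES_HARDENED = [
    {"name": "AllowRDP", "protocol": "Tcp", "source_address_prefix": "203.0.113.10/32",
     "destination_port_range": "3389", "access": "Allow", "priority": 100},
    {"name": "AllowWinRM", "protocol": "Tcp", "source_address_prefix": "203.0.113.10/32",
     "destination_port_range": "5986", "access": "Allow", "priority": 102},
    {"name": "DenyAll", "protocol": "*", "source_address_prefix": "0.0.0.0/0",
     "destination_port_range": "0-65535", "access": "Deny", "priority": 103},
]

ADMIN_PORTS = {22, 3389, 5985, 5986}


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def _source_matches(prefix, src_ip):
    # '*' and the Internet service tag are treated as "any source";
    # other Azure service tags are not modelled here.
    if prefix in ("*", "Internet"):
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)


def _protocol_matches(rule_protocol, protocol):
    return rule_protocol == "*" or rule_protocol.lower() == protocol.lower()


def evaluate_inbound(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule_name) for an inbound packet.

    Rules are matched lowest priority number first, as Azure does, and a rule
    without 'access' takes the module default of Allow. If nothing matches,
    Azure's built-in DenyAllInBound rule (priority 65500) applies.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_protocol_matches(rule["protocol"], protocol)
                and _source_matches(rule["source_address_prefix"], src_ip)
                and _port_matches(rule["destination_port_range"], port)):
            return rule.get("access", "Allow"), rule["name"]
    return "Deny", "DenyAllInBound"


def find_weak_rules(rules):
    """Flag rules a reviewer should question before the playbook is run."""
    findings = []
    for rule in rules:
        access = rule.get("access", "Allow")
        if "access" not in rule and rule["name"].lower().startswith("deny"):
            findings.append(f"{rule['name']}: no 'access' key, so it defaults to Allow")
        if (access == "Allow"
                and rule["source_address_prefix"] in ("*", "Internet", "0.0.0.0/0")
                and any(_port_matches(rule["destination_port_range"], p) for p in ADMIN_PORTS)):
            findings.append(f"{rule['name']}: admin port open to any source")
    return findings


if __name__ == "__main__":
    for label, rules in (("as written", RULES_AS_WRITTEN), ("hardened", RULES_HARDENED)):
        print(label, "SMB from the Internet:", evaluate_inbound(rules, "198.51.100.7", 445))
        print(label, "findings:", find_weak_rules(rules))
```

Run against the rules as written, TCP 445 from an arbitrary Internet address falls through to the DenyAll rule and is allowed, because the rule's missing `access` silently became Allow; the hardened list denies it, and `find_weak_rules` reports nothing for it.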
```yaml
- name: Create a VM
  azure_rm_virtualmachine:
    resource_group: "{{ rg_name }}"
    name: "{{ vm_name }}"
    os_type: Windows
    virtual_network_name: "{{ virtual_network }}"
    subnet_name: "{{ subnet }}"          # the subnet that carries the windows_base security group
    admin_username: "{{ admin_user }}"
    admin_password: "{{ admin_passwd }}"  # keep this in an ansible-vault encrypted vars file
    vm_size: Standard_F2s_v2
    image:
      offer: WindowsServer
      publisher: MicrosoftWindowsServer
      sku: '2016-Datacenter'
      version: latest

# azure_rm_virtualmachine returns the VM as the fact azure_vm; pick the public IP out once
- name: Record the public IP address of the new VM
  set_fact:
    vm_public_ip: "{{ azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"

- name: Add the new instance to the azure_vms host group
  add_host:
    hostname: "{{ vm_name }}"
    ansible_host: "{{ vm_public_ip }}"
    ansible_user: "{{ admin_user }}"
    ansible_password: "{{ admin_passwd }}"
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: ssl
    # the listener below uses a self-signed certificate, so validation is switched off;
    # prefer a certificate the control host trusts where you can
    ansible_winrm_server_cert_validation: ignore
    groupname: azure_vms

- name: Create an Azure VM extension to enable the HTTPS WinRM listener
  azure_rm_virtualmachine_extension:
    name: winrm-extension
    resource_group: "{{ rg_name }}"
    virtual_machine_name: "{{ vm_name }}"
    publisher: Microsoft.Compute
    virtual_machine_extension_type: CustomScriptExtension
    type_handler_version: '1.9'
    # winrm_enable_script must be the base64 of the UTF-16LE encoded script,
    # which is what -EncodedCommand expects
    settings: '{"commandToExecute": "powershell.exe -ExecutionPolicy ByPass -EncodedCommand {{ winrm_enable_script }}"}'
    auto_upgrade_minor_version: true

- name: Wait for the WinRM port to come online
  wait_for:
    host: "{{ vm_public_ip }}"
    port: 5986
    timeout: 600
```
A few points are worth noting. The VM module returns the created machine as the fact `azure_vm`, so the public IP is taken from there rather than from a loop over a non-existent `output.instances`. `-EncodedCommand` expects the script base64-encoded from UTF-16LE text, not UTF-8, so `winrm_enable_script` has to be produced that way. The extension `settings` are stored in clear text in the VM resource definition; if the script carries anything sensitive, pass it through the module's `protected_settings` instead. `ansible_winrm_server_cert_validation: ignore` is needed because the listener uses a self-signed certificate, but it means the control host will hand the admin credentials to whatever answers on that address and port, so prefer installing a certificate the control host trusts. Finally, keep `admin_passwd` in a vault-encrypted variables file rather than in plain YAML.
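As an added example that is not part of the original post, the following Python builds the Custom Script Extension payload so that the value handed to `-EncodedCommand` is the base64 of UTF-16LE text, and places the command in `protected_settings` rather than `settings`. The bootstrap script content, the ConfigureRemotingForAnsible.ps1 URL and the helper names `encoded_command`, `decode_command`, `custom_script_command` and `custom_script_settings` are all assumptions made here.

```python
import base64
import json

# Hypothetical WinRM bootstrap script: download and run Ansible's
# ConfigureRemotingForAnsible.ps1, which creates an HTTPS listener with a
# self-signed certificate. The URL and the script body are assumptions.
WINRM_BOOTSTRAP = (
    "$ProgressPreference = 'SilentlyContinue'; "
    "$url = 'https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'; "
    '$file = "$env:TEMP\\ConfigureRemotingForAnsible.ps1"; '
    "Invoke-WebRequest -Uri $url -OutFile $file; "
    "& $file"
)


def encoded_command(script: str) -> str:
    """Return what PowerShell's -EncodedCommand expects: base64 of the script
    encoded as UTF-16LE. Encoding as UTF-8 instead produces garbage on the VM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Inverse of encoded_command; useful for checking what an extension will run."""
    return base64.b64decode(encoded).decode("utf-16-le")


def custom_script_command(script: str) -> str:
    """The commandToExecute string for the CustomScriptExtension."""
    return ("powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive "
            "-EncodedCommand " + encoded_command(script))


def custom_script_settings(script: str) -> dict:
    """Module arguments for azure_rm_virtualmachine_extension.

    The command goes in protected_settings rather than settings: settings are
    stored in clear text in the VM's resource definition and are readable by
    anyone with read access to the resource group.
    """
    return {"protected_settings": json.dumps({"commandToExecute": custom_script_command(script)})}


if __name__ == "__main__":
    print(custom_script_settings(WINRM_BOOTSTRAP)["protected_settings"])
```

Inside a playbook the same encoding can be produced with the `b64encode` filter, for example `"{{ lookup('file', 'enable_winrm.ps1') | b64encode(encoding='utf-16-le') }}"`, on Ansible versions whose filter accepts the `encoding` argument.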
The third and final role in the playbook installs the Firefox browser on the newly provisioned VM using the `win_chocolatey` module. The VM needs outbound access to the Chocolatey package source for this; the security group above restricts inbound traffic only.
```yaml
- name: Install Firefox
  win_chocolatey:
    name: firefox
    state: present
```
Here is the main playbook, which calls all three roles:
```yaml
---
- hosts: localhost
  gather_facts: yes
  roles:
    - common
    - vm

- hosts: azure_vms
  gather_facts: no
  roles:
    - install_firefox
```
Hope this post helped you. Please share your feedback/suggestions in the comments below.
Good one Rajeev