Azure

Create a Windows virtual machine in Azure using Ansible | Microsoft Learn

Code

azure-ansible/1-4-az-create-windows-vm at main · spawnmarvel/azure-ansible (github.com)

  - name: Create Network Security Group
    azure_rm_securitygroup:
      resource_group: myResourceGroup
      name: networkSecurityGroup
      rules:
        - name: 'allow_rdp'
          protocol: Tcp
          destination_port_range: 3389
          access: Allow
          priority: 1001
          direction: Inbound
        - name: 'allow_web_traffic'
          protocol: Tcp
          destination_port_range:
            - 80
            - 443
          access: Allow
          priority: 1002
          direction: Inbound
        - name: 'allow_powershell_remoting'
          protocol: Tcp
          destination_port_range:
            - 5985
            - 5986
          access: Allow
          priority: 1003
          direction: Inbound

  - name: Create a network interface
    azure_rm_networkinterface:
      name: nic
      resource_group: myResourceGroup
      virtual_network: vNet
      subnet_name: subnet
      security_group: networkSecurityGroup
      ip_configurations:
        - name: default
          public_ip_address_name: pip
          primary: True
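Added check, not part of the repository's playbook: the three inbound rules above never set source_address_prefix, and (assumption, verify against the azure_rm_securitygroup docs for your collection version) the module then defaults it to "*", so RDP and both WinRM ports end up reachable from any address, not just the control node. The script below re-creates the rule list from the playbook as a Python structure, flags management ports that are open to any source, and shows how a rule looks once pinned to one source CIDR (the CIDR is a constructed placeholder).

```python
"""Audit playbook NSG rules for management ports exposed to any source.

Added example (not the repo's code). The rule list is transcribed from the
playbook above; the "*" default for a missing source_address_prefix is an
assumption taken from the Ansible module documentation.
"""
MANAGEMENT_PORTS = {3389: "RDP", 5985: "WinRM HTTP", 5986: "WinRM HTTPS"}

# Rules exactly as written in the playbook above; none sets source_address_prefix.
PLAYBOOK_RULES = [
    {"name": "allow_rdp", "protocol": "Tcp", "destination_port_range": 3389,
     "access": "Allow", "priority": 1001, "direction": "Inbound"},
    {"name": "allow_web_traffic", "protocol": "Tcp", "destination_port_range": [80, 443],
     "access": "Allow", "priority": 1002, "direction": "Inbound"},
    {"name": "allow_powershell_remoting", "protocol": "Tcp",
     "destination_port_range": [5985, 5986], "access": "Allow", "priority": 1003,
     "direction": "Inbound"},
]

# Sources that mean "anyone on the internet" for an inbound rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def expand_ports(port_range):
    """Expand a port spec (int, 'lo-hi' string, '*' or a list of those) to a set of ints."""
    if isinstance(port_range, list):
        ports = set()
        for item in port_range:
            ports |= expand_ports(item)
        return ports
    if port_range == "*":
        return set(range(0, 65536))
    text = str(port_range)
    if "-" in text:
        lo, hi = (int(part) for part in text.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(text)}


def exposed_management_rules(rules):
    """Return (rule name, port, service) for inbound Allow rules that let any
    source reach a management port."""
    findings = []
    for rule in rules:
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        if rule.get("access", "Allow") != "Allow":
            continue
        # Assumption: the module treats a missing prefix as "*".
        source = rule.get("source_address_prefix", "*")
        if source not in ANY_SOURCE:
            continue
        ports = expand_ports(rule.get("destination_port_range", "*"))
        for port in sorted(ports & set(MANAGEMENT_PORTS)):
            findings.append((rule["name"], port, MANAGEMENT_PORTS[port]))
    return findings


def restrict_to_source(rule, source_cidr):
    """Return a copy of the rule pinned to one source CIDR (e.g. the control node's IP/32)."""
    return {**rule, "source_address_prefix": source_cidr}


if __name__ == "__main__":
    for name, port, service in exposed_management_rules(PLAYBOOK_RULES):
        print(f"{name}: {service} ({port}/tcp) is reachable from any source")
    # Constructed placeholder CIDR standing in for the control node's public IP.
    print(restrict_to_source(PLAYBOOK_RULES[0], "203.0.113.10/32"))
```

With the playbook as written it reports allow_rdp on 3389 and allow_powershell_remoting on 5985 and 5986; once every rule carries the control node's /32 as source_address_prefix the list is empty, while the web rule on 80/443 is untouched either way.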

Result after running the code from GitHub.

Next, configure the WinRM listener.

Error message: "Failed to download all specified files. Exiting. Error Message: CustomScript failed to download the blob https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 because it does not exist. Please create the blob and try again, the response code and message returned were: "The remote server returned an error: (404) Not Found. Not Found"

ConfigureRemotingForAnsible.ps1 removed from default branch? · Issue #81240 · ansible/ansible (github.com)

oink

Let's check the VM.

Vicuna

This error occurs when the VM extension (in this case, the WinRM extension) fails to provision on the VM. The error message indicates that the command execution finished but returned a non-zero exit code (1), which typically signifies an error.

To resolve this issue, you can try the following steps:

1. Check the VM extension log for more details about the error. You can do this by running the following command:

az vm extension show --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --output json

This command will return the extension log, which may provide more information about the cause of the error.

2. Ensure that the VM agent is running and configured correctly. You can check the status of the VM agent by running the following command:

az vm show --name <your-vm-name> --resource-group <your-resource-group> --query "vm.extensions[?name=='vmAgent']" --output json

If the VM agent extension is not running or is not configured correctly, you may need to restart the VM or reconfigure the VM agent extension.

3. If the issue persists, try redeploying the VM using the same or a new VM image, making sure to include the necessary extensions during deployment.

4. If the issue is specific to the WinRM extension, you can try provisioning the extension manually by running the following command:

az vm extension set --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --publisher Microsoft.Compute --settings '{"url": "<your-winrm-url>"}'

Replace <your-winrm-url> with the URL of the WinRM listener on the VM.

If you continue to face issues with provisioning the VM extension, consider reaching out to Azure support for further assistance.

OK, let's delete everything, since we added it step by step, and run the full playbook.

Since the extension does not seem to be enabled:

az vm extension show --name winrm-extension --vm-name win-wm --resource-group Rg-ansible-win01 --output json

(ResourceNotFound) The Resource 'Microsoft.Compute/virtualMachines/win-wm/extensions/winrm-extension' under resource group 'Rg-ansible-win01' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Code: ResourceNotFound

Troubleshooting Windows VM extension failures – Azure Virtual Machines | Microsoft Learn

Well, after putting everything in the YAML file, it worked:

It could be a timing issue; it failed on the first run, but the YAML was also missing this:

  - name: Get facts for one Public IP
    azure_rm_publicipaddress_info:
      resource_group: myResourceGroup
      name: pip
    register: publicipaddresses

  - name: set public ip address fact
    set_fact: publicipaddress="{{ publicipaddresses | json_query('publicipaddresses[0].ip_address')}}"

  - name: wait for the WinRM port to come online
    wait_for:
      port: 5986
      host: '{{ publicipaddress }}'
      timeout: 600

So everything up to the VM was created, but nothing after it.

azure-ansible/1-4-az-create-windows-vm/create_vm.yml at main · spawnmarvel/azure-ansible (github.com)

Result after adding the above YAML and running it.

Wait for the WinRM connection:

oink

Make the connect.yml and try to connect.

ansible-playbook connect.yml  -i 20.117.74.165,

Check the NSG

OK, try telnet from the control node: no success, hm.

Is the port open for outbound? Do we need it?

Add outbound 5985, 5986 and 80, 443.

Nope, it must be something else: the internal firewall on Windows or some other thing.

Log in to the Windows VM.

Success.

The internal firewall is on.

Turn it off and check telnet again; hm, only 5985 works, not 5986, 80 or 443.

Run Ansible; now it is super fast.

Turn the firewall on again and run Ansible; now it times out, the same as in the image further up.

OK.

Ansible WinRM HTTPS and Persistent “Unreachable” Error · Issue #98 · Orange-Cyberdefense/GOAD (github.com)

New-SelfSignedCertificate -Subject 'CN=ServerB.domain.com' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'

Thumbprint                                Subject
----------                                -------
TPRINT                                    CN=ServerB.domain.com


winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="ServerB.domain.com"; CertificateThumbprint="TPRINT"}'

ResourceCreated
    Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    ReferenceParameters
        ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
        SelectorSet
            Selector: Address = *, Transport = HTTPS


$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTPS-In)'
    Direction = 'Inbound'
    LocalPort = 5986
    Protocol = 'TCP'
    Action = 'Allow'
    Program = 'System'
}
New-NetFirewallRule @FirewallParam
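Added example, not part of the original notes or the repository: a small stdlib-only Python probe that does what the telnet checks above do, plus what the playbook's wait_for task does, but from one script. tcp_open() is the telnet check, wait_for_port() polls with a deadline like wait_for, and winrm_port_report() tells "closed" (TCP refused or timed out, i.e. NSG or host firewall in the way) apart from "open" (TCP only) and "tls" (the HTTPS listener on 5986 actually completes a handshake). Certificate validation is disabled in the TLS probe on purpose, because the listener above uses a self-signed certificate and the probe only wants to know that something speaks TLS; the target address in __main__ is a constructed placeholder.

```python
"""Probe WinRM ports with a deadline, stdlib only. Added example, not the repo's code."""
import socket
import ssl
import time

WINRM_HTTP = 5985
WINRM_HTTPS = 5986


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout (the telnet check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(host, port, timeout=600, interval=5, probe=tcp_open):
    """Poll until the port accepts a connection, like Ansible's wait_for.
    Returns seconds waited (rounded) on success, or None on timeout."""
    start = time.monotonic()
    deadline = start + timeout
    while time.monotonic() < deadline:
        if probe(host, port):
            return round(time.monotonic() - start, 1)
        time.sleep(min(interval, max(0.0, deadline - time.monotonic())))
    return None


def tls_handshake_ok(host, port, timeout=3.0):
    """Return True if a TLS handshake completes on host:port.
    Validation is off on purpose: the listener uses a self-signed certificate and
    this probe only asks whether the port speaks TLS at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def winrm_port_report(host, probe=tcp_open, tls_probe=tls_handshake_ok):
    """Classify each WinRM port as 'closed', 'open' (TCP only) or 'tls' (HTTPS listener up).
    probe/tls_probe are injectable so the logic can be exercised without a network."""
    report = {}
    for port in (WINRM_HTTP, WINRM_HTTPS):
        if not probe(host, port):
            report[port] = "closed"          # NSG or host firewall, or no listener at all
        elif port == WINRM_HTTPS and tls_probe(host, port):
            report[port] = "tls"             # the HTTPS listener answers
        else:
            report[port] = "open"            # TCP accepts; plain HTTP listener or no TLS
    return report


if __name__ == "__main__":
    target = "203.0.113.10"  # constructed placeholder; the notes use the VM's public IP
    print(winrm_port_report(target))
    print("5986 came up after", wait_for_port(target, WINRM_HTTPS, timeout=30, interval=5), "s")
```

The pattern the notes hit, host firewall on and only the default HTTP listener present, shows up as {5985: "open", 5986: "closed"}; after the HTTPS listener and the 5986 firewall rule are in place it becomes {5985: "open", 5986: "tls"}, which is what Ansible needs before win_ping can work over HTTPS.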

The rule is added.

Now run Ansible.

Amazing.

Now ping it (win_ping).

WinRM – the specified credentials were rejected by the server · Issue #114 · diyan/pywinrm (github.com)

The user is an admin.

Set the same timezone? Nope.

Getting Credential rejected Error when trying to win_ping to a windows host from Ansible. · Issue #43920 · ansible/ansible (github.com)

Yes, that was it: updated the inventory with ansible_winrm_transport = ntlm.

# https://github.com/ansible/ansible/issues/43920
# Does NTLM auth work, ansible_winrm_transport: ntlm

ansible_winrm_transport = ntlm

ansible winhosts -m win_ping -u azureuser
ansible winhosts -m win_ping

# 20.117.74.165 | SUCCESS => {
#     "changed": false,
#     "ping": "pong"
# }