Azure
Create a Windows virtual machine in Azure using Ansible | Microsoft Learn
Code
azure-ansible/1-4-az-create-windows-vm at main · spawnmarvel/azure-ansible (github.com)
    - name: Create Network Security Group
      azure_rm_securitygroup:
        resource_group: myResourceGroup
        name: networkSecurityGroup
        # No source_address_prefix is given, so each rule defaults to '*' and
        # admits RDP, HTTP(S) and WinRM from any Internet address. Narrow it to
        # the control node's address before leaving the VM running.
        rules:
          - name: 'allow_rdp'
            protocol: Tcp
            destination_port_range: 3389
            access: Allow
            priority: 1001
            direction: Inbound
          - name: 'allow_web_traffic'
            protocol: Tcp
            destination_port_range:
              - 80
              - 443
            access: Allow
            priority: 1002
            direction: Inbound
          - name: 'allow_powershell_remoting'
            protocol: Tcp
            destination_port_range:
              - 5985   # WinRM over HTTP (cleartext unless message encryption is negotiated)
              - 5986   # WinRM over HTTPS, which is what the inventory below ends up using
            access: Allow
            priority: 1003
            direction: Inbound
    - name: Create a network interface
      azure_rm_networkinterface:
        name: nic
        resource_group: myResourceGroup
        virtual_network: vNet
        subnet_name: subnet
        security_group: networkSecurityGroup   # the NSG above is attached at NIC level
        ip_configurations:
          - name: default
            public_ip_address_name: pip
            primary: True
Result after running code from github
Next, Configure the WinRM Listener.
Error message: "Failed to download all specified files. Exiting. Error Message: CustomScript failed to download the blob https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 because it does not exist. Please create the blob and try again, the response code and message returned were: "The remote server returned an error: (404) Not Found. Not Found"
The CustomScript extension fetches that script from the raw GitHub URL at provisioning time, and the 404 means the ansible/ansible repository no longer serves a file at that path, so the extension never runs and no WinRM HTTPS listener gets configured on the VM. Pulling an unpinned script from a devel branch into a fresh VM is also a supply-chain exposure; hosting a reviewed copy yourself, or pinning to a specific commit, avoids both the breakage and the risk.
oink
Lets check the vm
Vicuna
This error occurs when the VM extension (in this case, the WinRM extension) fails to provision on the VM. The error message indicates that the command execution finished but returned a non-zero exit code (1), which typically signifies an error.
To resolve this issue, you can try the following steps:
1. Check the VM extension log for more details about the error. You can do this by running the following command:
az vm extension show --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --output json
This command will return the extension log, which may provide more information about the cause of the error.
2. Ensure that the VM agent is running and configured correctly. You can check the status of the VM agent by running the following command:
az vm show --name <your-vm-name> --resource-group <your-resource-group> --query "vm.extensions[?name=='vmAgent']" --output json
If the VM agent extension is not running or is not configured correctly, you may need to restart the VM or reconfigure the VM agent extension.
3. If the issue persists, try redeploying the VM using the same or a new VM image, making sure to include the necessary extensions during deployment.
4. If the issue is specific to the WinRM extension, you can try provisioning the extension manually by running the following command:
az vm extension set --name winrm-extension --vm-name <your-vm-name> --resource-group <your-resource-group> --publisher Microsoft.Compute --settings '{"url": "<your-winrm-url>"}'
Replace <your-winrm-url> with the URL of the WinRM listener on the VM.
If you continue to face issues with provisioning the VM extension, consider reaching out to Azure support for further assistance.
Ok, let's delete everything, since we added it step by step, and run the full playbook.
Since it does not seem enabled:
az vm extension show --name winrm-extension --vm-name win-wm --resource-group Rg-ansible-win01 --output json
(ResourceNotFound) The Resource 'Microsoft.Compute/virtualMachines/win-wm/extensions/winrm-extension' under resource group 'Rg-ansible-win01' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Code: ResourceNotFound
Troubleshooting Windows VM extension failures – Azure Virtual Machines | Microsoft Learn
Well, after putting everything in the yml file, it worked:
It could be something with timing; it ran once and failed, but the yaml was missing this:
    - name: Get facts for one Public IP
      azure_rm_publicipaddress_info:
        resource_group: myResourceGroup
        name: pip
      register: publicipaddresses
    - name: set public ip address fact
      # json_query needs the jmespath Python package on the control node
      set_fact: publicipaddress="{{ publicipaddresses | json_query('publicipaddresses[0].ip_address')}}"
    - name: wait for the WinRM port to come online
      # Blocks until 5986 accepts a TCP connection, so the later connect step
      # does not race the VM boot; the WinRM HTTPS listener must exist for this to succeed
      wait_for:
        port: 5986
        host: '{{ publicipaddress }}'
        timeout: 600
So everything up to the VM was created, but nothing after it.
Result after adding above yml and running it.
wait for the WinRM connection:
oink
Make the connect.yml and try to connect.
ansible-playbook connect.yml -i 20.117.74.165,
Check the NSG
Ok, try telnet on the ctrlnode; it does not succeed, hm.
Is the port open for outbound, do we need it?
Add outbound 5985, 5986 and 80, 443.
Nope, it must be something else, the internal firewall on Windows or some other thing.
Login to the windows vm.
success
The internal firewall is on
Turn it off and check telnet again; hm, only 5985 works, not 5986, 80 or 443.
Run ansible, now it is super fast.
Turn the firewall on again and run ansible; now it goes to timeout, same as the image way above here.
Ok.
New-SelfSignedCertificate -Subject 'CN=ServerB.domain.com' -TextExtension '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
Thumbprint Subject
---------- -------
TPRINT CN=ServerB.domain.com
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="ServerB.domain.com"; CertificateThumbprint="TPRINT"}'
ResourceCreated
Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters
ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
SelectorSet
Selector: Address = *, Transport = HTTPS
$FirewallParam = @{
    DisplayName = 'Windows Remote Management (HTTPS-In)'
    Direction   = 'Inbound'
    LocalPort   = 5986
    Protocol    = 'TCP'
    Action      = 'Allow'
    Program     = 'System'
}
New-NetFirewallRule @FirewallParam
The rule is added
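The three steps above (certificate, HTTPS listener, firewall rule) are easy to get half right, and the symptom is the same wait_for timeout seen earlier. The script below is an added example, not from the original notes or from Ansible/Microsoft documentation: Get-WinRmHttpsAudit reads back the listener, the certificate it points at, the WinRM service settings and the firewall rule's remote scope, and Set-WinRmHttpsHardening restricts the rule to the control node and turns off cleartext and Basic auth. It assumes an elevated PowerShell on the Windows VM, the rule DisplayName used above, and 203.0.113.10 as a placeholder for the ctrlnode's public IP.

```powershell
# Added example (not part of the original notes). Run elevated on the Windows VM.
# Assumption: 203.0.113.10 is a placeholder for the ctrlnode's public IP.
$ControlNodeIp = '203.0.113.10'

function Get-WinRmHttpsAudit {
    # Listener entries live under WSMan:\localhost\Listener; each entry's Keys
    # property holds strings such as 'Address=*' and 'Transport=HTTPS'.
    $https = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Select-Object -First 1

    $thumbprint = $null; $hostname = $null; $port = $null
    if ($https) {
        $props = Get-ChildItem -Path ('WSMan:\localhost\Listener\' + $https.Name)
        $thumbprint = ($props | Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value
        $hostname   = ($props | Where-Object { $_.Name -eq 'Hostname' }).Value
        $port       = ($props | Where-Object { $_.Name -eq 'Port' }).Value
    }

    # The listener only works if the thumbprint resolves to a certificate with a
    # private key in the machine store, where New-SelfSignedCertificate put it.
    $cert = $null
    if ($thumbprint) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumbprint }
    }

    # Service settings that decide whether credentials may cross 5985 in the clear.
    $allowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $basicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value

    # The firewall rule created above, plus the remote scope it actually has
    # (New-NetFirewallRule without -RemoteAddress means 'Any').
    $rule  = Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue
    $scope = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { $null }

    [pscustomobject]@{
        HttpsListenerPresent  = [bool]$https
        ListenerHostname      = $hostname
        ListenerPort          = $port
        CertificateThumbprint = $thumbprint
        CertificateInStore    = [bool]$cert
        CertificateHasKey     = $(if ($cert) { $cert.HasPrivateKey } else { $false })
        CertificateNotAfter   = $(if ($cert) { $cert.NotAfter } else { $null })
        AllowUnencrypted      = $allowUnencrypted
        BasicAuthEnabled      = $basicAuth
        FirewallRulePresent   = [bool]$rule
        FirewallRuleEnabled   = $(if ($rule) { [string]$rule.Enabled } else { $null })
        FirewallRemoteScope   = $scope
    }
}

function Set-WinRmHttpsHardening {
    param([string]$RemoteAddress = $ControlNodeIp)
    # Scope the 5986 rule to the control node instead of any source.
    Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' |
        Set-NetFirewallRule -RemoteAddress $RemoteAddress
    # Refuse cleartext WS-Man traffic and Basic auth; NTLM and Kerberos keep
    # working over the HTTPS listener.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
}

Get-WinRmHttpsAudit | Format-List
```

If HttpsListenerPresent is false or CertificateInStore is false, wait_for on 5986 will time out no matter what the NSG or firewall say; if FirewallRemoteScope is Any, the listener is reachable from every address the NSG lets through. Run Set-WinRmHttpsHardening once the audit looks right, and narrow the NSG source_address_prefix the same way; the self-signed certificate still needs either a trusted CA or a deliberate validation policy on the control node.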
Now run ansible
Amazing
Now ping it.
The user is admin.
Set the same timezone? Nope.
Yes, updated the inventory with: ansible_winrm_transport = ntlm
# https://github.com/ansible/ansible/issues/43920
# Does NTLM auth work, ansible_winrm_transport: ntlm
ansible_winrm_transport = ntlm
ansible winhosts -m win_ping -u azureuser
ansible winhosts -m win_ping
# 20.117.74.165 | SUCCESS => {
# "changed": false,
# "ping": "pong"
# }