Terraform EC2 windows instance managed by Ansible

This article shows how to spin up a Windows EC2 instance with Terraform and make it manageable by Ansible from the moment it boots.

Amit Kumar Dash
Towards AWS


To manage or configure a Windows EC2 instance with Ansible, WinRM must be listening over HTTPS on port 5986 and that port must be reachable from the Ansible control node. Ansible publishes the ConfigureRemotingForAnsible.ps1 script for exactly this: it creates a self-signed certificate and an HTTPS WinRM listener, enables Basic authentication and adds the Windows Firewall rule for 5986.

This post shows how to use EC2 userdata to make the instance ready for Ansible as soon as it boots. The idea came from an article in which a fleet of Windows instances is joined to a domain through userdata. In my case I needed to do more than join a domain, I am comfortable with Ansible and prefer to stay away from PowerShell, so the userdata does the minimum and Ansible does the rest. To keep it simple I use Ansible's basic WinRM authentication with a local username and password for the configuration work.

USERDATA

If you want to launch the instance without a key pair, check out this. The password has to be set from userdata through PowerShell, but it must not appear in the script itself: userdata is stored in plain text, ends up in the Terraform state, and can be read back by any process on the instance from the metadata service (http://169.254.169.254/latest/user-data). This is where AWS Secrets Manager comes in.

Create a Secrets Manager secret named “admin_pwd” with a single key, “password”, whose value is the password you want to use (the secret is stored as JSON, {"password": "..."}, which is what the userdata script parses). Create it in the same region as the rest of the infrastructure, because the instance role policy is scoped to that region's secret ARN.

The userdata script is in the repo:

https://github.com/Dash2701/terraform-ansible-windows-ec2/blob/d5d8b830fc2562ef3e17682961b20297501b34e5/ansibleuserdata.ps1

It does two things: it sets the Administrator password from the secret, and it enables WinRM over HTTPS so Ansible can reach the server. If you would rather not use the built-in Administrator account, modify the script to create another user with PowerShell, add it to the local Administrators group and set its password to the same secret value.
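What such a userdata script looks like, as an added example written for this post rather than the repo's own ansibleuserdata.ps1: it reads the password from the admin_pwd secret through the instance role, sets it on the account, then downloads and runs ConfigureRemotingForAnsible.ps1 and checks that 5986 is listening. The account name, the script URL and the SHA-256 placeholder are assumptions to adjust; the block assumes AWS Tools for PowerShell on the AMI (Amazon-provided Windows AMIs ship them), Windows Server 2016 or later for the LocalAccounts cmdlets, and an instance profile allowed to read the secret.

```powershell
<powershell>
# Added example userdata (not the repo's ansibleuserdata.ps1).
# Assumptions: a Secrets Manager secret "admin_pwd" holding {"password": "..."}
# in the instance's region; an instance profile allowed to GetSecretValue on it;
# AWS Tools for PowerShell present; Windows Server 2016+ (Microsoft.PowerShell.LocalAccounts).
$ErrorActionPreference = 'Stop'
$SecretId = 'admin_pwd'
$UserName = 'Administrator'   # assumed; use a dedicated account if you prefer
# URL and hash are placeholders: pin a copy of the script you have reviewed and
# fill in its SHA-256, so a moved or tampered download cannot run at boot.
$ScriptUrl      = 'https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'
$ExpectedSha256 = '<sha256 of the reviewed script>'

# --- Step 1: set the local password from Secrets Manager -------------------
# The password never appears in userdata, so it cannot be read back through
# http://169.254.169.254/latest/user-data or out of the Terraform state.
$secret   = Get-SECSecretValue -SecretId $SecretId
$password = ($secret.SecretString | ConvertFrom-Json).password
if ([string]::IsNullOrWhiteSpace($password)) {
    throw "Secret '$SecretId' has no 'password' key"
}
$secure = ConvertTo-SecureString -String $password -AsPlainText -Force

if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires $true
} else {
    # Dedicated-account path: create the user and make it a local admin.
    New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $UserName
}
Enable-LocalUser -Name $UserName
Remove-Variable password, secret   # drop the plaintext from the session

# --- Step 2: enable WinRM over HTTPS for Ansible ----------------------------
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$scriptPath = Join-Path $env:TEMP 'ConfigureRemotingForAnsible.ps1'
Invoke-WebRequest -Uri $ScriptUrl -OutFile $scriptPath -UseBasicParsing
$actual = (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "ConfigureRemotingForAnsible.ps1 hash mismatch: $actual"
}
# The script creates a self-signed cert, an HTTPS listener on 5986, enables
# Basic auth and opens the firewall port. -ForceNewSSLCert avoids reusing a
# certificate that may have been baked into a custom AMI.
powershell.exe -ExecutionPolicy Bypass -File $scriptPath -ForceNewSSLCert

# --- Step 3: sanity check before Ansible ever connects ----------------------
if (-not (Get-NetTCPConnection -LocalPort 5986 -State Listen -ErrorAction SilentlyContinue)) {
    throw 'WinRM HTTPS listener is not listening on 5986'
}
</powershell>
```

The `<powershell>` tags are what make EC2 run the block as a PowerShell script on first boot; pass the file as user_data on the aws_instance resource (file() or templatefile() in Terraform). Because the script only ever holds the password in memory and fetches it with the instance role, nothing secret is committed to the repo, the plan or the state.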

Terraform

For the Terraform part, clone the repo:

Dash2701/terraform-ansible-windows-ec2 (github.com)

Then navigate into the folder:

cd terraform-ansible-windows-ec2

Open terraform.tfvars and replace the account number and region with your own. These variables are used to build the ARN of the secret, so that the IAM policy and instance role created by Terraform grant the instance access to that one secret only (arn:aws:secretsmanager:<region>:<account>:secret:admin_pwd-*, the trailing -* covering the random suffix Secrets Manager appends to secret ARNs) rather than to every secret in the account. The only action the role needs is secretsmanager:GetSecretValue, plus kms:Decrypt if the secret is encrypted with a customer-managed KMS key.

The policy and role are defined in the following file in the repo: serverrole

The role is attached to the instance through an instance profile, so the userdata script uses the temporary instance credentials from the metadata service and no access keys ever appear in the script.

Now you can run terraform init and terraform apply. The detailed steps are in the README of the repo:

Dash2701/terraform-ansible-windows-ec2 (github.com)

The security group in the Terraform code opens both RDP (3389) and WinRM HTTPS (5986) so you can test with either; restrict the ingress CIDR to your own address rather than 0.0.0.0/0, since both are password-authenticated services. When you run the win_ping module or a playbook, make sure the inventory contains:

ansible_connection=winrm
ansible_winrm_transport=basic
ansible_winrm_server_cert_validation=ignore
ansible_port=5986

along with ansible_user and ansible_password, the password being the value stored in the admin_pwd secret. Two caveats: the basic transport only works with local accounts (domain accounts need ntlm or kerberos), and server_cert_validation=ignore is there because ConfigureRemotingForAnsible installs a self-signed certificate, so the connection is encrypted but the control node does not verify which host it is talking to. For anything beyond a test, install a certificate the control node trusts and drop the ignore, and keep ansible_password out of plain inventory files (ansible-vault, or the amazon.aws.aws_secret lookup against the same secret).


I am a Site Reliability Engineer at Flipkart, Bengaluru, India. And for Coding Coffee does not help me but an Indian Ginger Tea does the job.