07 automate windowsenvironmentswithansibleanddsc
0 likes163 views
- Ansible can be used to automate Windows environments by leveraging over 70 Windows modules and 350 PowerShell DSC resources. - DSC (Desired State Configuration) is a configuration management platform that ships with Windows Server 2012 and newer to define and maintain the desired state of systems. - Ansible and DSC can be used together, with Ansible providing a scaleable architecture to manage DSC configurations across many nodes using its agentless design. - Windows modules are generally used for tasks that DSC resources do not support, like when the host does not support PowerShell v5 or a specific feature is missing, while DSC resources are used when the module is not available or to leverage existing DSC
![- hosts: new_servers
tasks:
- name: ensure common OS updates are current
win_updates:
register: update_result
- name: ensure domain membership
win_domain_membership:
dns_domain_name: contoso.corp
domain_admin_user: '{{ domain_admin_username }}'
domain_admin_password: '{{ domain_admin_password }}'
state: domain
register: domain_result
- name: reboot and wait for host if updates or domain change require it
win_reboot:
when: update_result.reboot_required or domain_result.reboot_required
- name: ensure local admin account exists
win_user:
name: localadmin
password: '{{ local_admin_password }}'
groups: Administrators
- name: ensure common tools are installed
win_chocolatey:
name: '{{ item }}'
with_items: ['sysinternals', 'googlechrome']
PLAYBOOK EXAMPLE: WINDOWS](https://image.slidesharecdn.com/07-automatewindowsenvironmentswithansibleanddsc-190503080201/85/07-automate-windowsenvironmentswithansibleanddsc-5-320.jpg)
![- name: Install required DSC module
win_psmodule:
name: xWebAdministration
state: present
- name: Install IIS Web-Server
win_dsc:
resource_name: windowsfeature
name: Web-Server
- name: Create IIS site
win_dsc:
resource_name: xWebsite
Ensure: Present
Name: Ansible
State: Started
PhysicalPath: c:sitesAnsible
BindingInfo:
- Protocol: http
Port: 8080
IPAddress: '*'
Use win_dsc module vs Powershell
# Import the module
Import-DscResource -Module xWebAdministration,
PSDesiredStateConfiguration
Node $NodeName
{
# Install the IIS role
WindowsFeature IIS
{
Ensure = 'Present'
Name = 'Web-Server'
}
xWebsite DefaultSite
{
Ensure = 'Present'
Name = 'Ansible'
State = 'Started'
PhysicalPath = 'c:sitesAnsible'
DependsOn = '[WindowsFeature]IIS'
BindingInfo = MSFT_xWebBindingInformation
{
Protocol = 'http'
Port = '8080'
IPAddress = '*'
}
}
}](https://image.slidesharecdn.com/07-automatewindowsenvironmentswithansibleanddsc-190503080201/85/07-automate-windowsenvironmentswithansibleanddsc-10-320.jpg)
07 automate windowsenvironmentswithansibleanddsc
- 1. Kok Hui Lew Specialist Solution Architect Automate Windows Environments with Ansible and DSC
- 2. Agenda ● Windows Management with Ansible ● What is DSC? ● Why use DSC with Ansible? ● Where to use Ansible Windows Modules vs DSC resources? ● Compare and contrast Windows Modules and DSC resource examples ● Credential Management ● Example Playbooks
- 3. SIMPLE POWERFUL AGENTLESS App deployment Configuration management Workflow orchestration Network automation Orchestrate the app lifecycle Human readable automation No special coding skills needed Tasks executed in order Usable by every team Get productive quickly Agentless architecture Uses OpenSSH & WinRM No agents to exploit or update Get started immediately More efficient & more secure WHY ANSIBLE?
- 4. 70+ Windows Modules Use Ansible to deploy and manage Windows systems and applications. ANSIBLE WINDOWS AUTOMATION ansible.com/windows 350+ Powershell DSC resources
- 5. - hosts: new_servers tasks: - name: ensure common OS updates are current win_updates: register: update_result - name: ensure domain membership win_domain_membership: dns_domain_name: contoso.corp domain_admin_user: '{{ domain_admin_username }}' domain_admin_password: '{{ domain_admin_password }}' state: domain register: domain_result - name: reboot and wait for host if updates or domain change require it win_reboot: when: update_result.reboot_required or domain_result.reboot_required - name: ensure local admin account exists win_user: name: localadmin password: '{{ local_admin_password }}' groups: Administrators - name: ensure common tools are installed win_chocolatey: name: '{{ item }}' with_items: ['sysinternals', 'googlechrome'] PLAYBOOK EXAMPLE: WINDOWS
- 6. What is DSC? > Windows Management Platform built in ● Ships natively with Windows Server 2012 R2 and Windows 8.1 and newer ● Requires PowerShell v4 or greater > Configuration based declarative model ● Define desired state in configuration ● DSC determines how to execute on target > Push or Pull Architecture
- 7. Why Use DSC with Ansible? Both declarative & end-state oriented Scale using Ansible lightweight architecture Compliment each other Rich community ecosystem for both Ansible Tower provides enterprise capabilities managing Windows Extend end-to-end use cases beyond Windows management
- 8. Where to use Ansible Windows Modules vs DSC resources? Reasons for using an Ansible module over a DSC resource: ● The host does not support PowerShell v5.0, or it cannot easily be upgraded ● The DSC resource does not offer a feature present in an Ansible module ● DSC resources have limited check mode support, while some Ansible modules have better checks ● DSC resources do not support diff mode, while some Ansible modules do ● Custom resources require further installation steps to be run on the host beforehand, while Ansible modules are in built-in to Ansible Reasons for using a DSC resource over an Ansible module: ● The Ansible module does not support a feature present in a DSC resource ● There is no Ansible module available
- 9. - name: Install IIS Web-Server win_feature: name: Web-Server state: present restart: True include_sub_features: True include_management_tools: True - name: Create IIS site win_iis_website: name: Ansible state: started physical_path: c:sitesAnsible - name: Add HTTP webbinding to IIS win_iis_webbinding: name: Ansible protocol: http port: 8080 ip: '*' state: present Example playbooks with Ansible Modules vs DSC resources - name: Install required DSC module win_psmodule: name: xWebAdministration state: present - name: Install IIS Web-Server win_dsc: resource_name: windowsfeature name: Web-Server - name: Create IIS site win_dsc: resource_name: xWebsite Ensure: Present Name: Ansible State: Started PhysicalPath: c:sitesAnsible BindingInfo: - Protocol: http Port: 8080 IPAddress: '*'
- 10. - name: Install required DSC module win_psmodule: name: xWebAdministration state: present - name: Install IIS Web-Server win_dsc: resource_name: windowsfeature name: Web-Server - name: Create IIS site win_dsc: resource_name: xWebsite Ensure: Present Name: Ansible State: Started PhysicalPath: c:sitesAnsible BindingInfo: - Protocol: http Port: 8080 IPAddress: '*' Use win_dsc module vs Powershell # Import the module Import-DscResource -Module xWebAdministration, PSDesiredStateConfiguration Node $NodeName { # Install the IIS role WindowsFeature IIS { Ensure = 'Present' Name = 'Web-Server' } xWebsite DefaultSite { Ensure = 'Present' Name = 'Ansible' State = 'Started' PhysicalPath = 'c:sitesAnsible' DependsOn = '[WindowsFeature]IIS' BindingInfo = MSFT_xWebBindingInformation { Protocol = 'http' Port = '8080' IPAddress = '*' } } }
- 11. Handle Credentials with win_dsc Module ● By default win_dsc module uses SYSTEM account ● You can use PsDscRunAsCredential attribute to run as another user: - name: use win_dsc with PsDscRunAsCredential to run as a different user win_dsc: resource_name: Registry Ensure: Present Key: HKEY_CURRENT_USERExampleKey ValueName: TestValue ValueData: TestData PsDscRunAsCredential_username: '{{ ansible_user }}' PsDscRunAsCredential_password: '{{ ansible_password }}' no_log: true
- 12. Some Example DSC Resources ● Built-in: ○ Archive ○ File ○ Group ○ Package ○ WindowsFeature ○ And more.. ● Custom resources provided by Microsoft and the community: ○ Domain Controller ○ IIS Web Site ○ SQL Server Cluster ○ Failover Cluster ○ DNS ○ And many more..
- 13. 13 CONFIDENTIAL Beyond Server Management - Rolling Update Example Your applications and systems are more than just collections of configurations. They’re a finely tuned and ordered list of tasks and processes that result in your working application. Ansible can do it all: • Provisioning • App Deployment • Configuration Management • Multi-tier Orchestration
- 14. How to obtain a list of Ansible Windows Modules and DSC Resources ● Ansible Modules: ○ https://docs.ansible.com/ansible/latest/modules/list_of_windows_modules.html ● Built-in DSC Resources: ○ https://docs.microsoft.com/en-us/powershell/dsc/builtinresource ○ Or run this powershell command: Find-DscResource ● DSC Resources on Github: ○ https://github.com/PowerShell/DscResources ● DSC Resources on Powershell Gallery: ○ https://www.powershellgallery.com
- 15. THANK YOU