This project enables Ansible on Azure.
Ansible can run on any computer or group of computers that it finds, provided that WinRM or SSH are enabled on those computers. This project includes a dynamic inventory for Ansible, which automatically groups virtual machines on Azure by location and tags.
You may run Ansible on Linux or macOS, or in WSL. Ansible requires Python 3.
To set up Ansible, run these commands in a terminal window:
pip3 install --user -r requirements-ansible.txt
ansible-galaxy install -r requirements.yml
pip3 install --user -r $HOME/.ansible/collections/ansible_collections/azure/azcollection/requirements-azure.txt
Ensure that the bin directory for Python is on your PATH. On macOS, this is $HOME/Library/Python/3.9/bin.
Some Microsoft tasks for Ansible are currently not compatible with pipx and other Python environment isolation tools. For this reason, these commands install Ansible and the required Python modules to your home directory.
To set up code checks for development, run npm install:
npm install
To run operations with Ansible, you need a Service Principal in Azure Active Directory. This Service Principal must be a member of the Contributors role on the subscriptions in Azure.
Set the service principal details in either the configuration file $HOME/.azure/credentials, or as environment variables:
- AZURE_CLIENT_ID
- AZURE_SECRET
- AZURE_SUBSCRIPTION_ID
- AZURE_TENANT
To list the available Virtual Machines:
ansible-inventory -i inventories/azure_rm.yml --graph
Ansible provides specific modules for Windows. For example, win_command runs a command on Windows computers, and win_copy copies files from your systems to Windows computers.
To run an Ansible task on one computer, use the name of the computer. This command specifies the computer example-vm-0001:
ansible example-vm-0001 --ask-pass --user vmadmin -i inventories/azure_rm.yml -m win_copy -a "src=example.txt dest=C:\Temp"
To run an Ansible task on a group of computers, specify the group. This command specifies the group tag_environment_dev:
ansible tag_environment_dev --ask-pass --user vmadmin -i inventories/azure_rm.yml -m win_copy -a "src=example.txt dest=C:\Temp"
To get information about computers, use setup:
ansible example-vm-0001 --ask-pass --user vmadmin -i inventories/azure_rm.yml -m setup
To check whether Ansible can access Windows computers without making any changes, use win_ping:
ansible example-vm-0001 --ask-pass --user vmadmin -i inventories/azure_rm.yml -m win_ping
Use playbooks to define a set of commands that execute on a group of computers. This project includes several playbooks.
- ping_azure_windows checks that Ansible can connect to all available Windows computers on Azure
- apply_windows_devtools installs and updates a collection of standard tools on Windows development machines
- apply_windows_updates.yml runs Windows Update on all target computers
To carry out a dry-run of a playbook, use --check to enable check mode:
ansible-playbook --ask-pass --user vmadmin --check -i inventories/azure_rm.yml ./apply_windows_updates.yml
To run a playbook on the target computers, use ansible-playbook without --check:
ansible-playbook --ask-pass --user vmadmin -i inventories/azure_rm.yml ./ping_azure_windows.yml
Use the --limit option to change which computers a playbook runs on:
ansible-playbook --ask-pass --user vmadmin -i inventories/azure_rm.yml --limit tag_environment_dev ./ping_azure_windows.yml
If Ansible fails on some computers, it creates a list of these computers as a .retry file. You can use --limit to run a playbook on the computers where Ansible failed:
ansible-playbook --ask-pass --user vmadmin -i inventories/azure_rm.yml --limit @apply_windows_updates.retry ./apply_windows_updates.yml
To deploy a new Windows VM:
ansible-playbook -i inventories/localhost ./deploy_disposable_public_win_vm.yml --extra-vars "@examples/answers/disposable_public_win_vm.yml"
This playbook creates copies of the WinRM server certificates for new virtual machines in the tmp/ directory of this project.
To deploy a new Linux VM:
ansible-playbook -i inventories/localhost ./deploy_disposable_public_ubuntu_vm.yml --extra-vars "@examples/answers/disposable_public_ubuntu_vm.yml"
## Working with Azure Resource Groups
We use the localhost inventory to run commands on Azure itself.
To create an empty resource group:
ansible-playbook -i inventories/localhost ./create_resource_group.yml --extra-vars "resource_group_name=example-hosts-0040-rg location=uksouth"
To create a resource group with resources for testing and prototyping:
ansible-playbook -i inventories/localhost ./deploy_lab_resource_group.yml --extra-vars "@examples/answers/lab_resource_group.yml"
To delete a resource group and all of the resources in it:
ansible-playbook -i inventories/localhost ./delete_resource_group.yml --extra-vars "resource_group_name=example-hosts-0040-rg location=uksouth"
This project also includes playbooks for deploying several types of resources on Azure. These playbooks are useful for setting up resources for testing.
To deploy a Virtual Network:
ansible-playbook -i inventories/localhost ./deploy_minimal_vnet.yml --extra-vars "@examples/answers/minimal_vnet.yml"
To deploy an Azure Key Vault:
ansible-playbook -i inventories/localhost ./deploy_minimal_key_vault.yml --extra-vars "@examples/answers/minimal_key_vault.yml"
To deploy a Storage Account for VM diagnostics:
ansible-playbook -i inventories/localhost ./deploy_vm_diag_storage.yml --extra-vars "@examples/answers/vm_diag_storage.yml"
Install Ansible Lint and the Visual Studio Code extension for Ansible. The Visual Studio Code extension automatically checks roles and playbooks with Ansible Lint.
To install Ansible Lint, run these commands in a terminal window:
pipx install ansible-lint
pipx inject ansible-lint ansible-core yamllint
This project includes examples of using Ansible to deploy ARM templates and run the Azure CLI. The roles used by the deploy_ playbooks provide examples of how to deploy ARM templates. The role key_vault_secret provides an example of running the Azure CLI in an Ansible task.
Use the playbooks create_resource_group.yml and delete_resource_group.yml to create and delete resource groups for testing. You can then use the playbook deploy_arm_template.yml to deploy any ARM template into your resource groups.
ansible-playbook -i inventories/localhost ./deploy_arm_template.yml --extra-vars "template_file_path=examples/arm/storage/store-deployment-template.json parameters_file_path=examples/arm/storage/store-deployment-parameters.json deployment_name=example-0010 resource_group_name=example-hosts-0040-rg location=uksouth"