Closed watsonb closed 4 months ago
Alright, I did figure out one way, not sure if it is the correct/preferred method.
I eventually did get delegate_to: <win_host> working at the task level. It failed previously because I had specified ansible_connection: local at the play level.
My initial issue is still valid from my point of view; that the documentation lacks this guidance to delegate tasks to some Windows host that you've previously configured to manage via Ansible.
I'm stuck with the exact same issue and completely agree, documentation really needs improving for Windows.
Could you help by explaining exactly what you have done to get it working?
Here are my notes in my playbook:
#
# NOTES: using the microsoft.ad.group module wasn't as straightforward as I initially thought
# with respect to _executing_ the modules. I've verified 2 working methods:
# 1. Target a Windows host at the play level that has AD Powershell modules installed
# 2. delegate_to the specific microsoft.ad.* task to a Windows host
#
Here's my playbook/task example:
- name: Manage AD Groups and ADO Objects
  hosts: localhost
  gather_facts: false
  tasks:
    - name: AD | manage group state
      delegate_to: "{{ groups['awx_win_delegate'][0] }}"
      microsoft.ad.group:
        name: "{{ item.name }}"
        scope: global
        state: "{{ ap_azure_ad_group_state | default('present') }}"
        description: "[KHO][Approval: Required] {{ item.description_suffix }}"
        category: security
        managed_by: "{{ ap_azure_ad_groups_managed_by }}"
        path: "{{ ap_azure_ad_group_path }}"
        domain_server: "{{ domain_controllers[0] }}"
        domain_username: "{{ automation_user }}"
        domain_password: "{{ automation_user_pass }}"
      loop: "{{ ap_azure_ad_groups }}"
      tags: [manage_ad_groups]
The host I delegate the task to is a Windows machine with the RSAT/AD PowerShell tools installed that I can connect to via WinRM with Ansible.
Hope this helps.
Thank you. Will try this when back at work. Did you also have to configure WinRM on the Windows machine?
Yes. My assumption is you've got a Windows machine set up somewhere that you can manage/connect to via Ansible.
Where does the username and password for connecting to the Windows machine go?
Got it working with this:
inventory
[win]
srv03.mylab.com
[win:vars]
ansible_connection=winrm
ansible_port=5985
ansible_user=ansible@MYLAB.COM
ansible_password=mypassword
ansible_winrm_server_cert_validation=ignore
ansible.yaml
- name: manage ad objects
  hosts: win
  tasks:
    - name: Add group and specify the AD domain services to use for the create
      microsoft.ad.group:
        name: Test Group4
        domain_username: ansible@MYLAB.COM
        domain_password: mypassword
        scope: domainlocal
command: ansible-playbook -i inventory ansible.yaml
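The two working layouts above (targeting the Windows host directly, or delegating a single task to it from localhost) both carry the domain password and WinRM credentials in clear text and turn off WinRM certificate validation. The following is an added example, not code from this thread or from the microsoft.ad collection, that keeps the delegate_to pattern watsonb described while moving the credentials into an Ansible Vault file, using the HTTPS WinRM listener with certificate validation left on, and marking the task no_log so the domain password does not end up in task output or job logs. The host name win-rsat01.example.com, the group name awx_win_delegate, the variable names ad_automation_user/ad_automation_pass and the sample group names are assumptions chosen for the example.

```yaml
# inventory.yml (added example; host and group names are assumptions)
all:
  hosts:
    localhost:
      ansible_connection: local        # connection var lives in inventory, not at play level
  children:
    awx_win_delegate:
      hosts:
        win-rsat01.example.com:        # Windows host with RSAT / ActiveDirectory PowerShell module
      vars:
        ansible_connection: winrm
        ansible_port: 5986             # HTTPS listener rather than 5985 (HTTP)
        ansible_winrm_transport: ntlm
        ansible_winrm_server_cert_validation: validate   # do not set "ignore" outside a lab
        ansible_user: ansible@MYLAB.COM

# group_vars/awx_win_delegate/vault.yml
# Encrypt with: ansible-vault encrypt group_vars/awx_win_delegate/vault.yml
# (plaintext shown here as a placeholder; the real file holds the vault ciphertext)
ansible_password: "<WINRM-PASSWORD-PLACEHOLDER>"
ad_automation_user: "ansible@MYLAB.COM"
ad_automation_pass: "<AD-PASSWORD-PLACEHOLDER>"

# playbook.yml
- name: Manage AD groups from the controller via a Windows delegate
  hosts: localhost
  gather_facts: false
  # Deliberately no ansible_connection: local here. Play-level vars take
  # precedence over the delegate host's inventory vars, which is the failure
  # mode described earlier in this thread: the delegated task would run on the
  # controller with Python instead of on the Windows host with PowerShell.
  vars:
    ad_group_names:                    # constructed sample input
      - app-readers
      - app-writers
  tasks:
    - name: AD | ensure security groups exist
      microsoft.ad.group:
        name: "{{ item }}"
        scope: global
        category: security
        state: present
        domain_username: "{{ hostvars[groups['awx_win_delegate'][0]].ad_automation_user }}"
        domain_password: "{{ hostvars[groups['awx_win_delegate'][0]].ad_automation_pass }}"
      loop: "{{ ad_group_names }}"
      delegate_to: "{{ groups['awx_win_delegate'][0] }}"
      no_log: true                     # keep domain_password out of stdout and job logs
```

Run it with `ansible-playbook -i inventory.yml --ask-vault-pass playbook.yml` (or `--vault-password-file`). The vaulted variables are read through hostvars of the delegate host because group_vars for awx_win_delegate are not in scope for localhost; if the credentials are instead put in a vault file under group_vars/all they can be referenced directly. Kerberos (`ansible_winrm_transport: kerberos`) is the usual choice in a domain, since it avoids sending a static password to the WinRM endpoint at all, but it needs the controller to hold a valid ticket.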
SUMMARY
I'm trying to leverage microsoft.ad.group to manage groups in AD. The module documentation and examples are relatively straightforward. However, what's NOT straightforward is the connectivity/interpreter requirements to execute the module(s). I keep encountering this error:
So far, I've tried the following, all with the same error:
1. ansible_connection: local and just using the module as shown in the examples
2. args.executable like you would in the shell module, pointing it to PowerShell Core installed on the controller (/usr/bin/pwsh)
3. ansible_python_interpreter at the task level, setting it to the path of PowerShell Core installed on the controller (/usr/bin/pwsh)
I feel like I've scoured all of the usual sources (chats, forums, GH issues), but see no clear-cut examples of execution or host setup/dependencies outside of the "Powershell ActiveDirectory module".
ISSUE TYPE
COMPONENT NAME
microsoft.ad.group
ANSIBLE VERSION