ansible-collections / microsoft.ad

Ansible collection for Active Directory management
GNU General Public License v3.0

How do you actually execute modules in this collection (requires powershell)? #86

Closed watsonb closed 4 months ago

watsonb commented 7 months ago
SUMMARY

I'm trying to leverage microsoft.ad.group to manage groups in AD. The module documentation and examples are relatively straightforward. However, what's NOT straightforward is the connectivity/interpreter requirements to execute the module(s).

I keep encountering this error:

  module_stderr: |-
    /bin/sh: 1: powershell: not found
  module_stdout: ''
  msg: |-
    The module failed to execute correctly, you probably need to set the interpreter.
    See stdout/stderr for the exact error

So far, I've tried the following, all with the same error:

  1. targeting localhost (no fact gathering) with ansible_connection: local and just using the module as shown in examples
  2. tried using args.executable like you would in the shell module, pointing it to powershell core installed on controller (/usr/bin/pwsh)
  3. tried setting the variable ansible_python_interpreter at the task level and setting it to the path of powershell core installed on the controller (/usr/bin/pwsh)
  4. tried executing the playbook against a native Windows host that has powershell and AD modules installed
  5. tried delegating the task to a Windows host

I feel like I've scoured all of the usual sources (chats, forums, GH issues), but see no clear cut examples of execution or host setup/dependencies outside of the "Powershell ActiveDirectory module".

ISSUE TYPE
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible [core 2.14.4]
  config file = /home/ben/workspace/kiewit/ansible/playbooks/ap_azure/ansible.cfg
  configured module search path = ['/home/ben/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ben/venvs/venv3_ansible-7.4.0/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ben/workspace/kiewit/ansible/playbooks/ap_azure/collections:/home/ben/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ben/venvs/venv3_ansible-7.4.0/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ben/venvs/venv3_ansible-7.4.0/bin/python3)
  jinja version = 3.1.2
  libyaml = True
watsonb commented 7 months ago

Alright, I did figure out one way, not sure if it's the correct/preferred method.

I eventually did get delegate_to: <win_host> working at the task level. It failed previously because I had specified ansible_connection: local at the play level.

My initial issue is still valid from my point of view; that the documentation lacks this guidance to delegate tasks to some Windows host that you've previously configured to manage via Ansible.

abelal83 commented 3 months ago

I'm stuck with the exact same issue and completely agree, documentation really needs improving for Windows.

Could you help by explaining exactly what you have done to get it working?

watsonb commented 3 months ago

Here are my notes in my playbook:

#
# NOTES: using the microsoft.ad.group module wasn't as straightforward as I initially thought
# with respect to _executing_ the modules.  I've verified 2 working methods:
#   1. Target a Windows host at the play level that has AD Powershell modules installed
#   2. delegate_to the specific microsoft.ad.* task to a Windows host
#

Here's my playbook/task example:

- name: Manage AD Groups and ADO Objects
  hosts: localhost
  gather_facts: false
  tasks:

    - name: AD | manage group state
      delegate_to: "{{ groups['awx_win_delegate'][0] }}"
      microsoft.ad.group:
        name: "{{ item.name }}"
        scope: global
        state: "{{ ap_azure_ad_group_state | default('present') }}"
        description: "[KHO][Approval: Required] {{ item.description_suffix }}"
        category: security
        managed_by: "{{ ap_azure_ad_groups_managed_by }}"
        path: "{{ ap_azure_ad_group_path }}"
        domain_server: "{{ domain_controllers[0] }}"
        domain_username: "{{ automation_user }}"
        domain_password: "{{ automation_user_pass }}"
      loop: "{{ ap_azure_ad_groups }}"
      tags: [manage_ad_groups]

The host I delegate the task to is a Windows machine with RSAT/AD powershell tools installed that I can connect to via WinRM with Ansible.

Hope this helps.

abelal83 commented 3 months ago

Thank you. Will try this when back at work. Did you also have to configure winrm on the windows machine?

watsonb commented 3 months ago

Yes. My assumption is you've got a Windows machine set up somewhere that you can manage/connect to via Ansible.

abelal83 commented 3 months ago

Where does the username and password for connecting to windows machine go?

abelal83 commented 3 months ago

Got it working with this:

inventory

[win]
srv03.mylab.com

[win:vars]
ansible_connection=winrm
ansible_port=5985
ansible_user=ansible@MYLAB.COM
ansible_password=mypassword
ansible_winrm_server_cert_validation=ignore

ansible.yaml

- name: manage ad objects
  hosts: win
  tasks:
    - name: Add group and specify the AD domain services to use for the create
      microsoft.ad.group:
        name: Test Group4
        domain_username: ansible@MYLAB.COM
        domain_password: mypassword
        scope: domainlocal

command: ansible-playbook -i inventory ansible.yaml
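Putting the two working setups from this thread together, here is an added example (not taken from the issue or from the collection's own documentation) of a YAML inventory plus playbook that keeps the delegate_to pattern from watsonb's post but runs the WinRM session over HTTPS with certificate validation left at its default, reads the WinRM and domain credentials from an ansible-vault encrypted group_vars file instead of plain text, and checks that the ActiveDirectory PowerShell module is present on the delegate before calling microsoft.ad.group. The host name, OU path, group name and the vault_* variable names are placeholders I chose; everything else is standard Ansible, ansible.windows and microsoft.ad syntax.

```yaml
# inventory.yml (constructed example; host name is a placeholder)
win:
  hosts:
    win-delegate.mylab.com:
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_scheme: https
    ansible_winrm_transport: ntlm
    # default is "validate": the listener cert must chain to a CA the
    # controller trusts (or point ansible_winrm_ca_trust_path at the CA file)
    ansible_winrm_server_cert_validation: validate
    # vault_* values live in group_vars/win/vault.yml, encrypted with
    # "ansible-vault encrypt", so the inventory itself carries no secrets
    ansible_user: "{{ vault_winrm_user }}"
    ansible_password: "{{ vault_winrm_password }}"
---
# playbook.yml (run with: ansible-playbook -i inventory.yml --ask-vault-pass playbook.yml)
- name: Manage AD groups from the controller, executing on a Windows delegate
  hosts: localhost
  gather_facts: false
  tasks:

    # microsoft.ad.* modules are PowerShell, so they must run on a Windows host.
    # Fail early and clearly if the delegate lacks the RSAT AD module, instead of
    # getting the "/bin/sh: powershell: not found" error from the issue.
    - name: Confirm the ActiveDirectory PowerShell module is on the delegate
      ansible.windows.win_shell: Get-Module -ListAvailable -Name ActiveDirectory | Select-Object -ExpandProperty Name
      register: ad_module
      changed_when: false
      failed_when: "'ActiveDirectory' not in ad_module.stdout"
      delegate_to: "{{ groups['win'][0] }}"

    # Same task shape as in the thread, delegated to the first host of the win
    # group; also works unchanged with "hosts: win" and no delegate_to.
    - name: Ensure the security group exists
      microsoft.ad.group:
        name: "{{ item.name }}"
        scope: global
        category: security
        path: "{{ item.path }}"
        domain_username: "{{ vault_domain_user }}"
        domain_password: "{{ vault_domain_password }}"
      loop:
        - { name: "App Admins", path: "OU=Groups,DC=mylab,DC=com" }
      delegate_to: "{{ groups['win'][0] }}"
      no_log: true   # keeps domain_password out of playbook output and logs
```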