diff --git a/cloud/blueprints/linux.yml b/cloud/blueprints/linux.yml
new file mode 100644
index 0000000..7b3ee54
--- /dev/null
+++ b/cloud/blueprints/linux.yml
@@ -0,0 +1,2 @@
+---
+vm_providers: []
\ No newline at end of file
diff --git a/cloud/blueprints/windows.yml b/cloud/blueprints/windows.yml
new file mode 100644
index 0000000..d7085e9
--- /dev/null
+++ b/cloud/blueprints/windows.yml
@@ -0,0 +1,6 @@
+---
+vm_blueprint_providers:
+ - aws
+vm_blueprint_aws_instance_filter: 'Windows_Server-2019-English-Core-Base*'
+vm_blueprint_aws_instance_size: t3.medium
+vm_blueprint_aws_userdata_template: aws_windows_userdata
\ No newline at end of file
diff --git a/cloud/collections/ansible_collections/demo/cloud/README.md b/cloud/collections/ansible_collections/demo/cloud/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/aws/defaults/main.yml b/cloud/collections/ansible_collections/demo/cloud/roles/aws/defaults/main.yml
new file mode 100644
index 0000000..e2d1978
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/aws/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+#######
+# AWS VARS
+#######
+aws_vpc_name: ansible
+aws_vpc_prefix: demo
+aws_vpc_cidr_block: 10.0.0.0/16
+aws_subnet_cidr: 10.0.1.0/24
+aws_region: us-east-1
+aws_vm_name: "{{ vm_name }}"
+aws_vm_owner: "{{ vm_owner }}"
+aws_blueprint: "{{ vm_blueprint }}"
+aws_instance_filter: "{{ vm_blueprint_aws_instance_filter }}"
+aws_instance_size: "{{ vm_blueprint_aws_instance_size }}"
+aws_userdata_template: "{{ vm_blueprint_aws_userdata_template }}"
+aws_keypair_name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-demo-key"
+aws_securitygroup_name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-sec-group"
+aws_env_tag: prod
+aws_purpose_tag: ansible_demo
+aws_ansiblegroup_tag: cloud
+aws_ec2_wait: true
+
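Review bot: `vm_providers: []` uses a different key from the `vm_blueprint_providers` that windows.yml sets and that the compatibility assert in cloud/create_vm.yml reads, so for the linux blueprint that assert is skipped by its `when: vm_blueprint_providers is defined` guard and any provider passes. Rename the key to `vm_blueprint_providers: []` so the empty list is actually enforced; the check would then reject every provider until linux support is added, which appears to be the intent of an empty list.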
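Review bot: The role consumes `aws_public_key` (the `key_material` in tasks/create_infra.yml) and `ansible_password` (the Windows userdata template), but neither appears in these defaults, so the role's required inputs cannot be read off this file. Add a header comment listing what the caller must supply, e.g. `# Required from caller: vm_name, vm_owner, vm_blueprint, aws_public_key (create_infra), ansible_password (windows userdata)`, and a one-line comment on `aws_env_tag: prod` explaining why a demo role tags instances as prod if that is deliberate.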
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_infra.yml b/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_infra.yml
new file mode 100644
index 0000000..510aed5
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_infra.yml
@@ -0,0 +1,118 @@
+---
+- name: AWS | CREATE INFRA | vpc
+ amazon.aws.ec2_vpc_net:
+ state: present
+ name: "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-vpc"
+ cidr_block: "{{ aws_vpc_cidr_block }}"
+ tenancy: default
+ region: "{{ aws_region }}"
+ tags:
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
+ register: aws_vpc
+
+- name: AWS | CREATE INFRA | internet gateway
+ amazon.aws.ec2_vpc_igw:
+ state: present
+ vpc_id: "{{ aws_vpc.vpc.id }}"
+ region: "{{ aws_region }}"
+ tags:
+ Name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-vpc-igw"
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
+ register: aws_gateway
+
+- name: Create security group internal
+ amazon.aws.ec2_group:
+ state: present
+ name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-sec-group"
+ region: "{{ aws_region }}"
+ description: Inbound WinRM and RDP, http for demo servers and internal AD ports
+ rules:
+ - proto: tcp
+ ports:
+ - 80 # HTTP
+ - 443 # HTTPS
+ - 22 # SSH
+ - 5986 # WinRM
+ - 3389 # RDP
+ cidr_ip: 0.0.0.0/0
+ - proto: icmp
+ to_port: -1
+ from_port: -1
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ ports:
+ - 80 # HTTP
+ - 5986 # WinRM
+ - 3389 # RDP
+ - 53 # DNS
+ - 88 # Kerberos Authentication
+ - 135 # RPC
+ - 139 # Netlogon
+ - 389 # LDAP
+ - 445 # SMB
+ - 464 # Kerberos Authentication
+ - 5432 # PostgreSQL
+ - 636 # LDAPS (LDAP over TLS)
+ - 873 # Rsync
+ - 3268-3269 # Global Catalog
+ - 1024-65535 # Ephemeral RPC ports
+ cidr_ip: 10.0.0.0/16
+ - proto: udp
+ ports:
+ - 53 # DNS
+ - 88 # Kerberos Authentication
+ - 123 # NTP
+ - 137-138 # Netlogon
+ - 389 # LDAP
+ - 445 # SMB
+ - 464 # Kerberos Authentication
+ - 1024-65535 # Ephemeral RPC ports
+ cidr_ip: 10.0.0.0/16
+ rules_egress:
+ - proto: -1
+ cidr_ip: 0.0.0.0/0
+ vpc_id: "{{ aws_vpc.vpc.id }}"
+ tags:
+ Name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-sec-group"
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
+
+- name: Create a subnet on the VPC
+ amazon.aws.ec2_vpc_subnet:
+ state: present
+ vpc_id: "{{ aws_vpc.vpc.id }}"
+ cidr: "{{ aws_subnet_cidr }}"
+ region: "{{ aws_region }}"
+ map_public: yes
+ tags:
+ Name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-subnet"
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
+ register: aws_subnet
+
+- name: Create a subnet route table
+ amazon.aws.ec2_vpc_route_table:
+ state: present
+ vpc_id: "{{ aws_vpc.vpc.id }}"
+ region: "{{ aws_region }}"
+ subnets:
+ - "{{ aws_subnet.subnet.id }}"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: "{{ aws_gateway.gateway_id }}"
+ tags:
+ Name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-vpc-rtbl"
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
+
+- name: Create AWS keypair
+ amazon.aws.ec2_key:
+ name: "{{ aws_vpc_name }}-{{aws_vpc_prefix }}-demo-key"
+ region: "{{ aws_region }}"
+ key_material: "{{ aws_public_key }}"
+ state: present
+ tags:
+ owner: "{{ aws_vpc_name }}"
+ purpose: "{{ aws_purpose_tag }}"
\ No newline at end of file
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_vm.yml b/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_vm.yml
new file mode 100644
index 0000000..01d4c4e
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/aws/tasks/create_vm.yml
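Review bot: The first `rules` entry of the security group opens 5986 (WinRM) and 3389 (RDP) to `cidr_ip: 0.0.0.0/0`, which the previous inline version in cloud/create_infra.yml did not do (its world-open rule carried only 80/443/22), and the Windows userdata template added in this commit creates an Administrators-group account with a password and enables Basic/CredSSP on WinRM, so those password-authenticated services become internet-reachable. Take the management source from a variable, e.g. `cidr_ip: "{{ aws_admin_cidr }}"` with a default in defaults/main.yml, and leave only 80/443 on 0.0.0.0/0; the Azure `External` rule in roles/azure/tasks/create_infra.yml has the same exposure because it sets no `source_address_prefix`. The internal tcp/udp rules hard-code `cidr_ip: 10.0.0.0/16` while the VPC itself is created from `aws_vpc_cidr_block`, so overriding that default silently leaves the internal rules pointing at the wrong range — use `cidr_ip: "{{ aws_vpc_cidr_block }}"`. `map_public: yes` should be `map_public: true` to avoid the YAML 1.1 truthy ambiguity.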
@@ -0,0 +1,45 @@
+---
+- name: AWS | CREATE VM | get subnet info
+ amazon.aws.ec2_vpc_subnet_info:
+ region: "{{ aws_region }}"
+ filters:
+ "tag:Name": "{{ aws_vpc_name }}-{{ aws_vpc_prefix }}-subnet"
+ register: aws_subnet
+
+- name: AWS | CREATE VM | save subnet id
+ set_fact:
+ aws_subnet_id: "{{ aws_subnet.subnets|map(attribute='id')| list | last }}"
+
+- name: AWS| CREATE VM | find ami
+ amazon.aws.ec2_ami_info:
+ region: "{{ aws_region }}"
+ filters:
+ name: "{{ aws_instance_filter }}"
+ register: amis
+
+- name: AWS| CREATE VM | save ami
+ set_fact:
+ aws_instance_ami: >
+ {{ amis.images | selectattr('name', 'defined') | sort(attribute='creation_date') | last }}
+
+- name: AWS| CREATE VM | create instance
+ amazon.aws.ec2_instance:
+ network:
+ assign_public_ip: yes
+ groups: "{{ aws_securitygroup_name }}"
+ key_name: "{{ aws_keypair_name }}"
+ instance_type: "{{ aws_instance_size }}"
+ image_id: "{{ aws_instance_ami.image_id }}"
+ region: "{{ aws_region }}"
+ tags:
+ blueprint: "{{ aws_blueprint }}"
+ purpose: "{{ aws_purpose_tag }}"
+ env: "{{ aws_env_tag }}"
+ ansible_group: "{{ aws_ansiblegroup_tag }}"
+ owner: "{{ aws_vm_owner }}"
+ info: "This instance was built by Red Hat Product Demos"
+ Name: "{{ aws_vm_name }}"
+ wait: "{{ aws_ec2_wait }}"
+ vpc_subnet_id: "{{ aws_subnet_id }}"
+ user_data: "{{ lookup('template', aws_userdata_template+'.j2', template_vars=dict(aws_vm_name=vm_name)) }}"
+ register: aws_vm_output
\ No newline at end of file
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 b/cloud/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2
new file mode 100644
index 0000000..c4671f2
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2
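Review bot: `amazon.aws.ec2_ami_info` is filtered by `name` only and the following `set_fact` takes the newest match by `creation_date`, so any public AMI whose name matches the blueprint's `Windows_Server-2019-English-Core-Base*` pattern, whoever published it, can be selected and launched with the account's keypair and userdata. Add `owners: amazon` (or the specific publisher account id) alongside `filters:` so only images from the expected owner are candidates. Also `assign_public_ip: yes` should be `assign_public_ip: true`, and `aws_instance_ami: >` stores the image dict as a folded string with a trailing newline, which presumably only works because Ansible re-templates the fact — a single-line `aws_instance_ami: "{{ ... }}"` is less fragile.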
@@ -0,0 +1,29 @@
+
+# Disable .Net Optimization Service
+Get-ScheduledTask *ngen* | Disable-ScheduledTask
+
+# Disable Windows Auto Updates
+# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html#high-cpu-issue
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
+net stop wuauserv
+net start wuauserv
+
+# Remove policies stopping us from enabling WinRM
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowBasic /f
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v AllowUnencryptedTraffic /f
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" /v DisableRunAs /f
+
+# Disable Windows Defender Monitoring
+Set-MpPreference -DisableRealtimeMonitoring $true
+
+# Enable WinRM
+Invoke-WebRequest -Uri https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\ConfigureRemotingForAnsible.ps1
+C:\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert -EnableCredSSP
+
+# add ec2-user
+$Password = ConvertTo-SecureString {{ ansible_password }} -AsPlainText -Force
+New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password $Password
+Add-LocalGroupMember -Group "Administrators" -Member "ec2-user"
+
+Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart
+
\ No newline at end of file
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/azure/defaults/main.yml b/cloud/collections/ansible_collections/demo/cloud/roles/azure/defaults/main.yml
new file mode 100644
index 0000000..e38e0e3
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/azure/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+##############
+# Azure Vars
+##############
+az_region:
+az_rg_name: ansible
+az_rg_prefix: demo
+az_vnet_cidr_block: 10.0.0.0/16
+az_subnet_cidr: 10.0.1.0/24
\ No newline at end of file
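Review bot: `ConvertTo-SecureString {{ ansible_password }} -AsPlainText` places the password of an Administrators-group account into EC2 user data, which AWS stores unencrypted and exposes to every local process through the instance metadata service and to any principal allowed to describe the instance's attributes, so the secret persists well beyond the bootstrap. Prefer fetching the value at boot from a secret store the instance role is allowed to read, or at minimum document in a header comment that user data must be cleared after provisioning; the unquoted interpolation also breaks on passwords containing spaces or quotes, so quote it (`'{{ ansible_password }}'`) if it stays. `Invoke-WebRequest` pulls ConfigureRemotingForAnsible.ps1 from the unpinned `devel` branch and runs it as Administrator, so any future change on that branch executes here unreviewed — pin a tag or commit, or vendor the script under the role's `files/` directory. `Set-MpPreference -DisableRealtimeMonitoring $true` leaves Defender off permanently rather than for the bootstrap window; re-enable it at the end of the script or add a comment stating why it must stay disabled.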
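Review bot: `az_region:` with no value is YAML null rather than an unset variable, so `location: "{{ az_region }}"` in the resource-group task renders a placeholder value instead of failing with a clear undefined-variable error. Either give it a real default, as the AWS role does with `aws_region: us-east-1`, or drop the key and assert it is defined where it is used. This file also defines `az_vnet_cidr_block`, while the virtual-network task in roles/azure/tasks/create_infra.yml reads `az_vnet_cidr`, so one of the two names needs to change for the role to run.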
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/azure/tasks/create_infra.yml b/cloud/collections/ansible_collections/demo/cloud/roles/azure/tasks/create_infra.yml
new file mode 100644
index 0000000..cc655e3
--- /dev/null
+++ b/cloud/collections/ansible_collections/demo/cloud/roles/azure/tasks/create_infra.yml
@@ -0,0 +1,76 @@
+---
+- name: AZURE | CREATE INFRA | resource group
+ azure.azcollection.azure_rm_resourcegroup:
+ name: "{{ az_rg_name }}-{{ az_rg_prefix }}-rg"
+ location: "{{ az_region }}"
+
+- name: AZURE | CREATE INFRA | virtual network
+ azure.azcollection.azure_rm_virtualnetwork:
+ resource_group: "{{ az_rg_name }}-{{ az_rg_prefix }}-rg"
+ name: "{{ az_rg_name }}-{{ az_rg_prefix }}-vnet"
+ address_prefixes: "{{ az_vnet_cidr }}"
+
+- name: AZURE | CREATE INFRA | subnet
+ azure.azcollection.azure_rm_subnet:
+ resource_group: "{{ az_rg_name }}-{{ az_rg_prefix }}-rg"
+ name: "{{ az_rg_name }}-{{ az_rg_prefix }}-subnet }}"
+ address_prefix: "{{ az_subnet_cidr }}"
+ virtual_network: "{{ az_rg_name }}-{{ az_rg_prefix }}-vnet"
+
+- name: AZURE | CREATE INFRA | security group
+ azure.azcollection.azure_rm_securitygroup:
+ resource_group: "{{ az_rg_name }}-{{ az_rg_prefix }}-rg"
+ name: "{{ az_rg_name }}-{{ az_rg_prefix }}-sec-group"
+ rules:
+ - name: External
+ protocol: Tcp
+ destination_port_range:
+ - 80 # HTTP
+ - 443 # HTTPS
+ - 5986 # WinRM
+ - 3389 # RDP
+ access: Allow
+ priority: 1001
+ direction: Inbound
+ - name: Ping
+ protocol: Icmp
+ access: Allow
+ priority: 1002
+ direction: Inbound
+ - name: Internal TCP
+ protocol: Tcp
+ destination_port_range:
+ - 80 # HTTP
+ - 5986 # WinRM
+ - 3389 # RDP
+ - 53 # DNS
+ - 88 # Kerberos Authentication
+ - 135 # RPC
+ - 139 # Netlogon
+ - 389 # LDAP
+ - 445 # SMB
+ - 464 # Kerberos Authentication
+ - 5432 # PostgreSQL
+ - 636 # LDAPS (LDAP over TLS)
+ - 873 # Rsync
+ - 3268-3269 # Global Catalog
+ - 1024-65535 # Ephemeral RPC ports
+ access: Allow
+ priority: 1003
+ direction: Inbound
+ source_address_prefix: "{{ az_vnet_cidr_block }}"
+ - name: Internal UDP
+ protocol: Udp
+ destination_port_range:
+ - 53 # DNS
+ - 88 # Kerberos Authentication
+ - 123 # NTP
+ - 137-138 # Netlogon
+ - 389 # LDAP
+ - 445 # SMB
+ - 464 # Kerberos Authentication
+ - 1024-65535 # Ephemeral RPC ports
+ access: Allow
+ priority: 1004
+ direction: Inbound
+ source_address_prefix: "{{ az_vnet_cidr_block }}"
\ No newline at end of file
diff --git a/cloud/collections/ansible_collections/demo/cloud/roles/azure/tasks/create_vm.yml b/cloud/collections/ansible_collections/demo/cloud/roles/azure/tasks/create_vm.yml
new file mode 100644
index 0000000..e69de29
diff --git a/cloud/create_infra.yml b/cloud/create_infra.yml
index df83911..0e199e6 100644
--- a/cloud/create_infra.yml
+++ b/cloud/create_infra.yml
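Review bot: The subnet task's `name: "{{ az_rg_name }}-{{ az_rg_prefix }}-subnet }}"` has a stray ` }}` outside any Jinja expression, so the subnet is created with a literal ` }}` suffix in its name; it should read `name: "{{ az_rg_name }}-{{ az_rg_prefix }}-subnet"`. The virtual-network task uses `address_prefixes: "{{ az_vnet_cidr }}"`, but the role's defaults only define `az_vnet_cidr_block` (the name the two internal rules below use), so this task fails on an undefined variable unless a caller happens to set `az_vnet_cidr` — use `address_prefixes: "{{ az_vnet_cidr_block }}"`. The `External` rule sets no `source_address_prefix`, so 5986 and 3389 are allowed from any source; set it from a management-CIDR variable and keep only 80/443 unrestricted.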
@@ -3,120 +3,10 @@ hosts: localhost gather_facts: no vars: - vpc_user: workshop - vpc_name: demo - vpc_cidr_block: 10.0.0.0/16 + infra_provider: undef + aws_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCK93BIfZx+MeEyP6qBha48FxtoZYsmx4grYOM3ZQMbkDp0v/cHFKHlUrZR67bVHuOriqrCScBaBfZ0RQk7mYpTAR5CgLed8Vun3LcQz7bZHq26CS83J8KE5Kbfhm07VzZfOND/yeuq3dU9P6Kb2HBufj+mUGgktUjuLVlRAk1KTYfTAevYcCfm75LtCKAkTsR5hG+yGHRo0n1lWeEhz8m0Gl1g0e3/eGo/bmViHvrKi5cGPu7K8p8JGhtXhpr0jMIqh5Ej7Iu2fPe/sV05Qp+am4upGPW7PmS2V82sMuZxLPeWZRJxvqstW7aSziUxbWu6b8gMfRJdzGa6b24ejp1R 2cfb-key tasks: - - name: Create VPC - amazon.aws.ec2_vpc_net: - state: present - name: "{{ vpc_name }}-ansible-vpc" - cidr_block: "{{ vpc_cidr_block }}" - tenancy: default - region: "{{ aws_region }}" - tags: - user: "{{ vpc_user }}" - purpose: Ansible Demo - register: aws_vpc - - - name: Create Internet Gateway for VPC - amazon.aws.ec2_vpc_igw: - state: present - vpc_id: "{{ aws_vpc.vpc.id }}" - region: "{{ aws_region }}" - tags: - Name: "{{ vpc_user }}-{{vpc_name }}-vpc-igw" - user: "{{ vpc_user }}" - purpose: Ansible Demo - register: aws_gateway - - - name: Create security group internal - amazon.aws.ec2_group: - state: present - name: "{{ vpc_user }}-{{ vpc_name }}-sec-group" - region: "{{ aws_region }}" - description: Inbound WinRM and RDP, http for demo servers and internal AD ports - rules: - - proto: tcp - ports: - - 80 # HTTP - - 443 # HTTPS - - 22 # SSH - cidr_ip: 0.0.0.0/0 - - proto: icmp - to_port: -1 - from_port: -1 - cidr_ip: 0.0.0.0/0 - - proto: tcp - ports: - - 80 # HTTP - - 5986 # WinRM - - 3389 # RDP - - 53 # DNS - - 88 # Kerberos Authentication - - 135 # RPC - - 139 # Netlogon - - 389 # LDAP - - 445 # SMB - - 464 # Kerberos Authentication - - 5432 # PostgreSQL - - 636 # LDAPS (LDAP over TLS) - - 873 # Rsync - - 3268-3269 # Global Catalog - - 1024-65535 # Ephemeral RPC ports - cidr_ip: 10.0.0.0/16 - - proto: udp - ports: - - 53 # DNS - - 88 # Kerberos Authentication - - 123 # NTP - - 137-138 # Netlogon - - 
389 # LDAP - - 445 # SMB - - 464 # Kerberos Authentication - - 1024-65535 # Ephemeral RPC ports - cidr_ip: 10.0.0.0/16 - rules_egress: - - proto: -1 - cidr_ip: 0.0.0.0/0 - vpc_id: "{{ aws_vpc.vpc.id }}" - tags: - Name: "{{ vpc_user }}-{{ vpc_name }}-sec-group" - user: "{{ vpc_user}}" - purpose: Ansible Demo - - - name: Create a subnet on the VPC - amazon.aws.ec2_vpc_subnet: - state: present - vpc_id: "{{ aws_vpc.vpc.id }}" - cidr: 10.0.0.0/16 - region: "{{ aws_region }}" - map_public: yes - tags: - Name: "{{ vpc_user }}-{{ vpc_name }}-subnet" - user: "{{ vpc_user }}" - purpose: Ansible Demo - register: aws_subnet - - - name: Create a subnet route table - amazon.aws.ec2_vpc_route_table: - state: present - vpc_id: "{{ aws_vpc.vpc.id }}" - region: "{{ aws_region }}" - subnets: - - "{{ aws_subnet.subnet.id }}" - routes: - - dest: 0.0.0.0/0 - gateway_id: "{{ aws_gateway.gateway_id }}" - tags: - Name: "{{ vpc_user }}-{{ vpc_name }}-vpc-rtbl" - user: "{{ vpc_user }}" - purpose: Ansible Demo - - - name: Create AWS keypair - amazon.aws.ec2_key: - name: "{{ vpc_user }}-{{ vpc_name }}-demo-key" - region: "{{ aws_region }}" - key_material: "{{ aws_public_key }}" - state: present \ No newline at end of file + - include_role: + name: "demo.cloud.{{ infra_provider }}" + tasks_from: create_infra diff --git a/cloud/create_vm.yml b/cloud/create_vm.yml new file mode 100644 index 0000000..e03bf44 --- /dev/null +++ b/cloud/create_vm.yml 
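Review bot: `aws_public_key: ssh-rsa AAAAB3Nza… 2cfb-key` commits one specific personal public key as the play's default, so every keypair created by a run that does not override it — for instance a run outside the controller job template whose survey asks for `aws_public_key` — is accessible to whoever holds the matching private key. Remove the literal and fail early instead, e.g. `- assert: { that: aws_public_key is defined, fail_msg: 'aws_public_key must be supplied' }` ahead of the `include_role`. `infra_provider: undef` is a real string rather than an undefined variable, so a missing override produces a confusing "role demo.cloud.undef not found" error instead of a clear one; the same assert pattern fits here. Play `vars:` sit below extra vars in precedence, so a survey-supplied value should still win when launched from the job template — the risk is the default path.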
@@ -0,0 +1,25 @@ +--- +- name: Create Cloud Infra + hosts: localhost + gather_facts: no + vars: + vm_name: undef + vm_owner: undef + vm_provider: undef + vm_blueprint: undef + + tasks: + - name: "Importing {{ vm_blueprint | upper }} Blueprint" + include_vars: + file: "blueprints/{{ vm_blueprint }}.yml" + + - name: "Check Provider Compatibility" + assert: + that: "{{ vm_provider }} in {{ vm_blueprint_providers }}" + fail_msg: "{{ vm_blueprint | upper }} is not available for {{ vm_provider | upper }}" + when: "vm_blueprint_providers is defined" + + - name: "Building {{ vm_blueprint | upper }} in {{ vm_provider | upper }}" + include_role: + name: "demo.cloud.{{ infra_provider }}" + tasks_from: create_vm diff --git a/cloud/setup.yml b/cloud/setup.yml index ecc980c..48f6cab 100644 --- a/cloud/setup.yml +++ b/cloud/setup.yml @@ -43,4 +43,40 @@ controller_templates: - question_name: Public Key type: textarea variable: aws_public_key - required: true \ No newline at end of file + required: true + - name: Cloud / Create VM + job_type: run + organization: Default + credentials: + - AWS + - Workshop Credential + project: Ansible official demo project + playbook: cloud/create_vm.yml + inventory: Workshop Inventory + execution_environment: Default execution environment + survey_enabled: true + extra_vars: + aws_region: us-east-2 + survey: + name: '' + description: '' + spec: + - question_name: Name + type: text + variable: vm_name + required: true + - question_name: Owner + type: text + variable: vm_owner + required: true + - question_name: Provider + type: multiplechoice + variable: vm_provider + required: true + choices: + - aws + - question_name: Blueprint + type: multiplechoice + variable: vm_blueprint + required: true + choices: "{{ lookup('fileglob', 'blueprints/*.yml') | regex_replace(',','\n') | regex_findall('.*/(.*)(?=.yml)') }}" \ No newline at end of file diff --git a/collections/requirements.yml b/collections/requirements.yml index 0641ebc..6ddb39a 100644 
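Review bot: The last task includes `demo.cloud.{{ infra_provider }}`, but this play defines `vm_provider` (and the survey in cloud/setup.yml supplies `vm_provider` as well), so `infra_provider` is undefined here and the include fails; it should be `name: "demo.cloud.{{ vm_provider }}"`. The compatibility assert wraps both operands in `{{ }}`, which renders to something like `aws in ['aws']` before evaluation, where the bare `aws` is then treated as an undefined variable — write it as `that: vm_provider in vm_blueprint_providers`. With `when: "vm_blueprint_providers is defined"` the check is silently skipped for any blueprint that omits the key (blueprints/linux.yml currently defines `vm_providers` instead), so such a blueprint is buildable on every provider; dropping the `when` and requiring the key in each blueprint makes the guard fail closed.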
--- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -11,5 +11,8 @@ collections: #windows - chocolatey.chocolatey - community.windows - # - - azure.azcollection + #cloud + - name: azure.azcollection + version: 1.11.0 + - name: amazon.aws + version: 3.1.1