# Creating the Ansible Play

## Steps to Use Ansible Vault for Credentials

- Create an Ansible Vault file to store your credentials:

  Create a YAML file (e.g., `vault.yml`) to store your credentials and encrypt it with Ansible Vault.

  ```yaml
  ansible_user: Brian
  ansible_password: usarmy7584
  ansible_port: 5985
  ansible_connection: winrm
  domain_user: globomantics\brian.dorr.admin
  domain_password: iloveJESUS12#$
  ```

  Encrypt the file using Ansible Vault:

  ```sh
  ansible-vault encrypt vault.yml
  ```
- Modify your inventory file to reference the encrypted variables:

  Your `hosts.ini` file should look like this (the playbook's `expected_computer_name` has to be defined for each host, so it is supplied here as an inline host variable; the names are placeholders to replace with the intended computer names):

  ```ini
  [windows]
  10.1.25.10 expected_computer_name=PLACEHOLDER-NAME-1
  10.1.25.17 expected_computer_name=PLACEHOLDER-NAME-2
  10.1.25.38 expected_computer_name=PLACEHOLDER-NAME-3
  10.1.70.15 expected_computer_name=PLACEHOLDER-NAME-4
  ```
- Create a playbook to include the vaulted variables and use them:

  Update your `rename_and_join_domain.yml` playbook to include the vaulted variables:

  ```yaml
  - name: Rename computers and join domain
    hosts: windows
    gather_facts: no
    # ansible_user, ansible_password, ansible_port and ansible_connection loaded from the
    # vault apply to the whole play, so no task-level vars block is needed (a task-level
    # `ansible_user: "{{ ansible_user }}"` would be a recursive template reference).
    vars_files:
      - vault.yml
    tasks:
      - name: Check current computer name
        win_shell: "(Get-WmiObject -Class Win32_ComputerSystem).Name"
        register: current_computer_name

      # expected_computer_name must be defined per host (e.g. as an inventory host variable).
      # stdout carries a trailing newline, hence the trim before comparing.
      - name: Rename computer if necessary
        win_shell: |
          $currentComputerName = '{{ current_computer_name.stdout | trim }}';
          $expectedComputerName = '{{ expected_computer_name }}';
          if ($currentComputerName -ne $expectedComputerName) {
            Rename-Computer -NewName $expectedComputerName -Force -Restart;
          } else {
            Write-Output 'Computer name is already correct';
          }
        args:
          executable: powershell
        when: (current_computer_name.stdout | trim) != expected_computer_name
        register: rename_result
        ignore_errors: yes   # the restart drops the WinRM connection mid-task

      - name: Wait for system to come back after rename
        win_wait_for_connection:
          delay: 30
        when: rename_result is changed

      # The domain password is interpolated into the command string; consider adding
      # `no_log: true` to this task so it is not echoed in verbose output or logs.
      - name: Join domain if not already joined
        win_shell: |
          $domain = 'globomantics.com';
          $password = ConvertTo-SecureString '{{ domain_password }}' -AsPlainText -Force;
          $credential = New-Object System.Management.Automation.PSCredential('{{ domain_user }}', $password);
          if (-not (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
            Add-Computer -DomainName $domain -Credential $credential -OUPath 'OU=Windows 10 VMs,OU=Globomantics Computers,DC=globomantics,DC=com' -Force -Restart -PassThru | Out-Null;
            Write-Output 'Attempted to join domain';
          } else {
            Write-Output 'Already part of the domain';
          }
        args:
          executable: powershell
        register: join_result
        ignore_errors: yes   # the restart drops the WinRM connection mid-task

      - name: Wait for system to come back after domain join
        win_wait_for_connection:
          delay: 30
        when: join_result is changed

      - name: Verify domain membership
        win_shell: |
          if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
            Write-Output 'Successfully joined the domain';
          } else {
            Write-Output 'Failed to join the domain';
          }
        args:
          executable: powershell
  ```
- Run the Ansible Playbook with the Vault Password:

  When running the playbook, provide the vault password using the `--ask-vault-pass` option:

  ```sh
  ansible-playbook -i hosts.ini rename_and_join_domain.yml --ask-vault-pass
  ```
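The setup above only protects the credentials if `vault.yml` is actually encrypted when it leaves your workstation; forgetting the `ansible-vault encrypt` step and committing the plaintext file is the common failure. The following check is an added example, not part of the original post or of Ansible itself. It needs no Ansible installation because it relies only on the vault on-disk format: an encrypted file's first line is a header of the form `$ANSIBLE_VAULT;1.1;AES256` (`1.2` when a vault id is used). The sample files it writes are constructed here; the "ciphertext" body is a placeholder, not real `ansible-vault` output.

```shell
#!/bin/sh
# Added example: a pre-commit style guard that refuses to let a file intended to be
# vaulted (such as vault.yml) reach the repository in plaintext. Only the header line
# is inspected, so the check works without Ansible installed.

# is_vaulted FILE: succeed (exit 0) if FILE starts with an Ansible Vault header.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_vault_files FILE...: report each file; fail (exit 1) if any listed file is plaintext.
check_vault_files() {
    status=0
    for f in "$@"; do
        if is_vaulted "$f"; then
            echo "vaulted:   $f"
        else
            echo "PLAINTEXT: $f"
            status=1
        fi
    done
    return "$status"
}

# make_samples: write two constructed files into a temp directory and print its path.
# The body under the header is a placeholder hex string, not real ansible-vault output;
# only the header matters to the check above.
make_samples() {
    dir=$(mktemp -d)
    printf '$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n' > "$dir/vault.yml"
    printf 'ansible_user: Brian\nansible_password: PLACEHOLDER-PASSWORD\n' > "$dir/plain.yml"
    echo "$dir"
}

# Demo: run with --demo to see the report on the constructed samples. In a real
# repository, call check_vault_files from a pre-commit hook with the paths of every
# file that must never be committed unencrypted.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    check_vault_files "$d/vault.yml" "$d/plain.yml"
    echo "exit status: $?"
    rm -rf "$d"
fi
```

Wiring `check_vault_files vault.yml` into a pre-commit hook turns the "did I encrypt it?" question into a hard stop: a plaintext `vault.yml` fails the commit, while an encrypted one passes because its header matches.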
## Explanation

- **Vault File:** `vault.yml` contains sensitive information and is encrypted with Ansible Vault.
- **Inventory File:** `hosts.ini` lists the Windows hosts without sensitive information.
- **Playbook:**
  - The playbook references the vaulted variables using `vars_files`.
  - Variables like `ansible_user`, `ansible_password`, etc., are loaded from the vault and used in tasks.

This setup ensures that your sensitive credentials are stored securely and only accessible when running the playbook with the correct vault password.