Using Custom Ansible Playbooks on Windows

Overview

This is a guide to using custom Ansible playbooks on Windows instances.

Turbot Requirements

There are two primary Turbot requirements to run custom playbooks on Windows instances:

  1. The instance should be launched using the Turbot key.
  2. Windows instances should be manageable by Turbot.

Additionally, Turbot requires a minimum instance type and eight policy settings to manage the instance.

Minimum instance type:

  • t2.medium (smaller instance types struggle to run the remote management tooling)

Required policy settings:

  • AWS > EC2 > Bootstrap Windows Instance = Enabled
  • AWS > EC2 > Instance Has Default EC2 Instance Profile Attached = Enforce: Attach default EC2 instance profile if no instance profile is attached
  • AWS > SSM > Enabled = Enabled
  • AWS > SSM > Rights = Enforce: Enabled if AWS > SSM > Enabled (Default)
  • AWS > SSM > Turbot EC2 Instance Role Permissions = Enabled if AWS > SSM > Enabled (Default)
  • AWS > IAM > EC2 Role Has Turbot Default Instance Policies = Enforce: Attach Turbot default instance policies
  • AWS > IAM > Turbot EC2 Instance Role = Enforce: Manage role
  • Windows > Turbot User Password Rotation = Enforce: [x] days

Security Group Configurations

The instance must allow the following Ingress and Egress network access in its security groups.

Ingress

Protocol(s)   Port(s)   Source     Purpose
TCP           5986      Intranet   PowerShell Remoting

Egress

Protocol(s)   Port(s)   Destination   Purpose
TCP           80        Internet      SSM communication
TCP           443       Internet      SSM communication

Note: The default security group usually already includes these egress rules.

Required Windows Policy Settings

Turbot uses a local account named turbot to remotely manage the instance. The following settings are required to enable Windows remote management. In most cases, they are already satisfied by default.

  • Allow Remote Shell Access
    UI Path: Computer Configuration \ Administrative Templates \ Windows Components \ Windows Remote Shell \ Allow Remote Shell Access
    Option: Enabled

  • Allow remote server management through WinRM
    UI Path: Computer Configuration \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service \ Allow remote server management through WinRM
    Option: Enabled

  • Avoid applying UAC restrictions to local accounts on network logons
    UI Path: Computer Configuration \ Administrative Templates \ SCM: Pass the Hash Mitigations \ Apply UAC restrictions to local accounts on network logons
    Option: Disabled

  • Avoid denying access to this computer from the network
    UI Path: Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment \ Deny access to this computer from the network
    Requirement: must not include local accounts (S-1-2-0) or the Administrators group (S-1-5-32-544)

Registering a Playbook with Turbot

To register a custom playbook with a Turbot account, follow these eight steps.

  1. Log in to the Turbot console as a user with Turbot/Admin permissions or higher for the account.
  2. Go to the account page.
  3. Go to the Advanced tab, then Playbooks.
  4. Click Add Playbook.
  5. Choose a unique playbook ID, considering that playbooks are run in alphabetical order.
  6. Enter details of the S3 bucket and (optional) key prefix.
  7. Click Save.
  8. The playbook will execute within 10 minutes.

Custom Playbook Example

Unless you want a playbook that runs on both Linux and Windows, it is recommended to set hosts to platform_windows.

The following is a simple playbook that gathers and shows details from the target instance.


  • hosts: platform_windows tasks:
    • setup: register: current_instance_info
    • debug: var: current_instance_info
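A more useful first custom playbook is one that verifies the Windows policy settings from the "Required Windows Policy Settings" section before anything else runs. The following is an added example, not part of the original article and not one of Turbot's own playbooks. It assumes the ansible.windows collection is available to the runner, that the target is in the platform_windows group used above, and that the registry values it reads (AllowAutoConfig, AllowRemoteShellAccess and LocalAccountTokenFilterPolicy) are the ones behind the listed Group Policy items; the user-rights check exports the local security policy with secedit and looks for the two SIDs the article says must not be denied network logon.

```yaml
# Added example, not part of the original article or of Turbot's own playbooks.
# Assumes the ansible.windows collection is available and the target is in platform_windows.
- hosts: platform_windows
  gather_facts: false
  vars:
    # Registry locations behind the Group Policy settings listed in the article
    winrm_policy_key: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
    uac_policy_key: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  tasks:
    - name: Read "Allow remote server management through WinRM" (AllowAutoConfig)
      ansible.windows.win_reg_stat:
        path: "{{ winrm_policy_key }}"
        name: AllowAutoConfig
      register: allow_auto_config

    - name: Read "Allow Remote Shell Access" (AllowRemoteShellAccess)
      ansible.windows.win_reg_stat:
        path: "{{ winrm_policy_key }}\\WinRS"
        name: AllowRemoteShellAccess
      register: allow_remote_shell

    - name: Read "Apply UAC restrictions to local accounts on network logons"
      # LocalAccountTokenFilterPolicy = 1 means the restriction is Disabled, which is what the article requires
      ansible.windows.win_reg_stat:
        path: "{{ uac_policy_key }}"
        name: LocalAccountTokenFilterPolicy
      register: token_filter

    - name: Read "Deny access to this computer from the network" from the local security policy
      ansible.windows.win_shell: |
        $cfg = Join-Path $env:TEMP 'secpol-export.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        if ($line) { $line } else { 'SeDenyNetworkLogonRight = (not set)' }
      register: deny_network_logon
      changed_when: false

    - name: Stop before any later playbook runs if a prerequisite is missing
      ansible.builtin.assert:
        that:
          # Not Configured (value absent) keeps the Windows default, so only an explicit 0 fails
          - not (allow_auto_config.exists and allow_auto_config.value == 0)
          - not (allow_remote_shell.exists and allow_remote_shell.value == 0)
          # This value is absent unless something has set it, so it must be present and equal to 1
          - token_filter.exists and token_filter.value == 1
          # Neither the local-accounts SID nor the Administrators SID may be denied network logon
          - "'S-1-2-0' not in deny_network_logon.stdout"
          - "'S-1-5-32-544' not in deny_network_logon.stdout"
        fail_msg: "Remote-management prerequisites are not met on {{ inventory_hostname }}: {{ deny_network_logon.stdout | trim }}"
        success_msg: "All Windows remote-management prerequisites are satisfied"

    - name: Show the WinRM listeners (Turbot connects over HTTPS on TCP 5986)
      ansible.windows.win_shell: winrm enumerate winrm/config/listener
      register: winrm_listeners
      changed_when: false

    - ansible.builtin.debug:
        var: winrm_listeners.stdout_lines
```

Because Turbot runs registered playbooks in alphabetical order of their IDs, give this check an ID that sorts before your other playbooks so a failed assertion stops the run before any configuration playbook touches the instance. The registry checks treat an absent value as "Not Configured" (Windows default) and only fail on an explicit 0, except for LocalAccountTokenFilterPolicy, which has to be present and set to 1 for a local account such as turbot to get a full token over the network.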