• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Disclaimer & Policy

Elan Shudnow's Blog

MVP Logo
  • Azure
  • Exchange
  • Lync

Ansible Dynamic Inventories in Azure – Part 2

December 13, 2019 by Elan Shudnow Leave a Comment

Part 1

  • Installing Ansible on CentOS 7.7
  • Create an Azure Service Principal that we will use to allow Ansible to authenticate to Azure via Dynamic Inventories.
  • Set up a basic Azure Dynamic Inventory filtering on “include_vm_resource_groups” to test pinging a VM as well as find out the name Ansible uses to refer to this Virtual Machine in order to capture Ansible hostvars.
  • Capture information via the Metadata Instance Service in order to see how Ansible hostvars pulls information from the VM.
  • Capture the Ansible Hostvars of an Azure Virtual Machine. These variables will then be used throughout this article series to filter what Virtual Machines we want to target.

Part 2

  • Install Azure CLI
  • Deploy a Virtual Machine Scale Set (VMSS) into an existing VNET
  • Modify our Azure Dynamic Inventory filtering for “include_vmss_resource_groups” to test connectivity to VMSS Instances (VM Nodes) within the VMSS.

Part 3

  • Install a Second VM
  • Configure Tags on VMs in Preparation of using Keyed_Groups
  • Using Keyed_Groups to filter on Tags’ Key/Value Pair
  • Using Keyed_Groups to filter on OS Type using Jinja2 Standard Dot Notation
  • Filter out specific VMs using exclude_host_filters

Part 4

  • Using Conditional_Groups to filter on specific criteria
  • Using Hostvar_Expressions to make modifications to specific hostvar values

Install Azure CLI on our Ansible Control Node

We need Azure CLI installed on our Ansible Control Node VM called iac. The reason why is our Ansible Control Node uses SSH when connecting to Linux VMs. When we create the VMSS, if we use Azure CLI, we must pass the contents of the id_rsa.pub file to the VMSS. It is similar when using the Azure Portal to create a Linux VM in that you take the SSH Public Key and insert the value so that you can SSH into your Linux VM after it is created.

I wanted to demonstrate how this is done using the Azure CLI.

To install the Azure CLI on CentOS 7.7, start by inserting the Microsoft Repository Key in the terminal:

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc

Then create local azure-cli repository information:

sudo sh -c 'echo -e "[azure-cli]
name=Azure CLI
baseurl=https://packages.microsoft.com/yumrepos/azure-cli
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/azure-cli.repo'

Finally, install azure-cli:

sudo yum install azure-cli

Provisioning our Virtual Machine Scale Set

Let’s set up a Virtual Machine Scale Set. This won’t be an in-depth guide on how to configure a Virtual Machine Scale Set (VMSS). Instead, we’ll get a VMSS set up just enough to leverage the Dynamic Inventory capabilities of Ansible.

There are five Quickstarts available in Azure Docs that walk you through creating a VMSS:

  • Azure Portal – https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-portal
  • Azure CLI – https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-cli
  • Azure PowerShell – https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-powershell
  • Azure ARM Template (Linux) – https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-linux
  • Azure ARM Template (Windows) – https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-windows

As explained earlier, we’ll use Azure CLI. Be sure to follow this step from Azure CLI on your Ansible Control Node. First, we’ll need to login to Azure via Azure CLI. Type the following command:

az login

You will be asked to open a Web Browser and enter the code.

At the website, enter our code.

Once authenticated, in Azure CLI on your Ansible Control Node, create our new Resource Group using the following command:

az group create --name vmblogvmss --location northcentralus

The following output is returned with our Resource Group information:

{
  "id": "/subscriptions/959b5d63-3xxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vmblogvmss",
  "location": "northcentralus",
  "managedBy": null,
  "name": "vmblogvmss",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}

To create our VMSS, use the following command:

az vmss create \
  --resource-group vmblogvmss \
  --name blogScaleSet \
  --image centos \
  --public-ip-per-vm \
  --upgrade-policy-mode automatic \
  --admin-username eshudnow \
  --subnet $(az network vnet subnet show -g Networking --vnet-name NorthCentral-VNET -n default -o tsv --query id) \
  --ssh-key-values ~/.ssh/id_rsa.pub

Note that we made a few changes here that are different from the quickstarts linked to above. I made the following additions/changes:

  • Added –public-ip-per-VM so we have the ability to SSH directly into an instance (node)
  • Changed the image from Ubuntu to CentOS
  • Instead of generating a new ssh key pair, I specify to use the ssh key values from our Ansible Control Node. This is why it is important to run this using Azure CLI from the Ansible Control Node.
  • I specified the subnet to use which is in the Resource Group Networking, in the VNET NorthCentral-VNET and the name of the subnet to use is default. If you also try to specify –vnet alongside –subnet when referencing an existing subnet, it will fail.

The creation of our VMSS will take a while and display as running after executing the above in Azure CLI. But be patient. We can see Resources are being created in the Azure Portal as shown in the following screenshot.

After the VMSS is created, you will get a large JSON Response back in Azure CLI. One piece of information that is of interest is whether the –ssh-key-values worked. Take a look at the osprofile section of the JSON Response.

"osProfile": {
        "adminUsername": "eshudnow",
        "allowExtensionOperations": true,
        "computerNamePrefix": "blogs5ea8",
        "linuxConfiguration": {
          "disablePasswordAuthentication": true,
          "provisionVMAgent": true,
          "ssh": {
            "publicKeys": [
              {
                "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/sLLG2X42jvWs0oiiDUFAqUicALaBN7tYi6a4lDR/k3fFbH0YIUs+H4SrjfyI8c4nq6zA4WtLNKIEONhxM/YNm87j4X5QeJx4P3gvCcQ9Q6HYLtWLOC5xHHvPMPQlXnR3aP9nVM+OxqqznyC0UK31H4VdHlwm4fDnHFzYegIdnfr4TD2/u49nwI4wsPg/xyNAtZYVKDt4JbsLhg3zkk5vf8K25pUlCw+ShH+DqEXh4OZEL1uKCkLaep7j72afr/eSHvXQrqNluG8O6n72BrVAdPvjohqQyPlbo/ZX9RiclNGOrOyRaslRA5LedUCfLb63TZjuzxXo7GlKWZBm2CKF [email protected]\n",
                "path": "/home/eshudnow/.ssh/authorized_keys"
              }
            ]
          }
        }

What better way to ensure that it worked by trying to SSH into one of our VMSS Instances. In the Azure Portal, I can see two Instances are running.

If I click on one of those Instances, I can see the Public IP Address.

On our Ansible Control Node, iac, SSH into this Public IP Address using the following command:

ssh [email protected]

It worked!

Now we’re ready to start working on our Dynamic Inventory file for Virtual Machine Scale Sets!

Modifying our Dynamic Inventory File to use VMSS Resource Groups

Let’s modify our ansible_azure_rm.yml that we created in Part 1. Currently, the file has the following text:

plugin: azure_rm

include_vm_resource_groups:
- vmblog

auth_source: auto

Let’s modify the file to look as such:

plugin: azure_rm

include_vm_resource_groups:
- vmblog

include_vmss_resource_groups:
- '*'

auth_source: auto

What we are expecting to see on our next execution (don’t forget to run the four EXPORTS for our Service Principal) is that Ansible will use the Dynamic Inventory and look for any VMs in the vmblog Resource Group as well as any VMSS Instances (VM Nodes) in any Resource Group.

Let’s go ahead and run the following command:

ansible all -m ping -i ansible_azure_rm.yml

What you will see is the following:

We successfully discovered our vmblog01VM and both of our VM Scale Set Instances. But one of them says Host key verification failed. This is because we tested an ssh into one of our VMSS Instances and added host key verification. Obviously, in a real-world environment, our VMSS can be scaling up and down and it wouldn’t make much sense to have to constantly be checking and SSH’ing into each of our Instances so Ansible will work.

So how do we solve this?

In our ansible.cfg, we must add the following:

host_key_checking=False

We can find the ansible.cfg we are currently using by running the following command:

ansible --version

Our output looks as such:

ansible 2.9.2
  config file = /home/eshudnow/ansible/ansible.cfg
  configured module search path = ['/home/eshudnow/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Run the following command to edit this file:

vi <config file path>

For us, we will be doing the following as I have my own ansible.cfg file in a folder called ansible located in my home directory:

vi /home/eshudnow/ansible/ansible.cfg

Ensure our host_key_checking = False is added to our ansible.cfg. My ansible.cfg looks as such:

[defaults]
inventory = ~/ansible/hosts
roles_path = ~/ansible/roles
deprecation_warnings=False
nocows = 1
host_key_checking=False

Run the following command again:

ansible all -m ping -i ansible_azure_rm.yml

Success! Our ping comes back successful for our vmblog01 and our two VMSS Instances. Now as your VMSS scales up or down, Ansible will be able to successfully connect and configure as necessary.

In Part 3, we’ll take a look at creating a second VM, configuring tags on our VMs, modifying our Ansible Dynamic Inventory to use keyed groups to filter on tags and operating system type, and filtering out specific VMs using exclude_host_filters.

Share this:

  • Twitter
  • LinkedIn
  • Reddit

Filed Under: Azure Tagged With: Ansible, Azure

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

  • LinkedIn
  • RSS
  • Twitter
  • YouTube

More to See

Azure Event Grid and Serverless PowerShell Functions – Part 1

March 16, 2020 By Elan Shudnow

Retrieving Activity Log Data from Azure Log Analytics – Part 3

March 6, 2020 By Elan Shudnow

Retrieving Activity Log Data from Azure Log Analytics – Part 2

March 6, 2020 By Elan Shudnow

Retrieving Activity Log Data from Azure Log Analytics – Part 1

March 5, 2020 By Elan Shudnow

Tags

ACR Always Encrypted Ansible Azure Azure AD Connect Azure Application Gateway Azure Disk Encryption Azure Firewall Azure Key Vault Azure Load Balancer Azure Monitor Azure Web App Backup Exec CCR CDN DevOps Docker DPM Event Grid Exchange Exchange 2010 Exchange Online Forefront Function App Hyper-V ISA iSCSI Log Analytics Logic App Lync Management Groups NLB OCS Office Office 365 Personal PowerShell RBAC SCOM SQL Storage Accounts Symantec Virtual Machines Windows Server 2008 Windows Server 2008 R2

Footer

About Me

Chicagoland consultant focused on Azure IaaS, PaaS, DevOps, Ansible, Terraform, ARM and Powershell.

Previously a 6x Microsoft MVP in Exchange Server then Lync Server.

My hobbies include watching sports (Baseball, Football and Hockey) and participating in my 14 year old Stepson’s sports.

Recent

  • Azure Event Grid and Serverless PowerShell Functions – Part 2
  • Azure Event Grid and Serverless PowerShell Functions – Part 1
  • Retrieving Activity Log Data from Azure Log Analytics – Part 3
  • Retrieving Activity Log Data from Azure Log Analytics – Part 2
  • Retrieving Activity Log Data from Azure Log Analytics – Part 1

Search

Tags

ACR Always Encrypted Ansible Azure Azure AD Connect Azure Application Gateway Azure Disk Encryption Azure Firewall Azure Key Vault Azure Load Balancer Azure Monitor Azure Web App Backup Exec CCR CDN DevOps Docker DPM Event Grid Exchange Exchange 2010 Exchange Online Forefront Function App Hyper-V ISA iSCSI Log Analytics Logic App Lync Management Groups NLB OCS Office Office 365 Personal PowerShell RBAC SCOM SQL Storage Accounts Symantec Virtual Machines Windows Server 2008 Windows Server 2008 R2

Copyright © 2021 · Magazine Pro on Genesis Framework · WordPress · Log in