For some background, this was initially an RFE that was opened from a Red Hat support ticket: https://github.com/ansible/ansible/issues/76227
Here’s where I’m struggling with this. I have a playbook that creates a VM in vCenter, sets it up for WinRM, and then applies some OS configs (updates and move to OU). When the system gets moved to an OU within our domain, it has a GPO applied. This GPO will rename the default Administrator account to a different name, which breaks the credentials I have set for this newly created system. I can easily use the set_fact module to cover the account rename, but I’ve found there isn’t any place to put it without creating an error.
Here’s what I’ve found though:
When using the win modules (specifically, I’m using the win_ping, win_reboot, and win_update modules), I’ve found that if the wrong credentials are used from the start, the module fails as unreachable because of authentication issues. However, if authentication issues happen during a module execution (win_reboot and win_update with reboots), the module reports a failure because the stored credentials are no longer working.
I can cover if the credentials change during module execution with a block/rescue setup, and everything completes with green. I can also cover the initial unreachable error if I use the ignore_unreachable keyword and use a conditional to change the credentials. The problem is that the ignore_unreachable does not show that the playbook completed without errors, and at the summary report, it shows the host as red (like it failed).
There was an initial suggestion to submit an RFE that would allow the ignore_unreachable keyword to not show the host as failed, but that would mean that if there is a host that is actually down or the WinRM or SSH port is down that we wouldn’t be able to tell from this.
Essentially, I’m looking for the option to do one of two things:
- Have authentication errors not classified as unreachable. This would allow them to be handled in a rescue block and it would allow the overall summary to show error free.
- Allow unreachable errors to be handled in a rescue block. This would cover authentication issues, and allow for the ability to try different usernames/passwords (we have many systems in our environment where the password could have variations currently). I think this would be an easier implementation, as a conditional could be applied to handle things depending on why it’s unreachable.
This is a long explanation, and I can provide more info if needed (scrubbed playbooks, output, etc…). I come from a Python background, so I’m familiar with error handling and how I can cover some complex behavior with it.
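
The two workarounds described in the post, sketched side by side as an added example (not the poster's playbook). The group name `new_windows_vm`, the variable `renamed_admin_user` and its placeholder value are assumptions, and `ansible.windows.win_updates` stands in for the update step. Note that the rescue section runs on any task failure, not only on an authentication failure.

```yaml
# Added example: handle a GPO-driven Administrator rename in both places it can surface.
- name: Apply OS config while a GPO renames the local Administrator account
  hosts: new_windows_vm              # hypothetical inventory group
  gather_facts: false
  vars:
    renamed_admin_user: CHANGE_ME    # placeholder for the account name the GPO sets
  tasks:
    # Case 1: the rename happened before this play connected.
    # Wrong credentials at connect time surface as UNREACHABLE, which
    # rescue cannot catch, so the result is registered and checked instead.
    - name: Probe WinRM with the current credentials
      ansible.windows.win_ping:
      register: probe
      ignore_unreachable: true       # recap still counts unreachable=1 for this host

    - name: Switch to the renamed account if the probe could not authenticate
      ansible.builtin.set_fact:
        ansible_user: "{{ renamed_admin_user }}"
      when: probe.unreachable | default(false)

    # Case 2: the rename lands while a module is running (reboot applies the GPO).
    # That surfaces as a task FAILURE, so block/rescue can handle it.
    - name: Steps during which the rename may take effect
      block:
        - name: Install updates, rebooting as needed
          ansible.windows.win_updates:
            reboot: true
      rescue:
        - name: Switch to the renamed account after the stored credentials stopped working
          ansible.builtin.set_fact:
            ansible_user: "{{ renamed_admin_user }}"

        - name: Wait until WinRM accepts the new account
          ansible.builtin.wait_for_connection:
            timeout: 600

        - name: Re-run updates with the new account
          ansible.windows.win_updates:
            reboot: true
```

A host that is genuinely down takes the same path as case 1 and then fails on the next task, so an outage is still visible in the recap.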