win_dns_record credentials

Hello there,

I’m using the win_dns_record module in Tower 3.8.3 in OpenShift, but it doesn’t seem to have an option to specify the credentials to be used, or at least none is documented.
The only way to fill in the required “ansible_user” and “ansible_password” credentials is explicitly in the “extra variables” section, which is not convenient given security concerns.

I’ve opened an “issue” against the project (https://github.com/ansible-collections/community.windows/issues/315), but Jordan Borean has kindly suggested that I write to this group.

If I try to use facts:

  - set_fact:
      ansible_user: "{{ user }}"
      ansible_password: "{{ password }}"

  - debug:
      msg: "Ansible user set by fact is {{ ansible_user }}"

  - name: Create A record
    community.windows.win_dns_record:
      name: "{{ vm_name|upper }}"
      type: "A"
      value: "{{ vm_ip }}"
      zone: "{{ selected_zone }}"

the values are actually not considered by the playbook:

TASK [Gathering Facts] *********************************************************
task path: /tmp/bwrap_1535_6eo1vcx_/awx_1535_5bwcwf0t/project/windows_management_playbooks/automate.yaml:1
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<dc.masked.com> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5985 TO dc.masked.com
fatal: [dc.masked.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: auth method plaintext requires a password",
    "unreachable": true
}

Is there a better way to pass the credentials (perhaps from within the playbook, and not as an extra variable) so we can encrypt them?

Thanks in advance,

Elio

My comment in that issue still applies: you have a play that looks somewhat like the following

  - name: my play
    hosts: my-win-hosts
    gather_facts: yes  # If omitted the default is yes, will always run unless you set this as no
    tasks:
      - name: Create A record
        community.windows.win_dns_record:
          name: "{{ vm_name|upper }}"
          type: "A"
          value: "{{ vm_ip }}"
          zone: "{{ selected_zone }}"

The ‘gather_facts: yes’ part means it is going to run the setup.ps1 module at the start of the play and it’s trying to connect as your current user and no password is set as per the error message. This all happens before the ‘win_dns_record’ module is even run. If no credentials are specified for the winrm connection Ansible will default to the current username, in your case root, and there is no password specified leading to your problem.

What you need to do to fix this is to ensure you have defined ansible_user and ansible_password so that it applies to my-win-hosts. This can be done in 3 main ways:

  • Set as a host var for the host itself
  • Set as a group var for the group the host is a member of, say a group called windows
  • Set explicitly when you call ansible-playbook, either through -e, or with the -u and -k arguments

The latter option is only really useful if you need the caller of the play to provide the credentials; typically you want these set on the host or group level like so:

[windows]
my-win-hosts ansible_user=username ansible_password=password

[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=ntlm

If you wish for the person to provide it through the command line when invoking Ansible you can do ‘ansible-playbook main.yml -u username -k’. The -k will have Ansible prompt you what the password is, otherwise you can use the somewhat insecure method ‘-e ansible_password=password’.

Thanks

Jordan
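
An added example, not part of the replies above or of the project's documentation: the group-level settings from the inventory in the answer moved into group_vars for the windows group, with the credentials kept in a separate file that is encrypted with ansible-vault, so the password is neither in the inventory nor in extra variables. The file names and the vault_ansible_user / vault_ansible_password variable names are assumptions chosen for illustration, and username / password are placeholders.

```yaml
# --- inventory (INI), shown as comments; no credentials on the host line ---
# [windows]
# my-win-hosts

# --- group_vars/windows/vars.yml (plain text, safe to commit) ---
# Connection settings apply to every host in the "windows" group, so they are
# already in place when "Gathering Facts" (setup.ps1) opens the WinRM session.
ansible_connection: winrm
ansible_winrm_transport: ntlm
# Indirection: the real values live in the encrypted file below.
ansible_user: "{{ vault_ansible_user }}"
ansible_password: "{{ vault_ansible_password }}"

---
# --- group_vars/windows/vault.yml (content BEFORE encryption) ---
# Hypothetical variable names; placeholder values.
# On disk this file holds only the ansible-vault ciphertext.
vault_ansible_user: username
vault_ansible_password: password

---
# --- main.yml ---
# No set_fact for credentials: facts set in tasks are applied too late,
# because fact gathering connects before the first task runs.
- name: my play
  hosts: my-win-hosts
  gather_facts: yes
  tasks:
    - name: Create A record
      community.windows.win_dns_record:
        name: "{{ vm_name | upper }}"
        type: "A"
        value: "{{ vm_ip }}"
        zone: "{{ selected_zone }}"
```

Encrypt the second file with `ansible-vault encrypt group_vars/windows/vault.yml` and supply the vault password at run time, with `--ask-vault-pass` on the command line or a Vault credential attached to the job template in Tower.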