StackStorm and Ansible on Windows

StackStorm provides integrations with tools such as Docker, AWS, Ansible and many more. These integrations, or integration packs, allow StackStorm to interact with tools and platforms that are commonly used in IT environments. In this post we’re going to cover integrating StackStorm with a Windows server via Ansible, as opposed to using the experimental Windows runner.

Windows Configuration

We’ll start by configuring our Windows host to support the Ansible connection over WinRM.

Allow the execution of all PowerShell scripts by running the following command in a PowerShell prompt.

Set-ExecutionPolicy Unrestricted  

Run the PowerShell script to configure the Windows host to allow Ansible connections. https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1

.\ConfigureRemotingForAnsible.ps1

StackStorm Configuration

We need to install the community-provided Ansible pack on an existing installation of StackStorm. By default, StackStorm is configured to look up integration packs in the community repo.

The following commands need to be run from the command line of the StackStorm host.

Install Ansible StackStorm Pack

st2 run packs.install packs=ansible  

Now that the Ansible pack has been installed, we need to add the pywinrm Python package so that Ansible can use WinRM instead of SSH to communicate with our Windows host.

Install pywinrm

st2 run ansible.command_local args='pip install "pywinrm>=0.1.1"'

Now that we’ve got Ansible and pywinrm installed on our StackStorm instance, we need to add our Windows host (IP address or DNS name) to the Ansible inventory file so that Ansible can communicate with it.

Add an entry to the inventory file for the Windows host

By default the inventory file is located at /etc/ansible/hosts.

[windows]
winserver1.example.com  

We now need to add the credentials for the Windows host to Ansible in order to run commands via Ansible. Our configuration uses a non-domain-joined Windows host.

We add the credentials to the /etc/ansible/group_vars/windows.yml variable file.

Add user credentials to the windows group variables file

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_user: Administrator  
ansible_password: SecretPasswordGoesHere  
ansible_port: 5986  
ansible_connection: winrm  
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore  
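
An added example, not part of the original post or of the Ansible or StackStorm projects: a small Python check that reads a flat group variables file like the one above and reports a plaintext ansible_password, disabled certificate validation, or WinRM over HTTP. The function name audit_winrm_vars, both sample strings and the CA bundle path are assumptions constructed for illustration.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"

# Constructed sample: the group_vars/windows.yml shown above.
PAGE_VARS = """\
ansible_user: Administrator
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""

# Constructed sample: inline vault value (placeholder ciphertext) and a
# validated certificate; the CA bundle path is hypothetical.
HARDENED_VARS = """\
ansible_user: Administrator
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  <ciphertext placeholder>
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ssl/certs/winrm-ca.pem
"""

def audit_winrm_vars(text):
    """Return findings for a flat key: value vars file (not a full YAML parser)."""
    # A file encrypted as a whole by ansible-vault starts with the vault header.
    if text.lstrip().startswith(VAULT_HEADER):
        return []
    settings = {}
    for line in text.splitlines():
        # Top-level keys only; comments and indented vault blobs are skipped.
        m = re.match(r"^(\w+)\s*:\s*(.*?)\s*(?:#.*)?$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    findings = []
    password = settings.get("ansible_password")
    if password is not None and not password.startswith("!vault"):
        findings.append("ansible_password is stored in plaintext")
    if settings.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("WinRM server certificate is not validated")
    if settings.get("ansible_port") == "5985" or settings.get("ansible_winrm_scheme") == "http":
        findings.append("WinRM is configured for HTTP instead of HTTPS")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_VARS), ("hardened", HARDENED_VARS)):
        print(name, audit_winrm_vars(text))
```

With validation enabled, the certificate presented by the WinRM listener has to chain to a CA in the trust path, so the default self-signed certificate must be replaced or its issuer added to that bundle.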

With all the configuration in place, we can now run a command against our Windows host to test that Ansible is connecting to it correctly.

Run the “win_ping” command from the command line to perform an ansible ping of the Windows host.

st2 run ansible.command module_name="win_ping" hosts="windows"  

The command should display output similar to that below.

id: 57ed7b61dcf876397df17b8e  
status: succeeded  
parameters:  
  hosts: windows
  module_name: win_ping
result:  
  failed: false
  return_code: 0
  stderr: ''
  stdout: "192.168.1.138 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}"
  succeeded: true

References

Windows Ansible Configuration
http://docs.ansible.com/ansible/intro_windows.html

Ansible PowerShell Configuration Script
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1