Working with Azure using Ansible

By | February 20, 2019

Ansible includes a suite of modules for interacting with “Azure Resource Manager”, giving you the tools to easily create and orchestrate infrastructure on the Microsoft Azure Cloud.

Step 1 – Requirements – Azure SDK in Ansible Control Server
Using the Azure Resource Manager modules requires having specific Azure SDK modules installed on the host running Ansible.

$ pip install 'ansible[azure]'

Note – You can also directly run Ansible in Azure Cloud Shell, where Ansible is pre-installed.

Step 2 – Authenticating with Azure
Using the Azure Resource Manager modules requires authenticating with the Azure API. You can choose from two authentication strategies:

  • Active Directory Username/Password
  • Service Principal Credentials

Step 3 – Setting up “Service Principal Credentials”

Please follow these steps: https://docs.microsoft.com/en-gb/azure/active-directory/develop/howto-create-service-principal-portal

After stepping through the tutorial you will have:

Client ID – Your Client ID, which is found in the “client id” box in the “Configure” page of your application in the Azure portal

Secret key – Your Secret key, generated when you created the application. The key cannot be displayed again after creation; if you lose it, you must create a new one in the “Configure” page of your application.

tenant ID – And finally, a tenant ID. It’s a UUID (e.g. ABCDEFGH-1234-ABCD-1234-ABCDEFGHIJKL) pointing to the AD containing your application. You will find it in the URL from within the Azure portal, or in the “view endpoints” of any given URL.

Azure Subscription Id –

Step 4 – Providing Credentials to Azure Modules

Method – 1 – Environment variables. In Ansible Tower you will most likely want to use environment variables. To pass service principal credentials via the environment, define the following variables:
AZURE_CLIENT_ID
AZURE_SECRET
AZURE_SUBSCRIPTION_ID
AZURE_TENANT

Method – 2 – A file within your home directory. The modules will look for credentials in $HOME/.azure/credentials, under the [default] profile:
[default]
subscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
secret=xxxxxxxxxxxxxxxxx
tenant=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Method – 3 – Pass credentials as parameters to a task within a playbook. If you wish to pass credentials as parameters to a task, use the following parameters for a service principal:
client_id
secret
subscription_id
tenant
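As an added example (not from the original post and not Ansible's own code), a small Python check for a Method 2 credentials file: it parses the [default] profile, confirms that subscription_id, client_id and tenant are UUIDs as Step 3 describes, flags a secret that is still the x-placeholder, and warns when the file is readable by other users. The file path, function names and sample values are constructed; the same UUID checks apply to the AZURE_* variables of Method 1.

```python
import configparser
import os
import re
import tempfile

# Azure subscription, client (application) and tenant IDs are UUIDs.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def check_credentials_file(path, profile="default"):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # any group/other permission bit exposes the secret
        problems.append(f"mode {oct(mode)} exposes the secret to other users; use 0600")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        return problems + [f"no [{profile}] section"]
    section = cfg[profile]
    for key in ("subscription_id", "client_id", "tenant"):
        value = section.get(key, "").strip()
        if not UUID_RE.match(value):
            problems.append(f"{key} is not a UUID: {value!r}")
    secret = section.get("secret", "").strip()
    if not secret:
        problems.append("secret is empty")
    elif set(secret) == {"x"}:
        problems.append("secret is still the x-placeholder from the docs")
    return problems

def write_sample(text, mode=0o600):
    """Write constructed sample content to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="azure-creds-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

# Constructed samples; none of these values are real credentials.
GOOD = """[default]
subscription_id=12345678-abcd-4ef0-9876-0123456789ab
client_id=87654321-dcba-4fe0-a789-ba9876543210
secret=example-secret-value
tenant=11111111-2222-4333-8444-555555555555"""
BAD = """[default]
subscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client_id=not-a-uuid
secret=xxxxxxxxxxxxxxxxx
tenant=11111111-2222-4333-8444-555555555555"""
```

Run check_credentials_file(write_sample(GOOD)) to see an empty list, and the same on BAD to see the three problems it contains.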

Step 5 – Creating a Virtual Machine with Default Options
If you simply want to create a virtual machine without specifying all the details, you can do that as well. The only caveat is that you will need a virtual network with one subnet already in your resource group. Assuming you have a virtual network already with an existing subnet, you can run the following to create a VM:

azure_rm_virtualmachine:
  resource_group: Testing
  name: testvm10
  vm_size: Standard_D1
  admin_username: chouseknecht
  ssh_password_enabled: false
  ssh_public_keys: "{{ ssh_keys }}"
  image:
    offer: CentOS
    publisher: OpenLogic
    sku: '7.1'
    version: latest

Step 6 – Creating Individual Components
An Azure module is available to help you create a storage account, virtual network, subnet, network interface, security group and public IP. Here is a full example of creating each of these and passing the names to the azure_rm_virtualmachine module at the end:

- name: Create storage account
  azure_rm_storageaccount:
    resource_group: Testing
    name: testaccount001
    account_type: Standard_LRS

- name: Create virtual network
  azure_rm_virtualnetwork:
    resource_group: Testing
    name: testvn001
    address_prefixes: "10.10.0.0/16"

- name: Add subnet
  azure_rm_subnet:
    resource_group: Testing
    name: subnet001
    address_prefix: "10.10.0.0/24"
    virtual_network: testvn001

- name: Create public ip
  azure_rm_publicipaddress:
    resource_group: Testing
    allocation_method: Static
    name: publicip001

- name: Create security group that allows SSH
  azure_rm_securitygroup:
    resource_group: Testing
    name: secgroup001
    rules:
      - name: SSH
        protocol: Tcp
        destination_port_range: 22
        access: Allow
        priority: 101
        direction: Inbound

- name: Create NIC
  azure_rm_networkinterface:
    resource_group: Testing
    name: testnic001
    virtual_network: testvn001
    subnet: subnet001
    public_ip_name: publicip001
    security_group: secgroup001

- name: Create virtual machine
  azure_rm_virtualmachine:
    resource_group: Testing
    name: testvm001
    vm_size: Standard_D1
    storage_account: testaccount001
    storage_container: testvm001
    storage_blob: testvm001.vhd
    admin_username: admin
    admin_password: Password!   # demo value from the example; keep a real password in Ansible Vault, not in the playbook
    network_interfaces: testnic001
    image:
      offer: CentOS
      publisher: OpenLogic
      sku: '7.1'
      version: latest