
Ask an Expert: Ansible Automation + Windows for Federal System Integrators

For more information, contact Carahsoft or our reseller partners: [email protected] | 877-RHAT-GOV

Featuring: J.R. Morgan, Senior Solutions Architect, Red Hat

IT automation is critical for Federal System Integrators seeking to manage large numbers of systems and applications at scale. Red Hat expert J.R. Morgan discusses how Red Hat Ansible Automation Platform helps ensure the necessary security, consistency, and repeatability of management operations for Windows IT infrastructure.

Which integrations are supported by Ansible Tower?

There's really such an ecosystem around this [Ansible], it's crazy. We can integrate with VMware and pull our dynamic inventory from there, or we could spin up virtual machines (VMs). There are many different options. Same thing with AWS. We could pull an inventory or spin up EC2 instances or make changes in AWS. Same goes for Splunk. Ansible can also integrate with lots of different configuration management databases (CMDBs), like ServiceNow. You can pull your inventory, write an inventory into there, or even drive the automation through some of these programs.

We also integrate with GitHub, GitLab, or Bitbucket. I recommend you store all your playbooks in source control management. You can take advantage of all the tools that these applications have. They even have version control, so you can do PRs and merges to see who's submitting the code and who's merging it in, if you have an approval committee that you've nominated within your company. They review the playbooks and then merge them into the new repository, and that's the repo that Tower reads from. Ansible is the glue that holds all these different things together within your network.

Is Microsoft Windows' capability on par with Ansible Linux automation?
I'd say the short answer to that is yes; it's very close as far as the core modules go, with feature parity on managing Windows or Linux. That wasn't always the case. Recently, you're seeing a lot more added to the Windows modules and Windows collection to enable you to leverage automation against Windows endpoints.

What are the use cases of Ansible Tower for configuring Windows infrastructure?

The first use case that comes to mind is provisioning a Windows VM inside of VMware. It doesn't just target cloning the template; it might also include attaching the appropriate virtual machine networks or associating the proper static IP addresses via VMware customizations. All things can be automated from start to finish with Ansible. Additionally, if you're already leveraging Terraform by HashiCorp, Ansible can manage Terraform to instantiate these virtual machines in VMware. And, again, we're not limited to that environment. We could just as easily target instance provisioning or VM provisioning across VMware, across AWS, across Azure, and then again, manage the artifacts that come along with provisioning those instances in different environments.

Now, I want to highlight security automation with regard to Windows. This is a very common use case for Ansible against Linux endpoints, but it's getting more and more common with Windows managed hosts and Ansible Tower. Part of that is a result of the Microsoft PowerStig project. Through this project, Microsoft and independent contributors allow you to make a Windows system STIG compliant, regardless of version, supported as far back as 2008 and all the way up to 2019. PowerStig allows you to apply a STIG profile to a Windows server using Desired State Configuration (DSC) files and management object files as well.
It's a very easy-to-use collection of PowerShell modules, and it integrates very nicely with Ansible as well. I want to emphasize the different use cases that you can tackle with Ansible or Ansible Tower when it comes to Windows. It's not isolated to Linux for all these different use cases anymore. If you have a workflow where you are providing select exceptions to STIG profiles assigned to new or existing Windows hosts, you can incorporate that into a more elaborate workflow. You can add that approval or denial step into the workflow so it can be escalated to a member of your corporate information security team or an administrator who has the authority to approve or deny that security exception. If they end up denying the exception, it may still apply to the PowerStig DSC. Either way, you have a workflow in place to enforce certain profiles or provide exceptions for certain profiles.

Can Ansible discover a server configuration drift? For example, if the user changed a configuration file and then put it back to the way it was or should be.

Absolutely, that is a very common use case. You can even show the diff output between the original source configuration and the new configuration file to verify what was changed, and even have the capability to back up that file if any reversion to the original is executed.

How do you check configuration drift regularly on a schedule?

Either via API or even via code checking. If your configuration files themselves are checked into some kind of version control system, you could even trigger it to apply the new version of that config file based off of either, again, an API call or a webhook.

Has Ansible Tower been made into a Docker container?

Typically, Ansible Tower is not installed as a Docker container. It certainly could be if you want to run it on Kubernetes or OpenShift directly; there is an operator that would install that in a container.
If you're not running it on OpenShift or Kubernetes, it's typically installed with an Ansible playbook, either on a VM or on bare metal.

How can Ansible help with patch management on Windows?

There's actually a Windows Update module, and there are a couple of different ways you can leverage that.

1. You can have a playbook run periodically.
2. You can have that Windows Update module preset a scheduled task that is managed either exclusively or partially by Ansible.

If you're already using a Microsoft solution, more than just Windows Server Update Services (WSUS), like System Center, it's going to have a different patching pattern than leveraging the Windows Update module with WSUS. If you're not using System Center, Windows Update and WSUS together (which is a powerful combination even without WSUS), it should be very quick and easy to schedule and enforce updates against any given number of Windows endpoints.

Do you see Ansible replacing Satellite for provisioning? What are the pros and cons of one over the other?

Ansible and Ansible Tower complement, rather than replace, Satellite as far as provisioning and patching go. It is a symbiotic relationship. I can't say it's going to replace it, because Ansible doesn't really handle content management in the same way that Satellite does. As far as configuration management, Satellite has embedded Ansible included with it, but it does not have the API. It doesn't have the ability to define and leverage elaborate workflow templates or approval dialogues, and it doesn't have the full role-based access control capabilities that Ansible Tower has. While some overlap occurs between the two products, they're more complementary than competing.
The same even applies to Terraform. I don't see Ansible replacing Terraform, but I see them complementing one another. Terraform is amazing at provisioning infrastructure and maintaining state. Ansible can do that as well, but it doesn't really maintain state as much.

You included WinRM basic in your example. What are other connectivity methods for WinRM for domain and workgroup servers?

Such a good question! Again, basic authentication will be unacceptable for production environments. For demo, that's fine. CredSSP, Kerberos, X.509, all of those are supported authentication mechanisms for managing hosts via WinRM. So, take your pick. We've had exposure and experience with all of those. I'll also add that if you're familiar with cloud-init, either on AWS or the Windows version of cloud-init, it does make configuration of WinRM on new instances spinning up quite easy, even if you are using something like X.509.

Can you incorporate the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Windows and Red Hat as a playbook?

The PowerStig project is actually based off of DISA STIG guidelines. So, the short answer is yes, it's as close as you'll get. If there's some rule missing from the PowerStig project, you can actually add those in directly. I'd refer to the wiki on the PowerStig project page for details on how to do that, but the baselines that the PowerStig project provides are pretty comprehensive. We only focused on the standard Microsoft server profile. With that said, if this was a SQL Server we were provisioning, there are other profiles you can apply for specific applications installed on Windows servers.

Is there a way to convert PowerShell to an Ansible playbook or Chocolatey playbook?

Yes, absolutely.
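Added editor's example (not part of the interview, and not Red Hat's or Carahsoft's code) illustrating the WinRM connectivity answer above: the same inventory carries a basic-auth lab host alongside domain servers using Kerberos and a workgroup server using X.509 certificate authentication, both over HTTPS with server certificate validation. Host names, the service principal, and every certificate path are constructed placeholders; the variable names are the ones the Ansible winrm connection plugin documents.

```yaml
# inventory/windows.yml  (constructed example inventory; hosts, principal and paths are assumed)
all:
  children:
    demo_lab:
      hosts:
        win-demo.lab.example.com:
      vars:
        ansible_connection: winrm
        ansible_winrm_transport: basic       # demo only: the password travels with every request
        ansible_port: 5985                   # plain HTTP; tolerable only on an isolated lab network
        ansible_user: Administrator
        ansible_password: "{{ vault_demo_password }}"   # keep even lab secrets in Ansible Vault

    domain_servers:
      hosts:
        srv01.corp.example.com:
        srv02.corp.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                   # WinRM over HTTPS
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos    # domain auth: a ticket, not the password, reaches the host
        ansible_user: svc_ansible@CORP.EXAMPLE.COM   # assumed service principal
        # Either obtain a ticket with kinit before the run or supply ansible_password from Vault
        # so the connection plugin can request one itself.
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/pki/tls/certs/corp-root-ca.pem   # assumed CA bundle

    workgroup_servers:
      hosts:
        edge01.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_transport: certificate   # X.509 client cert mapped to a local account on the host
        ansible_winrm_cert_pem: /etc/ansible/certs/edge01-client.pem       # assumed client cert
        ansible_winrm_cert_key_pem: /etc/ansible/certs/edge01-client.key   # assumed private key
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/ansible/certs/edge-ca.pem        # assumed CA for the listener
```

The two production groups differ only in how the client proves its identity; in both, leaving ansible_winrm_server_cert_validation at validate is what stops a spoofed listener from harvesting credentials, so set ignore only on a throwaway lab host. CredSSP (ansible_winrm_transport: credssp) fits the same pattern and is the option to reach for when a task must itself hop to a second host with the caller's credentials.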
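Added editor's example (not from the interview or the PowerStig project) showing the PowerStig route described above: install the PowerStig PowerShell modules, compile a DSC configuration for the server STIG into a MOF, apply it through the Local Configuration Manager, and then test the result. The inventory group, target OS version, role, and output path are assumptions; the WindowsServer composite resource and its OsVersion, OsRole, Exception and SkipRule parameters are PowerStig's own. Compilation runs inside win_shell because PowerStig's composite resources are applied through a compiled configuration rather than one resource at a time.

```yaml
# stig_baseline.yml  (constructed example playbook; group name, version, role and path are assumed)
- name: Apply the DISA STIG baseline to Windows Server hosts with PowerStig
  hosts: domain_servers
  gather_facts: false
  vars:
    stig_os_version: "2019"                    # assumed target; PowerStig also accepts 2012R2, 2016, 2022
    stig_os_role: "MS"                         # MS = member server, DC = domain controller
    dsc_output_path: 'C:\DSC\WindowsServerStig' # assumed location for the compiled MOF on the host

  tasks:
    - name: Install PowerStig (and its DSC resource dependencies) from the PowerShell Gallery
      community.windows.win_psmodule:
        name: PowerStig
        state: present

    - name: Compile the STIG configuration to a MOF and apply it with the Local Configuration Manager
      ansible.windows.win_shell: |
        Configuration WindowsServerStig {
            Import-DscResource -ModuleName PowerStig
            Node localhost {
                # WindowsServer expands the DISA STIG rules for this version and role.
                # Approved deviations belong in its Exception / SkipRule parameters, which is
                # where the output of an approval workflow would be fed in; none are set here.
                WindowsServer Baseline {
                    OsVersion = '{{ stig_os_version }}'
                    OsRole    = '{{ stig_os_role }}'
                }
            }
        }
        WindowsServerStig -OutputPath '{{ dsc_output_path }}' | Out-Null
        Start-DscConfiguration -Path '{{ dsc_output_path }}' -Wait -Force
      register: apply_result
      changed_when: true

    - name: Verify that every resource in the baseline is now in its desired state
      ansible.windows.win_shell: |
        $result = Test-DscConfiguration -Detailed
        if ($result.ResourcesNotInDesiredState) {
            $result.ResourcesNotInDesiredState | Select-Object -ExpandProperty ResourceId
            exit 1
        }
      register: verify
      changed_when: false
      failed_when: verify.rc != 0
```

The final task is the compliance check a STIG reviewer actually wants: it fails the host (and therefore the Tower job) and lists the non-compliant resource IDs, rather than trusting that the apply step succeeded.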
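Added editor's example (not from the interview) for the drift-detection and patch-management answers above, written as one playbook that a Tower schedule can run nightly: the first play compares a source-controlled configuration file with the live copy in check mode, shows the diff, and only rewrites the file (taking a backup first) when the operator explicitly asks; the second installs security updates with the Windows Update module. The inventory group, file paths and the remediate_drift switch are assumptions; win_template, win_updates and their parameters are the real collection modules.

```yaml
# scheduled_maintenance.yml  (constructed example; group, paths and the remediate_drift variable are assumed)
- name: Detect (and optionally correct) drift in a source-controlled configuration file
  hosts: domain_servers
  gather_facts: false
  vars:
    managed_config_src: files/app.config.j2      # assumed template kept in the playbook repository
    managed_config_dest: 'C:\App\app.config'     # assumed location on the managed host
  tasks:
    - name: Compare the live file with the repository version without changing anything
      ansible.windows.win_template:
        src: "{{ managed_config_src }}"
        dest: "{{ managed_config_dest }}"
      check_mode: true          # never writes, even when the playbook runs normally
      diff: true                # prints the unified diff so the reviewer sees exactly what changed
      register: drift

    - name: Restore the approved version, keeping a timestamped backup of the drifted file
      ansible.windows.win_template:
        src: "{{ managed_config_src }}"
        dest: "{{ managed_config_dest }}"
        backup: true
      when: drift.changed and (remediate_drift | default(false) | bool)

    - name: Fail the scheduled run so the drift is surfaced when remediation was not requested
      ansible.builtin.fail:
        msg: "{{ inventory_hostname }} differs from source control; review the diff above"
      when: drift.changed and not (remediate_drift | default(false) | bool)

- name: Install outstanding security updates on the same maintenance schedule
  hosts: domain_servers
  gather_facts: false
  serial: "25%"                 # patch a quarter of the group at a time
  tasks:
    - name: Install security and critical updates, rebooting once if Windows requires it
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: installed
        reboot: true
        reboot_timeout: 1200
        log_path: 'C:\Windows\Temp\ansible_updates.log'   # assumed log location
      register: patch

    - name: Summarise the result for the job output
      ansible.builtin.debug:
        msg: "{{ patch.installed_update_count }} update(s) installed; reboot required: {{ patch.reboot_required }}"
```

Run from a schedule it is purely a detector; run ad hoc with -e remediate_drift=true it becomes the remediation, and the backup file win_template leaves beside the destination is what you revert to if the approved version turns out to be the wrong one.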