win_dns_record credentials


Elio Lopez

Nov 6, 2021, 7:14:54 AM
to Ansible Project
Hello there,

I'm using the win_dns_record module in Tower 3.8.3 on OpenShift, but it doesn't seem to have an option to specify the credentials to be used, or at least not a documented one.
The only way to fill in the required "ansible_user" and "ansible_password" credentials is explicitly in the "extra variables" section, which is not convenient given the security concerns.
I've opened an issue against the project (https://github.com/ansible-collections/community.windows/issues/315), but Jordan Borean has kindly suggested that I write to this group.

If I try to use the facts:

- set_fact:
    ansible_user: "{{ user }}"
    ansible_password: "{{ password }}"

- debug:
    msg: "Ansible user set by fact is {{ ansible_user }}"

- name: Create A record
  community.windows.win_dns_record:
    name: "{{ vm_name|upper }}"
    type: "A"
    value: "{{ vm_ip }}"
    zone: "{{ selected_zone }}"

the values are actually not considered by the playbook:

TASK [Gathering Facts] *********************************************************
task path: /tmp/bwrap_1535_6eo1vcx_/awx_1535_5bwcwf0t/project/windows_management_playbooks/automate.yaml:1
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<dc.masked.com> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5985 TO dc.masked.com
fatal: [dc.masked.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: auth method plaintext requires a password",
    "unreachable": true
}

Is there a better way to pass the credentials (perhaps from within the playbook, and not as an extra variable) so we can encrypt them?
Thanks in advance,

Elio

jbor...@gmail.com

Nov 8, 2021, 8:22:32 PM
to Ansible Project
My comment in that issue still applies: you have a play that looks somewhat like the following

- name: my play
  hosts: my-win-hosts
  gather_facts: yes  # If omitted the default is yes; it will always run unless you set this to no
  tasks:

  - name: Create A record
    community.windows.win_dns_record:
      name: "{{ vm_name|upper }}"
      type: "A"
      value: "{{ vm_ip }}"
      zone: "{{ selected_zone }}"

The 'gather_facts: yes' part means it is going to run the setup.ps1 module at the start of the play, and it's trying to connect as your current user with no password set, as per the error message. This all happens before the 'win_dns_record' module is even run. If no credentials are specified for the winrm connection, Ansible will default to the current username, in your case root, and there is no password specified, leading to your problem.

What you need to do to fix this is to ensure you have defined ansible_user and ansible_password so that they apply to my-win-hosts. This can be done in 3 main ways:
  • Set as a host var for the host itself
  • Set as a group var for the group the host is a member of, say a group called windows
  • Set explicitly when you call ansible-playbook, either through -e, or with the -u and -k arguments
The latter option is only really useful if you need the caller of the play to provide the credentials; typically you want these set on the host or group level like so:

[windows]
my-win-hosts  ansible_user=username ansible_password=password

[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=ntlm
...

If you wish for the person to provide it through the command line when invoking Ansible you can do 'ansible-playbook main.yml -u username -k'. The -k will have Ansible prompt you for the password; otherwise you can use the somewhat insecure method '-e ansible_password=password'.

Thanks

Jordan
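Elio's original question was how to keep the WinRM credentials out of the job's extra variables so they can be encrypted, and Jordan's reply puts them at the group level. The following group_vars file is an added example that combines the two; it is not from either post or from the community.windows collection. It assumes the inventory group is called windows (as in Jordan's inventory snippet), that the file lives at group_vars/windows.yml next to the inventory, and that the vault ciphertext is produced with ansible-vault; the ciphertext shown is a placeholder, not real vault output.

```yaml
# group_vars/windows.yml  (added example; path is an assumption)
#
# Applies to every host in the [windows] inventory group, so the setup.ps1
# fact-gathering step at the start of the play already has a user and a
# password instead of falling back to the current local user (root) with
# no password.
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_port: 5985

# Plain user name is fine to leave readable.
ansible_user: svc_ansible_dns        # constructed example account name

# The password is stored vault-encrypted in place. Generate the block with:
#   ansible-vault encrypt_string --vault-id @prompt 'the-real-password' --name ansible_password
# and paste its output here. Ansible decrypts it at run time when the vault
# password (or Tower/AWX vault credential) is supplied.
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  PLACEHOLDER_REPLACE_WITH_OUTPUT_OF_ansible_vault_encrypt_string
```

With this file in place the play from Jordan's reply needs no set_fact and no credentials in extra variables; run it as `ansible-playbook -i inventory main.yml --ask-vault-pass` (or attach a Vault credential to the job template in Tower/AWX). Anyone with read access to the repository sees only the ciphertext, while `-e ansible_password=...` would expose the value in the job's extra variables and process listing.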