How to set windows admin password on terraform instances

Kyle Brooks

Sep 24, 2015, 2:12:01 PM
to Terraform
Hi, 

I am trying to provision Windows instances on AWS using terraform, and I need remote-exec and file provisioning over winrm. 

Right now I am using the user_data file to set up winrm and the password:

 <script>
   winrm quickconfig -q & winrm set winrm/config/winrs @{MaxMemoryPerShellMB="300"} & winrm set winrm/config @{MaxTimeoutms="1800000"} & winrm set winrm/config/service @{AllowUnencrypted="true"} & winrm set winrm/config/service/auth @{Basic="true"}
 </script>
 <powershell>
   netsh advfirewall firewall add rule name="WinRM in" protocol=TCP dir=in profile=any localport=5985 remoteip=any localip=any action=allow
   $admin = [adsi]("WinNT://./administrator, user")
   $admin.psbase.invoke("SetPassword", "${admin_password}")
...
 

I think it is triggering a race condition, because I will intermittently get a 401 error when I set up the instance. I think that sometimes remote_exec runs before cloud-init and user_data have a chance to set up the admin password.

Are there other techniques to set up the admin password on a windows instance, or other ways to avoid this issue?

Thanks,
- Kyle

Kyle Brooks

Oct 13, 2015, 3:15:08 PM
to Terraform
For what it's worth, I was able to resolve the 401 error by adding a local-exec sleep 7m to the template.

Anthony Petecca

Jul 28, 2016, 4:10:06 PM
to Terraform
Kyle, can you show me your provisioner that you used to do this? I just started Terraform and would like to implement an admin password on launch for easier access to a testing environment.

Kyle Brooks

Jul 28, 2016, 8:18:43 PM
to Terraform
You need to set up a custom uname/pw on windows using a user data file. Here is how my template looks:
 
resource "aws_instance" "gateway" {
...
    user_data = "${template_file.gateway_user_data.rendered}"
...
}

resource "template_file" "gateway_user_data" {
    filename = "templates/gateway_install.ps1"
    vars {
      admin_password="${var.admin_password}"
...
    }
}

Then in my gateway_install.ps1 file I have
<powershell>
  netsh advfirewall firewall add rule name="WinRM in" protocol=TCP dir=in profile=any localport=5985 remoteip=any localip=any action=allow
  $admin = [adsi]("WinNT://./administrator, user")
  $admin.psbase.invoke("SetPassword", "${admin_password}")
</powershell>

This is how you can set the password.

Anthony Petecca

Jul 29, 2016, 4:27:48 PM
to Terraform
Here is what I have:


resource "aws_instance" "dmzA" {
  ami = "${lookup(var.amis, var.region)}"
  instance_type = "${lookup(var.instance_types, "dmz")}"
  key_name = "${lookup(var.key_name, var.region)}"
  associate_public_ip_address = true
  subnet_id = "${aws_subnet.dmzA.id}"

  user_data = "${template_file.gateway_user_data.rendered}"

  security_groups = [
    "${aws_security_group.management.id}"
  ]
  tags {
    Name = "${var.instance_dmz_a}"
  }
}

resource "template_file" "gateway_user_data" {
    filename = "templates/gateway_install.ps1"
    vars {
      admin_password="${var.admin_password}"
    }
}

Then I created the folder templates and, inside it, the script called gateway_install.ps1, which contains:

  netsh advfirewall firewall add rule name="WinRM in" protocol=TCP dir=in profile=any localport=5985 remoteip=any localip=any action=allow
  $admin = [adsi]("WinNT://./administrator, user")
  $admin.psbase.invoke("SetPassword", "${admin_password}")

When the instance is made, the password set is not the one I made in the admin_password variable. Am I missing something?

Kyle Brooks

Aug 2, 2016, 10:04:15 PM
to Terraform
The userdata file may not be executing at all. Make sure it has the <powershell> tags around the powershell part of the execution etc. Unfortunately making this sort of thing work on a windows instance is a pain.
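
A pre-flight check for the failure mode diagnosed in this thread (user data that never runs because the wrapper tags are missing), as an added example that is not part of any post above. The function name lint_user_data and both sample strings are constructed for illustration, and the ${...} check is a heuristic.

```python
import re

# Constructed sample: the script body from the thread, with no wrapper tags
# and the Terraform variable still unrendered.
UNTAGGED = '''netsh advfirewall firewall add rule name="WinRM in" protocol=TCP dir=in profile=any localport=5985 remoteip=any localip=any action=allow
$admin = [adsi]("WinNT://./administrator, user")
$admin.psbase.invoke("SetPassword", "${admin_password}")
'''
# Constructed sample: same body, wrapped and rendered with a placeholder value.
TAGGED = ("<powershell>\n"
          + UNTAGGED.replace("${admin_password}", "Placeholder-Pw-1!")
          + "</powershell>\n")

BLOCK = re.compile(r"<(script|powershell)>(.*?)</\1>", re.S | re.I)
PERSIST = re.compile(r"<persist>.*?</persist>", re.S | re.I)
MAX_BYTES = 16 * 1024  # EC2 user data limit (raw, before base64 encoding)


def lint_user_data(rendered):
    """Return a list of problems found in rendered Windows EC2 user data."""
    problems = []
    if len(rendered.encode("utf-8")) > MAX_BYTES:
        problems.append("exceeds the 16 KB user data limit")
    blocks = BLOCK.findall(rendered)
    if not blocks:
        problems.append("no complete <script> or <powershell> block")
    # Whatever remains after removing well-formed blocks sits outside the tags.
    leftover = PERSIST.sub("", BLOCK.sub("", rendered))
    if re.search(r"</?(script|powershell)>", leftover, re.I):
        problems.append("unbalanced <script>/<powershell> tag")
    elif blocks and leftover.strip():
        problems.append("content outside the <script>/<powershell> blocks")
    # Heuristic: PowerShell also accepts ${name}, so review each hit by hand.
    if re.search(r"\$\{[A-Za-z_][\w.]*\}", rendered):
        problems.append("possible unrendered ${...} template variable")
    # Settings from the thread that allow Basic auth over unencrypted HTTP.
    for setting in ('AllowUnencrypted="true"', 'Basic="true"'):
        if setting.lower() in rendered.lower():
            problems.append("weak WinRM setting: " + setting)
    return problems


if __name__ == "__main__":
    for name, text in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, lint_user_data(text))
```

Run it against the rendered template output, not the raw template file, so the variable check reflects what the instance will actually receive.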