{"id":5820,"date":"2020-02-23T06:34:30","date_gmt":"2020-02-23T11:34:30","guid":{"rendered":"\/db-blog\/?p=5820"},"modified":"2020-03-12T01:02:04","modified_gmt":"2020-03-12T05:02:04","slug":"azure-ansible-provision-a-virtual-machine-instance-using-infrastructure-as-code","status":"publish","type":"post","link":"https:\/\/droidbasement.com\/db-blog\/azure-ansible-provision-a-virtual-machine-instance-using-infrastructure-as-code\/","title":{"rendered":"Azure\/Ansible \u2013 Provision a Virtual Machine instance using Infrastructure as Code"},"content":{"rendered":"\n

Note: This article has been duplicated from the previous article<\/a> which uses Terraform and has been modified for Ansible.<\/em> <\/p>\n\n\n\n

In this article we will use Ansible<\/a> (Infrastructure as Code) to swiftly bring up a Microsoft Azure Virtual Machine instance in East US on a static IP, add a DNS Zone for the site in mention and install docker\/docker-compose on it.<\/p>\n\n\n\n

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created<\/a> and the container-admin<\/a> Service Principal. <\/p>\n\n\n\n

Please use ‘Create your Azure free account today’<\/a> prior to commencing with this article.<\/p>\n\n\n\n

<\/p>\n\n\n\n

–>
Go in to the dev directory\/link located within your home directory:<\/p>\n\n\n\n

$ cd ~\/dev<\/pre>\n\n\n\n
Upgrade the Azure CLI on your host:<\/p>\n\n\n\n
$ sudo apt update && sudo apt -y upgrade azure-cli<\/pre>\n\n\n\n
Update PIP:<\/p>\n\n\n\n
$ python3 -m pip install --upgrade --user pip<\/pre>\n\n\n\n
 If there was an update,  then forget remembered location references in the shell environment:<\/p>\n\n\n\n
$ hash -r pip <\/pre>\n\n\n\n
Install\/Upgrade Ansible:<\/p>\n\n\n\n
$ pip3 install ansible --upgrade --user && chmod 754 ~\/.local\/bin\/ansible ~\/.local\/bin\/ansible-playbook<\/pre>\n\n\n\n
Install the Ansible Azure modules (this may take a while):<\/p>\n\n\n\n
$ pip3 install 'ansible[azure]' --upgrade --user<\/pre>\n\n\n\n
Modify the profile and the key\/variable strings in the previously created Azure credentials file:<\/p>\n\n\n\n
$ sed -i 's\/\\[container-admin\/\\[default\/; s\/application_id\/client_id\/; s\/client_secret\/secret\/; s\/directory_id\/tenant\/' ~\/.azure\/credentials<\/pre>\n\n\n\n
Note: The above change will break the previously created terraform-az-sp function.  If you are also using Terraform, then please do this <\/em> (user’s startup):<\/em><\/p>\n\n\n\n
$ sed -i 's:application_id\/arm_:client_id\/arm_:; s:client_secret\/arm_:secret\/arm_:; s:directory_id\/arm_:tenant\/arm_:' ~\/.bashrc<\/pre>\n\n\n\n
Remove the subscription_id and modify the keys\/variables in our previously created az-login-sp function (user’s startup).<\/p>\n\n\n\n
If you have not gone through the Azure\/Terraform article:<\/p>\n\n\n\n
$ sed -i \"s:\\$HOME\/.azure\/credentials | xargs):\\$HOME\/.azure\/credentials | sed '\/subscription_id\/d; s\/client_id\/application_id\/; s\/secret\/client_secret\/; s\/tenant\/directory_id\/' | xargs):\" ~\/.bashrc<\/pre>\n\n\n\n
If you have gone through the Azure\/Terraform article:<\/p>\n\n\n\n
$ sed -i \"s:\\$HOME\/.azure\/credentials | sed '\/subscription_id\/d':\\$HOME\/.azure\/credentials | sed '\/subscription_id\/d; s\/client_id\/application_id\/; s\/secret\/client_secret\/; s\/tenant\/directory_id\/':\" ~\/.bashrc<\/pre>\n\n\n\n
Source it in:<\/p>\n\n\n\n
$ . ~\/.bashrc<\/pre>\n\n\n\n
Add the <SUBSCRIPTION ID> (UI Console -> Azure Active Directory ->  Search for (top left): Subscriptions -> Click your subscription -> Overview) in to the Azure credentials file (replace <SUBSCRIPTION ID>).<\/p>\n\n\n\n
Note: This can be omitted if you have gone through the Azure\/Terraform article:<\/p>\n\n\n\n
$ echo \"subscription_id=<SUBSCRIPTION ID>\" >> ~\/.azure\/credentials <\/pre>\n\n\n\n
In the Subscription, add roles to container-admin:
Access control (IAM) -> Role assignments -> <\/p>\n\n\n\n
Add (Add role assignment) -> Role: DNS Zone Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
Add (Add role assignment) -> Role: Network Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
Add (Add role assignment) -> Role: Virtual Machine Contributor -> Assign access to: Azure AD user, group, or service principal -> Select: container-admin -> Save<\/p>\n\n\n\n
<\/p>\n\n\n\n
Create a work folder and change in to it:<\/p>\n\n\n\n
$ mkdir -p ansible\/azure\/myweb\/scripts ansible\/azure\/myweb\/rbac && cd ansible\/azure\/myweb<\/pre>\n\n\n\n
Create a custom Role Based Access for Resource Groups so container-admin can Read, Write and Delete Resource Groups in the subscription (replace <SUBSCRIPTION ID>):<\/p>\n\n\n\n
$ cat << 'EOF' > rbac\/rg-custom.jsn\n> {\n>    \"Name\": \"Resource Group Allowance\",\n>    \"IsCustom\": true,\n>    \"Description\": \"Can read, write and delete Resource Groups.\",\n>    \"Actions\": [\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/read\",\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/write\",\n>       \"Microsoft.Resources\/subscriptions\/resourceGroups\/delete\"\n>    ],\n>    \"NotActions\": [],\n>    \"AssignableScopes\": [\n>       \"\/subscriptions\/<SUBSCRIPTION ID>\"\n>    ]\n> }\n> EOF<\/pre>\n\n\n\n
Authenticate to Azure using the CLI with the same Administrative credentials you use in the UI (a browser window will popup requesting credentials):<\/p>\n\n\n\n
$ az login<\/pre>\n\n\n\n
Create the Role Definition:<\/p>\n\n\n\n
$ az role definition create --role-definition rbac\/rg-custom.jsn<\/pre>\n\n\n\n
Add the role to container-admin:<\/p>\n\n\n\n
$ az role assignment create --role \"Resource Group Allowance\" --assignee $(grep client_id ~\/.azure\/credentials | cut -f2 -d=) --subscription $(grep subscription_id ~\/.azure\/credentials | cut -f2 -d=)<\/pre>\n\n\n\n
Logout of the Azure CLI session:<\/p>\n\n\n\n
$ az logout<\/pre>\n\n\n\n
Generate an SSH Key Pair (no password) and restrict permissions on it:<\/p>\n\n\n\n
$ ssh-keygen -q -t rsa -b 2048 -N '' -f ~\/.ssh\/myweb && chmod 400 ~\/.ssh\/myweb<\/pre>\n\n\n\n
Create a hosts file and specify localhost:<\/p>\n\n\n\n
$ cat << 'EOF' > hosts\n> [local]\n> localhost\n> EOF<\/pre>\n\n\n\n
The following is performed with this Playbook:<\/p>\n\n\n\n