Ansible role for joining rhel instances to AD (#367)

* Role for joining linux instances to AD

ansible/roles/join-ad-linux/README.md

@@ -0,0 +1 @@
+This role is for joining linux instances to a domain. 

ansible/roles/join-ad-linux/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+service_account_ssm_passwords:
+  service_account:
+    parameter: "/join_domain_linux_service_account/passwords"
+    users:
+      - username: auto
+      - password: auto
+
+ad_domain: AZURE.NOMS.ROOT

ansible/roles/join-ad-linux/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart SSSD service
+  service:
+    name: sssd
+    state: restarted
+    enabled: yes

ansible/roles/join-ad-linux/tasks/get_facts.yml

@@ -0,0 +1,23 @@
+---
+- name: Get linux service account details
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ service_account_ssm_passwords }}"
+
+- name: Set linux service account variables
+  set_fact:
+    join_domain_linux_service_account_username: "{{ ssm_passwords_dict['service_account'].passwords['username'] }}"
+    join_domain_linux_service_account_password: "{{ ssm_passwords_dict['service_account'].passwords['password'] }}"
+
+- name: Check parameters
+  set_fact:
+    all_variables_set: true
+  when:
+    - join_domain_linux_service_account_username|length > 0
+    - join_domain_linux_service_account_password|length > 0
+
+- name: Fail if missing parameters
+  fail:
+    msg: Ensure all required parameters are set
+  when: not all_variables_set|default(false)

ansible/roles/join-ad-linux/tasks/join_domain.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure sshd_config
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication.*no"
+    line: "PasswordAuthentication=yes"
+  notify: Restart SSSD service
+
+- name: Install pexpect for injecting secrets
+  pip:
+    name: pexpect
+
+- name: Install required packages for joining to the domain
+  package:
+    name:
+      - realmd
+      - sssd
+      - samba-common-tools
+      - realmd
+      - oddjob
+      - oddjob-mkhomedir
+      - adcli
+      - krb5-workstation
+    state: present
+
+- name: Join instance to the domain
+  expect:
+    command: /bin/bash -c "/usr/sbin/realm join --user={{ join_domain_linux_service_account_username }}@{{ ad_domain|upper }} {{ ad_domain|lower }} -v"
+    responses:
+      Password for *: "{{ join_domain_linux_service_account_password }}"

ansible/roles/join-ad-linux/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Set instance hostname
+  import_role:
+    name: set-ec2-hostname
+
+- name: Get linux service account details
+  import_tasks: get_facts.yml
+  tags:
+    - ec2provision
+  when: ansible_distribution in ['RedHat']
+
+- import_tasks: join_domain.yml
+  tags:
+    - ec2provision
+  when: ansible_distribution in ['RedHat']