diff --git a/ansible/roles/join-ad-linux/README.md b/ansible/roles/join-ad-linux/README.md
new file mode 100644
index 000000000..250f1be23
--- /dev/null
+++ b/ansible/roles/join-ad-linux/README.md
@@ -0,0 +1 @@
+This role is for joining linux instances to a domain.
\ No newline at end of file
diff --git a/ansible/roles/join-ad-linux/defaults/main.yml b/ansible/roles/join-ad-linux/defaults/main.yml
new file mode 100644
index 000000000..5e365419b
--- /dev/null
+++ b/ansible/roles/join-ad-linux/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+service_account_ssm_passwords:
+ service_account:
+ parameter: "/join_domain_linux_service_account/passwords"
+ users:
+ - username: auto
+ - password: auto
+
+ad_domain: AZURE.NOMS.ROOT
diff --git a/ansible/roles/join-ad-linux/handlers/main.yml b/ansible/roles/join-ad-linux/handlers/main.yml
new file mode 100644
index 000000000..aaad2ed7d
--- /dev/null
+++ b/ansible/roles/join-ad-linux/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart SSSD service
+ service:
+ name: sssd
+ state: restarted
+ enabled: yes
diff --git a/ansible/roles/join-ad-linux/tasks/get_facts.yml b/ansible/roles/join-ad-linux/tasks/get_facts.yml
new file mode 100644
index 000000000..130f49a06
--- /dev/null
+++ b/ansible/roles/join-ad-linux/tasks/get_facts.yml
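Review bot: `users:` in defaults/main.yml is a sequence of two one-key mappings (`- username: auto`, `- password: auto`), while get_facts.yml later reads `ssm_passwords_dict['service_account'].passwords['username']` and `['password']` as two keys of a single mapping; whether the ssm-passwords role expects a list of separate entries or one mapping cannot be confirmed from this diff, so please check it against that role and, if a mapping is meant, write `users:` / `  username: auto` / `  password: auto`. A one-line comment above `users:` stating what the value `auto` makes the ssm-passwords role do (generate, look up, or both) would also save the next reader a trip into that role.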
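Review bot: The only handler restarts sssd (`name: sssd`), yet the one task that notifies it, `Configure sshd_config` in join_domain.yml, edits /etc/ssh/sshd_config, a file only sshd reads, so the new `PasswordAuthentication` setting takes effect only after an unrelated sshd restart or a reboot. Add a second handler, `- name: Restart sshd service` with `service:` `name: sshd` and `state: restarted`, and point that task's `notify` at it; keep the sssd handler only if a task actually needs it. Also `enabled: yes` is a YAML 1.1 truthy value that yamllint flags; write `enabled: true`.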
@@ -0,0 +1,23 @@
+---
+- name: Get linux service account details
+ import_role:
+ name: ssm-passwords
+ vars:
+ ssm_passwords: "{{ service_account_ssm_passwords }}"
+
+- name: Set linux service account variables
+ set_fact:
+ join_domain_linux_service_account_username: "{{ ssm_passwords_dict['service_account'].passwords['username'] }}"
+ join_domain_linux_service_account_password: "{{ ssm_passwords_dict['service_account'].passwords['password'] }}"
+
+- name: Check parameters
+ set_fact:
+ all_variables_set: true
+ when:
+ - join_domain_linux_service_account_username|length > 0
+ - join_domain_linux_service_account_password|length > 0
+
+- name: Fail if missing parameters
+ fail:
+ msg: Ensure all required parameters are set
+ when: not all_variables_set|default(false)
diff --git a/ansible/roles/join-ad-linux/tasks/join_domain.yml b/ansible/roles/join-ad-linux/tasks/join_domain.yml
new file mode 100644
index 000000000..3f1c97ba5
--- /dev/null
+++ b/ansible/roles/join-ad-linux/tasks/join_domain.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication.*no"
+ line: "PasswordAuthentication=yes"
+ notify: Restart SSSD service
+
+- name: Install pexpect for injecting secrets
+ pip:
+ name: pexpect
+
+- name: Install required packages for joining to the domain
+ package:
+ name:
+ - realmd
+ - sssd
+ - samba-common-tools
+ - realmd
+ - oddjob
+ - oddjob-mkhomedir
+ - adcli
+ - krb5-workstation
+ state: present
+
+- name: Join instance to the domain
+ expect:
+ command: /bin/bash -c "/usr/sbin/realm join --user={{ join_domain_linux_service_account_username }}@{{ ad_domain|upper }} {{ ad_domain|lower }} -v"
+ responses:
+ Password for *: "{{ join_domain_linux_service_account_password }}"
diff --git a/ansible/roles/join-ad-linux/tasks/main.yml b/ansible/roles/join-ad-linux/tasks/main.yml
new file mode 100644
index 000000000..a42579929
--- /dev/null
+++ b/ansible/roles/join-ad-linux/tasks/main.yml
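Review bot: `Set linux service account variables` stores the AD service-account password in a fact without `no_log: true`, so the value is printed in the task result under `-v` and in the module invocation args under `-vvv`; add `no_log: true` to that task (the `Join instance to the domain` expect task in join_domain.yml, whose `responses` carry the same password, needs it as well). This assumes the ssm-passwords role already suppresses logging of `ssm_passwords_dict` on its own side, which cannot be checked from this diff. The `Check parameters`/`Fail if missing parameters` pair could collapse into one `assert` task with `that:` listing the two `|length > 0` conditions and `fail_msg: Ensure all required parameters are set`, which also removes the `all_variables_set` intermediate fact and its `|default(false)` guard.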
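Review bot: `realmd` is listed twice under `package: name:`; drop the second `- realmd`. `Join instance to the domain` is not idempotent: every run re-executes `realm join`, which fails or re-registers the computer object once the host is already joined, so guard it with the expect module's `creates:` (pointing at a file a successful join leaves behind on these hosts, e.g. the sssd configuration realmd writes, to be confirmed) or a preceding `realm list` check. The username and domain are interpolated into a `/bin/bash -c` string unquoted; apply `| quote` to `join_domain_linux_service_account_username`, or drop the bash wrapper entirely since nothing in the command needs a shell. Finally, the `Configure sshd_config` regexp `^PasswordAuthentication.*no` only matches an explicit `no` line, so on a host with the commented default the new line is simply appended; because enabling password authentication widens SSH exposure, add a comment above that task stating why AD password logins over SSH are required for these instances.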
@@ -0,0 +1,15 @@
+---
+- name: Set instance hostname
+ import_role:
+ name: set-ec2-hostname
+
+- name: Get linux service account details
+ import_tasks: get_facts.yml
+ tags:
+ - ec2provision
+ when: ansible_distribution in ['RedHat']
+
+- import_tasks: join_domain.yml
+ tags:
+ - ec2provision
+ when: ansible_distribution in ['RedHat']
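Review bot: The third task (`- import_tasks: join_domain.yml`) has no `name:`, unlike its siblings; add `name: Join instance to the domain` so it reads in play output and can be targeted with `--start-at-task`. The `when: ansible_distribution in ['RedHat']` guard is duplicated on both imports while `Set instance hostname` runs unguarded; if that is intended, a short comment above the first import saying the join is RHEL-only would help. Whether `ansible_os_family == 'RedHat'` is what is actually meant (it would also cover CentOS/Rocky) cannot be told from here, so please confirm the intended host set.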