
Example Playbook from Start to Finish

Configuring Ansible

Copy the global config to my home directory. That way, I'll keep my Ansible environment how I like it.

cp /etc/ansible/ansible.cfg ~/.ansible.cfg

# Create a directory to store my inventory (-p also creates ~/.ansible)
mkdir -p ~/.ansible/inventory

# Create a file to use for inventory later
touch ~/.ansible/inventory/inventory.ini


Modify the local configuration file and define my inventory

nano ~/.ansible.cfg

Add this line to declare my default inventory file. Save the changes and exit.

[defaults]
inventory = $HOME/.ansible/inventory/inventory.ini



Adding Inventory

Edit the inventory file

nano ~/.ansible/inventory/inventory.ini

Add some hosts to the inventory

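# Aliases (ansible_host maps each alias to the address Ansible connects to)
dc1 ansible_host=192.168.10.5
dc2 ansible_host=192.168.10.6
workstation1 ansible_host=192.168.100.11
workstation2 ansible_host=192.168.100.12
web1 ansible_host=10.10.10.11
web2 ansible_host=10.10.10.12
mail1 ansible_host=10.10.10.15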

[windows]
dc1
dc2
workstation1
workstation2

[linux]
web1
web2
mail1



Create Some Group Variables

Create the directories for the group variables

mkdir -p ~/.ansible/inventory/group_vars/{windows,linux}

Windows

vault.yml

~/.ansible/inventory/group_vars/windows/vault.yml

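---
# Every key carries the vault_ prefix so that vars.yml can reference it
vault_ansible_user: domain_admin@mydomain.tld
vault_ansible_password: $uper5tr0ng
vault_ansible_connection: winrm
vault_ansible_winrm_transport: ntlm
# ignore skips TLS certificate validation of the WinRM endpoint
vault_ansible_winrm_server_cert_validation: ignore

# Use the same user and pass when performing administrative tasks
vault_ansible_become_user: "{{ vault_ansible_user }}"
vault_ansible_become_password: "{{ vault_ansible_password }}"
vault_ansible_become_method: runas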

Encrypt the vault file.

ansible-vault encrypt ~/.ansible/inventory/group_vars/windows/vault.yml


vars.yml

~/.ansible/inventory/group_vars/windows/vars.yml

---
ansible_user: "{{ vault_ansible_user }}"
ansible_password: "{{ vault_ansible_password }}"
ansible_connection: "{{ vault_ansible_connection }}"
ansible_winrm_transport: "{{ vault_ansible_winrm_transport }}"
ansible_winrm_server_cert_validation: "{{ vault_ansible_winrm_server_cert_validation }}"
ansible_become_user: "{{ vault_ansible_become_user }}"
ansible_become_password: "{{ vault_ansible_become_password }}"
ansible_become_method: "{{ vault_ansible_become_method }}"



Linux

SSH Private Key

chmod 600 ~/.ansible/ssh-private-key.pem


vault.yml

~/.ansible/inventory/group_vars/linux/vault.yml

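---
# Every key carries the vault_ prefix so that vars.yml can reference it
vault_ansible_user: ansible_svc
vault_ansible_password: $uper5tr0ng
vault_ansible_ssh_private_key_file: ~/.ansible/ssh-private-key.pem
# Use the same user and pass when escalating with sudo
vault_ansible_become_user: "{{ vault_ansible_user }}"
vault_ansible_become_password: "{{ vault_ansible_password }}"
vault_ansible_become_method: sudo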

Encrypt the vault file.

ansible-vault encrypt ~/.ansible/inventory/group_vars/linux/vault.yml


vars.yml

~/.ansible/inventory/group_vars/linux/vars.yml

---
ansible_user: "{{ vault_ansible_user }}"
ansible_password: "{{ vault_ansible_password }}"
ansible_ssh_private_key_file: "{{ vault_ansible_ssh_private_key_file }}"
ansible_become_user: "{{ vault_ansible_become_user }}"
ansible_become_password: "{{ vault_ansible_become_password }}"
ansible_become_method: "{{ vault_ansible_become_method }}"
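
The vault.yml / vars.yml split above only protects credentials if vault.yml really is encrypted on disk and vars.yml holds nothing but references. The following check is an added example, not part of the original page: the function names, the secret-looking key heuristic and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this
# Heuristic (assumption): keys whose name suggests a credential
SECRET_KEY = re.compile(r"^\s*(\w*(?:password|pass|secret|token)\w*)\s*:\s*(.*)$", re.I)
# A value that is only a Jinja2 reference to a vault_ variable
VAULT_REF = re.compile(r"""^["']?\{\{\s*vault_\w+\s*\}\}["']?$""")


def audit_group_vars(inventory_dir):
    """Return findings for every group under <inventory_dir>/group_vars."""
    findings = []
    for group in sorted(Path(inventory_dir, "group_vars").iterdir()):
        vault, plain = group / "vault.yml", group / "vars.yml"
        # 1. vault.yml must already be encrypted on disk.
        if vault.is_file() and not vault.read_text().startswith(VAULT_HEADER):
            findings.append(f"{group.name}/vault.yml: not encrypted")
        # 2. Secret-looking keys in vars.yml may only point at vault_ variables.
        if plain.is_file():
            for n, line in enumerate(plain.read_text().splitlines(), 1):
                m = SECRET_KEY.match(line)
                if m and not VAULT_REF.match(m.group(2).strip()):
                    findings.append(
                        f"{group.name}/vars.yml:{n}: literal value for {m.group(1)}")
    return findings


def build_sample(root):
    """Constructed sample tree: 'linux' is laid out correctly, 'windows' is not."""
    good, bad = Path(root, "group_vars/linux"), Path(root, "group_vars/windows")
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    (good / "vault.yml").write_text("$ANSIBLE_VAULT;1.1;AES256\n6162636465\n")
    (good / "vars.yml").write_text('ansible_password: "{{ vault_ansible_password }}"\n')
    (bad / "vault.yml").write_text("vault_ansible_password: example\n")
    (bad / "vars.yml").write_text("ansible_become_password: example\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_group_vars(build_sample(tmp)):
            print(finding)
```

Pointing audit_group_vars at ~/.ansible/inventory before committing or copying the directory catches a vault.yml that was edited and saved without being re-encrypted.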



Creating and Running a Playbook

Create a directory to store your playbooks.

mkdir ~/ansible-playbooks

Create another directory to store each playbook (just my way of doing things).

mkdir ~/ansible-playbooks/ping-test
touch ~/ansible-playbooks/ping-test/ping-test.yml

Edit your playbook file.

nano ~/ansible-playbooks/ping-test/ping-test.yml

Note that the Ansible ping and win_ping modules are not functionally the same as ICMP pings. These Ansible modules ensure that the Ansible server can authenticate to the host and run tasks.

---
- name: Ping Windows hosts
  hosts: windows
  tasks:
    - name: Ping Windows hosts using win_ping module
      win_ping:

- name: Ping Linux Hosts
  hosts: linux
  tasks:
    - name: Ping Linux hosts using ping module
      ping:

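Run the playbook. The vault files are encrypted, so pass --ask-vault-pass to be prompted for the vault password.

ansible-playbook --ask-vault-pass ~/ansible-playbooks/ping-test/ping-test.yml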


Breaking Down a Playbook Run

  1. Ansible finds the default inventory file at ~/.ansible/inventory/inventory.ini

  2. The playbook references two groups:

    • windows
    • linux

  3. Ansible searches for group_vars directories

    • It discovers group variables at:
      • ~/.ansible/inventory/group_vars/windows/
      • ~/.ansible/inventory/group_vars/linux/

  4. It reads the vault.yml file with

    ansible-vault view ~/.ansible/inventory/group_vars/<group>/vault.yml

  5. It populates the template at: ~/.ansible/inventory/group_vars/<group>/vars.yml

  6. It evaluates the playbook and runs the tasks in order

    • Windows
      • Use the connection variables in the inventory and group variables
      • Connect to each host in the inventory
      • Run the ping connectivity task using the credentials specified
    • Linux
      • Use the connection variables in the inventory and group variables
      • Connect to each host in the inventory
      • Run the ping connectivity task using the credentials specified


Note: We don't specify an inventory file in this example because we are using the default inventory file specified in ~/.ansible.cfg. You can specify a custom inventory file with ansible-playbook -i /path/to/custom-inventory. If you do this, you'll need to be mindful of any group variables that you expect to be applied. You can read more about variable precedence here.