Requirements

Operational Requirements

Network

The Ansible endpoint must be able to reach all Linux hosts in all accounts/subscriptions on port 22 (SSH) and all Windows hosts in all accounts/subscriptions on ports 5985 and 5986 (WinRM over HTTP and HTTPS).

If Ansible is deployed as a container, be sure that the source used in network rules accounts for the container being restarted and assigned a different IP address; rules keyed to a single container IP will silently stop matching after a restart. See the cloud-specific container deployment documentation below. If Ansible is deployed on a VM, the network rules can be configured to allow the VM's IP address as the source of the traffic.

Deployment Requirements

AWS Container

  • EFS filesystem, EFS access point, EFS mount target in the fargate subnet(s) and the ability to resolve the EFS endpoint.
  • Fargate subnet(s).
  • Routes from the fargate subnet(s) to all subnets with machines that will be managed by Ansible.
  • IAM role with "ec2:DescribeInstances" and "sts:AssumeRole", used to assume roles in the other accounts/subscriptions that grant "ec2:DescribeInstances" there.
  • Optionally create a log group for the container to write logs to. This is required when connecting with a VS Code tunnel.
  • An Ansible security group allowing inbound port 22 to the Ansible VM. The security group assigned to the Ansible "service definition" will also be used as the "referenced security group" in security group rules to allow the Ansible container to reach Windows VMs on 5985 and 5986 and Linux VMs on port 22.
  • Ansible container, including: ECS cluster, ECS task definition, and ECS service.
  • The Ansible container must be able to resolve the EFS endpoint.
  • The subnet the Ansible container is deployed in must be able to download the container image from the ghcr.io container registry.
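The security group and IAM pieces of the list above, written out in Terraform as an added example (this is not the project's own code). It shows why the referenced-security-group approach from the Network section works for a restarted Fargate task: the managed hosts' rules name the Ansible task's security group as the source, never an IP address. All names, the account IDs, the admin CIDR and the variable names (var.vpc_id, var.admin_cidr, var.managed_linux_sg_id, var.managed_windows_sg_id, var.managed_account_ids, the "ansible-inventory-reader" role name and the aws.managed provider alias) are placeholders you would replace.

```hcl
# Added example, not project code. Placeholder names throughout.
variable "managed_account_ids" {
  description = "Placeholder: other AWS accounts whose instances Ansible manages"
  type        = list(string)
  default     = ["111111111111", "222222222222"]
}

# Security group attached to the ECS service definition. Managed hosts reference
# this group as their source, so a restarted task with a new IP still matches.
resource "aws_security_group" "ansible" {
  name   = "ansible-controller"
  vpc_id = var.vpc_id

  ingress {
    description = "SSH into the Ansible container from the operator network only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # placeholder, e.g. a bastion or VPN range
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # needed to reach ghcr.io, EFS and managed hosts
  }
}

# Rules on the managed hosts' security groups: source is the Ansible group, not a CIDR.
resource "aws_security_group_rule" "linux_ssh_from_ansible" {
  type                     = "ingress"
  security_group_id        = var.managed_linux_sg_id # placeholder
  source_security_group_id = aws_security_group.ansible.id
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "windows_winrm_from_ansible" {
  type                     = "ingress"
  security_group_id        = var.managed_windows_sg_id # placeholder
  source_security_group_id = aws_security_group.ansible.id
  from_port                = 5985
  to_port                  = 5986
  protocol                 = "tcp"
}

# Task role: local inventory lookups plus the right to assume the reader role elsewhere.
resource "aws_iam_role" "ansible_task" {
  name = "ansible-task"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

data "aws_iam_policy_document" "ansible_task" {
  statement {
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"] # DescribeInstances does not support resource-level scoping
  }
  statement {
    actions   = ["sts:AssumeRole"]
    # Only the reader role in the listed accounts, not arbitrary roles.
    resources = [for id in var.managed_account_ids : "arn:aws:iam::${id}:role/ansible-inventory-reader"]
  }
}

resource "aws_iam_role_policy" "ansible_task" {
  role   = aws_iam_role.ansible_task.id
  policy = data.aws_iam_policy_document.ansible_task.json
}

# In each managed account (provider alias "aws.managed" is an assumption): a role that
# trusts only the Ansible task role and grants nothing beyond ec2:DescribeInstances.
resource "aws_iam_role" "inventory_reader" {
  provider = aws.managed
  name     = "ansible-inventory-reader"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.ansible_task.arn }
      Action    = "sts:AssumeRole"
    }]
  })
  inline_policy {
    name   = "describe-instances"
    policy = jsonencode({
      Version   = "2012-10-17"
      Statement = [{ Effect = "Allow", Action = "ec2:DescribeInstances", Resource = "*" }]
    })
  }
}
```

The trust policy on the reader role is the control that matters for least privilege: it names the single task role ARN as principal, so a compromised credential elsewhere in the Ansible account cannot use it, and the attached policy holds only the one read action the inventory needs.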

Azure Container

  • Ansible share for persistent storage on the same storage account used for Terraform state files.
  • Container subnet with the "Microsoft.ContainerInstance/containerGroups" service delegation.
  • NSG rule allowing the container subnet to reach Windows VMs on 5985 and 5986 and Linux VMs on 22. Because the subnet is delegated specifically for container instances, this limits the scope of the rule to only apply to the Ansible container and not other resources that may be in the same VNet.
  • User assigned identity associated with the Ansible container and read privileges on the subscription(s).
  • Container with persistent storage mounted at /home/ansible/source, TCP port 22 exposed, and the user assigned identity attached.
  • The subnet the Ansible container is deployed in must be able to download the container image from the ghcr.io container registry.
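The Azure list above as an added Terraform example (not the project's own code). It shows the subnet delegation that scopes the NSG rule to container instances, the NSG rules keyed on that subnet rather than on a container IP, the user-assigned identity with Reader on each managed subscription, and the container group with the share mounted at /home/ansible/source and TCP 22 exposed. It assumes a recent azurerm provider (the subnet_ids argument on azurerm_container_group), and every name, address prefix, image and variable (var.resource_group_name, var.vnet_name, var.location, var.managed_nsg_name, var.managed_subscription_ids, var.storage_account_name, var.storage_account_key) is a placeholder.

```hcl
# Added example, not project code. Placeholder names throughout.
variable "managed_subscription_ids" {
  description = "Placeholder: subscriptions whose VMs Ansible manages"
  type        = list(string)
  default     = ["00000000-0000-0000-0000-000000000001"]
}

# Subnet delegated to ACI: only container groups can be placed here, which is what
# keeps the NSG rule below from matching other resources in the VNet.
resource "azurerm_subnet" "ansible" {
  name                 = "ansible-container"
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.vnet_name
  address_prefixes     = ["10.0.10.0/24"] # placeholder

  delegation {
    name = "aci"
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Rules on the NSG protecting the managed VMs. Source is the delegated subnet's
# prefix, so a container restart with a new private IP keeps matching.
resource "azurerm_network_security_rule" "ansible_to_linux" {
  name                        = "allow-ansible-ssh"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefixes     = azurerm_subnet.ansible.address_prefixes
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.managed_nsg_name # placeholder
}

resource "azurerm_network_security_rule" "ansible_to_windows" {
  name                        = "allow-ansible-winrm"
  priority                    = 210
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_ranges     = ["5985", "5986"]
  source_address_prefixes     = azurerm_subnet.ansible.address_prefixes
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.managed_nsg_name
}

# Identity the container runs as; Reader only, scoped per managed subscription.
resource "azurerm_user_assigned_identity" "ansible" {
  name                = "ansible-container"
  resource_group_name = var.resource_group_name
  location            = var.location
}

resource "azurerm_role_assignment" "ansible_reader" {
  for_each             = toset(var.managed_subscription_ids)
  scope                = "/subscriptions/${each.value}"
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.ansible.principal_id
}

resource "azurerm_container_group" "ansible" {
  name                = "ansible"
  location            = var.location
  resource_group_name = var.resource_group_name
  os_type             = "Linux"
  ip_address_type     = "Private"
  subnet_ids          = [azurerm_subnet.ansible.id]

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.ansible.id]
  }

  container {
    name   = "ansible"
    image  = "ghcr.io/example-org/ansible:latest" # placeholder image
    cpu    = "1"
    memory = "2"

    ports {
      port     = 22
      protocol = "TCP"
    }

    # Persistent storage on the same account that holds the Terraform state.
    volume {
      name                 = "source"
      mount_path           = "/home/ansible/source"
      storage_account_name = var.storage_account_name
      storage_account_key  = var.storage_account_key
      share_name           = "ansible"
    }
  }
}
```

Reader on the subscription is enough for the Azure dynamic inventory to enumerate VMs; it grants no write access, so the identity cannot be used to modify the estate if the container is compromised. If the managed VMs live in other subscriptions, the role assignment above is the only cross-subscription grant required.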