
Ansible Playbooks


DOCUMENT CATEGORY: Reference
SCOPE: Ansible automation for configuration management
PURPOSE: Document Ansible playbooks used in Azure Local deployments
MASTER REFERENCE: Ansible Documentation

Status: Active


Overview

Seven Ansible roles and six playbooks handle on-premises and guest OS configuration that Terraform cannot manage. This includes Active Directory preparation, node OS configuration, Azure Arc registration, monitoring agent deployment, and management VM configuration.

All roles use Ansible Validated Content collections: microsoft.ad, ansible.windows, community.windows, and azure.azcollection.

Deployment Paths

| Path | How Ansible is Used |
|---|---|
| Terraform + Ansible | Ansible runs after Terraform provisions Azure resources |
| Ansible Only | Ansible manages both Azure resources (via azure.azcollection) and on-prem config |

Playbooks

| Playbook | Deployment Phase | Target Hosts | Description |
|---|---|---|---|
| 01-ad-preparation.yml | Part 3, Phase 1 | domain_controllers[0] | OUs, security groups, DNS forwarders, LCM service account |
| 02-os-configuration.yml | Part 4, Phase 3 | cluster_nodes | Hostname, static IP, NTP, DNS, ICMP, domain join |
| 03-arc-registration.yml | Part 4, Phase 4 | cluster_nodes | Arc endpoint validation, SPN auth, Arc initialization |
| 04-monitoring-setup.yml | Part 5, Phase 2 | cluster_nodes | Azure Monitor Agent, Data Collection Rules, HCI Insights |
| 05-management-vms.yml | Part 2/5 | domain_controllers, management | DC promotion, WAC install, syslog config |
| site.yml | All | All groups | Master playbook; runs all phases in order |

Execution Order

```shell
# Run all phases sequentially
ansible-playbook -i inventory/hosts.yml playbooks/site.yml

# Or run individual phases
ansible-playbook -i inventory/hosts.yml playbooks/01-ad-preparation.yml
ansible-playbook -i inventory/hosts.yml playbooks/02-os-configuration.yml
ansible-playbook -i inventory/hosts.yml playbooks/03-arc-registration.yml
ansible-playbook -i inventory/hosts.yml playbooks/04-monitoring-setup.yml
ansible-playbook -i inventory/hosts.yml playbooks/05-management-vms.yml

# Run specific tags
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --tags arc-registration
```

Roles

ad-preparation

Mirrors scripts/deploy/03-onprem-readiness/phase-01-active-directory/.

| Task | Module Used |
|---|---|
| Create OU hierarchy (AzureLocal → Computers, ServiceAccounts, Groups) | microsoft.ad.ou |
| Create 7 cluster security groups | microsoft.ad.group |
| Configure DNS conditional forwarders for Azure endpoints | ansible.windows.win_powershell |
| Create LCM deployment service account | microsoft.ad.user |
| Pre-stage cluster computer account | microsoft.ad.computer |
| Assign group memberships | microsoft.ad.group |

os-configuration

Mirrors scripts/deploy/04-cluster-deployment/phase-03-os-configuration/.

Runs with `serial: 1` (one node at a time) because the tasks trigger reboots.

| Task | Module Used |
|---|---|
| Ensure WinRM is running | ansible.windows.win_service |
| Set hostname | ansible.windows.win_hostname |
| Configure NTP | ansible.windows.win_powershell (w32tm) |
| Set static IP on management NIC | ansible.windows.win_powershell |
| Configure DNS client | ansible.windows.win_dns_client |
| Enable ICMP firewall rule | community.windows.win_firewall_rule |
| Domain join | microsoft.ad.membership |

arc-registration

Mirrors scripts/deploy/04-cluster-deployment/phase-04-arc-registration/.

| Task | Module Used |
|---|---|
| Validate Arc endpoint connectivity | ansible.windows.win_powershell |
| Authenticate with SPN and register node | ansible.windows.win_powershell (Invoke-AzStackHciArcInitialization) |
| Verify Arc agent status | ansible.windows.win_powershell (azcmagent show) |

monitoring-agents

Mirrors scripts/deploy/05-operational-foundations/phase-02-monitoring/.

| Task | Module Used |
|---|---|
| Install Azure Monitor Agent extension | ansible.windows.win_powershell |
| Create Data Collection Rule (perf counters + event logs) | azure.azcollection.azure_rm_resource |
| Enable HCI Insights | ansible.windows.win_powershell |

domain-controller

Promotes management VMs as domain controllers.

| Task | Module Used |
|---|---|
| Install AD-Domain-Services feature | ansible.windows.win_feature |
| Promote as new forest | microsoft.ad.domain |
| Promote as replica DC | microsoft.ad.domain_controller |
| Store DSRM password in Key Vault | azure.azcollection.azure_rm_keyvaultsecret |
| Configure DNS forwarders | ansible.windows.win_powershell |

wac-server

Mirrors scripts/deploy/05-operational-foundations/phase-02-monitoring/task-05-deploy-wac/.

| Task | Module Used |
|---|---|
| Download WAC installer | ansible.windows.win_get_url |
| Silent MSI installation | ansible.windows.win_package |
| Start gateway service | ansible.windows.win_service |
| Configure Kerberos Constrained Delegation | ansible.windows.win_powershell |

syslog-receiver

Mirrors scripts/deploy/05-operational-foundations/phase-02-monitoring/task-06-configure-network-device-logging/.

Supports both Linux (rsyslog/snmpd) and Windows (WEF) receivers.

| Task | Module Used |
|---|---|
| Install rsyslog + SNMP (Linux) | ansible.builtin.apt |
| Configure UDP syslog reception | ansible.builtin.copy |
| Configure SNMP trap receiver | ansible.builtin.copy |
| Configure Windows Event Forwarding | ansible.windows.win_powershell |

Required Collections

| Collection | Version | Purpose |
|---|---|---|
| azure.azcollection | >= 2.4.0 | Azure resource management |
| microsoft.ad | >= 1.5.0 | Active Directory management |
| ansible.windows | >= 2.3.0 | Core Windows modules |
| community.windows | >= 2.2.0 | Extended Windows modules |
| community.general | >= 9.0.0 | General utilities |

```shell
ansible-galaxy collection install -r src/ansible/collections/requirements.yml
```

Inventory

Three host groups are required:

```yaml
all:
  children:
    domain_controllers:   # DCs (for AD prep and DC promotion)
    management:           # Jumpbox, WAC, Syslog VMs
    cluster_nodes:        # Physical Azure Local nodes
```

Variables

Variables are generated from the central config/variables/variables.yml:

```powershell
Export-AnsibleVars -Config $config -OutputPath "src/ansible/inventory/group_vars/all.yml"
```

Sensitive values should use Ansible Vault:

```shell
ansible-vault create inventory/group_vars/vault.yml
# Required: domain_admin_password, spn_client_secret
```
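As an added example (not the toolkit's own role code), the following play shows how the os-configuration tasks listed above fit together with the `cluster_nodes` group and the vault-held `domain_admin_password`: `serial: 1` limits reboots to one node at a time, and `no_log: true` keeps the join credential out of the Ansible output. The variables `domain_admin_user`, `domain_name`, `computers_ou_dn`, `mgmt_adapter_name` and `mgmt_dns_servers` are assumed names for values that would come from the generated `group_vars/all.yml`.

```yaml
# Added example; assumed variables are noted inline, not the toolkit's own names.
- name: Configure Azure Local node OS (one node at a time)
  hosts: cluster_nodes
  serial: 1                # each node reboots during this play
  gather_facts: false
  tasks:
    - name: Ensure WinRM is running
      ansible.windows.win_service:
        name: WinRM
        state: started
        start_mode: auto

    - name: Set hostname to the inventory name
      ansible.windows.win_hostname:
        name: "{{ inventory_hostname }}"
      register: hostname_result

    - name: Reboot if the hostname change requires it
      ansible.windows.win_reboot:
      when: hostname_result.reboot_required

    - name: Configure DNS client on the management NIC
      ansible.windows.win_dns_client:
        adapter_names: "{{ mgmt_adapter_name }}"   # assumed var, e.g. "Management"
        dns_servers: "{{ mgmt_dns_servers }}"      # assumed var, list of DC IPs

    - name: Allow inbound ICMPv4 echo requests only (not all ICMP)
      community.windows.win_firewall_rule:
        name: Allow ICMPv4 Echo Request
        direction: in
        action: allow
        protocol: icmpv4
        icmp_type_code: ["8:*"]
        enabled: true
        state: present

    - name: Join the domain into the pre-staged Computers OU
      microsoft.ad.membership:
        dns_domain_name: "{{ domain_name }}"            # assumed var
        domain_admin_user: "{{ domain_admin_user }}"    # assumed var
        domain_admin_password: "{{ domain_admin_password }}"  # from vault.yml
        domain_ou_path: "{{ computers_ou_dn }}"         # assumed var
        state: domain
        reboot: true
      no_log: true   # never echo the join credential, even on failure
```

Run it with the vault file supplied explicitly, for example `ansible-playbook -i inventory/hosts.yml this-play.yml -e @inventory/group_vars/vault.yml --ask-vault-pass`, so the secret is decrypted only at run time.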

Repository

Source: azurelocal-toolkit/src/ansible/
