Connect to Azure
Connect your Ansible container with Azure.
In this lesson, you will connect your Ansible container with Azure. Following are the steps to connect to Azure:
- Sign in with Azure CLI.
- Create a Service Principal.
- Assign a role to the Service Principal.
- Create Environment Variables.
- Install the Azure Python module.
Prerequisites
You need to create an account on Azure. You can subscribe to Azure here.
Sign in with Azure CLI
You will use Azure CLI to create a service principal for Azure. Before you can do that, you will need a few tools to be installed and updated first. To set up Azure CLI in your development container, run the following command:
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
Docker Setup
All the software packages are already installed. You can verify this by executing the az --version command in the terminal.
Once installed, run the following command:
# Verify Installation
az --version
Sign in
You will need to sign in using the Azure CLI. Sign in to Azure using the az login command. Run the following command:
# Sign in to Azure
# Replace <username> and <password> with your actual username and password
az login -u <username> -p <password>
# Or to sign in interactively
az login
Create an Azure service principal
Ansible uses a service principal to authenticate to Azure. You can use Azure CLI to create a password-based account and assign permissions to the account. You can do that by running the following command:
# Replace the <ServicePrincipalName> with a name of your own choice
az ad sp create-for-rbac --name ServicePrincipalName
Replace the ServicePrincipalName with the name of your choice.
Copy the contents of the output and save it on your machine. You will use them in the upcoming chapters. The output will look like the one below:
{
  "appId": "<App-ID>",
  "displayName": "<ServicePrincipalName>",
  "name": "http://<ServicePrincipalName>",
  "password": "<Password>",
  "tenant": "<Tenant-ID>"
}
Let’s look at the code output and try to make sense of it.
az ad sp create-for-rbac: We first create the password-based service principal by specifying the following:
- ad: Active Directory
- sp: Service Principal
Output: The output consists of:
- password: Auto-generated by Azure.
- appId and tenant keys: Used in service principal authentication.
Assign a role to the service principal
You use the az role assignment command to assign the Contributor role to the service principal in your subscription.
The az role assignment command requires two parameters:
- Assignee
- RoleDefinitionName
Let’s look at how you can store them and assign the Contributor role by reviewing the code snippet below:
# Replace the APP_ID with the output appId of the create-for-rbac command.
az role assignment create --assignee APP_ID --role Contributor
Assignee
Use the appId you got as an output from the create-for-rbac command.
Role
Use the Contributor role.
You can modify the scope and role definition to be more restrictive.
Verify that the role has been assigned by executing the following command:
# Replace the APP_ID with the output appId of the create-for-rbac command.
az role assignment list --assignee APP_ID
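The verification step can also check how wide the grant is, which is where a more restrictive scope matters. The script below is an added example, not part of the original lesson: it reads role and scope pairs in the tab-separated form the list command can print and flags Owner or Contributor assignments that cover more than a resource group. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example. Input: one "role<TAB>scope" line per assignment, as printed by
#   az role assignment list --assignee APP_ID \
#     --query "[].[roleDefinitionName, scope]" --output tsv

# Print every Owner/Contributor assignment whose scope is wider than a
# resource group (root, management group, or a whole subscription).
flag_broad_assignments() (
  tab=$(printf '\t')
  while IFS="$tab" read -r role scope; do
    case "$role" in
      Owner|Contributor) ;;
      *) continue ;;
    esac
    case "$scope" in
      /subscriptions/*/*) ;;   # resource group or single resource: narrow
      /|/subscriptions/*|/providers/Microsoft.Management/managementGroups/*)
        printf '%s\t%s\n' "$role" "$scope" ;;
    esac
  done
)

# Constructed sample data; the subscription ID is a placeholder.
sample_assignments() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000
  printf 'Contributor\t%s\n' "$sub"
  printf 'Contributor\t%s\n' "$sub/resourceGroups/ansible"
  printf 'Reader\t%s\n' "$sub"
}

# Flags only the first sample line. A narrower grant would be created with:
#   az role assignment create --assignee APP_ID --role Contributor \
#     --scope /subscriptions/<subscription-id>/resourceGroups/<group-name>
sample_assignments | flag_broad_assignments
```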
Create the environment variable
Ansible uses the following environment variables for its configuration to authenticate to Azure:
AZURE_SUBSCRIPTION_ID
AZURE_CLIENT_ID
AZURE_SECRET
AZURE_TENANT
Getting the Azure information
Use the az command to populate bash variables that are exported as environment variables later.
Run the following commands in the terminal one by one:
# Azure Subscription Id
subscriptionid=$(az account show --query id --output tsv)
# Azure Client Id
# Replace <appId> with the actual App Id
clientid="<appId>"
# Azure Secret.
# Replace <Password> with the auto-generated password for service principal.
secret="<password>"
# Azure Tenant Id
# Replace <tenant> with the actual tenant Id
tenantid="<tenant>"
export AZURE_SUBSCRIPTION_ID="$subscriptionid"
export AZURE_CLIENT_ID="$clientid"
export AZURE_SECRET="$secret"
export AZURE_TENANT="$tenantid"
Your Ansible environment is now connected to Azure.
Echo the variables, then copy and store them as well; you will use them in the upcoming chapters.
# echo variables and save them for later use.
echo "$AZURE_SUBSCRIPTION_ID"
echo "$AZURE_CLIENT_ID"
echo "$AZURE_SECRET"
echo "$AZURE_TENANT"
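Because AZURE_SECRET is the service principal's password, one way to store the four values for later chapters without printing them is a file that only your user can read. The following is an added example, not part of the original lesson; the function names and the file you pass to them are hypothetical.

```sh
#!/bin/sh
# Added example: keep the service principal credentials in an owner-only file
# instead of echoing them. Function names and file path are hypothetical.

# write_azure_env FILE: save the four AZURE_* variables with mode 0600.
write_azure_env() (
  umask 077                      # file is created without group/other bits
  {
    printf 'AZURE_SUBSCRIPTION_ID=%s\n' "$AZURE_SUBSCRIPTION_ID"
    printf 'AZURE_CLIENT_ID=%s\n' "$AZURE_CLIENT_ID"
    printf 'AZURE_SECRET=%s\n' "$AZURE_SECRET"
    printf 'AZURE_TENANT=%s\n' "$AZURE_TENANT"
  } > "$1"
  chmod 600 "$1"                 # tighten a file that already existed
)

# load_azure_env FILE: export the variables, refusing a file that group or
# others can access. Lines are parsed as KEY=value and never executed.
load_azure_env() {
  # Characters 5-10 of the ls mode string are the group and other bits.
  _mode=$(ls -ln -- "$1" 2>/dev/null | cut -c5-10)
  if [ "$_mode" != "------" ]; then
    echo "refusing $1: missing or accessible by group/others" >&2
    return 1
  fi
  while IFS='=' read -r _key _value; do
    case "$_key" in
      AZURE_SUBSCRIPTION_ID|AZURE_CLIENT_ID|AZURE_SECRET|AZURE_TENANT)
        export "$_key=$_value" ;;
    esac
  done < "$1"
}
```

Call write_azure_env once after the export step, then load_azure_env with the same path in any new shell before running Ansible.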
Create an Azure resource group with Ansible
Use the Ansible azure_rm_resourcegroup command to create a resource group in Azure. You will learn more about Ansible commands in an upcoming chapter.
Run the following command in the terminal:
ansible localhost -m azure_rm_resourcegroup -a "name=ansible location=eastus"
Re-execute the azure_rm_resourcegroup command below in the terminal:
ansible localhost -m azure_rm_resourcegroup -a "name=ansible location=eastus"
Verify
Trust but verify. Double-check that the resource is created by either logging into the Azure Portal or using the az group list command. Run the following command in the terminal:
az group list
Practice all the commands covered in this lesson one by one in the terminal. We have provided a summarized view of the commands below:
# Verify installation
az --version
# Sign in to the Azure Account
# Replace <username> and <password> with your actual username and password
az login -u <username> -p <password>
# Or to sign in interactively
az login
# Create a service principal
# Replace the <ServicePrincipalName> with a name of your own choice
az ad sp create-for-rbac --name ServicePrincipalName
## Assign the 'Contributor' role
# Replace the APP_ID with the output appId of the create-for-rbac command.
az role assignment create --assignee APP_ID --role Contributor
## Verify Role Assignment
# Replace the APP_ID with the output appId of the create-for-rbac command.
az role assignment list --assignee APP_ID
## Create Environment Variables
# Azure Subscription Id
subscriptionid=$(az account show --query id --output tsv)
# Azure Client Id
# Replace <appId> with the actual App Id
clientid="<appId>"
# Azure Secret.
# Replace <Password> with the auto-generated password for service principal.
secret="<password>"
# Azure Tenant Id
# Replace <tenant> with the actual tenant Id
tenantid="<tenant>"
# Environment Variables
export AZURE_SUBSCRIPTION_ID="$subscriptionid"
export AZURE_CLIENT_ID="$clientid"
export AZURE_SECRET="$secret"
export AZURE_TENANT="$tenantid"
# echo variables and save them for later use.
echo "$AZURE_SUBSCRIPTION_ID"
echo "$AZURE_CLIENT_ID"
echo "$AZURE_SECRET"
echo "$AZURE_TENANT"
# Create a resource
ansible localhost -m azure_rm_resourcegroup -a "name=ansible location=eastus"
## In case of error,
# Failed to import the required Python library (packaging)
pip3 install "ansible[azure]"
# re-run - Create a resource
ansible localhost -m azure_rm_resourcegroup -a "name=ansible location=eastus"
## End - Error
# Verify the creation
az group list
Troubleshooting tips
Missing ansible[azure] module
You might come across the following message.
“Failed to import the required Python library (packaging) on 5fbb354c4e23 Python /usr/bin/python2. Please read the module documentation and install it in the appropriate location. If the required library is installed, but Ansible uses the wrong Python interpreter, please consult the documentation on ansible_python_interpreter.”
You require the ansible[azure] Python module to run the Azure Ansible modules.
Install the Azure Python module
You can install the ansible[azure] module by executing the following command:
pip3 install ansible[azure]
Update Dockerfile
You made some changes inside your container. If that container is deleted, all the changes will be lost. You can save your changes by updating the Dockerfile and rebuilding the image.
FROM ubuntu:latest
RUN apt-get update; \
    apt install -y openssh-client; \
    apt-get install -y wget curl apt-transport-https; \
    curl -sL https://aka.ms/InstallAzureCLIDeb | bash; \
    apt install -y python3-pip
RUN pip3 install --upgrade pip; \
    pip3 install "ansible==2.9.12"; \
    pip3 install ansible[azure]
In this lesson, we introduced Azure CLI modules for sign in, created a service principal, and assigned permissions. Once connected, you created a resource group in Azure.