Testing Ansible Roles on Windows Hosts Using Test-Kitchen and AWS

Working a lot with Ansible lately, I ran into a real blocking problem. As we were working on deploying our software on Windows targets, we were constantly trying to find ways to test our roles, but we encountered some issues, mostly related to our development environments. Writing these lines, I'm using my personal MacBook Air, so don't be confused by that.

The fact that we were working at a cyber security company required compromises in our development environments. Always working in a virtual environment has its limitations, so it was not possible to use a solution that deploys VirtualBox VMs, Docker or LXC containers and manages all of these using Vagrant, for example. Therefore, I was looking for a way to provision machines using the existing resources of our team. I discovered that Test-Kitchen could help me do that using its EC2 driver.

Getting Started with Test-Kitchen

Rule of thumb: Ansible roles are great, please use Ansible roles. I'm not going to elaborate on this further, but just use roles wherever possible. Test-Kitchen is pretty easy to set up, and the setup consists of a few steps:

  1. Download ChefDK from the Chef download website, according to your platform (I assume that you’re using Linux or macOS as your development machine).

The .kitchen.yml File

Once we have finished setting up our development environment, we want to describe exactly how we are going to provision the testing environment for our role and how to test it. This is why the .kitchen.yml file exists. Let's take a look:

This YAML file is pretty much self-explanatory, but let's focus on a few important things:

  1. On the windows-2016 platform, we can see that the verifier is pester. We get that ability out of the box with our setup, so we can use Pester tests, written in PowerShell, to describe tests that run inside our Windows targets.

Time to Get Dirty

Now it's time to clone our example repository and see how it works. In the example project, the following steps will allow us to create, test and destroy our testing environment as many times as we want. The Ansible role itself, defined in the repository, is bloody simple: it will download and silently install Google Chrome on our Windows target.

The following steps make up the flow, which can easily be automated to comply with CI/CD environments:

  1. kitchen create — will create our environment on AWS. It will look for our default region, then launch the EC2 instances on the default VPC inside the default subnet (should be public). The demo environment contains an Ansible machine and Windows 2016 Server target host, both configured with user_data to make sure that they have the software needed to perform the necessary operations (Ansible with Windows hosts support on RHEL, WinRM allowed on the firewall and password changed to “Kitchen” on the Windows host).
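A Pester test of the kind the pester verifier can run on the Windows target for this role, as an added example that is not taken from the example repository. Because the role downloads and silently installs a binary, the test checks the Authenticode signature as well as the presence of chrome.exe; the Pester 4+ operator syntax, the default install paths and the expected signer organisation are assumptions.

```powershell
# Added example, not from the example repository.
# Assumptions: Pester 4 or later ("Should -Be" syntax), Chrome installed to one
# of its default per-machine locations, and a signer subject containing "O=Google".

Describe 'Google Chrome installed by the Ansible role' {

    BeforeAll {
        # Chrome installs under Program Files or Program Files (x86),
        # depending on the installer architecture.
        $candidates = @(
            (Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'),
            (Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe')
        )

        # Script scope keeps the values visible inside the It blocks.
        $script:chrome = $candidates |
            Where-Object { Test-Path -LiteralPath $_ } |
            Select-Object -First 1

        $script:signature = $null
        if ($script:chrome) {
            $script:signature = Get-AuthenticodeSignature -FilePath $script:chrome
        }
    }

    It 'places chrome.exe in a default install location' {
        $chrome | Should -Not -BeNullOrEmpty
    }

    It 'installs a binary whose Authenticode signature validates' {
        # Fails when the file is unsigned, tampered with, or not trusted.
        $signature | Should -Not -BeNullOrEmpty
        $signature.Status.ToString() | Should -Be 'Valid'
    }

    It 'installs a binary signed by the expected publisher' {
        # A valid signature from an unexpected publisher is still a failure.
        $signature.SignerCertificate.Subject | Should -Match 'O=Google'
    }

    It 'reports a product version' {
        (Get-Item -LiteralPath $chrome).VersionInfo.ProductVersion |
            Should -Not -BeNullOrEmpty
    }
}
```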

Git repository: https://github.com/avishayil/ansible_test_kitchen_windows_role

Cloud Security Expert at CyberArk. https://www.cyberark.com @avishayil
