Using Ansible Playbooks - ezra-buckingham/terry-the-terraformer GitHub Wiki

Ansible Inventory Format

Terry can build various types of servers. At runtime, Terry will dynamically generate an Ansible inventory file which will be used to populate the playbook variables. That inventory is located at <operation-name>/ansible/inventory/hosts.

All servers are configured with Ansible, using the inventory Terry generates. For the playbooks to work, two assumptions are made:

  • SSH to each host is reachable from the machine running Terry. If you deploy into a private cloud behind a firewall, make sure you can route to each host's IP address
  • Every host is running Debian
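Both assumptions fail in unhelpful ways (a firewalled host hangs until the SSH timeout, a non-Debian host breaks partway through a play), so it is worth checking them before anything else runs. The playbook below is an added example, not part of Terry; it only assumes the generated inventory exists, and the file name preflight.yml and the 30-second timeout are arbitrary choices:

```yaml
---
# preflight.yml (added example, not Terry's own code)
# Run before the real playbooks:
#   ansible-playbook preflight.yml -i <operation-name>/ansible/inventory/hosts --private-key <key>
- name: Verify the assumptions Terry's playbooks rely on
  hosts: all
  gather_facts: false          # gather manually, after we know SSH works
  tasks:
    - name: Confirm SSH is reachable (fail fast instead of hanging on a firewalled host)
      ansible.builtin.wait_for_connection:
        timeout: 30            # assumption: 30 s is long enough for a freshly booted host

    - name: Gather the minimal facts needed for the OS check
      ansible.builtin.setup:
        gather_subset:
          - min

    - name: Refuse to continue on anything that is not Debian
      ansible.builtin.assert:
        that:
          - ansible_facts['distribution'] == 'Debian'
        fail_msg: >-
          {{ inventory_hostname }} reports
          {{ ansible_facts['distribution'] | default('unknown') }}
          {{ ansible_facts['distribution_version'] | default('') }};
          the playbooks assume Debian.
        success_msg: "{{ inventory_hostname }} is Debian {{ ansible_facts['distribution_version'] }}"
```

Because gather_facts is off and wait_for_connection runs first, a host that cannot be reached is reported as unreachable within the timeout rather than stalling the whole run; the assert then stops the play on any host whose facts do not say Debian.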

Adding a Playbook

Since the needs of each red team are different, your team may need to extend what the playbooks do. For this there is the extended_plays section of the configuration. In it you define custom playbooks, along with any extra variables you want passed to them, that Terry runs against the deployed servers.

Example of Adding a Playbook

NOTE: All custom playbooks MUST live in the ./playbooks/custom directory, AND the path value below MUST be only the file name of the playbook inside ./playbooks/custom, for this to work

Let us say you want to set the hostnames of all teamservers to "teamserver" whenever you run the create command. Let us also assume you do not want to hardcode the new hostname into a playbook, but rather pass it in dynamically. You can easily do this by adding a custom playbook.

In this example, your playbook will live at ./playbooks/custom/set-hostname.yml and looks like the following:

---
- name: Set custom hostname for teamservers
  gather_facts: true
  hosts: teamserver
  become: true
  tasks:

  - name: Set the hostname of the teamserver to a new hostname
    ansible.builtin.hostname:
      name: "{{ new_hostname }}"

Now, in your Terry configuration file, add the following under ansible_configuration.extended_plays.create:

create:
  - path: set-hostname.yml
    extra_vars:
      new_hostname: "teamserver"
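The playbook above trusts whatever arrives in extra_vars: if the create entry is missing or misspelled, the play dies with an undefined-variable error on the hostname task, and if the value is not a valid hostname the module fails on the host. It also leaves /etc/hosts untouched, which on Debian makes sudo warn that it cannot resolve the new name. The variant below is an added example, not a Terry playbook; it keeps the same extra_vars contract (new_hostname) and the same teamserver group, and the RFC 1123 pattern and the 127.0.1.1 convention are the only assumptions:

```yaml
---
# ./playbooks/custom/set-hostname.yml, hardened variant (added example, not Terry's own code)
- name: Set and validate a custom hostname for teamservers
  hosts: teamserver
  become: true
  gather_facts: true
  vars:
    # Assumption: a single RFC 1123 label; letters, digits, hyphens, no leading/trailing hyphen, max 63 chars
    hostname_pattern: '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
  tasks:
    - name: Fail early if new_hostname was not passed via extra_vars or is malformed
      ansible.builtin.assert:
        that:
          - new_hostname is defined
          - new_hostname is match(hostname_pattern)
        fail_msg: >-
          new_hostname must be set in extended_plays extra_vars and match {{ hostname_pattern }}
          (got: {{ new_hostname | default('<undefined>') }})
        quiet: true

    - name: Set the system hostname
      ansible.builtin.hostname:
        name: "{{ new_hostname }}"

    - name: Keep /etc/hosts consistent so sudo and local tooling resolve the new name
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.1\.1\s'        # Debian maps the machine's own hostname to 127.0.1.1
        line: "127.0.1.1 {{ new_hostname }}"
        insertafter: '^127\.0\.0\.1\s'

    - name: Confirm the running hostname matches what was requested
      ansible.builtin.command: hostname
      register: current_hostname
      changed_when: false
      failed_when: current_hostname.stdout != new_hostname
```

The configuration entry stays exactly as shown above (path: set-hostname.yml with new_hostname under extra_vars); only the playbook changes. Dropping the extra_vars block now produces a clear assertion message naming the missing variable instead of a template error.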

Running a Playbook

You may want to re-run a single playbook against some servers (including servers deployed by Terry). This is not recommended, but I assume you are an adult who makes their own decisions, so here are some helpful hints.

To apply the "base" configuration that every other playbook depends on, run prep-all-systems.yml against the generated inventory, passing the SSH private key used for the deployment:

ansible-playbook ./playbooks/prep-all-systems.yml -i ./<deployments-dir>/<operation-name>/ansible/inventory/hosts --private-key 

Each server type then receives its own additional configuration from the playbooks specific to that type. If you re-run one of those by hand, add --limit <group> (for example --limit teamserver) so it only touches that group of the inventory, and --check --diff to preview the changes before applying them.