Ansible collection for Delinea Priviledged Access Services.
This is the README file for using Ansible roles in your playbooks to deploy Centrify software and enroll systems to Delinea Platform and/or Active Directory. There is three Ansible roles provided, allowing deployment of Delinea Server Suite agents and Delinea Cloud Suite clients.
- delinea_audit
- delinea_auth
- delinea_vault
Installing collections with ansible-galaxy is only supported in ansible-core>=2.13.9
Before using this collection, you need to install it with the Ansible Galaxy command-line tool:
ansible-galaxy collection install delinea.pas
You can also include it in a requirements.yml file and install it with ansible-galaxy collection install -r requirements.yml, using the format:
collections:
- name: delinea.pas
Note that if you install any collections from Ansible Galaxy, they will not be upgraded automatically when you upgrade the Ansible package. To upgrade the collection to the latest available version, run the following command:
ansible-galaxy collection install delinea.pas --upgrade
You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax to install version 1.0.0:
ansible-galaxy collection install delinea.pas:==1.0.0
See using Ansible collections for more details.
Role is named delinea_audit under roles folder. To start using this Role you should check the default variables under roles/delinea_audit/defaults/main.yml and declare values for your inventory using host_vars or group_vars
Role is named delinea_auth under roles folder. To start using this Role you should check the default variables under roles/delinea_auth/defaults/main.yml and declare values for your inventory using host_vars or group_vars You will also need to generate or edit the following files under roles/delinea_auth/files
- adjoin.keytab
- Centrify Agent for Windows64.msi
- Group Policy Deployment.mst
- Join-DelineaZone.ps1
- krb5.conf
adjoin.keytab: You can generate a keytab file to use with Active Directory service account using the followin commands on Linux (requires a Delinea joined Linux server).
Delinea Agent for Windows64.msi and Group Policy Deployment.mst: Both those files should be copied from the software source of the Delinea Infrastructure Services for Windows in use. Those two files are located under /Agent folder.
Join-DelineaZone.ps1: This PowerShell script is provided as as sample and is used to join Windows system to existing Delinea Zone. This script can be modified to satisfy any customisation of the join process in your environment.
krb5.conf: You can copy the Kerberos config file of any of your Delinea joined Linux systems to the same Active Directory domain you plan to join using Ansible. Alternatively you can manually create this file using Kerberos docuementation.
Role is named delinea_vault under roles folder. To start using this Role you should check the default variables under roles/delinea_vault/defaults/main.yml and declare values for your inventory using host_vars or group_vars
This is an example of hosts file declaring default inventory.
hosts
---
# Grouped by OS
linux:
hosts:
rhel-nsblapp01.domain.name:
rhel-nsblweb01.domain.name:
suse-pgrsdb01.domain.name:
ubnt-pgadmweb01.domain.name:
windows:
hosts:
win-centapp01.domain.name:
win-centapp02.domain.name:
win-rdpgw01.domain.name:
# Grouped by type
application:
hosts:
rhel-nsblapp01.domain.name:
win-centapp01.domain.name:
win-centapp02.domain.name:
database:
hosts:
suse-pgrsdb01.domain.name:
webserver:
hosts:
rhel-nsblweb01.domain.name:
ubnt-pgadmweb01.domain.name:
win-rdpgw01.domain.name:
Then an example of how to set values for Delinea roles on the Linux group of systems, using a file named linux under group_vars
linux
# Connection variable for linux
ansible_user: ansible
ansible_become: yes
# Delinea variables for linux
delinea_redhat_urltoken: tc-xxxxxxxx-M0EV
delinea_debian_urltoken: dp-xxxxxxxx-WLgR
delinea_suse_urltoken: ga-xxxxxxxx-caHL
# Delinea Vault variables for linux
delinea_vault_tenant_url: https://company.my.centrify.net
delinea_vault_registration_code: I3-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-AWQJ5O1
delinea_vault_features: aapm,dmc
# Delinea Auth variables for linux
delinea_auth_domain: domain.name
delinea_auth_service_principal: [email protected]
delinea_auth_container: domain.name/Delinea/Computers
delinea_auth_zone: domain.name/Delinea/Zones/AWS/Linux
# Delinea Audit variables for linux
delinea_audit_installation_name: DelineaAMS
For general testing guidelines, please refer to Ansible Testing Documentation.
For support, please contact us at https://support.delinea.com/s/.
Release notes and Roadmap for this Ansible collection are currently being developed. Please check back later for updates.We welcome community input on our roadmap. If you have suggestions or ideas for future development, please submit a pull request or open an issue on our GitHub repository.
Documentation - https://docs.delinea.com/online-help/cloud-suite/integrations/ansible/roles-for-ansible.htm
This project is licensed under the MIT License. See the LICENSE file for more details.