No explicit plans to natively support it in Ansible right now. I've heard 
people talking about chaining connections, e.g. use SSH to a host then 
WinRM from there, but that's quite complex and I don't expect anything 
anytime soon. So while you can't set all this up end to end with an 
inventory configuration, you can still achieve what you want using a SOCKS 
proxy. Basically the only extra step needed to set up this proxy is to bind 
the local port and set up the SSH connection.

Here is a very basic example of how to do all this. In my example I set up 
my local SSH connection to listen on port 12345.

# install the requests socks dependency packages
pip install 'requests[socks]'

# set up the following in your inventory
[socks]
windows-host

[socks:vars]
ansible_user=username
ansible_password=password
ansible_connection=psrp
# this is the port of the WinRM instance your Windows host is listening on
ansible_port=5985
ansible_psrp_proxy=socks5://localhost:12345

# in a separate terminal on your Ansible host run the following which will
# start an SSH connection you need to keep active until you have finished
# with Ansible

ssh -D 12345 username@bastionhost

# now run your playbook
ansible -i inventory.ini socks -m win_ping


I just tested this out and confirmed with Wireshark that there was no 
traffic over port 5985 to my host and the actual data was being sent over 
SSH to my bastion host and then from there it is sending the WinRM requests 
over port 5985.

What happens in that example is that your localhost will set up an SSH 
connection that listens on port 12345 and any data received on that port 
will be tunneled to your bastion host. The bastion host will then act 
as a client and send the WinRM request as per usual to the Windows host 
which it should have access to. Any responses are then tunneled back over 
the SSH connection and then finally sent back to Ansible to process.

You can get tricky and play around with SSH to set up a ControlPath that 
you can use to run your SSH connection in the background and bring it up 
and down or even use a separate host to act as your SOCKS proxy and handle 
all the SSH connections but that's a separate conversation from this.

Thanks

Jordan
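
The ControlPath approach mentioned in the last paragraph, sketched as an added example that is not part of the original message: the SOCKS tunnel is started in the background, reused if already up, and torn down after the wrapped command. The function names and the control socket path are assumptions; the bastion host and port 12345 are the ones used above.

```shell
#!/bin/sh
# Added example: manage the SSH SOCKS tunnel through a control socket.
# BASTION and SOCKS_PORT match the message above; CTL is a hypothetical path.
BASTION="${BASTION:-username@bastionhost}"
SOCKS_PORT="${SOCKS_PORT:-12345}"
CTL="${CTL:-${HOME:-/tmp}/.ssh/ansible-socks-$SOCKS_PORT.sock}"

# Succeeds only if a master connection is alive on the control socket.
tunnel_check() {
    ssh -S "$CTL" -O check "$BASTION"
}

# Start the tunnel in the background unless one is already running.
#   -M / -S  master mode on the control socket
#   -f / -N  go to background after authentication, run no remote command
#   -D       SOCKS listener bound to localhost only, so other machines
#            cannot use the proxy
#   ExitOnForwardFailure makes ssh fail if the port cannot be bound,
#   so Ansible never talks to some other process listening on that port.
tunnel_up() {
    if tunnel_check 2>/dev/null; then
        return 0
    fi
    ssh -M -S "$CTL" -f -N -o ExitOnForwardFailure=yes \
        -D "localhost:$SOCKS_PORT" "$BASTION"
}

# Ask the background master to exit, closing the SOCKS listener.
tunnel_down() {
    ssh -S "$CTL" -O exit "$BASTION"
}

# Bring the tunnel up, run the given command, always tear the tunnel
# down again, and return the command's own exit status.
run_with_tunnel() {
    tunnel_up || return 1
    rc=0
    "$@" || rc=$?
    tunnel_down || :
    return "$rc"
}

# Usage: run_with_tunnel ansible -i inventory.ini socks -m win_ping
```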
