Ansible provisioner doesn't allow execution of raw powershell commands

[fbsdmon]

I am having problems executing raw PowerShell commands via Packer's Ansible provisioner.
Example: I can't disable the Windows firewall by running raw: Set-NetFirewallProfile -Enabled False, but I can list a directory by running raw: dir or set a registry key with Ansible's win_regedit module.

Here is my full test setup and packer logs:

• Packer version: 0.12.2
• Ansible version: 2.2.1.0
• Host platform: SLES12SP1
• Packer template: https://gist.github.com/fbsdmon/324bf8deafa24f40cd732ec0d67658d6
• PowerShell scripts:
  • ec2-bootstrap.ps1 https://gist.github.com/fbsdmon/1a32bec33aa972d93198b4e16a6cd1df
  • ec2-config.ps1 https://gist.github.com/fbsdmon/6834a0a2c42b1ca813f0bbff9013ddbc
  • ec2-bundle-config.ps1 https://gist.github.com/fbsdmon/e8ede0bfc64ffc3d57bbe1d11e7ba660
• Ansible playbook: https://gist.github.com/fbsdmon/73bd372380738b77633c89d74ce3d3ed
• Packer log: https://gist.github.com/fbsdmon/9584e3f48f175fff56495378ee5a7fc1

[fbsdmon]

#3911 Feature: allow Ansible provisioner to specify usage of WinRM instead of SSH
#4209 provisioner/ansible: assume scp target is file (resolves winrm incompatibility)

[bhcleek]

When you run the Set-NetFirewallProfile -Enabled False command manually, what's the result? If you run it twice in a row, is the exit code for each run 0?

[fbsdmon]

Manually, the command works. It also works when provisioning directly with Ansible (not via Packer).

PS C:\Users\Administrator> Set-NetFirewallProfile -Enabled False
PS C:\Users\Administrator> Write-Host $?
True
PS C:\Users\Administrator> Set-NetFirewallProfile -Enabled False
PS C:\Users\Administrator> Write-Host $?
True

[bhcleek]

Is the winrm_user specified in the provisioner section an administrator on the machine?

[fbsdmon]

The ansible provisioner only supports user and that is specified.
The builder supports winrm_username and that is specified as well.
Please see the link to my packet template I provided in the issue description.

[bhcleek]

I see that they are the same (as they should be), but my question is about whether or not that user has permission to execute the commands that are failing.

[fbsdmon]

Yes!
The ec2-bootstrap.ps1 script I added create's the user and adds it to the Administrators group, right after enabling WinRM. And as I said, I can add/edit the registry and do all other admin level tasks, the only thing I can't do is execute powershell scripts/commands via raw module.

[bhcleek]

I see; I'd missed the bootstrap script. Thanks for pointing it out. The raw task module works, as you can see by the dir listing in your output. I'll try to duplicate this independently.

[fbsdmon]

Yes, the raw module works. The issue is when I try to execute powershell commands via raw.
Thanks for looking into this. Currently I have to provision my AMI's manually :(

[bhcleek]

I've tried to duplicate this, but am currently running into problems introduced by Ansible 2.3. Can you verify whether this happens with a more common cmdlet (e.g. Get-Help)?

[bhcleek]

I can duplicate this. From what I can tell, it's because the raw won't execute in a Powershell environment. I'd suggest either executing powershell -Command "& {Set-NetFirewallProfile -Enabled False}" or else use the win_shell module.

[fbsdmon]

Ansible 2.4 + Packer 1.1.0 + using win_shell instead of raw = works!
Thanks!!

[SwampDragons]

Closing since the issue had a workaround

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.