azure.azcollection.azure_kql inventory – Azure Resource Manager inventory plugin using Azure Resource Graph (KQL)

Note

This inventory plugin is part of the azure.azcollection collection (version 3.8.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this inventory plugin, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_kql.

New in azure.azcollection 3.7.0

Synopsis

  • Query VM details from Azure Resource Manager using Azure Resource Graph and its Kusto Query Language (KQL); despite the wording in older versions of this page, this is not GraphQL.

  • See https://learn.microsoft.com/en-us/azure/virtual-machines/resource-graph-samples?tabs=azure-cli for how to craft your own query. The one requirement is that the query must return a column named inventory_hostname.

  • Requires a YAML configuration file whose name ends with ‘azure_kql.(yml|yaml)’

  • Be aware that Azure Resource Graph may lag behind the actual state of your resources: updates can take up to 30 minutes to propagate, for resources appearing as well as disappearing. A freshly created VM may therefore be missing from the inventory and a deleted one may still be listed.

Requirements

The below requirements are needed on the local controller node that executes this inventory.

  • python >= 2.7

  • The host that executes this module must have the azure.azcollection collection installed via galaxy

  • All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection

  • Full installation instructions may be found at https://galaxy.ansible.com/azure/azcollection

Parameters

Parameter

Comments

ad_user

string

Active Directory username. Use when authenticating with an Active Directory user rather than service principal.

adfs_authority_url

string

added in azure.azcollection 0.0.1

Azure AD authority URL. Use when authenticating with username/password against your own ADFS authority.

api_profile

string

added in azure.azcollection 0.0.1

Selects an API profile to use when communicating with Azure services. Default value of latest is appropriate for public clouds; future values will allow use with Azure Stack.

Default: "latest"

auth_source

string

added in azure.azcollection 0.0.1

Controls the source of the credentials to use for authentication.

Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable.

When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli.

When set to env, the credentials will be read from the environment variables

When set to credential_file, it will read the profile from ~/.azure/credentials.

When set to cli, the credentials are sourced from the Azure CLI profile (az login). subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to select the subscription if more than one is present; otherwise the default az cli subscription is used.

When set to msi, the host machine must be an Azure resource with a managed identity (MSI) enabled. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to select the subscription if the identity is granted access to more than one subscription; otherwise the first subscription is chosen.

The msi was added in Ansible 2.6.

Choices:

  • "auto" ← (default)

  • "cli"

  • "credential_file"

  • "env"

  • "msi"

cache

boolean

Toggle to enable/disable the caching of the inventory’s source data, requires a cache plugin setup to work.

Choices:

  • false ← (default)

  • true

cache_connection

string

Cache connection data or path, read cache plugin documentation for specifics.

cache_plugin

string

Cache plugin to use for the inventory’s source data.

Default: "memory"

cache_prefix

string

Prefix to use for cache plugin files/tables.

Default: "ansible_inventory_"

cache_timeout

integer

Cache duration in seconds.

Default: 3600

cert_validation_mode

string

added in azure.azcollection 0.0.1

Controls the certificate validation behavior for Azure endpoints. By default, all modules validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing ignore. Treat that as a last resort: with validation off, anyone on the network path can impersonate the Azure endpoint and capture the credentials and tokens the plugin sends; adding the proxy's or Azure Stack's CA certificate to the controller's trust store keeps validation on. Can also be set via credential file profile or the AZURE_CERT_VALIDATION environment variable.

Choices:

  • "ignore"

  • "validate"

client_id

string

Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi).

Can also be set via the AZURE_CLIENT_ID environment variable.

cloud_environment

string

added in azure.azcollection 0.0.1

For cloud environments other than the US public cloud, the environment name (as defined by the Azure Python SDK, e.g. AzureChinaCloud, AzureUSGovernment), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or the AZURE_CLOUD_ENVIRONMENT environment variable.

Default: "AzureCloud"

compose

dictionary

A mapping of hostvar names to Jinja2 expressions. The value for each host is the result of the Jinja2 expression (which may refer to any of the host’s existing variables at the time this inventory plugin runs).

Default: {}

disable_instance_discovery

boolean

added in azure.azcollection 2.3.0

Determines whether instance discovery is performed when authenticating. Setting this to true completely disables both instance discovery and authority validation. It is intended for scenarios where the metadata endpoint cannot be reached, such as private clouds or Azure Stack. Instance discovery retrieves authority metadata from https://login.microsoft.com/ to validate the authority; with this set to true that validation is skipped, so you must make sure the configured authority host is valid and trustworthy, because a wrong or attacker-controlled authority would receive your credentials.

Set via credential file profile or the AZURE_DISABLE_INSTANCE_DISCOVERY environment variable.

Choices:

  • false ← (default)

  • true

fail_on_template_errors

string

When false, template failures during group and filter processing are silently ignored (for example, when a filter or group expression refers to an undefined host variable).

Choices:

  • true ← (default)

  • false

graph_query

string

A graph query which will retrieve the inventory of hosts you are interested in. You must return inventory_hostname as a field from your query.

groups

dictionary

A mapping of group names to Jinja2 expressions. When the mapped expression is true, the host is added to the named group.

Default: {}

hostnames

list / elements=string

A list of Jinja2 expressions in order of precedence to compose inventory_hostname.

Ignores expression if result is an empty string or None value.

An expression of default will force using the default hostname generator if no previous hostname expression resulted in a valid hostname.

Use default_inventory_hostname to access the default hostname generator’s value in any of the Jinja2 expressions.

Default: ["default"]

keyed_groups

list / elements=dictionary

Creates groups based on the value of a host variable. Requires a list of dictionaries, defining key (the source dictionary-typed variable), prefix (the prefix to use for the new group name), and optionally separator (which defaults to _)

Default: []

default_value

string

added in ansible-core 2.12

The default value when the host variable’s value is None or an empty string.

This option is mutually exclusive with keyed_groups[].trailing_separator.

key

string

The key from input dictionary used to generate groups.

parent_group

string

Parent group for the keyed group.

prefix

string

A keyed group name will start with this prefix.

Default: ""

separator

string

Separator used to build the keyed group name.

Default: "_"

trailing_separator

boolean

added in ansible-core 2.12

Set this option to false to omit the keyed_groups[].separator after the host variable when the value is None or an empty string.

This option is mutually exclusive with keyed_groups[].default_value.

Choices:

  • false

  • true ← (default)

leading_separator

boolean

added in ansible-core 2.11

Use in conjunction with keyed_groups.

By default, a keyed group that does not have a prefix or a separator provided will have a name that starts with an underscore.

This is because the default prefix is "" and the default separator is "_".

Set this option to false to omit the leading underscore (or other separator) if no prefix is given.

If the group name is derived from a mapping the separator is still used to concatenate the items.

To not use a separator in the group name at all, set the separator for the keyed group to an empty string instead.

Choices:

  • false

  • true ← (default)

log_mode

string

Parent argument.

log_path

string

Parent argument.

password

string

Active Directory user password. Use when authenticating with an Active Directory user rather than service principal.

plugin

string / required

Marks this as an instance of the ‘azure_kql’ plugin.

Choices:

  • "azure_kql"

  • "azure.azcollection.azure_kql"

profile

string

Security profile found in ~/.azure/credentials file.

secret

string

Azure client secret. Use when authenticating with a Service Principal. Avoid storing it in plaintext in the inventory file: set AZURE_SECRET in the environment, use the ~/.azure/credentials file, or protect the value with Ansible Vault.

strict

boolean

If true, make invalid entries a fatal error; otherwise skip them and continue.

Since the expressions can use facts that might not always be available, those errors are ignored by default.

Choices:

  • false ← (default)

  • true

subscription_id

string

Your Azure subscription Id.

tenant

string

Azure tenant ID. Use when authenticating with a Service Principal.

thumbprint

string

added in azure.azcollection 1.14.0

The thumbprint of the certificate specified in x509_certificate_path.

Use when authenticating with a Service Principal.

Required if x509_certificate_path is defined.

use_extra_vars

boolean

added in ansible-core 2.11

Merge extra vars into the available variables for composition (highest precedence).

Choices:

  • false ← (default)

  • true

x509_certificate_path

path

added in azure.azcollection 1.14.0

Path to the X509 certificate used to create the service principal in PEM format.

The certificate must be appended to the private key.

Use when authenticating with a Service Principal.

Note

Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).

Notes

Note

  • For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login.

  • Authentication is also possible using a service principal or Active Directory user.

  • To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

  • To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

  • Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

  • Inventories are not finalized at this stage, so the auto populated all and ungrouped groups will only reflect what previous inventory sources explicitly added to them.

  • Runtime ‘magic variables’ are not available during inventory construction. For example, groups and hostvars do not exist yet.
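The lookup order documented above for auth_source: auto (module parameters, then environment, then ~/.azure/credentials, then the Azure CLI profile) and the profile layout of the credential file from the Notes, modelled in Python as an added example. This is not code from azure.azcollection, and the collection's own resolution is more involved; it reproduces only the documented precedence. It also includes a check that the credential file is not group- or world-readable, since that file holds a client secret or password in plaintext. The credential file contents, GUIDs and secrets are constructed placeholders.

```python
"""Model of the auth_source lookup order and the ~/.azure/credentials format.

Added example, not code from azure.azcollection. Precedence for auto is
params -> env -> credential_file -> cli, as documented; cli and msi carry no
secret themselves (token comes from az login or the managed identity).
"""
import configparser
from typing import Dict, Mapping, Tuple

SP_KEYS = ("subscription_id", "client_id", "secret", "tenant")   # service principal
AD_KEYS = ("subscription_id", "ad_user", "password")             # Active Directory user
CRED_KEYS = tuple(dict.fromkeys(SP_KEYS + AD_KEYS))              # ordered union
ENV_NAME = {k: "AZURE_" + k.upper() for k in CRED_KEYS}          # AZURE_SECRET, AZURE_TENANT, ...

# Constructed sample of ~/.azure/credentials: a service-principal profile
# under [default] and an AD-user profile under [lab]. Values are placeholders.
SAMPLE_CREDENTIAL_FILE = """\
[default]
subscription_id=11111111-1111-1111-1111-111111111111
client_id=22222222-2222-2222-2222-222222222222
secret=placeholder-client-secret
tenant=33333333-3333-3333-3333-333333333333

[lab]
subscription_id=44444444-4444-4444-4444-444444444444
ad_user=automation@example.test
password=placeholder-password
"""

LOOKUP_ORDER = {
    "auto": ("params", "env", "credential_file", "cli"),
    "env": ("env",),
    "credential_file": ("credential_file",),
    "cli": ("cli",),
    "msi": ("msi",),
}


def _complete(creds: Mapping[str, str]) -> bool:
    """A usable set is either a full service-principal or a full AD-user tuple."""
    return all(creds.get(k) for k in SP_KEYS) or all(creds.get(k) for k in AD_KEYS)


def from_params(params: Mapping[str, str]) -> Dict[str, str]:
    return {k: params[k] for k in CRED_KEYS if params.get(k)}


def from_env(environ: Mapping[str, str]) -> Dict[str, str]:
    return {k: environ[ENV_NAME[k]] for k in CRED_KEYS if environ.get(ENV_NAME[k])}


def from_credential_file(text: str, profile: str = "default") -> Dict[str, str]:
    # interpolation=None: secrets may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(profile):
        return {}
    return {k: cp.get(profile, k) for k in CRED_KEYS if cp.has_option(profile, k)}


def resolve_credentials(auth_source: str, params: Mapping[str, str],
                        environ: Mapping[str, str], credential_file_text: str,
                        profile: str = "default") -> Tuple[str, Dict[str, str]]:
    """Return (source, creds). For cli/msi creds only carries the subscription
    selector, taken from params or AZURE_SUBSCRIPTION_ID when present."""
    if auth_source not in LOOKUP_ORDER:
        raise ValueError(f"unknown auth_source {auth_source!r}")
    for source in LOOKUP_ORDER[auth_source]:
        if source == "params":
            creds = from_params(params)
        elif source == "env":
            creds = from_env(environ)
        elif source == "credential_file":
            creds = from_credential_file(credential_file_text, profile)
        else:  # cli or msi: no secret to collect here
            sub = params.get("subscription_id") or environ.get("AZURE_SUBSCRIPTION_ID")
            return source, ({"subscription_id": sub} if sub else {})
        if _complete(creds):
            return source, creds
    raise ValueError(f"no complete credential set for auth_source={auth_source}")


def credential_file_mode_ok(st_mode: int) -> bool:
    """True when ~/.azure/credentials has no group/other permission bits
    (pass os.stat(path).st_mode); the file holds plaintext secrets."""
    return (st_mode & 0o077) == 0
```

With auto, a partial environment (only AZURE_SUBSCRIPTION_ID) is not a complete set, so the lookup falls through to the credential file and finally to the CLI profile, where that variable only selects the subscription; with auth_source: env the same partial environment is an error.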

See Also

Sign in with Azure CLI

How to authenticate using the az login command.

Examples

plugin: azure.azcollection.azure_kql

# The query must return a column named inventory_hostname. The VM-to-NIC join below uses
# the default join kind (innerunique), so a VM that has no network interface is dropped
# from the inventory; use 'join kind=leftouter' there if such VMs should still appear.
graph_query: |-
  Resources
      | where type =~ 'microsoft.compute/virtualmachines'
      | project vmId = tolower(tostring(id)),
                inventory_hostname = name,
                tags,
                location,
                resourceGroup,
                osType = tostring(properties.storageProfile.osDisk.osType),
                powerState = tostring(properties.extended.instanceView.powerState.displayStatus),
                hostName = properties.osProfile.computerName,
                subscription_id = subscriptionId
      | join kind=inner (ResourceContainers
          | where type=='microsoft.resources/subscriptions'
          | extend subscription_name = name,
                   subscription_id = subscriptionId,
                   state = properties.state
          | where state == 'Enabled'
          | project subscription_name,
                    subscription_id)
            on subscription_id
      | project-away subscription_id1
      | join (Resources
          | where type =~ 'microsoft.network/networkinterfaces'
          | mv-expand ipconfig=properties.ipConfigurations
          | project vmId = tolower(tostring(properties.virtualMachine.id)),
                    privateIp = ipconfig.properties.privateIPAddress,
                    publicIpId = tostring(ipconfig.properties.publicIPAddress.id)
          | join kind=leftouter (Resources
              | where type =~ 'microsoft.network/publicipaddresses'
              | project publicIpId = id, publicIp = properties.ipAddress
          ) on publicIpId
          | project-away publicIpId, publicIpId1
          | summarize privateIps = make_list(privateIp), publicIps = make_list(publicIp) by vmId
      ) on vmId
      | project-away vmId1
      | sort by inventory_hostname asc

# adds variables to each host found by this inventory plugin, whose values are the result of the associated expression
compose:
    # prefer a public IP and fall back to the first private IP; a VM with neither makes 'first' fail and,
    # with strict: false, silently gets no ansible_host. Put privateIps first if you manage hosts over private connectivity.
    ansible_host: "(publicIps + privateIps) | first"
    ansible_winrm_kerberos_hostname_override: "inventory_hostname + '.domain.tld'"
    # tag values are strings, so 'DMZ' in tags.AAP_Managed is a substring test on the tag value
    ansible_winrm_transport: "'ntlm' if ('AAP_Managed' in tags and ('DMZ' in tags.AAP_Managed or 'Local' in tags.AAP_Managed)) else 'kerberos'"

# tags is a mapping of tag name -> string value and the key lookup is case-sensitive, so use the exact casing of your tags.
# A VM with no tags has tags: null; the expressions below then raise a template error for it, and whether that aborts the
# inventory run or just skips the host is governed by strict and fail_on_template_errors.
groups:
    AAP_Managed: "'AAP_Managed' in (tags|list)"
    ubuntu18: "'AAP_Managed' in (tags|list) and 'ubuntu18' in tags.Ansible_OS"
    ubuntu20: "'AAP_Managed' in (tags|list) and 'ubuntu20' in tags.Ansible_OS"
    ubuntu22: "'AAP_Managed' in (tags|list) and 'ubuntu22' in tags.Ansible_OS"
    rhel7: "'AAP_Managed' in (tags|list) and 'rhel7' in tags.Ansible_OS"
    rhel8: "'AAP_Managed' in (tags|list) and 'rhel8' in tags.Ansible_OS"
    rhel9: "'AAP_Managed' in (tags|list) and 'rhel9' in tags.Ansible_OS"
    windows2012: "'AAP_Managed' in (tags|list) and 'windows2012' in tags.Ansible_OS"
    windows2016: "'AAP_Managed' in (tags|list) and 'windows2016' in tags.Ansible_OS"
    windows2019: "'AAP_Managed' in (tags|list) and 'windows2019' in tags.Ansible_OS"
    windows2022: "'AAP_Managed' in (tags|list) and 'windows2022' in tags.Ansible_OS"
    # 'Asia' in tags.AAP_Managed is a substring match on the tag value
    Asia: "'AAP_Managed' in (tags|list) and 'Asia' in tags.AAP_Managed"
    North_America: "'AAP_Managed' in (tags|list) and 'Asia' not in tags.AAP_Managed"

# change how inventory_hostname is generated. Each item is a jinja2 expression, evaluated in order; the first one
# that yields a non-empty result wins.
hostnames:
    - "tags.vm_name if 'vm_name' in tags"
    - default_inventory_hostname + ".domain.tld" # turn a short VM name into an FQDN; this always yields a value, so the entry below is never reached
    - default  # special value that uses the default hostname generator (the query's inventory_hostname column)

keyed_groups:
    - prefix: ""
      separator: ""
      key: osType
    - prefix: ""
      separator: ""
      key: location
    - prefix: ""
      separator: ""
      key: powerState
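An offline lint for an azure_kql inventory source, added here as an example and not part of azure.azcollection. It takes the inventory file already parsed into a dict (what yaml.safe_load returns) so it runs without PyYAML, and checks the constraints this page states: the file-name suffix, the plugin name, an inventory_hostname column in graph_query, the auth_source choices, thumbprint being present with x509_certificate_path, and ad_user/password coming together. It also flags the settings a reviewer should question before the file is committed: a plaintext secret or password, cert_validation_mode: ignore, and disable_instance_discovery: true. The two sample configs are constructed, and the regex used to find the inventory_hostname column is a heuristic rather than a KQL parser.

```python
"""Offline lint for an azure_kql inventory source.

Added example, not part of azure.azcollection. Input is the parsed YAML
mapping, so no PyYAML is needed to run the checks; the __main__ block
below loads a real file if PyYAML is available.
"""
import re
from typing import List, Tuple

PLUGIN_NAMES = {"azure_kql", "azure.azcollection.azure_kql"}
AUTH_SOURCES = {"auto", "cli", "credential_file", "env", "msi"}
FILENAME_RE = re.compile(r"azure_kql\.ya?ml$")
# Heuristic: inventory_hostname must leave the query as a column, either assigned
# ("inventory_hostname = name") or listed inside a project clause.
HOSTNAME_COLUMN_RE = re.compile(
    r"\binventory_hostname\s*=|\|\s*project\b[^|]*\binventory_hostname\b", re.S)

Finding = Tuple[str, str]  # (severity, message)

# Constructed samples: one clean source and one with typical mistakes.
GOOD_CONFIG = {
    "plugin": "azure.azcollection.azure_kql",
    "auth_source": "msi",
    "graph_query": ("Resources\n"
                    "| where type =~ 'microsoft.compute/virtualmachines'\n"
                    "| project inventory_hostname = name, tags, location"),
}
BAD_CONFIG = {
    "plugin": "azure_rm",
    "secret": "placeholder-secret",
    "cert_validation_mode": "ignore",
    "graph_query": "Resources | where type =~ 'microsoft.compute/virtualmachines' | project name, tags",
    "x509_certificate_path": "/etc/ansible/sp.pem",
}


def lint_inventory(filename: str, cfg: dict) -> List[Finding]:
    findings: List[Finding] = []

    def error(msg: str) -> None:
        findings.append(("error", msg))

    def warning(msg: str) -> None:
        findings.append(("warning", msg))

    if not FILENAME_RE.search(filename):
        error("file name must end with azure_kql.yml or azure_kql.yaml, or the plugin will not claim the file")
    if cfg.get("plugin") not in PLUGIN_NAMES:
        error("plugin must be azure_kql or azure.azcollection.azure_kql")
    query = cfg.get("graph_query") or ""
    if not query.strip():
        error("graph_query is missing or empty")
    elif not HOSTNAME_COLUMN_RE.search(query):
        error("graph_query does not return an inventory_hostname column")
    if cfg.get("auth_source", "auto") not in AUTH_SOURCES:
        error("auth_source must be one of " + ", ".join(sorted(AUTH_SOURCES)))
    if cfg.get("x509_certificate_path") and not cfg.get("thumbprint"):
        error("thumbprint is required when x509_certificate_path is set")
    if bool(cfg.get("ad_user")) != bool(cfg.get("password")):
        error("ad_user and password must be set together")
    # Security review points: plaintext secrets in a file that tends to end up in git,
    # and two switches that weaken transport or authority validation.
    for key in ("secret", "password"):
        if isinstance(cfg.get(key), str):
            warning(f"{key} is stored in plaintext in the inventory file; prefer "
                    f"AZURE_{key.upper()} in the environment, ~/.azure/credentials, "
                    "a managed identity, or an Ansible Vault value")
    if cfg.get("cert_validation_mode") == "ignore":
        warning("cert_validation_mode: ignore turns off TLS certificate validation for Azure endpoints")
    if cfg.get("disable_instance_discovery") is True:
        warning("disable_instance_discovery: true skips authority validation; the configured authority host must be trusted")
    return findings


if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, installed via the collection's requirements.txt
    path = sys.argv[1]
    with open(path) as fh:
        for severity, message in lint_inventory(path, yaml.safe_load(fh)):
            print(f"{severity}: {message}")
```

Run it as `python lint_azure_kql.py prod.azure_kql.yml` before `ansible-inventory -i prod.azure_kql.yml --list`; the clean sample produces no findings, the bad one reports four errors (file name, plugin name, missing inventory_hostname column, missing thumbprint) and two warnings (plaintext secret, certificate validation disabled).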