How do you create a Windows server in EC2?

Problem:

What’s the process for provisioning a Windows host in EC2 using an EC2 compute resource?
I can’t seem to find any docs on this.

Expected outcome:

A Windows server is created in EC2.

Foreman and Proxy versions:

1.20.0-RC1

Foreman and Proxy plugin versions:

foreman-tasks 0.14.1
foreman_ansible 2.2.9
foreman_cockpit 2.0.3
foreman_hooks 0.3.14
foreman_memcache 0.1.1
foreman_remote_execution 1.6.4


Hello, Foreman is very Linux-centric, but there are users out there maintaining Windows templates and some documentation (or blog posts). You might be on your own figuring this out; report back to us if you get it working.

EC2 is image-based provisioning, so I guess Foreman won’t do much for you in this scenario anyway - Foreman can spawn an image on EC2 and that’s pretty much it. Then you need to bootstrap Puppet or another management system to report back to Foreman.


Thanks @lzap for the confirmation. That’s what I was starting to suspect.

I have this working in EC2 for my Linux hosts-- the instances are created and then their Ansible roles are automatically applied after a configurable amount of time (I just set it to 0 minutes in the settings to speed things up). I think I should be able to get this working now that I’ve explored it a little more. It should just require setting up the WinRM stuff in whatever AMI I’m using. I’ll post back with any progress I make.

Cool, I think I have this working with EC2 and Ansible! I got a successful response to my win_ping.

Here’s a user_data template that can be used as a starting point for others:

```
<%#
kind: user_data
name: Windows default user data
model: ProvisioningTemplate
oses: [Windows]
-%>

<powershell>

    #
    # Set up both HTTP and HTTPS listeners with a self-signed certificate
    # and enable the Basic authentication option on the service.
    #
    $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
    $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
    (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
    powershell.exe -ExecutionPolicy ByPass -File $file

</powershell>
```

That PS code is taken from the Ansible docs.

@lzap Right now I have to get the admin password either through the AWS console or CLI tools. Once I have this and set ansible_password in either host_vars or group_vars, WinRM works. Do you know of a better way to go about doing this? Does Foreman provide access to this password in any way?

One thing I noticed is that jobs take significantly longer to run using WinRM:

This job template took 2+ minutes to run:

```
---
- hosts: all
  gather_facts: no
  tasks:
    - name: Get the current user
      win_command: whoami
      register: debug_info

    - debug: var=debug_info
...
```

**Id:** b673c7cc-a671-44ff-9ec6-b9b8474aa8db
**Label:** Actions::RemoteExecution::RunHostJob
**Status:** stopped
**Result:** success
**Started at:** 2018-11-02 22:02:52 UTC
**Ended at:** 2018-11-02 22:05:04 UTC

Is the longer duration to be expected when using WinRM? (I haven’t used it much before)
Also, I noticed there’s no console feedback until the very end of the playbook. Is that also to be expected when using WinRM?

@dLobatog Any thoughts on the above?

For anyone else who might be doing the same thing, this is the bare minimum set of parameters I set at the operating system level to get this to work:

  • ansible_become: false
  • ansible_connection: winrm
  • ansible_port: 5986
  • ansible_user: Administrator

And then at the host level, I set the following variable after retrieving it:

  • ansible_ssh_pass <varies by host>

Even though I’m using winrm, the password appears to be configured using ansible_ssh_pass.
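
A hardened variant of the user_data body shown earlier in the thread, as an added example that is not part of the original posts or the Ansible docs: it downloads the same script but runs it only if its SHA-256 matches a value recorded after reviewing the file. The `<commit-sha>` and `<sha256-of-reviewed-script>` values are placeholders to fill in, the log path is hypothetical, and the TLS 1.2 line is an assumption for older Windows images.

```powershell
# Added example (not from the thread). Place this body between the
# <powershell> and </powershell> tags of the user_data template.
$ErrorActionPreference = 'Stop'

# Placeholders: pin the URL to the commit you reviewed and record that
# file's SHA-256 here. Neither value comes from the thread.
$url            = 'https://raw.githubusercontent.com/ansible/ansible/<commit-sha>/examples/scripts/ConfigureRemotingForAnsible.ps1'
$expectedSha256 = '<sha256-of-reviewed-script>'
$file           = Join-Path $env:TEMP 'ConfigureRemotingForAnsible.ps1'
$log            = Join-Path $env:TEMP 'winrm-bootstrap.log'   # hypothetical log path

function Test-FileSha256 {
    param([string]$Path, [string]$Expected)
    # Get-FileHash returns upper-case hex; string -eq is case-insensitive.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -eq $Expected.Trim()
}

try {
    # Assumption: older images may not negotiate TLS 1.2 by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

    if (-not (Test-FileSha256 -Path $file -Expected $expectedSha256)) {
        Remove-Item -Path $file -Force
        throw "SHA-256 mismatch for $url; WinRM was not configured."
    }

    # Same invocation as the original template, now on verified content.
    powershell.exe -ExecutionPolicy ByPass -File $file
    "$(Get-Date -Format o) WinRM bootstrap exit code $LASTEXITCODE" | Add-Content $log
}
catch {
    # Fail closed: leave WinRM unconfigured and record why.
    "$(Get-Date -Format o) WinRM bootstrap failed: $_" | Add-Content $log
    exit 1
}
```

Because the downloaded script enables Basic authentication, connect only over the HTTPS listener on port 5986, as the parameters listed above do.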