Allow password to be null in Scheduled Task for gMSA (#60990)

* Allow password to be null in Scheduled Task for gMSA

* Remove test for removed password validation, linting fixes
This commit is contained in:
Brian Scholer 2019-08-27 18:44:45 -04:00 committed by Jordan Borean
parent 0914cdb345
commit eaa6848932
3 changed files with 12 additions and 14 deletions

View file

@ -686,9 +686,6 @@ if ($null -ne $username -and $null -ne $group) {
Fail-Json -obj $result -message "username and group can not be set at the same time"
}
if ($null -ne $logon_type) {
if ($logon_type -eq [TASK_LOGON_TYPE]::TASK_LOGON_PASSWORD -and $null -eq $password) {
Fail-Json -obj $result -message "password must be set when logon_type=password"
}
if ($logon_type -eq [TASK_LOGON_TYPE]::TASK_LOGON_S4U -and $null -eq $password) {
Fail-Json -obj $result -message "password must be set when logon_type=s4u"
}
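
Review bot: deleting the logon_type=password check outright (the three lines right after `if ($null -ne $logon_type) {`) removes the guard for every account, not only gMSAs, while the s4u check just below it is kept. A regular account with logon_type=password and no password now passes this validation block. Consider narrowing the check instead of dropping it, for example keeping the Fail-Json unless $username ends in `$` as the gMSA example in the docs does, or at least emitting a warning when $password is null so a forgotten password does not go unnoticed.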

View file

@ -266,9 +266,9 @@ options:
description:
- The password for the user account to run the scheduled task as.
- This is required when running a task without the user being logged in,
excluding the builtin service accounts.
excluding the builtin service accounts and Group Managed Service Accounts (gMSA).
- If set, will always result in a change unless C(update_password) is set
to C(no) and no othr changes are required for the service.
to C(no) and no other changes are required for the service.
type: str
version_added: '2.4'
update_password:
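
Review bot: the password description still reads "This is required when running a task without the user being logged in", but this commit removes the module-side check that enforced it for logon_type=password, so the sentence no longer describes something the module validates. Suggest wording it as a requirement of the account type and naming C(logon_type=password) next to the gMSA exclusion here, since this option is where a reader checking whether the password can be omitted will look first.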
@ -376,7 +376,7 @@ options:
priority:
description:
- The priority level (0-10) of the task.
- When creating a new task the default if C(7).
- When creating a new task the default is C(7).
- See U(https://msdn.microsoft.com/en-us/library/windows/desktop/aa383512.aspx)
for details on the priority levels.
type: int
@ -430,6 +430,9 @@ notes:
- The option names and structure for actions and triggers of a service follow
the C(RegisteredTask) naming standard and requirements, it would be useful to
read up on this guide if coming across any issues U(https://msdn.microsoft.com/en-us/library/windows/desktop/aa382542.aspx).
- A Group Managed Service Account (gMSA) can be used by setting C(logon_type) to C(password)
and omitting the password parameter. For more information on gMSAs,
see U(https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Windows-Server-2012-Group-Managed-Service-Accounts/ba-p/255910)
seealso:
- module: win_scheduled_task_stat
author:
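
Review bot: the new gMSA note says to set C(logon_type) to C(password) and omit the password, but it does not mention the trailing `$` on the account name that the added example relies on (`DOMAIN\gMsaSvcAcct$`). Stating the expected username form in the note would make it usable without cross-referencing EXAMPLES.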
@ -480,6 +483,12 @@ EXAMPLES = r'''
username: DOMAIN\User
logon_type: s4u
- name: Change above task to use a gMSA, where the password is managed automatically
win_scheduled_task:
name: TaskName2
username: DOMAIN\gMsaSvcAcct$
logon_type: password
- name: Create task with multiple triggers
win_scheduled_task:
name: TriggerTask

View file

@ -16,14 +16,6 @@
register: fail_username_and_group
failed_when: fail_username_and_group.msg != 'username and group can not be set at the same time'
- name: fail logon type password but no password set
win_scheduled_task:
name: '{{test_scheduled_task_name}}'
state: present
logon_type: password
register: fail_lt_password_not_set
failed_when: fail_lt_password_not_set.msg != 'password must be set when logon_type=password'
- name: fail logon type s4u but no password set
win_scheduled_task:
name: '{{test_scheduled_task_name}}'
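
Review bot: the negative test for logon_type=password without a password is deleted and nothing replaces it, so the path this commit newly permits has no coverage in this file. Suggest adding a task that sets `logon_type: password` with no `password` and asserts that the result no longer carries 'password must be set when logon_type=password', alongside the s4u case that is kept.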