feat: add Windows Server 2025 and SQL 2022 AMI templates, improve provisioning and documentation

ansible/playbooks/base/README.md

@@ -37,16 +37,24 @@ Provisions Windows Server with:
 - Trust relationships
 - User/Group/OU creation
 
-### `mssql_base.yml` - SQL Server Base
+### `mssql_base_setup.yml` + `mssql_base_sql.yml` - SQL Server Base
 
-Provisions Windows Server with:
+Split into two playbooks to stay under the AWS Image Builder 16K component data limit.
+
+**`mssql_base_setup.yml`** provisions Windows Server with:
+
+- PowerShell DSC modules
+- IIS Web Server and WebDAV Publishing
+- RDP enabled with firewall rule
+
+**`mssql_base_sql.yml`** provisions SQL Server:
 
-- All of member_base.yml content
-- SQL Server Express 2019
+- SQL Server Express (version auto-detected by OS)
 - SQL Server firewall rules (TCP 1433, UDP 1434)
-- Basic SQL Server configuration
+- SQL Server configuration and ssm-user access
+- Windows Updates and cleanup
 
-**Used by**: `goad-mssql-base` and `goad-mssql-base-2016` warpgate templates
+**Used by**: `goad-mssql-base`, `goad-mssql-base-2016`, and `goad-mssql-base-2025` warpgate templates
 
 **Runtime tasks still needed**:
 
@@ -136,20 +144,21 @@ These playbooks expect:
 - **Network connectivity** to download:
   - PowerShell modules from PowerShell Gallery
   - Windows Updates from Microsoft
-  - SQL Server Express installer (for mssql_base.yml)
+  - SQL Server Express installer (for mssql_base_sql.yml)
 
 ## Variables
 
 These playbooks intentionally avoid requiring variables. They use sensible defaults for base image provisioning.
 
-The only configurable variable is in `mssql_base.yml`:
+The only configurable variable is in `mssql_base_sql.yml`:
 
 ```yaml
 vars:
-  sql_download_url: "https://go.microsoft.com/fwlink/p/?linkid=866658"  # SQL Server Express 2019
   sql_instance_name: "SQLEXPRESS"
 ```
 
+The SQL Server download URL is auto-detected based on the Windows Server version.
+
 ## Design Decisions
 
 ### Why Not Domain Join in Base Images?

ansible/playbooks/base/mssql_base_setup.yml

@@ -0,0 +1,118 @@
+---
+- name: Provision GOAD MSSQL Server Base Image - System Setup
+  hosts: all
+  gather_facts: true
+
+  tasks:
+    - name: Install PowerShellGet and NuGet provider
+      ansible.windows.win_shell: |
+        $ProgressPreference = 'SilentlyContinue'
+        $ErrorActionPreference = 'Stop'
+        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+        Install-PackageProvider -Name NuGet -Force -Confirm:$false
+        Install-Module PowerShellGet -Force -Confirm:$false
+      register: powershellget_install
+      retries: 3
+      delay: 10
+      until: powershellget_install is not failed
+
+    - name: Install required DSC modules
+      community.windows.win_psmodule:
+        name: "{{ item }}"
+        state: present
+        accept_license: true
+        skip_publisher_check: true
+      loop:
+        - ComputerManagementDsc
+        - ActiveDirectoryDsc
+        - xNetworking
+        - NetworkingDsc
+      environment:
+        LOCALAPPDATA: 'C:\Windows\system32\config\systemprofile\AppData\Local'
+      register: dsc_install
+      retries: 3
+      delay: 10
+      until: dsc_install is not failed
+
+    - name: Verify DSC LCM is ready
+      ansible.windows.win_powershell:
+        script: |
+          $ProgressPreference = 'SilentlyContinue'
+          $ErrorActionPreference = "Stop"
+          try {
+            $lcm = Get-DscLocalConfigurationManager
+            if ($lcm.LCMState -ne 'Idle') {
+              throw "LCM not ready, state: $($lcm.LCMState)"
+            }
+            Write-Output "DSC LCM is ready (state: Idle)"
+            $Ansible.Changed = $false
+          } catch {
+            $Ansible.Failed = $true
+            throw $_
+          }
+      register: dsc_ready
+      retries: 5
+      delay: 5
+      until: dsc_ready is not failed
+      changed_when: false
+
+    - name: Install IIS Web Server
+      ansible.windows.win_feature:
+        name:
+          - Web-Server
+          - Web-WebServer
+          - Web-Common-Http
+          - Web-Default-Doc
+          - Web-Dir-Browsing
+          - Web-Http-Errors
+          - Web-Static-Content
+          - Web-Health
+          - Web-Http-Logging
+          - Web-Performance
+          - Web-Stat-Compression
+          - Web-Security
+          - Web-Filtering
+          - Web-Mgmt-Tools
+          - Web-Mgmt-Console
+        state: present
+        include_management_tools: true
+      register: iis_install
+
+    - name: Install WebDAV Publishing
+      ansible.windows.win_feature:
+        name: Web-DAV-Publishing
+        state: present
+      register: webdav_install
+
+    - name: Reboot if IIS installation requires it
+      ansible.windows.win_reboot:
+        reboot_timeout: 600
+        post_reboot_delay: 60
+      when: iis_install.reboot_required or webdav_install.reboot_required
+
+    - name: Enable Remote Desktop
+      ansible.windows.win_dsc:
+        resource_name: RemoteDesktopAdmin
+        IsSingleInstance: 'Yes'
+        Ensure: present
+        UserAuthentication: Secure
+      register: rdp_result
+      retries: 3
+      delay: 10
+      until: rdp_result is not failed
+
+    - name: Allow RDP through Windows Firewall
+      ansible.windows.win_dsc:
+        resource_name: xFirewall
+        Name: "Administrator access for RDP (TCP-In)"
+        Ensure: present
+        Enabled: true
+        Profile: "Domain"
+        Direction: "Inbound"
+        Localport: "3389"
+        Protocol: "TCP"
+        Description: "Opens the listener port for RDP"
+      register: firewall_result
+      retries: 3
+      delay: 10
+      until: firewall_result is not failed