Add modules to manage Remote Desktop Services (#43406)

* Add windows module win_rds_settings

* Add windows module win_rds_rap

* Add windows module win_rds_cap

* Add tests for module win_rds_settings

* Add tests for module win_rds_rap

* Add tests for module win_rds_cap

* Validate user and computer groups in module win_rds_cap

* Validate user groups in module win_rds_rap

* Support additional formats (UPN, Down-Level Login Name, SID and Login Name) for user and computer group names in module win_rds_cap

* Support additional formats (UPN, Down-Level Login Name, SID and Login Name) for user group names in module win_rds_rap

* Validate computer group parameter and support additional formats (UPN, Down-Level Login Name, SID and Login Name) in module win_rds_rap

* Validate allowed ports parameter in module win_rds_rap

* Ensure user group list is not empty in module win_rds_rap

* Remove unwanted value in result object

* Ensure user group list is not empty in module win_rds_cap

* Ensure order parameter value never exceed the number of existing CAPs in module win_rds_cap

* Add diff mode support to win_rds_cap

* Add diff mode support to win_rds_rap

* Add diff mode support to win_rds_settings

* Add SSL bridging and messaging policy settings to module win_rds_settings

* Fix copyright

[skip ci]

* Add missing trailing dots in documentation

[skip ci]

* Fix incorrect variable passed to Fail-Json

* Minor changes and doc update

* Avoid using Powershell aliases

* Use WMI instead of PSProvider to handle group names to avoid conversion in UPN form

* Use CIM instead of WMI cmdlets

test/integration/targets/win_rds_cap/aliases

@@ -0,0 +1 @@
+shippable/windows/group4

test/integration/targets/win_rds_cap/defaults/main.yml

@@ -0,0 +1 @@
+test_win_rds_cap_name: Ansible Test CAP

test/integration/targets/win_rds_cap/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+# Cannot use win_feature to install RDS on Server 2008.
+# Run a brief check and skip hosts that don't support
+# that operation
+- name: check if win_feature will work on test host
+  win_command: powershell.exe "exit (-not (Get-Command -Name Add-WindowsFeature -ErrorAction SilentlyContinue))"
+  register: module_available
+  failed_when: False
+
+# Run actual tests
+- block:
+  - name: ensure Remote Desktop Gateway services are installed
+    win_feature:
+      name: RDS-Gateway,RDS-Licensing,RDS-RD-Server
+      state: present
+      include_management_tools: True
+    register: rds_install
+
+  - name: reboot server if needed
+    win_reboot:
+      post_reboot_delay: 10
+    when: rds_install.reboot_required
+
+  - include_tasks: tests.yml
+
+  always:
+    - name: delete all CAPs
+      win_shell: Import-Module RemoteDesktopServices; Remove-Item -Path RDS:\GatewayServer\CAP\* -Recurse
+
+  when: module_available.rc == 0

test/integration/targets/win_rds_cap/tasks/tests.yml

@@ -0,0 +1,264 @@
+---
+- name: test create a new CAP (check mode)
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_cap_check
+  check_mode: yes
+
+- name: get result of create a new CAP (check mode)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: new_cap_actual_check
+
+- name: assert results of create a new CAP (check mode)
+  assert:
+    that:
+    - new_cap_check.changed == true
+    - new_cap_actual_check.stdout_lines[0] == "False"
+
+- name: test create a new CAP
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_cap
+
+- name: get result of create a new CAP
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: new_cap_actual
+
+- name: assert results of create a new CAP
+  assert:
+    that:
+    - new_cap.changed == true
+    - new_cap_actual.stdout_lines[0] == "True"
+
+- name: test create a new CAP (idempotent)
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_cap_again
+
+- name: get result of create a new CAP (idempotent)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: new_cap_actual_again
+
+- name: assert results of create a new CAP (idempotent)
+  assert:
+    that:
+    - new_cap_again.changed == false
+    - new_cap_actual_again.stdout_lines[0] == "True"
+
+- name: test edit a CAP
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups:
+      # Test with different group name formats
+      - users@builtin
+      - .\guests
+    computer_groups:
+      - administrators
+    auth_method: both
+    session_timeout: 20
+    session_timeout_action: reauth
+    allow_only_sdrts_servers: true
+    idle_timeout: 10
+    redirect_clipboard: false
+    redirect_drives: false
+    redirect_printers: false
+    redirect_serial: false
+    redirect_pnp: false
+    state: disabled
+  register: edit_cap
+
+- name: get result of edit a CAP
+  win_shell: |
+    Import-Module RemoteDesktopServices;
+    $cap_path = "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}"
+    $cap = @{}
+    Get-ChildItem -Path "$cap_path" | foreach { $cap.Add($_.Name,$_.CurrentValue) }
+    $cap.DeviceRedirection = @{}
+    Get-ChildItem -Path "$cap_path\DeviceRedirection" | foreach { $cap.DeviceRedirection.Add($_.Name, ($_.CurrentValue -eq 1)) }
+    $cap.UserGroups = @(Get-ChildItem -Path "$cap_path\UserGroups" | Select -ExpandProperty Name)
+    $cap.ComputerGroups = @(Get-ChildItem -Path "$cap_path\ComputerGroups" | Select -ExpandProperty Name)
+    $cap | ConvertTo-Json
+  register: edit_cap_actual_json
+
+- name: parse result of edit a CAP.
+  set_fact:
+    edit_cap_actual: '{{ edit_cap_actual_json.stdout | from_json }}'
+
+- name: assert results of edit a CAP
+  assert:
+    that:
+    - edit_cap.changed == true
+    - edit_cap_actual.Status == "0"
+    - edit_cap_actual.EvaluationOrder == "1"
+    - edit_cap_actual.AllowOnlySDRTSServers == "1"
+    - edit_cap_actual.AuthMethod == "3"
+    - edit_cap_actual.IdleTimeout == "10"
+    - edit_cap_actual.SessionTimeoutAction == "1"
+    - edit_cap_actual.SessionTimeout == "20"
+    - edit_cap_actual.DeviceRedirection.Clipboard == false
+    - edit_cap_actual.DeviceRedirection.DiskDrives == false
+    - edit_cap_actual.DeviceRedirection.PlugAndPlayDevices == false
+    - edit_cap_actual.DeviceRedirection.Printers == false
+    - edit_cap_actual.DeviceRedirection.SerialPorts == false
+    - edit_cap_actual.UserGroups | length == 2
+    - edit_cap_actual.UserGroups[0] == "Users@BUILTIN"
+    - edit_cap_actual.UserGroups[1] == "Guests@BUILTIN"
+    - edit_cap_actual.ComputerGroups | length == 1
+    - edit_cap_actual.ComputerGroups[0] == "Administrators@BUILTIN"
+
+- name: test remove all computer groups of CAP
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    computer_groups: []
+  register: remove_computer_groups_cap
+
+- name: get result of remove all computer groups of CAP
+  win_shell: |
+    Import-Module RemoteDesktopServices;
+    $cap_path = "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}"
+    Write-Host @(Get-ChildItem -Path "$cap_path\ComputerGroups" | Select -ExpandProperty Name).Count
+  register: remove_computer_groups_cap_actual
+
+- name: assert results of remove all computer groups of CAP
+  assert:
+    that:
+    - remove_computer_groups_cap.changed == true
+    - remove_computer_groups_cap_actual.stdout_lines[0] == "0"
+
+- name: test create a CAP in second position
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }} Second'
+    user_groups:
+      - users@builtin
+    order: 2
+    state: present
+  register: second_cap
+
+- name: get result of create a CAP in second position
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Get-Item "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }} Second\EvaluationOrder").CurrentValue
+  register: second_cap_actual
+
+- name: assert results of create a CAP in second position
+  assert:
+    that:
+    - second_cap.changed == true
+    - second_cap.warnings is not defined
+    - second_cap_actual.stdout_lines[0] == "2"
+
+- name: test create a CAP with order greater than existing CAP count
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }} Last'
+    user_groups:
+      - users@builtin
+    order: 50
+    state: present
+  register: cap_big_order
+
+- name: get result of create a CAP with order greater than existing CAP count
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Get-Item "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }} Last\EvaluationOrder").CurrentValue
+  register: cap_big_order_actual
+
+- name: assert results of create a CAP with order greater than existing CAP count
+  assert:
+    that:
+    - cap_big_order.changed == true
+    - cap_big_order.warnings | length == 1
+    - cap_big_order_actual.stdout_lines[0] == "3"
+
+- name: test remove CAP (check mode)
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    state: absent
+  register: remove_cap_check
+  check_mode: yes
+
+- name: get result of remove CAP (check mode)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: remove_cap_actual_check
+
+- name: assert results of remove CAP (check mode)
+  assert:
+    that:
+    - remove_cap_check.changed == true
+    - remove_cap_actual_check.stdout_lines[0] == "True"
+
+- name: test remove CAP
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    state: absent
+  register: remove_cap_check
+
+- name: get result of remove CAP
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: remove_cap_actual_check
+
+- name: assert results of remove CAP
+  assert:
+    that:
+    - remove_cap_check.changed == true
+    - remove_cap_actual_check.stdout_lines[0] == "False"
+
+- name: test remove CAP (idempotent)
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    state: absent
+  register: remove_cap_check
+
+- name: get result of remove CAP (idempotent)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\CAP\{{ test_win_rds_cap_name }}")
+  register: remove_cap_actual_check
+
+- name: assert results of remove CAP (idempotent)
+  assert:
+    that:
+    - remove_cap_check.changed == false
+    - remove_cap_actual_check.stdout_lines[0] == "False"
+
+- name: fail when create a new CAP without user group
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    state: present
+  register: new_cap_without_group
+  check_mode: yes
+  failed_when: "new_cap_without_group.msg != 'User groups must be defined to create a new CAP.'"
+
+- name: fail when create a new CAP with an empty user group list
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups: []
+    state: present
+  register: new_cap_empty_group_list
+  check_mode: yes
+  failed_when: "new_cap_empty_group_list.msg is not search('cannot be an empty list')"
+
+- name: fail when create a new CAP with an invalid user group
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    user_groups:
+      - fake_group
+    state: present
+  register: new_cap_invalid_user_group
+  check_mode: yes
+  failed_when: new_cap_invalid_user_group.changed != false or new_cap_invalid_user_group.msg is not search('is not a valid account')
+
+- name: fail when create a new CAP with an invalid computer group
+  win_rds_cap:
+    name: '{{ test_win_rds_cap_name }}'
+    computer_groups:
+      - fake_group
+    state: present
+  register: new_cap_invalid_computer_group
+  check_mode: yes
+  failed_when: new_cap_invalid_computer_group.changed != false or new_cap_invalid_computer_group.msg is not search('is not a valid account')

test/integration/targets/win_rds_rap/aliases

@@ -0,0 +1 @@
+shippable/windows/group4

test/integration/targets/win_rds_rap/defaults/main.yml

@@ -0,0 +1 @@
+test_win_rds_rap_name: Ansible Test RAP

test/integration/targets/win_rds_rap/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+# Cannot use win_feature to install RDS on Server 2008.
+# Run a brief check and skip hosts that don't support
+# that operation
+- name: check if win_feature will work on test host
+  win_command: powershell.exe "exit (-not (Get-Command -Name Add-WindowsFeature -ErrorAction SilentlyContinue))"
+  register: module_available
+  failed_when: False
+
+# Run actual tests
+- block:
+  - name: ensure Remote Desktop Gateway services are installed
+    win_feature:
+      name: RDS-Gateway,RDS-Licensing,RDS-RD-Server
+      state: present
+      include_management_tools: True
+    register: rds_install
+
+  - name: reboot server if needed
+    win_reboot:
+      post_reboot_delay: 10
+    when: rds_install.reboot_required
+
+  - include_tasks: tests.yml
+
+  always:
+    - name: delete all RAPs
+      win_shell: Import-Module RemoteDesktopServices; Remove-Item -Path RDS:\GatewayServer\RAP\* -Recurse
+
+  when: module_available.rc == 0

test/integration/targets/win_rds_rap/tasks/tests.yml

@@ -0,0 +1,254 @@
+---
+- name: test create a new RAP (check mode)
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_rap_check
+  check_mode: yes
+
+- name: get result of create a new RAP (check mode)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: new_rap_actual_check
+
+- name: assert results of create a new RAP (check mode)
+  assert:
+    that:
+    - new_rap_check.changed == true
+    - new_rap_actual_check.stdout_lines[0] == "False"
+
+- name: test create a new RAP
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_rap
+
+- name: get result of create a new RAP
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: new_rap_actual
+
+- name: assert results of create a new RAP
+  assert:
+    that:
+    - new_rap.changed == true
+    - new_rap_actual.stdout_lines[0] == "True"
+
+- name: test create a new RAP (idempotent)
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+      - users@builtin
+    state: present
+  register: new_rap_again
+
+- name: get result of create a new RAP (idempotent)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: new_rap_actual_again
+
+- name: assert results of create a new RAP (idempotent)
+  assert:
+    that:
+    - new_rap_again.changed == false
+    - new_rap_actual_again.stdout_lines[0] == "True"
+
+- name: test edit a RAP
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    description: 'Description of {{ test_win_rds_rap_name }}'
+    user_groups:
+      # Test with different group name formats
+      - users@builtin
+      - .\guests
+    computer_group_type: ad_network_resource_group
+    computer_group: administrators
+    allowed_ports:
+      - 3389
+      - 3390
+      - 3391
+    state: disabled
+  register: edit_rap
+
+- name: get result of edit a RAP
+  win_shell: |
+    Import-Module RemoteDesktopServices;
+    $rap_path = "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}"
+    $rap = @{}
+    Get-ChildItem -Path "$rap_path" | foreach { $rap.Add($_.Name,$_.CurrentValue) }
+    $rap.UserGroups = @(Get-ChildItem -Path "$rap_path\UserGroups" | Select -ExpandProperty Name)
+    $rap | ConvertTo-Json
+  register: edit_rap_actual_json
+
+- name: parse result of edit a RAP.
+  set_fact:
+    edit_rap_actual: '{{ edit_rap_actual_json.stdout | from_json }}'
+
+- name: assert results of edit a RAP
+  assert:
+    that:
+    - edit_rap.changed == true
+    - edit_rap_actual.Status == "0"
+    - edit_rap_actual.Description == "Description of {{ test_win_rds_rap_name }}"
+    - edit_rap_actual.PortNumbers == "3389,3390,3391"
+    - edit_rap_actual.UserGroups | length == 2
+    - edit_rap_actual.UserGroups[0] == "Users@BUILTIN"
+    - edit_rap_actual.UserGroups[1] == "Guests@BUILTIN"
+    - edit_rap_actual.ComputerGroupType == "1"
+    - edit_rap_actual.ComputerGroup == "Administrators@BUILTIN"
+
+- name: test edit a RAP (indempotent)
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    description: 'Description of {{ test_win_rds_rap_name }}'
+    user_groups:
+      - users@builtin
+      - guests@builtin
+    computer_group_type: ad_network_resource_group
+    computer_group: Administrators@BUILTIN
+    allowed_ports:
+      - 3389
+      - 3390
+      - 3391
+    state: disabled
+  register: edit_rap_again
+
+- name: assert results of edit a RAP (indempotent)
+  assert:
+    that:
+    - edit_rap_again.changed == false
+
+- name: test allow all ports
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    allowed_ports: any
+  register: edit_rap_allow_all_ports
+
+- name: get result of allow all ports
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Get-Item "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}\PortNumbers").CurrentValue
+  register: edit_rap_allow_all_ports_actual
+
+- name: assert results of allow all ports
+  assert:
+    that:
+    - edit_rap_allow_all_ports.changed == true
+    - edit_rap_allow_all_ports_actual.stdout_lines[0] == "*"
+
+- name: test remove RAP (check mode)
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    state: absent
+  register: remove_rap_check
+  check_mode: yes
+
+- name: get result of remove RAP (check mode)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: remove_rap_actual_check
+
+- name: assert results of remove RAP (check mode)
+  assert:
+    that:
+    - remove_rap_check.changed == true
+    - remove_rap_actual_check.stdout_lines[0] == "True"
+
+- name: test remove RAP
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    state: absent
+  register: remove_rap
+
+- name: get result of remove RAP
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: remove_rap_actual
+
+- name: assert results of remove RAP
+  assert:
+    that:
+    - remove_rap.changed == true
+    - remove_rap_actual.stdout_lines[0] == "False"
+
+- name: test remove RAP (idempotent)
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    state: absent
+  register: remove_rap_again
+
+- name: get result of remove RAP (idempotent)
+  win_shell: Import-Module RemoteDesktopServices; Write-Host (Test-Path "RDS:\GatewayServer\RAP\{{ test_win_rds_rap_name }}")
+  register: remove_rap_actual_again
+
+- name: assert results of remove RAP (idempotent)
+  assert:
+    that:
+    - remove_rap_again.changed == false
+    - remove_rap_actual_again.stdout_lines[0] == "False"
+
+- name: fail when create a new RAP without user group
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    state: present
+  register: new_rap_without_group
+  check_mode: yes
+  failed_when: "new_rap_without_group.msg != 'User groups must be defined to create a new RAP.'"
+
+- name: fail when create a new RAP with an empty user group list
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups: []
+    state: present
+  register: new_rap_empty_group_list
+  check_mode: yes
+  failed_when: "new_rap_empty_group_list.msg is not search('cannot be an empty list')"
+
+- name: fail when create a new RAP with an invalid user group
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - fake_group
+    state: present
+  register: new_rap_invalid_group
+  check_mode: yes
+  failed_when: new_rap_invalid_group.changed != false or new_rap_invalid_group.msg is not search('is not a valid account')
+
+- name: fail when create a new RAP with an invalid AD computer group
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+    computer_group_type: ad_network_resource_group
+    computer_group: fake_ad_group
+    state: present
+  register: new_rap_invalid_ad_computer_group
+  check_mode: yes
+  failed_when: new_rap_invalid_ad_computer_group.changed != false or new_rap_invalid_ad_computer_group.msg is not search('is not a valid account')
+
+- name: fail when create a new RAP with an invalid gateway managed computer group
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+    computer_group_type: rdg_group
+    computer_group: fake_rdg_group
+    state: present
+  register: new_rap_invalid_rdg_computer_group
+  check_mode: yes
+  failed_when: new_rap_invalid_rdg_computer_group.changed != false or new_rap_invalid_rdg_computer_group.msg is not search('is not a valid gateway managed computer group')
+
+- name: fail when create a new RAP with invalid port numbers
+  win_rds_rap:
+    name: '{{ test_win_rds_rap_name }}'
+    user_groups:
+      - administrators
+    allowed_ports:
+      - '{{ item }}'
+    state: present
+  loop:
+    - invalid_port_number
+    - 65536
+  register: new_rap_invalid_port
+  check_mode: yes
+  failed_when: new_rap_invalid_port.changed != false or new_rap_invalid_port.msg is not search('is not a valid port number')

test/integration/targets/win_rds_settings/aliases

@@ -0,0 +1 @@
+shippable/windows/group4

test/integration/targets/win_rds_settings/defaults/main.yml

@@ -0,0 +1,2 @@
+test_win_rds_settings_path: '{{win_output_dir}}\win_rds_settings'
+rds_cert_suject: rdg.test.com

test/integration/targets/win_rds_settings/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+# Cannot use win_feature to install RDS on Server 2008.
+# Run a brief check and skip hosts that don't support
+# that operation
+- name: check if win_feature will work on test host
+  win_command: powershell.exe "exit (-not (Get-Command -Name Add-WindowsFeature -ErrorAction SilentlyContinue))"
+  register: module_available
+  failed_when: False
+
+# Run actual tests
+- block:
+  - name: gather facts
+    setup:
+      filter: ansible_hostname
+
+  - name: ensure Remote Desktop Gateway services are installed
+    win_feature:
+      name: RDS-Gateway,RDS-Licensing,RDS-RD-Server
+      state: present
+      include_management_tools: True
+    register: rds_install
+
+  - name: reboot server if needed
+    win_reboot:
+      post_reboot_delay: 10
+    when: rds_install.reboot_required
+
+  - name: ensure testing folders exists
+    win_file:
+      path: '{{test_win_rds_settings_path}}'
+      state: directory
+
+  - name: deploy test artifacts
+    win_template:
+      src: '{{item}}.j2'
+      dest: '{{test_win_rds_settings_path}}\{{item | basename}}'
+    with_items:
+    - rds_base_cfg.xml
+
+  - name: import RDS test configuration
+    win_shell: |
+      $ts = Get-WmiObject Win32_TSGatewayServer -namespace root\cimv2\TerminalServices
+      $import_xml = Get-Content {{test_win_rds_settings_path}}\rds_base_cfg.xml
+      $import_result = $ts.Import(45, $import_xml)
+      exit $import_result.ReturnValue
+
+  - name: write certreq file
+    win_copy:
+      content: |-
+        [NewRequest]
+        Subject = "CN={{ rds_cert_suject }}"
+        KeyLength = 2048
+        KeyAlgorithm = RSA
+        MachineKeySet = true
+        RequestType = Cert
+        KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
+        [EnhancedKeyUsageExtension]
+        OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
+      dest: '{{test_win_rds_settings_path}}\certreq.txt'
+
+  - name: create self signed cert from certreq
+    win_command: certreq -new -machine {{test_win_rds_settings_path}}\certreq.txt {{test_win_rds_settings_path}}\certreqresp.txt
+
+  - name: register certificate thumbprint
+    raw: '(gci Cert:\LocalMachine\my | ? {$_.subject -eq "CN={{ rds_cert_suject }}"})[0].Thumbprint'
+    register: rds_cert_thumbprint
+
+  - include_tasks: tests.yml
+
+  always:
+    - name: restore RDS base configuration
+      win_shell: |
+        $ts = Get-WmiObject Win32_TSGatewayServer -namespace root\cimv2\TerminalServices
+        $import_xml = Get-Content {{test_win_rds_settings_path}}\rds_base_cfg.xml
+        $import_result = $ts.Import(45, $import_xml)
+        exit $import_result.ReturnValue
+
+    - name: remove certificate
+      raw: 'remove-item cert:\localmachine\my\{{ item }} -force -ea silentlycontinue'
+      with_items:
+        - "{{ rds_cert_thumbprint.stdout_lines[0] }}"
+
+    - name: cleanup test artifacts
+      win_file:
+        path: '{{test_win_rds_settings_path}}'
+        state: absent
+
+  when: module_available.rc == 0

test/integration/targets/win_rds_settings/tasks/tests.yml

@@ -0,0 +1,89 @@
+---
+- name: test change RDS settings (check mode)
+  win_rds_settings:
+    max_connections: 50
+    certificate_hash: '{{rds_cert_thumbprint.stdout_lines[0]}}'
+    ssl_bridging: https_https
+    enable_only_messaging_capable_clients: yes
+  register: configure_rds_check
+  check_mode: yes
+
+- name: get result of change RDS settings (check mode)
+  win_shell: |
+    Import-Module RemoteDesktopServices
+    (Get-Item RDS:\GatewayServer\MaxConnections).CurrentValue
+    (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
+    (Get-Item RDS:\GatewayServer\SSLBridging).CurrentValue
+    (Get-Item RDS:\GatewayServer\EnableOnlyMessagingCapableClients).CurrentValue
+  register: configure_rds_actual_check
+
+- name: assert results of change RDS settings (check mode)
+  assert:
+    that:
+    - configure_rds_check.changed == true
+    - configure_rds_actual_check.stdout_lines[0] != "50"
+    - configure_rds_actual_check.stdout_lines[1] != rds_cert_thumbprint.stdout_lines[0]
+    - configure_rds_actual_check.stdout_lines[2] == "0"
+    - configure_rds_actual_check.stdout_lines[3] == "0"
+
+- name: test change RDS settings
+  win_rds_settings:
+    max_connections: 50
+    certificate_hash: '{{rds_cert_thumbprint.stdout_lines[0]}}'
+    ssl_bridging: https_https
+    enable_only_messaging_capable_clients: yes
+  register: configure_rds
+
+- name: get result of change RDS settings
+  win_shell: |
+    Import-Module RemoteDesktopServices
+    (Get-Item RDS:\GatewayServer\MaxConnections).CurrentValue
+    (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
+    (Get-Item RDS:\GatewayServer\SSLBridging).CurrentValue
+    (Get-Item RDS:\GatewayServer\EnableOnlyMessagingCapableClients).CurrentValue
+  register: configure_rds_actual
+
+- name: assert results of change RDS settings
+  assert:
+    that:
+    - configure_rds.changed == true
+    - configure_rds_actual.stdout_lines[0] == "50"
+    - configure_rds_actual.stdout_lines[1] == rds_cert_thumbprint.stdout_lines[0]
+    - configure_rds_actual.stdout_lines[2] == "2"
+    - configure_rds_actual.stdout_lines[3] == "1"
+
+- name: test change RDS settings (idempotent)
+  win_rds_settings:
+    max_connections: 50
+    certificate_hash: '{{rds_cert_thumbprint.stdout_lines[0]}}'
+    ssl_bridging: https_https
+    enable_only_messaging_capable_clients: yes
+  register: configure_rds_again
+
+- name: assert results of change RDS settings (idempotent)
+  assert:
+    that:
+    - configure_rds_again.changed == false
+
+- name: test disable connection limit
+  win_rds_settings:
+    max_connections: -1
+  register: disable_limit
+
+- name: get result of disable connection limit
+  win_shell: |
+    Import-Module RemoteDesktopServices
+    (Get-Item RDS:\GatewayServer\MaxConnections).CurrentValue -eq (Get-Item RDS:\GatewayServer\MaxConnectionsAllowed).CurrentValue
+  register: disable_limit_actual
+
+- name: assert results of disable connection limit
+  assert:
+    that:
+    - disable_limit.changed == true
+    - disable_limit_actual.stdout_lines[0] == "True"
+
+- name: fail with invalid certificate thumbprint
+  win_rds_settings:
+    certificate_hash: 72E8BD0216FA14100192A3E8B7B150C65B4B0817
+  register: fail_invalid_cert
+  failed_when: fail_invalid_cert.msg is not search('Unable to locate certificate')

test/integration/targets/win_rds_settings/templates/rds_base_cfg.xml.j2

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-16"?>
+<?TSGateway version="1.0"?>
+<TsgServer>
+    <ServerName>{{ ansible_hostname }}</ServerName>
+    <ServerSettings>
+        <MaxConnections>4294967295</MaxConnections>
+        <UnlimitedConnections>1</UnlimitedConnections>
+        <CentralCapEnabled>0</CentralCapEnabled>
+        <RequestSOH>0</RequestSOH>
+        <OnlyConsentCapableClients>0</OnlyConsentCapableClients>
+        <LogEvents>
+            <LogEvent>
+                <Name>LogChannelDisconnect</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogFailureChannelConnect</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogFailureConnectionAuthorizationCheck</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogFailureResourceAuthorizationCheck</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogSuccessfulChannelConnect</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogSuccessfulConnectionAuthorizationCheck</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+            <LogEvent>
+                <Name>LogSuccessfulResourceAuthorizationCheck</Name>
+                <Enabled>1</Enabled>
+            </LogEvent>
+        </LogEvents>
+        <AuthenticationPlugin>native</AuthenticationPlugin>
+        <AuthorizationPlugin>native</AuthorizationPlugin>
+        <ConsentMessageText/>
+        <AdminMessageText/>
+        <AdminMsgStartDate/>
+        <AdminMsgEndDate/>
+        <SslBridging>0</SslBridging>
+        <HttpIPAddress>*</HttpIPAddress>
+        <UdpIPAddress>*</UdpIPAddress>
+        <HttpPort>443</HttpPort>
+        <UdpPort>3391</UdpPort>
+        <IsUdpEnabled>1</IsUdpEnabled>
+        <EnforceChannelBinding>1</EnforceChannelBinding>
+    </ServerSettings>
+    <Caps/>
+    <Raps/>
+    <ResourceGroups/>
+</TsgServer>