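# AWS Managed Microsoft AD deployed into an existing VPC (two subnets, optional VPC DHCP
# option set pointing at the directory DNS).
# Security notes for reviewers:
#   - The directory administrator password is read from AWS Secrets Manager through a
#     CloudFormation dynamic reference on the MicrosoftAD resource; the only related stack
#     parameter is the secret *name*, so the password itself is never a stack parameter.
#   - The subnet parameters are labelled "private" but nothing in the template can verify
#     that (no route-table check) — confirm before deploying. The Rules section does verify
#     they belong to the supplied VPC.
# The format version is quoted so generic YAML 1.1 parsers do not coerce it into a date.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates a managed Microsoft AD Directory Service within an AWS managed VPC
  along with Elastic Network Interfaces (ENIs) in private subnets within separate
  Availability Zones (AZs) inside the specified VPC. The default Domain Administrator user is 'admin'.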
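Metadata:
  # Console-only presentation hints; the grouping mirrors the Parameters section and
  # has no effect on what is deployed.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Network Configuration
        Parameters:
          - pVpcId
          - pPrivateSubnet1Id
          - pPrivateSubnet2Id
          # Declared in Parameters; listed here so the option is visible in the console
          # next to the VPC inputs it modifies.
          - pCreateVpcDhcpOptions
      - Label:
          default: Microsoft Active Directory Configuration
        Parameters:
          - pDomainDnsName
          - pDomainNetBiosName
          - pDomainAdminPasswordSecretName
          - pAdEdition
    ParameterLabels:
      pDomainAdminPasswordSecretName:
        default: Name of secret in AWS Secrets Manager for domain admin password
      pDomainDnsName:
        default: Domain DNS Name
      pDomainNetBiosName:
        default: Domain NetBIOS Name
      pAdEdition:
        default: AWS Microsoft AD edition
      pPrivateSubnet1Id:
        default: Private Subnet 1 ID
      pPrivateSubnet2Id:
        default: Private Subnet 2 ID
      pVpcId:
        default: VPC ID
      pCreateVpcDhcpOptions:
        default: Create VPC DHCP options pointing at the directory DNS servers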
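Parameters:
  pDomainAdminPasswordSecretName:
    Description: Name of secret in AWS Secrets Manager for the domain admin user. The password must be stored in a key named `password`.
    Type: String
    # Required, with no default: an empty name would produce an unresolvable
    # '{{resolve:secretsmanager:...}}' reference on the directory resource, so reject it
    # at parameter validation instead of failing later during resource creation.
    # No AllowedPattern is imposed so that callers may pass a full secret ARN as well.
    MinLength: '1'
    ConstraintDescription: must be a non-empty Secrets Manager secret name
  pDomainDnsName:
    Description: >-
      Fully qualified domain name (FQDN) of the forest root domain e.g.
      example.com
    Type: String
    Default: example.com
    MinLength: '2'
    MaxLength: '255'
    # Loose check: one label, a dot, then anything. It only rules out single-label names.
    AllowedPattern: '[a-zA-Z0-9\-]+\..+'
  pDomainNetBiosName:
    Description: >-
      NetBIOS name of the domain (upto 15 characters) for users of earlier
      versions of Windows e.g. EXAMPLE
    Type: String
    Default: EXAMPLE
    MinLength: '1'
    MaxLength: '15'
    AllowedPattern: '[a-zA-Z0-9\-]+'
  pAdEdition:
    AllowedValues:
      - Standard
      - Enterprise
    Default: Standard
    Description: >-
      The AWS Microsoft AD edition. Valid values include Standard and
      Enterprise.
    Type: String
  pPrivateSubnet1Id:
    Description: 'ID of the private subnet 1 in Availability Zone 1'
    Type: AWS::EC2::Subnet::Id
  pPrivateSubnet2Id:
    Description: 'ID of the private subnet 2 in Availability Zone 2'
    Type: AWS::EC2::Subnet::Id
  pVpcId:
    Description: 'ID of the VPC'
    Type: AWS::EC2::VPC::Id
  pCreateVpcDhcpOptions:
    Description: Create VPC DHCP Options (true | false)
    Type: String
    # Quoted on purpose: this is a String parameter that the Conditions section compares
    # against the literal text 'true'. Unquoted true/false would be YAML booleans and
    # depend on the parser coercing them back to strings.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'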
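Rules:
  # Evaluated before any resource is created: the VpcId of every value supplied for an
  # AWS::EC2::Subnet::Id parameter must equal the value supplied for the AWS::EC2::VPC::Id
  # parameter. It does not (and cannot) check that the two subnets are in different
  # Availability Zones, which the Description expects; that is left for the service to
  # reject at directory creation.
  SubnetsInVPC:
    Assertions:
      - Assert:
          'Fn::EachMemberIn':
            - 'Fn::ValueOfAll':
                - 'AWS::EC2::Subnet::Id'
                - VpcId
            - 'Fn::RefAll': 'AWS::EC2::VPC::Id'
        # User-facing message shown when the rule fails.
        AssertDescription: All subnets must be in the VPC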
Conditions:
  # True only when the caller opted in with the literal string 'true'; gates the
  # DHCP option set and its VPC association below.
  cCreateVpcDhcpOptions:
    Fn::Equals:
      - Ref: pCreateVpcDhcpOptions
      - 'true'
Resources:
  # Optional: a VPC-wide DHCP option set whose DNS servers are the directory's own
  # resolvers. NOTE(review): associating this replaces the VPC's existing DHCP options
  # for every instance in the VPC, not just domain-joined hosts, and presumably
  # displaces the Amazon-provided resolver — confirm the directory DNS forwards
  # non-domain queries (including AWS service endpoints) before enabling.
  rDhcpOptions:
    Type: AWS::EC2::DHCPOptions
    Condition: cCreateVpcDhcpOptions
    Properties:
      DomainName:
        Ref: pDomainDnsName
      DomainNameServers:
        Fn::GetAtt:
          - rMicrosoftAd
          - DnsIpAddresses
      Tags:
        - Key: Domain
          Value:
            Ref: pDomainDnsName
  rVpcDhcpOptionsAssociation:
    Type: AWS::EC2::VPCDHCPOptionsAssociation
    Condition: cCreateVpcDhcpOptions
    Properties:
      VpcId:
        Ref: pVpcId
      DhcpOptionsId:
        Ref: rDhcpOptions
  # The directory itself. The admin password is resolved from Secrets Manager at deploy
  # time (key `password` inside the SecretString JSON) rather than passed as a stack
  # parameter. NOTE(review): Password looks like an update-requires-replacement property
  # for this resource type — verify against the current resource reference before rotating
  # the secret and re-running a stack update, since a re-resolved value could recreate
  # the directory.
  rMicrosoftAd:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      Name:
        Ref: pDomainDnsName
      Edition:
        Ref: pAdEdition
      ShortName:
        Ref: pDomainNetBiosName
      Password:
        Fn::Sub: '{{resolve:secretsmanager:${pDomainAdminPasswordSecretName}:SecretString:password}}'
      VpcSettings:
        SubnetIds:
          - Ref: pPrivateSubnet1Id
          - Ref: pPrivateSubnet2Id
        VpcId:
          Ref: pVpcId
Outputs:
  # DnsIpAddresses is a pair whose order is not guaranteed; "Server 1"/"Server 2" are
  # positional labels only.
  oAdServer1PrivateIp:
    Value:
      Fn::Select:
        - '0'
        - Fn::GetAtt:
            - rMicrosoftAd
            - DnsIpAddresses
    Description: >-
      AD Server 1 Private IP Address (this may vary based on Directory Service
      order of IP addresses)
  oAdServer2PrivateIp:
    Value:
      Fn::Select:
        - '1'
        - Fn::GetAtt:
            - rMicrosoftAd
            - DnsIpAddresses
    Description: >-
      AD Server 2 Private IP Address (this may vary based on Directory Service
      order of IP addresses)
  oDirectoryId:
    Value:
      Ref: rMicrosoftAd
    Description: Directory Services ID
  # Only the account name (NETBIOS\admin) is exposed; the password never leaves
  # Secrets Manager.
  oDomainAdmin:
    Value:
      Fn::Sub: '${pDomainNetBiosName}\admin'
    Description: Domain administrator account