Created July 5, 2020 04:17
Gist markilott/cf38d9af8309ee4777244e30b17dfa40
AWS Managed AD Demo
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Creates-
  - a Managed AD, with the domain name you specify
  - admin server joined to the domain
  - Secrets Manager secret with the AD Admin password
  Requires-
  - an existing VPC with at least 2 subnets
  - EC2 Key Pair in the current region
  - Windows Server 2016 AMI ID in the current region
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: AD Domain Details
        Parameters:
          - domainName
          - shortName
      -
        Label:
          default: Network Details
        Parameters:
          - adVpc
          - subnet1
          - subnet2
      -
        Label:
          default: Management Server Details
        Parameters:
          - keyPairName
          - amiId
          - instanceType
          - rdpCidr
    ParameterLabels:
      domainName:
        default: Domain name for the AD domain
      shortName:
        default: Short name for the AD domain
      adVpc:
        default: Select the VPC for the AD Servers
      subnet1:
        default: Select the first subnet
      subnet2:
        default: Select the second subnet
      keyPairName:
        default: Select a Key Pair
      amiId:
        default: Windows Server AMI ID
      instanceType:
        default: Instance type for the mgt server
      rdpCidr:
        default: CIDR range for access to the mgt server
Parameters:
  adVpc:
    Description: VPC for the Managed AD Servers
    Type: AWS::EC2::VPC::Id
  subnet1:
    Description: AD server subnet 1
    Type: AWS::EC2::Subnet::Id
  subnet2:
    Description: AD server subnet 2
    Type: AWS::EC2::Subnet::Id
  keyPairName:
    Description: >-
      Enter a Public/private key pair. If you do not have one in this region,
      please create it before continuing
    Type: 'AWS::EC2::KeyPair::KeyName'
  amiId:
    Description: Windows Server AMI ID in the current region
    Type: String
    Default: ami-08e79d0c6cf29d3f4
  instanceType:
    Description: EC2 Instance Type
    Type: String
    Default: t3a.medium
  rdpCidr:
    # The default opens RDP to the whole Internet; override it with your
    # own address range when creating the stack.
    Description: Enter a CIDR range
    Type: String
    Default: 0.0.0.0/0
  domainName:
    Description: FQDN for the AD Domain
    Type: String
    Default: mydomain.internal
  shortName:
    Description: Short name (WINS/SMB) name for the AD Domain
    Type: String
    Default: MYDOMAIN
Resources:
  # Managed AD ------------------------
  managedAd:
    Type: AWS::DirectoryService::MicrosoftAD
    Properties:
      CreateAlias: true
      Edition: Standard
      EnableSso: false
      Name: !Ref domainName
      # Dynamic reference: the password is read from Secrets Manager at
      # deploy time and never appears in the template or stack parameters.
      Password: !Join ['', ['{{resolve:secretsmanager:', !Ref adminSecret, ':SecretString:password}}']]
      ShortName: !Ref shortName
      VpcSettings:
        SubnetIds:
          - !Ref subnet1
          - !Ref subnet2
        VpcId: !Ref adVpc
  adminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: AD_Admin
      Description: Admin password for the Managed AD
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 14
        ExcludeCharacters: '"@/\'
  # AD Mgt Server ------------------------
  mgtServer:
    Type: AWS::EC2::Instance
    DependsOn: managedAd
    Properties:
      IamInstanceProfile: !Ref instanceProfile
      # The SSM association runs the domain-join document below at launch
      SsmAssociations:
        - DocumentName: !Ref ssmDocument
      KeyName: !Ref keyPairName
      ImageId: !Ref amiId
      SubnetId: !Ref subnet1
      SecurityGroupIds:
        - !GetAtt mgtServerSecurityGroup.GroupId
      InstanceType: !Ref instanceType
      UserData:
        Fn::Base64:
          Fn::Join:
            - ' '
            - - <powershell>
              - Add-WindowsFeature RSAT-AD-Tools
              - </powershell>
      Tags:
        -
          Key: Name
          Value: aws-managed-ad-mgt-server
  instanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ec2SsmRole
      InstanceProfileName: ec2SsmRole
  ec2SsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        # AmazonEC2RoleforSSM is the legacy SSM policy; AWS now recommends
        # the narrower AmazonSSMManagedInstanceCore for new roles.
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      RoleName: ec2SsmRole
  mgtServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enables RDP to AD Mgt Server
      VpcId: !Ref adVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref rdpCidr
  eip:
    Type: AWS::EC2::EIP
    Properties:
      # Domain must be the literal value vpc for an address used in a VPC
      Domain: vpc
      InstanceId: !Ref mgtServer
  # SSM for domain join ------------------------
  ssmDocument:
    Type: AWS::SSM::Document
    Properties:
      Content:
        schemaVersion: '1.2'
        description: Join instances to an AWS Directory Service domain.
        parameters:
          directoryId:
            type: String
            default: !Ref managedAd
            description: The ID of the AWS Directory Service directory
          directoryName:
            type: String
            default: !Ref domainName
            description: The name of the directory
          dnsIpAddresses:
            type: StringList
            default:
              - !Select ['0', !GetAtt managedAd.DnsIpAddresses]
              - !Select ['1', !GetAtt managedAd.DnsIpAddresses]
            description: The IP addresses of the DNS servers in the directory.
        runtimeConfig:
          aws:domainJoin:
            properties:
              directoryId: '{{ directoryId }}'
              directoryName: '{{ directoryName }}'
              dnsIpAddresses: '{{ dnsIpAddresses }}'
# Outputs ------------------------------------------------------------------
Outputs:
  directoryId:
    Description: ID of the Managed AD
    Value: !Ref managedAd
    Export:
      Name: !Sub ${AWS::StackName}-dirId
  primaryDns:
    Description: Primary DNS IP of the Managed AD
    Value: !Select ['0', !GetAtt managedAd.DnsIpAddresses]
  secondaryDns:
    Description: Secondary DNS IP of the Managed AD
    Value: !Select ['1', !GetAtt managedAd.DnsIpAddresses]
  dirAlias:
    Description: The Alias for the Managed AD
    Value: !GetAtt managedAd.Alias
    Export:
      Name: !Sub ${AWS::StackName}-dirAlias
  mgtServerIpAddr:
    Description: Public IP Address of the mgt server
    Value: !Ref eip
  adminUsername:
    Description: Admin user for the domain
    Value: !Sub '${shortName}\admin'
  adminPassword:
    Description: Check Secrets Manager for the Admin password
    Value: !Ref adminSecret
    Export:
      Name: !Sub ${AWS::StackName}-adminSecret
```
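A check a reviewer would run over this template before deploying it, as an added example that is not part of the gist: it resolves `!Ref rdpCidr` to the parameter's default and reports security-group rules that leave an admin port open to any address. It is stdlib-only Python run against a constructed JSON excerpt of the template; the function and constant names are the example's own.

```python
"""Added policy-as-code check (not part of the gist): flags security-group
ingress rules that admit any source on an admin port, resolving {"Ref": p}
to parameter p's Default so a default such as rdpCidr = 0.0.0.0/0 is caught."""
import json

ADMIN_PORTS = (22, 3389)
ANY_CIDR = {"0.0.0.0/0", "::/0"}

# Constructed excerpt of the demo template in CloudFormation JSON syntax
# (the shape a YAML loader with the !Ref/!GetAtt tags would also produce).
TEMPLATE_JSON = """
{
  "Parameters": {"rdpCidr": {"Type": "String", "Default": "0.0.0.0/0"}},
  "Resources": {
    "mgtServerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "CidrIp": {"Ref": "rdpCidr"}}]}
    }
  }
}
"""

def load_template(text=TEMPLATE_JSON):
    """Parse the template text into a dict (fresh copy on each call)."""
    return json.loads(text)

def resolve(value, params):
    """Return a literal as-is, or a {"Ref": name} as that parameter's Default."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value

def world_open_admin_ports(template):
    """Return (resource, port) pairs where an admin port admits any source."""
    params = template.get("Parameters", {})
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = resolve(rule.get("CidrIp", rule.get("CidrIpv6")), params)
            if cidr not in ANY_CIDR:
                continue
            # A rule without ports (IpProtocol -1) covers the full range
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            findings += [(name, p) for p in ADMIN_PORTS if lo <= p <= hi]
    return findings

if __name__ == "__main__":
    for res, port in world_open_admin_ports(load_template()):
        print(f"{res}: tcp/{port} open to any address; restrict the CIDR")
```

Overriding `rdpCidr` with an address range of your own at stack creation is what clears the finding; the check is written to read the same dict structure a real template loader produces, so it can be pointed at the full template once loaded.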