deploy ec2 instance and join to aws managed Domain

[Tony Wong]

I created a AWS managed domain. I used packer to and created custom AMi on aws.

how do i use terraform to created the instance and join it to the domain?

[david...@mycit.ie]

Use the "User_Data" Within Terraform: 

This will host your PowerShell Script to Join your Machine to the Domain

https://www.terraform.io/docs/providers/aws/r/instance.html 

 

[Tony Wong]

=I am not getting dns settings set with this. I was able to rename the computer and password

variable "admin_password" {}
variable "ami" {}
variable "aws_instance_type" {}
variable "key_name" {}
variable "user_data_path" {}
provider "aws" {
  region = "us-west-1"
}

data "template_file" "init" {
  template = <<EOF
    <powershell>
     $admin = [ADSI]("WinNT://./administrator, user")
     $admin.SetPassword("${var.admin_password}")
     Set-DNSClientServerAddress –interfaceIndex 12 –ServerAddresses (“172.31.2.31”,”172.31.22.29”)
     $NewComputerName = "win2016-test"
     Rename-Computer -NewName $NewComputerName
     Start-Sleep -Seconds 5
     Restart-Computer -Force
    </powershell>
EOF
    vars = {
      admin_password = "${var.admin_password}"
    }
}

resource "aws_instance" "ec2" {
  ami           = var.ami
  instance_type = var.aws_instance_type
  key_name      = var.key_name
  user_data     = data.template_file.init.rendered

  connection {
    host     = coalesce(self.public_ip, self.private_ip)
    type     = "winrm"
    user     = "Administrator"
    password = var.admin_password
  }

  tags = {
    Srv = "windows"
  }
}

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/52a55097-94cd-4106-92d4-cd914db78d1bn%40googlegroups.com.

[Tony Wong]

any idea how to join my ec2 instance to my aws managed domain? I looks at using SSM document but cant figure out how.

I already got the AWS AD domain setup and giving 2 DNS IPs. 

I verified I was able to join the domain manually on the ec2 instance

[david...@mycit.ie]

Looking at The following  https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html 

Also Stack Overflow:  https://stackoverflow.com/questions/59989650/join-ec2-instance-to-ad-domain-via-terraform  

 

[Tony Wong]

I got ec2 and aws AD domain provisioned. Trying to use the SSM document to join the domain but unable to do so. no errors from output

the EC2 instance still is in workgroup

ssm.tf is here

resource "aws_ssm_document" "join_domain_doc" {
   name  = "join_domain_doc"
   document_type = "Command"

   content = <<DOC
{
        "schemaVersion": "1.0",
        "description": "Join an instance to a domain",
        "runtimeConfig": {
           "aws:domainJoin": {
               "properties": {
                    "directoryId": "${aws_directory_service_directory.AD.id}",
                    "directoryName": "${var.dir_domain_name}",
                    "directoryOU": "${var.dir_computer_ou}",
                    "dnsIpAddresses": ["172.31.2.172", "172.31.31.146"]
               }
           }
        }
}
DOC

   depends_on = ["aws_directory_service_directory.AD"]
}

resource "aws_ssm_association" "join_domain_doc" {
   name = "join_domain_doc"
   instance_id = "${aws_instance.ec2.id}"
   depends_on = ["aws_ssm_document.join_domain_doc", "aws_instance.ec2"]
}

any idea?

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/f2a7919c-b322-4f8e-9587-5cf27e59609dn%40googlegroups.com.

[Adam]

Is the SSM document deployed to AWS? If so, have you run it manually and checked the output (you can run them and send output to Cloudwatch). Once you get that, you can post the error here and someone may help. Without any errors, it's practically impossible to help you.

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CALmkhkoXDAS1hLaHCa7_AE9z4obP_BkBQzpLNvULaZUF95UqbQ%40mail.gmail.com.

[david...@mycit.ie]

Isn't the Topic "Error creating SSM document: InvalidDocumentContent" that you also Started the Same issue? 

[Tony Wong]

That has been resolved 

My instance is not joining domain

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/81ab99cd-41fe-44ee-8f8e-53d50a314b1en%40googlegroups.com.

[Tony Wong]

How do I send output to cloudwatch?

[david...@mycit.ie]

https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudwatch-agent.html 

[Adam]

If you scroll down, you'll see a "cloudwatch output" check box.

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/fbd10ab9-421d-4346-84aa-c09a769da301n%40googlegroups.com.

[Tony Wong]

do you see a problem with this? There is no error now but machine is not joining. 

I changed it to schemaversion 2

resource "aws_ssm_document" "join_domain" {
   name  = "join_domain"

   document_type = "Command"

   content = <<DOC
{

   "schemaVersion": "2.0",
   "description": "Run a PowerShell script to securely domain-join a Windows instance",
   "mainSteps": [{
      "action": "aws:runPowerShellScript",
      "name": "runPowerShellWithSecureString",
      "inputs": {
         "runCommand": [
            "$ipdns = (Get-SSMParameterValue -Name /domain/dns_ip).Parameters[0].Value\n",
            "$domain = (Get-SSMParameterValue -Name /domain/name).Parameters[0].Value\n",
            "$ouPath = (Get-SSMParameterValue -Name /domain/ou_path).Parameters[0].Value\n",
            "$username = (Get-SSMParameterValue -Name /domain/username).Parameters[0].Value\n",
            "$domain_username = \"$domain\\$username\"\n",
            "echo $domain_username\n",
            "$password = (Get-SSMParameterValue -Name /domain/password -WithDecryption $True).Parameters[0].Value | ConvertTo-SecureString -asPlainText -Force\n",
            "$credential = New-Object System.Management.Automation.PSCredential($domain_username,$password)\n",
            "Set-DnsClientServerAddress \"Ethernet\" -ServerAddresses $ipdns\n",
            "Add-Computer -DomainName $domain -OUPath \"$ouPath\" -Credential $credential\n",
            "Restart-Computer -Force"
         ]
      }
   }]
}
DOC

   depends_on = ["aws_directory_service_directory.AD"]
}

resource "aws_ssm_association" "join_domain" {
   name = "join_domain"
   targets {
    key    = "InstanceIds"
    values = ["${aws_instance.ec2.id}"]
  }
}

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAJQCwJxTKo0QJfONDgnn%2BefJdh2Aouo_9yCx6yZ76DfirrzkeQ%40mail.gmail.com.

[Fernando 🐼]

you can probably get better and quicker support by either contacting aws support or terraform discuss group

https://discuss.hashicorp.com/c/terraform-core/27

-- 

Fernando 

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CALmkhkpOY3xktAqJcvFw9Udb1CrnqT7wXSwnSwibmZmwgmhO%2Bw%40mail.gmail.com.

[Adam]

Could you post the output of the SSM document running?

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAM7yfUBsW%3Do48fWsSpyOsDfLqKdczmHaFDp%2Btv6fwbeTi_6EQw%40mail.gmail.com.

[Tony Wong]

do you mean my output from terraform?

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CAJQCwJyb%3DdNN41iC_FdoAfbNUr3bR6ECKbq8C5z1ZQ9NuAui-w%40mail.gmail.com.

[Adam]

No. The output from the ssm document running via cloudwatch. 

To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/CALmkhkpGpaLLAPHukL4Xp9riamF2uibSuuMMUzgJMsc1Xg7EWQ%40mail.gmail.com.