Domain Join & User Data


Leo Tarafa

Feb 16, 2017, 3:24:26 PM
to Terraform
Hello all,

I am looking for a way to call the AWS AD connector in a terraform script to automatically join an instance to the domain. I can do it with no issues in the AWS GUI, but need to be able to script it. I'm also looking for a way to call in a powershell user_data script within my terraform script.

Here is what I have. The PowerShell section will grab the tag "Name" and rename the hostname to it, then reboot. It does not work within the TF script, but works on the GUI.


resource "aws_instance" "EUW1APXACNTP2" {
    ami                         = "ami-123456"
    availability_zone           = "eu-west-1a"
    ebs_optimized               = false
    instance_type               = "t2.xlarge"
    monitoring                  = true
    key_name                    = "key"
    subnet_id                   = "subnet-123456"
    vpc_security_group_ids      = ["sg-123456"]
    associate_public_ip_address = false
    private_ip                  = ""
    source_dest_check           = true
    iam_instance_profile        = "domain"

    # user_data is a string argument, so the PowerShell goes in a heredoc, not a { } block
    user_data = <<EOF
<powershell>
# Instance ID of this host, read from the EC2 metadata service
$var1 = (New-Object System.Net.WebClient).DownloadString("http://169.254.169.254/latest/meta-data/instance-id")
# Fetch this instance's "Name" tag (the instance profile needs ec2:DescribeInstances for this call)
$var2 = (Get-EC2Instance -InstanceId $var1).RunningInstance.Tags | Where-Object { $_.Key -eq "Name" }
$var3 = $var2.Value
# Rename the host to the tag value and reboot so the new name takes effect
Rename-Computer -NewName $var3 -Force -Restart
</powershell>
EOF

    root_block_device {
        volume_type           = "gp2"
        volume_size           = 100
        delete_on_termination = true
    }

    tags {
        "Environment" = "Production"
        "Description" = "Citrix Controller"
        "SnapshotSchedule" = "default"
        "Name" = "EUW1APXACNTP2"
        "Author" = "Me"
    }
}


Any thoughts would be very much appreciated!

Thanks!

Andrew Hodgson

Feb 17, 2017, 9:14:58 AM
to terrafo...@googlegroups.com
Hi,

I haven't tried this myself, as I have used my own scripts to join the servers to the domain, but you could look at this as a possible way of doing it:

- Create an SSM document (go here for the steps):
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

- Use the Terraform aws_ssm_association to associate the instance with the SSM configuration:
https://www.terraform.io/docs/providers/aws/r/ssm_association.html

I don't know if this will work since I haven't had huge exposure to SSM, but the way I understand it works is that it will contact the SSM server and identify the configuration it needs after booting.

In terms of the userdata, I have the same system as you renaming the system to the instance ID and rebooting. I do it like this:

resource "aws_instance" "openfire" {
    count                  = "${var.openfire_count}"
    ami                    = "${data.aws_ami.w2k12r2_base.image_id}"
    instance_type          = "${var.openfire_instance_type}"
    key_name               = "${aws_key_pair.management.key_name}"
    subnet_id              = "${element(aws_subnet.private.*.id, count.index)}"
    vpc_security_group_ids = ["${aws_security_group.openfire.id}"]
    iam_instance_profile   = "${var.base_instance_profile_id}"
    user_data              = "${data.template_file.user_data_openfire.rendered}"

    [tags go here]
}

data "template_file" "user_data_openfire" {
    template = "${file("${path.module}/templates/openfire_userdata.tpl")}"

    vars {
        "xmpp_domain" = "${var.openfire_xmpp_domain}"
        [remove a bunch of stuff]
    }
}

The tpl file contains this:
<powershell>
$instanceid = (New-Object System.Net.WebClient).DownloadString("http://169.254.169.254/latest/meta-data/instance-id")

[remove a bunch of stuff]

# Finally rename the computer to the instance ID and restart
Rename-Computer -NewName $instanceid -Force -Restart
</powershell>

Hope this helps,
Andrew.


Leo Tarafa

Feb 20, 2017, 9:23:19 PM
to Terraform
Thank you so much for your reply. I will give this a shot tomorrow. Thanks again!

Daniel Graves

Feb 22, 2017, 11:00:41 PM
to Terraform
I do the same thing as you're posting here, except I make sure that I'm referencing the "connection" block so that WinRM knows how to connect remotely and run the provisioner, so make sure you're using a local admin account.

Leo Tarafa

Feb 23, 2017, 12:03:10 PM
to Terraform
I've finally got this working just right. It's a bit messy, but it works every time.

resource "aws_instance" "BOOM" {
    ami                         = "ami-111111"
    availability_zone           = "eu-west-1c"
    ebs_optimized               = false
    instance_type               = "t2.xlarge"
    monitoring                  = true
    key_name                    = "key"
    subnet_id                   = "subnet-1111111"
    vpc_security_group_ids      = ["sg-1111111", "sg-1111111", "sg-1111111"]
    associate_public_ip_address = false
    private_ip                  = ""
    source_dest_check           = true
    iam_instance_profile    = "domainjoin"
    user_data      = "${file("userdata.txt")}"

    root_block_device {
        volume_type           = "gp2"
        volume_size           = 100
        delete_on_termination = true
    }

    tags {
        "Environment" = "Production"
        "Description" = "BBOM"
        "SnapshotSchedule" = "default"
        "Name" = "BOOM"
        "Author" = "Me"
    }
}

resource "aws_ssm_association" "BOOM" {
    # name is required: the SSM document to apply (the post does not show which document was used)
    name        = "<your-domain-join-SSM-document-name>"
    instance_id = "${aws_instance.BOOM.id}"
}


-------------------------------------------

Contents of userdata.txt file

<powershell>
# Instance ID of this host, read from the EC2 metadata service
$var1 = (New-Object System.Net.WebClient).DownloadString("http://169.254.169.254/latest/meta-data/instance-id")
# Fetch this instance's "Name" tag (the "domainjoin" instance profile needs ec2:DescribeInstances)
$var2 = (Get-EC2Instance -InstanceId $var1).RunningInstance.Tags | Where-Object { $_.Key -eq "Name" }
$var3 = $var2.Value
# Rename the host to the tag value and reboot so the new name takes effect
Rename-Computer -NewName $var3 -Force -Restart
</powershell>

-----------------------------------------------------


Nikolai Shornikov

Oct 9, 2017, 4:31:21 PM
to Terraform
Behind this door, in my recent experience, is still a mess of race conditions. Most of the time, this works, but even if you have your user data kill the SSM service (so that it doesn't kick in for a split second before the restart), EC2Config will bring it back, and it'll do just that. Maybe a long enough sleep in user data would do the trick.

The solution that ultimately worked for me "every time" was having an action in the SSM document perform the rename, without a restart. This way the rename is fully done before the domain join plugin picks up, and that plugin is restart-aware.
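The following is an added example, not code from any post in this thread, of the approach the last post describes and of the SSM association Leo's working config points at: a single SSM Command document that renames the host from its Name tag without rebooting, then joins the domain with the aws:domainJoin plugin, which handles the restart itself. It uses Terraform 0.11-era syntax to match the thread. The document name "RenameThenDomainJoin", the directory ID, domain name and DNS addresses are placeholders, and the instance reference aws_instance.BOOM is borrowed from Leo's post. The hostname parameter is constrained with allowedPattern and single-quoted inside the script so that a tag value cannot be used to inject extra PowerShell into the run command.

```hcl
# Added example (not from the thread). Assumes Terraform 0.11 syntax and
# placeholder directory values; see the lead-in above.

resource "aws_ssm_document" "rename_and_join" {
  name          = "RenameThenDomainJoin"   # assumed document name
  document_type = "Command"

  content = <<DOC
{
  "schemaVersion": "2.2",
  "description": "Rename the host to its Name tag (no reboot), then join the domain with the restart-aware domain join plugin.",
  "parameters": {
    "newName": {
      "type": "String",
      "description": "Desired Windows hostname (NetBIOS limit: 15 characters)",
      "allowedPattern": "^[A-Za-z0-9-]{1,15}$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "renameComputer",
      "inputs": {
        "runCommand": [
          "$target = '{{ newName }}'",
          "if ($env:COMPUTERNAME -ne $target) { Rename-Computer -NewName $target -Force }"
        ]
      }
    },
    {
      "action": "aws:domainJoin",
      "name": "joinDomain",
      "inputs": {
        "directoryId": "d-PLACEHOLDER",
        "directoryName": "corp.example.com",
        "dnsIpAddresses": ["10.0.0.10", "10.0.0.11"]
      }
    }
  ]
}
DOC
}

# Apply the document to the instance; the Name tag becomes the hostname parameter.
resource "aws_ssm_association" "rename_and_join" {
  name        = "${aws_ssm_document.rename_and_join.name}"
  instance_id = "${aws_instance.BOOM.id}"

  parameters = {
    newName = "${aws_instance.BOOM.tags["Name"]}"
  }
}
```

Because the rename and the join are steps of one document, nothing in user_data has to race the SSM agent: the pending rename takes effect at the reboot the domain join step performs, so the machine is not joined under its pre-rename hostname. The instance profile still needs the SSM agent permissions plus directory-service access (the AWS-managed AmazonSSMDirectoryServiceAccess policy covers the latter), and the allowedPattern above is what keeps a stray quote in a tag value from breaking out of the single-quoted assignment.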