This document lists the steps to attach the domain join SSM document to the EKS Windows worker nodes.
##### ACTION REQUIRED - START #####
$eksWindowsStack = "xxxxx" # Name of the Cloudformation stack that created EKS Windows worker nodes.
##### ACTION REQUIRED - END #####
# Retrieve the EKS Windows Worker nodeinstancerole.
$nodeInstanceRole = aws cloudformation describe-stack-resources --stack-name $eksWindowsStack --query "StackResources[?ResourceType=='AWS::IAM::Role'].PhysicalResourceId" --output text
# Retrieve the EKS Windows Autoscaling group name.
$autoScalingGroup = aws cloudformation describe-stack-resources --stack-name $eksWindowsStack --query "StackResources[?ResourceType=='AWS::AutoScaling::AutoScalingGroup'].PhysicalResourceId" --output text
# Attach the customer master key (CMK) IAM policy to the EKS Windows nodeinstancerole.
# $CMKPolicyArn must already hold the ARN of that policy.
aws iam attach-role-policy --role-name $nodeInstanceRole --policy-arn $CMKPolicyArn
# Attach the SSM policy to the node instance role so the EC2 instances can be managed by Systems Manager.
# (AWS now recommends the AmazonSSMManagedInstanceCore managed policy instead of AmazonEC2RoleforSSM.)
aws iam attach-role-policy --role-name $nodeInstanceRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
# Create SSM association between autoscaling group and SSM Document
aws ssm create-association --name $domainjoinSSMdoc --document-version 1 --targets "Key=tag:aws:autoscaling:groupName,Values=$autoScalingGroup"
# Validate that the association was created.
# The following command shows the status of the association. If it is unsuccessful, you can
# check the error message under 'Command history' in 'Run Command' in the
# AWS Systems Manager console. The output of the command can be viewed by clicking on the instance id.
aws ssm list-associations --association-filter-list "key=Name,value=$domainjoinSSMdoc"
If the AD security group already exists before the domain join, the worker instance is added to that security group during the domain join. Otherwise, you need to execute the AD group creation document below to create the group and join AD. AD security group creation must not be executed concurrently: concurrent execution results in duplicate AD group creation, so this document has to be run one instance at a time and shouldn't be attached to the autoscaling group.
# List the instance ids of the EKS Windows worker nodes in the autoscaling group.
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $autoScalingGroup --query "AutoScalingGroups[*].Instances[*].InstanceId" --output text
##### ACTION REQUIRED - START #####
# Replace XXXXX with each of the instance ids listed above, one at a time.
# Send the following commands for one instance and wait for it to finish before moving to the next.
$commandId = aws ssm send-command --document-name $adGroupCreateSSMdoc --targets "Key=InstanceIds,Values=XXXXX" --parameters "ADSecurityGroup=$gMSAADSecurityGroup" --query "Command.CommandId" --output text
aws ssm list-command-invocations --command-id $commandId
##### ACTION REQUIRED - END #####
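The serialised run described above, as an added PowerShell example that is not part of the original runbook: it enumerates the nodes in the autoscaling group and sends the AD group creation document to each one in turn, waiting for the previous invocation to reach a terminal state before starting the next, so two nodes never create the group concurrently. It assumes `$autoScalingGroup`, `$adGroupCreateSSMdoc` and `$gMSAADSecurityGroup` are already set as in the steps above.

```powershell
# Added example: run $adGroupCreateSSMdoc against each worker node strictly one at a time.
# Assumes $autoScalingGroup, $adGroupCreateSSMdoc and $gMSAADSecurityGroup are already set.
$instanceIds = (aws autoscaling describe-auto-scaling-groups `
    --auto-scaling-group-names $autoScalingGroup `
    --query "AutoScalingGroups[*].Instances[*].InstanceId" --output text) -split '\s+' |
    Where-Object { $_ }

# Statuses after which an invocation will not change any more.
$terminalStates = @('Success', 'Failed', 'TimedOut', 'Cancelled')

foreach ($instanceId in $instanceIds) {
    Write-Host "Sending $adGroupCreateSSMdoc to $instanceId"
    $commandId = aws ssm send-command --document-name $adGroupCreateSSMdoc `
        --targets "Key=InstanceIds,Values=$instanceId" `
        --parameters "ADSecurityGroup=$gMSAADSecurityGroup" `
        --query "Command.CommandId" --output text
    if ($LASTEXITCODE -ne 0) { throw "send-command failed for $instanceId" }

    # Poll until the invocation is terminal. Immediately after send-command the
    # invocation may not exist yet, so a CLI error (empty status) just means "not ready".
    do {
        Start-Sleep -Seconds 10
        $status = aws ssm get-command-invocation --command-id $commandId `
            --instance-id $instanceId --query "Status" --output text 2>$null
        Write-Host "  $instanceId : $status"
    } until ($terminalStates -contains $status)

    if ($status -ne 'Success') {
        # Stop here rather than continue: the failing node's output is visible under
        # Systems Manager > Run Command > Command history, as described above.
        throw "$adGroupCreateSSMdoc did not succeed on $instanceId (status: $status)"
    }
}
```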