Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Active Directory Federation Services

This blueprint does the following:

Terraform:

  • (Optional) Creates a project.
  • (Optional) Creates a VPC.
  • Sets up managed AD
  • Creates a server where AD FS will be installed. This machine will also act as admin workstation for AD.
  • Exposes AD FS using GLB.

Ansible:

  • Installs the required Windows features and joins the computer to the AD domain.
  • Provisions some tests users, groups and group memberships in AD. The data to provision is in the files directory of the ad-provisioning ansible role. There is script available in the scripts/ad-provisioning folder that you can use to generate an alternative users or memberships file.
  • Installs AD FS

In addition to this, we also include a Powershell script that facilitates the configuration required for Anthos when authenticating users with AD FS as IdP.

The diagram below depicts the architecture of the blueprint:

Architecture

Running the blueprint

Clone this repository or open it in cloud shell, then go through the following steps to create resources:

  • terraform init
  • terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org

Once the resources have been created, do the following:

  1. Create an A record to point the AD FS DNS domain name to the public IP address returned after the terraform configuration was applied.

  2. Run the ansible playbook

     ansible-playbook playbook.yaml
    

Testing the blueprint

  1. In your browser open the following URL:

     https://adfs.my-domain.org/adfs/ls/IdpInitiatedSignOn.aspx
    
  2. Enter the username and password of one of the users provisioned. The username has to be in the format: [email protected]

  3. Verify that you have successfully signed in.

Once done testing, you can clean up resources by running terraform destroy.

Variables

name description type required default
ad_dns_domain_name AD DNS domain name. string
adfs_dns_domain_name ADFS DNS domain name. string
prefix Prefix used for resource names. string
project_id Host project ID. string
ad_ip_cidr_block Managed AD IP CIDR block. string "10.0.0.0/24"
disk_size Disk size. number 50
disk_type Disk type. string "pd-ssd"
image Image. string "projects/windows-cloud/global/images/family/windows-2022"
instance_type Instance type. string "n1-standard-2"
network_config Network configuration. object({…}) null
project_create Parameters for the creation of the new project. object({…}) null
region Region. string "europe-west1"
subnet_ip_cidr_block Subnet IP CIDR block. string "10.0.1.0/28"
zone Zone. string "europe-west1-c"

Outputs

name description sensitive
ip_address IP address.

Test

module "test" {
  source = "./fabric/blueprints/cloud-operations/adfs"
  prefix = "test"
  project_create = {
    billing_account_id = "12345-12345-12345"
    parent             = "folders/123456789"
  }
  project_id           = "project-1"
  ad_dns_domain_name   = "example.com"
  adfs_dns_domain_name = "adfs.example.com"
}
# tftest modules=5 resources=20