This blueprint does the following:

Terraform:

- (Optional) Creates a project.
- (Optional) Creates a VPC.
- Sets up managed AD.
- Creates a server where AD FS will be installed. This machine will also act as the admin workstation for AD.
- Exposes AD FS using a GLB.

Ansible:

- Installs the required Windows features and joins the computer to the AD domain.
- Provisions some test users, groups and group memberships in AD. The data to provision is in the `files` directory of the `ad-provisioning` Ansible role. There is a script available in the `scripts/ad-provisioning` folder that you can use to generate an alternative users or memberships file.
- Installs AD FS.

In addition to this, we also include a PowerShell script that facilitates the configuration required for Anthos when authenticating users with AD FS as the IdP.

The diagram below depicts the architecture of the blueprint:
Clone this repository or open it in Cloud Shell, then go through the following steps to create resources:

```bash
terraform init
terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org
```
Once the resources have been created, do the following:

- Create an A record to point the AD FS DNS domain name to the public IP address returned after the Terraform configuration was applied.
- Run the Ansible playbook:

  ```bash
  ansible-playbook playbook.yaml
  ```

- In your browser open the following URL:

  https://adfs.my-domain.org/adfs/ls/IdpInitiatedSignOn.aspx

- Enter the username and password of one of the users provisioned. The username has to be in the format: [email protected]
- Verify that you have successfully signed in.

Once done testing, you can clean up resources by running `terraform destroy`.
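The two manual steps above (creating the A record, then opening the sign-on URL) are easy to get subtly wrong: a stale record pointing at a previous deployment, or a certificate that does not validate for the host. The script below is an added example, not part of the blueprint, that checks both before you run the playbook: it reads the `ip_address` output from a saved `terraform output -json`, confirms the AD FS hostname resolves to exactly that address, and fetches the IdP-initiated sign-on page with full TLS verification. The file name `check_adfs.py`, the sample Terraform output and the `203.0.113.10` address are constructed for the example.

```python
"""Post-deployment check for the AD FS blueprint (added example, not project code).

Confirms that the A record for the AD FS host points at the load balancer address
Terraform created, and that the IdP-initiated sign-on page answers over HTTPS with
a certificate that validates for that hostname.
"""
import json
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import List

# Constructed sample of what `terraform output -json` prints for this blueprint;
# the real file is produced by `terraform output -json > tf-output.json`.
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    "ip_address": {"sensitive": False, "type": "string", "value": "203.0.113.10"}
})


def parse_ip_address(terraform_output_json: str) -> str:
    """Return the value of the blueprint's `ip_address` output."""
    outputs = json.loads(terraform_output_json)
    try:
        return outputs["ip_address"]["value"]
    except KeyError as exc:
        raise ValueError("terraform output has no 'ip_address' output") from exc


def resolve_a_records(hostname: str) -> List[str]:
    """Resolve the hostname to its IPv4 addresses with the system resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def dns_matches(expected_ip: str, resolved_ips: List[str]) -> bool:
    """The record is correct only if the name resolves to exactly the LB address."""
    return resolved_ips == [expected_ip]


def signon_url(adfs_dns_domain_name: str) -> str:
    """IdP-initiated sign-on page used in the README's manual test."""
    return f"https://{adfs_dns_domain_name}/adfs/ls/IdpInitiatedSignOn.aspx"


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL with chain and hostname verification; return the HTTP status."""
    context = ssl.create_default_context()  # default context verifies cert and hostname
    try:
        with urllib.request.urlopen(url, context=context, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # non-2xx answers are still an answer from a validated host


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} adfs_dns_domain_name terraform_output.json", file=sys.stderr)
        return 2
    adfs_host, output_path = argv[1], argv[2]
    with open(output_path, encoding="utf-8") as fh:
        expected_ip = parse_ip_address(fh.read())
    resolved = resolve_a_records(adfs_host)
    if not dns_matches(expected_ip, resolved):
        print(f"DNS mismatch: {adfs_host} -> {resolved}, expected [{expected_ip}]")
        return 1
    url = signon_url(adfs_host)
    try:
        status = fetch_status(url)
    except ssl.SSLCertVerificationError as exc:
        print(f"TLS verification failed for {url}: {exc}")
        return 1
    print(f"{url} returned HTTP {status}")
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform output -json > tf-output.json && python3 check_adfs.py adfs.my-domain.org tf-output.json`. A non-zero exit before the playbook runs tells you the record or the certificate still needs attention; the TLS check deliberately uses the default verifying context rather than disabling verification, so a self-signed or mismatched certificate on the AD FS server is reported instead of silently accepted.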
name | description | type | required | default |
---|---|---|---|---|
ad_dns_domain_name | AD DNS domain name. | string | ✓ | |
adfs_dns_domain_name | ADFS DNS domain name. | string | ✓ | |
prefix | Prefix used for resource names. | string | ✓ | |
project_id | Host project ID. | string | ✓ | |
ad_ip_cidr_block | Managed AD IP CIDR block. | string | | "10.0.0.0/24" |
disk_size | Disk size. | number | | 50 |
disk_type | Disk type. | string | | "pd-ssd" |
image | Image. | string | | "projects/windows-cloud/global/images/family/windows-2022" |
instance_type | Instance type. | string | | "n1-standard-2" |
network_config | Network configuration. | object({…}) | | null |
project_create | Parameters for the creation of the new project. | object({…}) | | null |
region | Region. | string | | "europe-west1" |
subnet_ip_cidr_block | Subnet IP CIDR block. | string | | "10.0.1.0/28" |
zone | Zone. | string | | "europe-west1-c" |
name | description | sensitive |
---|---|---|
ip_address | IP address. | |
```hcl
module "test" {
  source = "./fabric/blueprints/cloud-operations/adfs"
  prefix = "test"
  project_create = {
    billing_account_id = "12345-12345-12345"
    parent             = "folders/123456789"
  }
  project_id           = "project-1"
  ad_dns_domain_name   = "example.com"
  adfs_dns_domain_name = "adfs.example.com"
}
# tftest modules=5 resources=20
```