WIP docs for azurerm_active_directory_domain_service

hashicorp · Apr 29, 2021 · 3209bc8 · 3209bc8
1 parent 2c08c80
commit 3209bc8
Showing 1 changed file with 292 additions and 0 deletions.
diff --git a/website/docs/r/active_directory_domain_service.html.markdown b/website/docs/r/active_directory_domain_service.html.markdown
@@ -0,0 +1,292 @@
+---
+subcategory: "Active Directory Domain Services"
+layout: "azurerm"
+page_title: "Azure Resource Manager: azurerm_active_directory_domain_service"
+description: |-
+  Manages an Active Directory Domain Service.
+---
+
+# azurerm_active_directory_domain_service
+
+Manages an Active Directory Domain Service.
+
+~> Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance#create-required-azure-ad-resources) for details.
+
+## Example Usage
+
+```hcl
+resource "azurerm_resource_group" "deploy" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_virtual_network" "deploy" {
+  name                = "deploy-vnet"
+  location            = azurerm_resource_group.deploy.location
+  resource_group_name = azurerm_resource_group.deploy.name
+  address_space       = ["10.0.1.0/16"]
+
+  lifecycle {
+    ignore_changes = [dns_servers]
+  }
+}
+
+resource "azurerm_subnet" "deploy" {
+  name                 = "deploy-subnet"
+  resource_group_name  = azurerm_resource_group.deploy.name
+  virtual_network_name = azurerm_virtual_network.deploy.name
+  address_prefixes     = ["10.0.1.0/24"]
+}
+
+resource "azurerm_network_security_group" "deploy" {
+  name                = "deploy-nsg"
+  location            = azurerm_resource_group.deploy.location
+  resource_group_name = azurerm_resource_group.deploy.name
+
+  security_rule {
+    name                       = "AllowSyncWithAzureAD"
+    priority                   = 101
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "AzureActiveDirectoryDomainServices"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "AllowRD"
+    priority                   = 201
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "3389"
+    source_address_prefix      = "CorpNetSaw"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "AllowPSRemoting"
+    priority                   = 301
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "5986"
+    source_address_prefix      = "AzureActiveDirectoryDomainServices"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "AllowLDAPS"
+    priority                   = 401
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "636"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource azurerm_subnet_network_security_group_association "deploy" {
+  subnet_id                 = azurerm_subnet.deploy.id
+  network_security_group_id = azurerm_network_security_group.deploy.id
+}
+
+resource "azuread_group" "dc_admins" {
+  name = "AAD DC Administrators"
+}
+
+resource "azuread_user" "admin" {
+  user_principal_name = "dc-admin@$hashicorp-example.net"
+  display_name        = "DC Administrator"
+  password            = "Pa55w0Rd!!1"
+}
+
+resource "azuread_group_member" "admin" {
+  group_object_id  = azuread_group.dc_admins.object_id
+  member_object_id = azuread_user.admin.object_id
+}
+
+resource "azuread_service_principal" "example" {
+  application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
+}
+
+resource "azurerm_resource_group" "aadds" {
+  name     = "aadds-rg"
+  location = "westeurope"
+}
+
+resource "azurerm_active_directory_domain_service" "example" {
+  name                = "example-adds"
+  location            = azurerm_resource_group.aadds.location
+  resource_group_name = azurerm_resource_group.aadds.name
+
+  domain_name           = "widgetslogin.net"
+  sku                   = "Enterprise"
+  filtered_sync_enabled = false
+
+  replica_set {
+    location  = azurerm_virtual_network.deploy.location
+    subnet_id = azurerm_subnet.deploy.id
+  }
+
+  security {
+    sync_kerberos_passwords = true
+    sync_ntlm_passwords     = true
+    sync_on_prem_passwords  = true
+  }
+
+  tags = {
+    Environment = "prod"
+  }
+
+  depends_on = [
+    azuread_service_principal.example,
+    azurerm_subnet_network_security_group_association.deploy,
+  ]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `domain_configuration_type` - (Optional) The forest type to use when creating the managed domain. Set to `ResourceTrusting` to create a _Resource Forest_, omit this property to create a _User Forest_. Changing this forces a new resource to be created.
+
+* `domain_name` - (Required) The Active Directory domain to use. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations.
+
+* `filtered_sync_enabled` - (Optional) Whether to enable filtered sync for users and groups in Azure Active Directory. Defaults to `false`.
+
+* `ldaps` - (Optional) An `ldaps` block as defined below.
+
+* `location` - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.
+
+* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.
+
+* `notifications` - (Optional) A `notifications` block as defined below.
+
+* `replica_set` - (Required) One or more `replica_set` blocks as defined below. A managed domain must have at least one replica set, and the first must have the same location as the Active Directory Domain Service resource.
+
+* `resource_forest` - (Optional) A `resource_forest` block as defined below.
+
+* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.
+
+* `security` - (Optional) A `security` block as defined below.
+
+* `sku` - (Required) The SKU to use when provisioning the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`.
+
+* `tags` - (Optional) A mapping of tags assigned to the resource.
+
+---
+
+An `ldaps` block supports the following:
+
+* `enabled` - (Required) Whether to enable secure LDAP for the managed domain. Defaults to `false`.
+
+* `external_access_enabled` - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to `false`.
+
+* `pfx_certificate` - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).
+
+* `pfx_certificate_password` - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).
+
+---
+
+A `notifications` block supports the following:
+
+* `additional_recipients` - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.
+
+* `notify_dc_admins` - (Optional) Whether to notify members of the _AAD DC Administrators_ group when there are alerts in the managed domain.
+
+* `notify_global_admins` - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.
+
+---
+
+A `replica_set` block supports the following:
+
+* `location` - (Required) The Azure location in which to place the replica set.
+
+* `subnet_id` - (Required) The ID of the subnet in which to place the replica set.
+
+---
+
+A `resource_forest` block supports the following:
+
+* `resource_forest` - (Required) TODO figure out what goes in this property and maybe rename it to something more sensical.
+
+* `forest_trust` - (Required) One or more `forest_trust` blocks as defined below.
+
+---
+
+A `forest_trust` block supports the following:
+
+* `name` - (Required) A display name to identity the forest trust.
+
+* `remote_dns_ips` - (Required) A list of at least two DNS server IP addresses for the trusted forest root domain.
+
+* `trust_direction` - (Required) The direction of trust.
+
+* `trust_password` - (Required) The password for authenticating the forest trust.
+
+* `trusted_domain_fqdn` - (Required) The fully-qualified DNS name for the trusted forest.
+
+---
+
+A `security` block supports the following:
+
+* `ntlm_v1_enabled` - (Optional) Whether to enable legacy NTLM v1 support. Defaults to `false`.
+
+* `sync_kerberos_passwords` - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to `false`.
+
+* `sync_ntlm_passwords` - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to `false`.
+
+* `sync_on_prem_passwords` - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to `false`.
+
+* `tls_v1_enabled` - (Optional) Whether to enable legacy TLS v1 support. Defaults to `false`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The ID of the Domain Service.
+
+* `deployment_id` - A unique ID for the managed domain deployment.
+
+---
+
+An `ldaps` block exports the following:
+
+* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to.
+
+---
+
+A `replica_set` block exports the following:
+
+* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the replica set, typically two.
+
+* `external_access_ip_address` - The publicly routable IP addresses for domain services.
+
+* `replica_set_id` - A unique ID for the replica set.
+
+* `service_status` - The current service status for the replica set.
+
+## Timeouts
+
+The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:
+
+* `create` - (Defaults to 2 hours) Used when creating the Domain Service.
+* `update` - (Defaults to 2 hours) Used when updating the Domain Service.
+* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service.
+* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service.
+
+## Import
+
+Domain Services can be imported using the resource ID, e.g.
+
+```shell
+terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1
+```