diff --git a/website/allowed-subcategories b/website/allowed-subcategories index 4367227f6561e..a5e21700dfaa9 100644 --- a/website/allowed-subcategories +++ b/website/allowed-subcategories @@ -1,3 +1,4 @@ +Active Directory Domain Services API Management Advisor Analysis Services diff --git a/website/docs/d/active_directory_domain_service.html.markdown b/website/docs/d/active_directory_domain_service.html.markdown new file mode 100644 index 0000000000000..0566de58d2db8 --- /dev/null +++ b/website/docs/d/active_directory_domain_service.html.markdown 
@@ -0,0 +1,136 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: Data Source: azurerm_active_directory_domain_service" +description: |- + Gets information about an Active Directory Domain Service. +--- + +# Data Source: azurerm_active_directory_domain_service + +Gets information about an Active Directory Domain Service. + +## Example Usage + +```hcl +data "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + resource_group_name = "example-aadds-rg" +} +``` + +## Argument Reference + +* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created. + +* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created. + +## Attributes Reference + +* `id` - The ID of the Domain Service. + +* `deployment_id` - A unique ID for the managed domain deployment. + +* `domain_configuration_type` - The forest type used by the managed domain. One of `ResourceTrusting`, for a _Resource Forest_, or blank, for a _User Forest_. + +* `domain_name` - The Active Directory domain of the Domain Service. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations. + +* `filtered_sync_enabled` - Whether filtered sync for users and groups in Azure Active Directory, is enabled. + +* `secure_ldap` - A `secure_ldap` block as defined below. + +* `location` - The Azure location where the Domain Service exists. + +* `notifications` - A `notifications` block as defined below. + +* `initial_replica_set` - A `replica_set` block as defined below. + +* `additional_replica_sets` - Zero or more `replica_set` block as defined below. + +* `resource_forest` - A `resource_forest` block as defined below. 
+ +* `security` - A `security` block as defined below. + +* `sku` - The SKU of the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`. + +* `tags` - A mapping of tags assigned to the resource. + +--- + +A `secure_ldap` block exports the following: + +* `enabled` - Whether secure LDAP is enabled for the managed domain. + +* `external_access_enabled` - Whether external access to LDAPS over the Internet, is enabled. + +* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to. + +* `pfx_certificate` - The certificate to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file). + +--- + +A `notifications` block exports the following: + +* `additional_recipients` - A list of additional email addresses to notify when there are alerts in the managed domain. + +* `notify_dc_admins` - Whethermembers of the _AAD DC Administrators_ group are notified when there are alerts in the managed domain. + +* `notify_global_admins` - Whether all Global Administrators are notified when there are alerts in the managed domain. + +--- + +A `replica_set` block exports the following: + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the replica set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in the replica set. + +* `location` - The Azure location in which the replica set resides. + +* `replica_set_id` - A unique ID for the replica set. + +* `service_status` - The current service status for the replica set. + +* `subnet_id` - The ID of the subnet in which the replica set resides. + +--- + +A `resource_forest` block exports the following: + +* `resource_forest` - TODO figure out what goes in this property and maybe rename it to something more sensical. + +* `forest_trust` - One or more `forest_trust` blocks as defined below. 
+ +--- + +A `forest_trust` block exports the following: + +* `name` - A display name to identity the forest trust. + +* `remote_dns_ips` - A list of DNS server IP addresses for the trusted forest root domain. + +* `trust_direction` - The direction of trust. + +* `trust_password` - The password for authenticating the forest trust. + +* `trusted_domain_fqdn` - The fully-qualified DNS name for the trusted forest. + +--- + +A `security` block exports the following: + +* `ntlm_v1_enabled` - Whether legacy NTLM v1 support is enabled. + +* `sync_kerberos_passwords` - Whether Kerberos password hashes are synchronized to the managed domain. + +* `sync_ntlm_passwords` - Whether NTLM password hashes are synchronized to the managed domain. + +* `sync_on_prem_passwords` - Whether on-premises password hashes are synchronized to the managed domain. + +* `tls_v1_enabled` - Whether legacy TLS v1 support is enabled. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. diff --git a/website/docs/r/active_directory_domain_service.html.markdown b/website/docs/r/active_directory_domain_service.html.markdown new file mode 100644 index 0000000000000..9de0ea8bab996 --- /dev/null +++ b/website/docs/r/active_directory_domain_service.html.markdown 
@@ -0,0 +1,294 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_active_directory_domain_service" +description: |- + Manages an Active Directory Domain Service. +--- + +# azurerm_active_directory_domain_service + +Manages an Active Directory Domain Service. + +~> Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance#create-required-azure-ad-resources) for details. + +## Example Usage + +```hcl +resource "azurerm_resource_group" "deploy" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "deploy" { + name = "deploy-vnet" + location = azurerm_resource_group.deploy.location + resource_group_name = azurerm_resource_group.deploy.name + address_space = ["10.0.1.0/16"] +} + +resource "azurerm_subnet" "deploy" { + name = "deploy-subnet" + resource_group_name = azurerm_resource_group.deploy.name + virtual_network_name = azurerm_virtual_network.deploy.name + address_prefixes = ["10.0.1.0/24"] +} + +resource "azurerm_network_security_group" "deploy" { + name = "deploy-nsg" + location = azurerm_resource_group.deploy.location + resource_group_name = azurerm_resource_group.deploy.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range 
= "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "deploy" { + subnet_id = azurerm_subnet.deploy.id + network_security_group_id = azurerm_network_security_group.deploy.id +} + +resource "azuread_group" "dc_admins" { + name = "AAD DC Administrators" +} + +resource "azuread_user" "admin" { + user_principal_name = "dc-admin@$hashicorp-example.net" + display_name = "DC Administrator" + password = "Pa55w0Rd!!1" +} + +resource "azuread_group_member" "admin" { + group_object_id = azuread_group.dc_admins.object_id + member_object_id = azuread_user.admin.object_id +} + +resource "azuread_service_principal" "example" { + application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services +} + +resource "azurerm_resource_group" "aadds" { + name = "aadds-rg" + location = "westeurope" +} + +resource "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + location = azurerm_resource_group.aadds.location + resource_group_name = azurerm_resource_group.aadds.name + + domain_name = "widgetslogin.net" + sku = "Enterprise" + filtered_sync_enabled = false + + initial_replica_set { + location = azurerm_virtual_network.deploy.location + subnet_id = azurerm_subnet.deploy.id + } + + notifications { + additional_recipients = ["notifyA@example.net", "notifyB@example.org"] + 
notify_dc_admins = true + notify_global_admins = true + } + + security { + sync_kerberos_passwords = true + sync_ntlm_passwords = true + sync_on_prem_passwords = true + } + + tags = { + Environment = "prod" + } + + depends_on = [ + azuread_service_principal.example, + azurerm_subnet_network_security_group_association.deploy, + ] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `domain_configuration_type` - (Optional) The forest type to use when creating the managed domain. Set to `ResourceTrusting` to create a _Resource Forest_, omit this property to create a _User Forest_. Changing this forces a new resource to be created. + +* `domain_name` - (Required) The Active Directory domain to use. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations. + +* `filtered_sync_enabled` - (Optional) Whether to enable filtered sync for users and groups in Azure Active Directory. Defaults to `false`. + +* `secure_ldap` - (Optional) A `secure_ldap` block as defined below. + +* `location` - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created. + +* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created. + +* `notifications` - (Optional) A `notifications` block as defined below. + +* `initial_replica_set` - (Required) An `initial_replica_set` block as defined below. The initial replica set inherits the same location as the Domain Service resource. + +* `resource_forest` - (Optional) A `resource_forest` block as defined below. + +* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created. + +* `security` - (Optional) A `security` block as defined below. 
+ +* `sku` - (Required) The SKU to use when provisioning the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`. + +* `tags` - (Optional) A mapping of tags assigned to the resource. + +--- + +A `secure_ldap` block supports the following: + +* `enabled` - (Required) Whether to enable secure LDAP for the managed domain. Defaults to `false`. + +* `external_access_enabled` - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to `false`. + +* `pfx_certificate` - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file). + +* `pfx_certificate_password` - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file). + +--- + +A `notifications` block supports the following: + +* `additional_recipients` - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain. + +* `notify_dc_admins` - (Optional) Whether to notify members of the _AAD DC Administrators_ group when there are alerts in the managed domain. + +* `notify_global_admins` - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain. + +--- + +An `initial_replica_set` block supports the following: + +* `subnet_id` - (Required) The ID of the subnet in which to place the initial replica set. + +--- + +A `resource_forest` block supports the following: + +* `resource_forest` - (Required) TODO figure out what goes in this property and maybe rename it to something more sensical. + +* `forest_trust` - (Required) One or more `forest_trust` blocks as defined below. + +--- + +A `forest_trust` block supports the following: + +* `name` - (Required) A display name to identity the forest trust. + +* `remote_dns_ips` - (Required) A list of at least two DNS server IP addresses for the trusted forest root domain. + +* `trust_direction` - (Required) The direction of trust. 
+ +* `trust_password` - (Required) The password for authenticating the forest trust. + +* `trusted_domain_fqdn` - (Required) The fully-qualified DNS name for the trusted forest. + +--- + +A `security` block supports the following: + +* `ntlm_v1_enabled` - (Optional) Whether to enable legacy NTLM v1 support. Defaults to `false`. + +* `sync_kerberos_passwords` - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to `false`. + +* `sync_ntlm_passwords` - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to `false`. + +* `sync_on_prem_passwords` - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to `false`. + +* `tls_v1_enabled` - (Optional) Whether to enable legacy TLS v1 support. Defaults to `false`. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The ID of the Domain Service. + +* `deployment_id` - A unique ID for the managed domain deployment. + +--- + +A `secure_ldap` block exports the following: + +* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to. + +--- + +An `initial_replica_set` block exports the following: + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the initial replica set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in the initial replica set. + +* `location` - The Azure location in which the initialreplica set resides. + +* `replica_set_id` - A unique ID for the replica set. + +* `service_status` - The current service status for the initial replica set. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `create` - (Defaults to 2 hours) Used when creating the Domain Service. 
+* `update` - (Defaults to 2 hours) Used when updating the Domain Service. +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. +* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service. + +## Import + +Domain Services can be imported using the resource ID, e.g. + +```shell +terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1 +``` diff --git a/website/docs/r/active_directory_domain_service_replica_set.html.markdown b/website/docs/r/active_directory_domain_service_replica_set.html.markdown new file mode 100644 index 0000000000000..0dbb96183204c --- /dev/null +++ b/website/docs/r/active_directory_domain_service_replica_set.html.markdown 
@@ -0,0 +1,311 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_active_directory_domain_service_replica_set" +description: |- + Manages a Replica Set for an Active Directory Domain Service. +--- + +# azurerm_active_directory_domain_service_replica_set + +Manages a Replica Set for an Active Directory Domain Service. + +## Example Usage + +```hcl +resource "azurerm_resource_group" "primary" { + name = "aadds-primary-rg" + location = "West Europe" +} + +resource "azurerm_virtual_network" "primary" { + name = "aadds-primary-vnet" + location = azurerm_resource_group.primary.location + resource_group_name = azurerm_resource_group.primary.name + address_space = ["10.0.1.0/16"] +} + +resource "azurerm_subnet" "primary" { + name = "aadds-primary-subnet" + resource_group_name = azurerm_resource_group.primary.name + virtual_network_name = azurerm_virtual_network.primary.name + address_prefixes = ["10.0.1.0/24"] +} + +resource "azurerm_network_security_group" "primary" { + name = "aadds-primary-nsg" + location = azurerm_resource_group.primary.location + resource_group_name = azurerm_resource_group.primary.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + 
destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "primary" { + subnet_id = azurerm_subnet.primary.id + network_security_group_id = azurerm_network_security_group.primary.id +} + +resource "azuread_group" "dc_admins" { + name = "AAD DC Administrators" +} + +resource "azuread_user" "admin" { + user_principal_name = "dc-admin@$hashicorp-example.net" + display_name = "DC Administrator" + password = "Pa55w0Rd!!1" +} + +resource "azuread_group_member" "admin" { + group_object_id = azuread_group.dc_admins.object_id + member_object_id = azuread_user.admin.object_id +} + +resource "azuread_service_principal" "example" { + application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services +} + +resource "azurerm_resource_group" "aadds" { + name = "aadds-rg" + location = "westeurope" +} + +resource "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + location = azurerm_resource_group.aadds.location + resource_group_name = azurerm_resource_group.aadds.name + + domain_name = "widgetslogin.net" + sku = "Enterprise" + filtered_sync_enabled = false + + initial_replica_set { + location = azurerm_virtual_network.primary.location + subnet_id = azurerm_subnet.primary.id + } + + notifications { + additional_recipients = ["notifyA@example.net", "notifyB@example.org"] + notify_dc_admins = true + notify_global_admins = true + } + + security { + sync_kerberos_passwords = true + sync_ntlm_passwords = true + sync_on_prem_passwords = true + } + + tags = { + Environment = "prod" + } + + depends_on = [ + azuread_service_principal.example, + azurerm_subnet_network_security_group_association.primary, + ] +} + +resource "azurerm_resource_group" 
"replica" { + name = "aadds-replica-rg" + location = "North Europe" +} + +resource "azurerm_virtual_network" "replica" { + name = "aadds-replica-vnet" + location = azurerm_resource_group.replica.location + resource_group_name = azurerm_resource_group.replica.name + address_space = ["10.20.0.0/16"] +} + +resource "azurerm_subnet" "aadds_replica" { + name = "aadds-replica-subnet" + resource_group_name = azurerm_resource_group.replica.name + virtual_network_name = azurerm_virtual_network.replica.name + address_prefixes = ["10.20.0.0/24"] +} + +resource "azurerm_network_security_group" "aadds_replica" { + name = "aadds-replica-nsg" + location = azurerm_resource_group.replica.location + resource_group_name = azurerm_resource_group.replica.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "replica" { + subnet_id = azurerm_subnet.aadds_replica.id + network_security_group_id = 
azurerm_network_security_group.aadds_replica.id +} + +resource "azurerm_virtual_network_peering" "primary_replica" { + name = "aadds-primary-replica" + resource_group_name = azurerm_virtual_network.primary.resource_group_name + virtual_network_name = azurerm_virtual_network.primary.name + remote_virtual_network_id = azurerm_virtual_network.replica.id + + allow_forwarded_traffic = true + allow_gateway_transit = false + allow_virtual_network_access = true + use_remote_gateways = false +} + +resource "azurerm_virtual_network_peering" "replica_primary" { + name = "aadds-replica-primary" + resource_group_name = azurerm_virtual_network.replica.resource_group_name + virtual_network_name = azurerm_virtual_network.replica.name + remote_virtual_network_id = azurerm_virtual_network.primary.id + + allow_forwarded_traffic = true + allow_gateway_transit = false + allow_virtual_network_access = true + use_remote_gateways = false +} + +resource "azurerm_virtual_network_dns_servers" "replica" { + virtual_network_id = azurerm_virtual_network.replica.id + dns_servers = azurerm_active_directory_domain_service.example.initial_replica_set.0.domain_controller_ip_addresses +} + +resource "azurerm_active_directory_domain_service_replica_set" "replica" { + domain_service_id = azurerm_active_directory_domain_service.example.id + location = azurerm_resource_group.replica.location + subnet_id = azurerm_subnet.aadds_replica.id + + depends_on = [ + azurerm_subnet_network_security_group_association.replica, + azurerm_virtual_network_peering.primary_replica, + azurerm_virtual_network_peering.replica_primary, + ] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `domain_service_id` - (Required) The ID of the Domain Service for which to create this Replica Set. Changing this forces a new resource to be created. + +* `location` - (Required) The Azure location where this Replica Set should exist. Changing this forces a new resource to be created. 
+ +* `subnet_id` - (Required) The ID of the subnet in which to place this Replica Set. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The ID of the Domain Service Replica Set. + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in this Replica Set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in this Replica Set. + +* `service_status` - The current service status for the replica set. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `create` - (Defaults to 2 hours) Used when creating the Domain Service. +* `update` - (Defaults to 2 hours) Used when updating the Domain Service. +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. +* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service. + +## Import + +Domain Services can be imported using the resource ID, e.g. + +```shell +terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1 +```
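Review bot: in the `website/allowed-subcategories` hunk, the three visible neighbours sort in byte order (`API Management` before `Advisor` before `Analysis Services`), and `Active Directory Domain Services` placed first breaks that order (`API` < `Active` in ASCII); if the file is meant to stay byte-sorted, the new entry belongs after `API Management`.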
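Review bot: the new data source page exports `secure_ldap.pfx_certificate` (the LDAPS certificate/private-key bundle) and `forest_trust.trust_password` as plain attributes, which would copy both secrets into the state of any configuration that merely reads the domain service; either drop them from the data source exports or document them as sensitive. Also in this hunk: the `resource_forest` exported block still reads `TODO figure out what goes in this property and maybe rename it to something more sensical`, which needs resolving before merge; `name` and `resource_group_name` say `Changing this forces a new resource to be created`, which does not apply to a data source; and wording: `Whethermembers` should be `Whether members`, `identity the forest trust` should be `identify`, `Zero or more `replica_set` block` should be `blocks`, and the commas in `in Azure Active Directory, is enabled` and `over the Internet, is enabled` should go.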
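Review bot: in the `azurerm_active_directory_domain_service` page, the `secure_ldap` block lists `enabled` as `(Required)` and in the same sentence says `Defaults to false`; only one can be true. The example's `initial_replica_set` block sets `location`, but the argument reference lists only `subnet_id` for that block and says the location is inherited from the Domain Service, so the example and the reference disagree. The example hard-codes `password = "Pa55w0Rd!!1"` for the DC administrator and has a stray `$` in `dc-admin@$hashicorp-example.net`; use a variable or an obvious placeholder instead. The `AllowLDAPS` rule opens TCP 636 with `source_address_prefix = "*"` although the example never configures `secure_ldap`; drop the rule from the example or scope its source to the intended client range. The implementation note says the service principal is best created manually, yet the example creates it with `azuread_service_principal`; reconcile the two. `pfx_certificate`, `pfx_certificate_password` and `forest_trust.trust_password` should be marked sensitive in the argument reference. Minor: `address_space = ["10.0.1.0/16"]` is not on a /16 boundary (`10.0.0.0/16`), the `resource_forest` block still carries the `TODO` text, `initialreplica` needs a space, `identity` should be `identify`, and `resource azurerm_subnet_network_security_group_association "deploy"` should quote the type as the other blocks do.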
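Review bot: the `Timeouts` and `Import` sections of the replica set page were copied unchanged from the domain service page: all four timeouts say `Used when ... the Domain Service.` instead of the Replica Set, and the import command targets `azurerm_active_directory_domain_service.example` with a `domainServices/instance1` ID rather than an `azurerm_active_directory_domain_service_replica_set` address and a replica set ID; both need to refer to the replica set. The example repeats the hard-coded `Pa55w0Rd!!1` password, the stray `$` in the UPN, the `AllowLDAPS` rule open to `*` on both NSGs and the non-aligned `10.0.1.0/16` address space already noted on the domain service page. The `azurerm_virtual_network_dns_servers` resource points the replica VNet at `initial_replica_set.0.domain_controller_ip_addresses`; a sentence on why the replica network must resolve the managed domain through the existing domain controllers before the replica set is created would help readers, and `azurerm_active_directory_domain_service_replica_set.replica` should likely also `depends_on` that DNS resource, since it currently waits only for the NSG association and the two peerings.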