From 94413d23c30fb4859bee4f04f32de1e7a6d37c2a Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 29 Apr 2021 12:00:34 +0100 Subject: [PATCH] Documentation for azurerm_active_directory_domain_service --- website/allowed-subcategories | 2 +- ...ive_directory_domain_service.html.markdown | 136 ++++++++ ...ive_directory_domain_service.html.markdown | 268 +++++++++++++++ ...y_domain_service_replica_set.html.markdown | 311 ++++++++++++++++++ 4 files changed, 716 insertions(+), 1 deletion(-) create mode 100644 website/docs/d/active_directory_domain_service.html.markdown create mode 100644 website/docs/r/active_directory_domain_service.html.markdown create mode 100644 website/docs/r/active_directory_domain_service_replica_set.html.markdown diff --git a/website/allowed-subcategories b/website/allowed-subcategories index 5e7a536a4205..771e6f688b63 100644 --- a/website/allowed-subcategories +++ b/website/allowed-subcategories @@ -77,4 +77,4 @@ Stream Analytics Synapse Template Time Series Insights -VMware (AVS) +VMware (AVS) \ No newline at end of file diff --git a/website/docs/d/active_directory_domain_service.html.markdown b/website/docs/d/active_directory_domain_service.html.markdown new file mode 100644 index 000000000000..ca884ac10565 --- /dev/null +++ b/website/docs/d/active_directory_domain_service.html.markdown 
@@ -0,0 +1,136 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: Data Source: azurerm_active_directory_domain_service" +description: |- + Gets information about an Active Directory Domain Service. +--- + +# Data Source: azurerm_active_directory_domain_service + +Gets information about an Active Directory Domain Service. + +## Example Usage + +```hcl +data "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + resource_group_name = "example-aadds-rg" +} +``` + +## Argument Reference + +* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created. + +* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created. + +## Attributes Reference + +* `id` - The ID of the Domain Service. + +* `deployment_id` - A unique ID for the managed domain deployment. + +* `domain_configuration_type` - The forest type used by the managed domain. One of `ResourceTrusting`, for a _Resource Forest_, or blank, for a _User Forest_. + +* `domain_name` - The Active Directory domain of the Domain Service. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations. + +* `filtered_sync_enabled` - Whether filtered sync for users and groups in Azure Active Directory, is enabled. + +* `secure_ldap` - A `secure_ldap` block as defined below. + +* `location` - The Azure location where the Domain Service exists. + +* `notifications` - A `notifications` block as defined below. + +* `initial_replica_set` - A `replica_set` block as defined below. + +* `additional_replica_sets` - Zero or more `replica_set` block as defined below. + +* `resource_forest` - A `resource_forest` block as defined below. 
+ +* `security` - A `security` block as defined below. + +* `sku` - The SKU of the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`. + +* `tags` - A mapping of tags assigned to the resource. + +--- + +A `secure_ldap` block exports the following: + +* `enabled` - Whether secure LDAP is enabled for the managed domain. + +* `external_access_enabled` - Whether external access to LDAPS over the Internet, is enabled. + +* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to. + +* `pfx_certificate` - The certificate to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file). + +--- + +A `notifications` block exports the following: + +* `additional_recipients` - A list of additional email addresses to notify when there are alerts in the managed domain. + +* `notify_dc_admins` - Whethermembers of the _AAD DC Administrators_ group are notified when there are alerts in the managed domain. + +* `notify_global_admins` - Whether all Global Administrators are notified when there are alerts in the managed domain. + +--- + +A `replica_set` block exports the following: + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the replica set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in the replica set. + +* `location` - The Azure location in which the replica set resides. + +* `replica_set_id` - A unique ID for the replica set. + +* `service_status` - The current service status for the replica set. + +* `subnet_id` - The ID of the subnet in which the replica set resides. + +--- + +A `resource_forest` block exports the following: + +* `resource_forest` - Resource forest + +* `forest_trust` - One or more `forest_trust` blocks as defined below. + +--- + +A `forest_trust` block exports the following: + +* `name` - A display name to identity the forest trust. 
+ +* `remote_dns_ips` - A list of DNS server IP addresses for the trusted forest root domain. + +* `trust_direction` - The direction of trust. + +* `trust_password` - The password for authenticating the forest trust. + +* `trusted_domain_fqdn` - The fully-qualified DNS name for the trusted forest. + +--- + +A `security` block exports the following: + +* `ntlm_v1_enabled` - Whether legacy NTLM v1 support is enabled. + +* `sync_kerberos_passwords` - Whether Kerberos password hashes are synchronized to the managed domain. + +* `sync_ntlm_passwords` - Whether NTLM password hashes are synchronized to the managed domain. + +* `sync_on_prem_passwords` - Whether on-premises password hashes are synchronized to the managed domain. + +* `tls_v1_enabled` - Whether legacy TLS v1 support is enabled. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. diff --git a/website/docs/r/active_directory_domain_service.html.markdown b/website/docs/r/active_directory_domain_service.html.markdown new file mode 100644 index 000000000000..4a84bdb60f07 --- /dev/null +++ b/website/docs/r/active_directory_domain_service.html.markdown 
@@ -0,0 +1,268 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_active_directory_domain_service" +description: |- + Manages an Active Directory Domain Service. +--- + +# azurerm_active_directory_domain_service + +Manages an Active Directory Domain Service. + +~> Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance#create-required-azure-ad-resources) for details. + +## Example Usage + +```hcl +resource "azurerm_resource_group" "deploy" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "deploy" { + name = "deploy-vnet" + location = azurerm_resource_group.deploy.location + resource_group_name = azurerm_resource_group.deploy.name + address_space = ["10.0.1.0/16"] +} + +resource "azurerm_subnet" "deploy" { + name = "deploy-subnet" + resource_group_name = azurerm_resource_group.deploy.name + virtual_network_name = azurerm_virtual_network.deploy.name + address_prefixes = ["10.0.1.0/24"] +} + +resource "azurerm_network_security_group" "deploy" { + name = "deploy-nsg" + location = azurerm_resource_group.deploy.location + resource_group_name = azurerm_resource_group.deploy.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range 
= "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "deploy" { + subnet_id = azurerm_subnet.deploy.id + network_security_group_id = azurerm_network_security_group.deploy.id +} + +resource "azuread_group" "dc_admins" { + name = "AAD DC Administrators" +} + +resource "azuread_user" "admin" { + user_principal_name = "dc-admin@$hashicorp-example.net" + display_name = "DC Administrator" + password = "Pa55w0Rd!!1" +} + +resource "azuread_group_member" "admin" { + group_object_id = azuread_group.dc_admins.object_id + member_object_id = azuread_user.admin.object_id +} + +resource "azuread_service_principal" "example" { + application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services +} + +resource "azurerm_resource_group" "aadds" { + name = "aadds-rg" + location = "westeurope" +} + +resource "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + location = azurerm_resource_group.aadds.location + resource_group_name = azurerm_resource_group.aadds.name + + domain_name = "widgetslogin.net" + sku = "Enterprise" + filtered_sync_enabled = false + + initial_replica_set { + location = azurerm_virtual_network.deploy.location + subnet_id = azurerm_subnet.deploy.id + } + + notifications { + additional_recipients = ["notifyA@example.net", "notifyB@example.org"] + 
notify_dc_admins = true + notify_global_admins = true + } + + security { + sync_kerberos_passwords = true + sync_ntlm_passwords = true + sync_on_prem_passwords = true + } + + tags = { + Environment = "prod" + } + + depends_on = [ + azuread_service_principal.example, + azurerm_subnet_network_security_group_association.deploy, + ] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `domain_name` - (Required) The Active Directory domain to use. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations. + +* `filtered_sync_enabled` - (Optional) Whether to enable filtered sync for users and groups in Azure Active Directory. Defaults to `false`. + +* `secure_ldap` - (Optional) A `secure_ldap` block as defined below. + +* `location` - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created. + +* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created. + +* `notifications` - (Optional) A `notifications` block as defined below. + +* `initial_replica_set` - (Required) An `initial_replica_set` block as defined below. The initial replica set inherits the same location as the Domain Service resource. + +* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created. + +* `security` - (Optional) A `security` block as defined below. + +* `sku` - (Required) The SKU to use when provisioning the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`. + +* `tags` - (Optional) A mapping of tags assigned to the resource. + +--- + +A `secure_ldap` block supports the following: + +* `enabled` - (Required) Whether to enable secure LDAP for the managed domain. Defaults to `false`. 
+ +* `external_access_enabled` - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to `false`. + +* `pfx_certificate` - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file). + +* `pfx_certificate_password` - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file). + +--- + +A `notifications` block supports the following: + +* `additional_recipients` - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain. + +* `notify_dc_admins` - (Optional) Whether to notify members of the _AAD DC Administrators_ group when there are alerts in the managed domain. + +* `notify_global_admins` - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain. + +--- + +An `initial_replica_set` block supports the following: + +* `subnet_id` - (Required) The ID of the subnet in which to place the initial replica set. + +--- + +A `security` block supports the following: + +* `ntlm_v1_enabled` - (Optional) Whether to enable legacy NTLM v1 support. Defaults to `false`. + +* `sync_kerberos_passwords` - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to `false`. + +* `sync_ntlm_passwords` - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to `false`. + +* `sync_on_prem_passwords` - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to `false`. + +* `tls_v1_enabled` - (Optional) Whether to enable legacy TLS v1 support. Defaults to `false`. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The ID of the Domain Service. + +* `deployment_id` - A unique ID for the managed domain deployment. 
+ +--- + +A `secure_ldap` block exports the following: + +* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to. + +--- + +An `initial_replica_set` block exports the following: + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the initial replica set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in the initial replica set. + +* `location` - The Azure location in which the initialreplica set resides. + +* `replica_set_id` - A unique ID for the replica set. + +* `service_status` - The current service status for the initial replica set. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `create` - (Defaults to 2 hours) Used when creating the Domain Service. +* `update` - (Defaults to 2 hours) Used when updating the Domain Service. +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. +* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service. + +## Import + +Domain Services can be imported using the resource ID, e.g. + +```shell +terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1 +``` diff --git a/website/docs/r/active_directory_domain_service_replica_set.html.markdown b/website/docs/r/active_directory_domain_service_replica_set.html.markdown new file mode 100644 index 000000000000..0dbb96183204 --- /dev/null +++ b/website/docs/r/active_directory_domain_service_replica_set.html.markdown 
@@ -0,0 +1,311 @@ +--- +subcategory: "Active Directory Domain Services" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_active_directory_domain_service_replica_set" +description: |- + Manages a Replica Set for an Active Directory Domain Service. +--- + +# azurerm_active_directory_domain_service_replica_set + +Manages a Replica Set for an Active Directory Domain Service. + +## Example Usage + +```hcl +resource "azurerm_resource_group" "primary" { + name = "aadds-primary-rg" + location = "West Europe" +} + +resource "azurerm_virtual_network" "primary" { + name = "aadds-primary-vnet" + location = azurerm_resource_group.primary.location + resource_group_name = azurerm_resource_group.primary.name + address_space = ["10.0.1.0/16"] +} + +resource "azurerm_subnet" "primary" { + name = "aadds-primary-subnet" + resource_group_name = azurerm_resource_group.primary.name + virtual_network_name = azurerm_virtual_network.primary.name + address_prefixes = ["10.0.1.0/24"] +} + +resource "azurerm_network_security_group" "primary" { + name = "aadds-primary-nsg" + location = azurerm_resource_group.primary.location + resource_group_name = azurerm_resource_group.primary.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + 
destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "primary" { + subnet_id = azurerm_subnet.primary.id + network_security_group_id = azurerm_network_security_group.primary.id +} + +resource "azuread_group" "dc_admins" { + name = "AAD DC Administrators" +} + +resource "azuread_user" "admin" { + user_principal_name = "dc-admin@$hashicorp-example.net" + display_name = "DC Administrator" + password = "Pa55w0Rd!!1" +} + +resource "azuread_group_member" "admin" { + group_object_id = azuread_group.dc_admins.object_id + member_object_id = azuread_user.admin.object_id +} + +resource "azuread_service_principal" "example" { + application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services +} + +resource "azurerm_resource_group" "aadds" { + name = "aadds-rg" + location = "westeurope" +} + +resource "azurerm_active_directory_domain_service" "example" { + name = "example-aadds" + location = azurerm_resource_group.aadds.location + resource_group_name = azurerm_resource_group.aadds.name + + domain_name = "widgetslogin.net" + sku = "Enterprise" + filtered_sync_enabled = false + + initial_replica_set { + location = azurerm_virtual_network.primary.location + subnet_id = azurerm_subnet.primary.id + } + + notifications { + additional_recipients = ["notifyA@example.net", "notifyB@example.org"] + notify_dc_admins = true + notify_global_admins = true + } + + security { + sync_kerberos_passwords = true + sync_ntlm_passwords = true + sync_on_prem_passwords = true + } + + tags = { + Environment = "prod" + } + + depends_on = [ + azuread_service_principal.example, + azurerm_subnet_network_security_group_association.primary, + ] +} + +resource "azurerm_resource_group" 
"replica" { + name = "aadds-replica-rg" + location = "North Europe" +} + +resource "azurerm_virtual_network" "replica" { + name = "aadds-replica-vnet" + location = azurerm_resource_group.replica.location + resource_group_name = azurerm_resource_group.replica.name + address_space = ["10.20.0.0/16"] +} + +resource "azurerm_subnet" "aadds_replica" { + name = "aadds-replica-subnet" + resource_group_name = azurerm_resource_group.replica.name + virtual_network_name = azurerm_virtual_network.replica.name + address_prefixes = ["10.20.0.0/24"] +} + +resource "azurerm_network_security_group" "aadds_replica" { + name = "aadds-replica-nsg" + location = azurerm_resource_group.replica.location + resource_group_name = azurerm_resource_group.replica.name + + security_rule { + name = "AllowSyncWithAzureAD" + priority = 101 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowRD" + priority = 201 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "3389" + source_address_prefix = "CorpNetSaw" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowPSRemoting" + priority = 301 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "5986" + source_address_prefix = "AzureActiveDirectoryDomainServices" + destination_address_prefix = "*" + } + + security_rule { + name = "AllowLDAPS" + priority = 401 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "636" + source_address_prefix = "*" + destination_address_prefix = "*" + } +} + +resource azurerm_subnet_network_security_group_association "replica" { + subnet_id = azurerm_subnet.aadds_replica.id + network_security_group_id = 
azurerm_network_security_group.aadds_replica.id +} + +resource "azurerm_virtual_network_peering" "primary_replica" { + name = "aadds-primary-replica" + resource_group_name = azurerm_virtual_network.primary.resource_group_name + virtual_network_name = azurerm_virtual_network.primary.name + remote_virtual_network_id = azurerm_virtual_network.replica.id + + allow_forwarded_traffic = true + allow_gateway_transit = false + allow_virtual_network_access = true + use_remote_gateways = false +} + +resource "azurerm_virtual_network_peering" "replica_primary" { + name = "aadds-replica-primary" + resource_group_name = azurerm_virtual_network.replica.resource_group_name + virtual_network_name = azurerm_virtual_network.replica.name + remote_virtual_network_id = azurerm_virtual_network.primary.id + + allow_forwarded_traffic = true + allow_gateway_transit = false + allow_virtual_network_access = true + use_remote_gateways = false +} + +resource "azurerm_virtual_network_dns_servers" "replica" { + virtual_network_id = azurerm_virtual_network.replica.id + dns_servers = azurerm_active_directory_domain_service.example.initial_replica_set.0.domain_controller_ip_addresses +} + +resource "azurerm_active_directory_domain_service_replica_set" "replica" { + domain_service_id = azurerm_active_directory_domain_service.example.id + location = azurerm_resource_group.replica.location + subnet_id = azurerm_subnet.aadds_replica.id + + depends_on = [ + azurerm_subnet_network_security_group_association.replica, + azurerm_virtual_network_peering.primary_replica, + azurerm_virtual_network_peering.replica_primary, + ] +} +``` + +## Argument Reference + +The following arguments are supported: + +* `domain_service_id` - (Required) The ID of the Domain Service for which to create this Replica Set. Changing this forces a new resource to be created. + +* `location` - (Required) The Azure location where this Replica Set should exist. Changing this forces a new resource to be created. 
+ +* `subnet_id` - (Required) The ID of the subnet in which to place this Replica Set. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The ID of the Domain Service Replica Set. + +* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in this Replica Set, typically two. + +* `external_access_ip_address` - The publicly routable IP address for the domain controllers in this Replica Set. + +* `service_status` - The current service status for the replica set. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `create` - (Defaults to 2 hours) Used when creating the Domain Service. +* `update` - (Defaults to 2 hours) Used when updating the Domain Service. +* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service. +* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service. + +## Import + +Domain Services can be imported using the resource ID, e.g. + +```shell +terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1 +```
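Review bot: the only change in the `website/allowed-subcategories` hunk is dropping the trailing newline after `VMware (AVS)` (`\ No newline at end of file`), which is unrelated to the documentation being added; restore the newline so the file stays newline-terminated and the diff stays clean. The three new pages declare `subcategory: "Active Directory Domain Services"`, so if that value is not already present in this list, it needs to be added here in alphabetical order rather than left out.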
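Review bot: in the data source page (`website/docs/d/active_directory_domain_service.html.markdown`), both `name` and `resource_group_name` under Argument Reference say "Changing this forces a new resource to be created", which does not apply to a data source; drop that sentence. The `secure_ldap` block exports `pfx_certificate` and the `forest_trust` block exports `trust_password`; reading either into state through a data source exposes secret material to anyone who can read the state, so either confirm these values are really returned and mark them as sensitive in the description, or remove them from the exported attributes. Smaller fixes in the same hunk: "Zero or more `replica_set` block" should read "blocks"; "Whethermembers" needs a space; "to identity the forest trust" should be "identify"; the stray commas in "in Azure Active Directory, is enabled" and "over the Internet, is enabled" should go; and the `resource_forest` attribute described only as "Resource forest" needs an actual description.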
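Review bot: in the resource page (`website/docs/r/active_directory_domain_service.html.markdown`), `secure_ldap.enabled` is documented as both `(Required)` and "Defaults to `false`", which cannot both hold; pick one (the example omits the block entirely, which suggests Optional). The Example Usage sets `location` inside `initial_replica_set`, but the `initial_replica_set` argument block lists only `subnet_id` and `location` appears only as an exported attribute; either document `location` as an argument or remove it from the example. The example also carries `user_principal_name = "dc-admin@$hashicorp-example.net"` with a stray `$`, `address_space = ["10.0.1.0/16"]` which is not on a /16 boundary (`10.0.0.0/16`), an unquoted resource type in `resource azurerm_subnet_network_security_group_association "deploy"` that `terraform fmt` would quote, and a literal `password = "Pa55w0Rd!!1"` for the DC administrator account that readers will copy. The `AllowLDAPS` rule with `source_address_prefix = "*"` opens TCP 636 from any source even though the example never enables `secure_ldap`; drop the rule from the example or scope its source, and mark `pfx_certificate` and `pfx_certificate_password` as sensitive in their descriptions. Also "initialreplica set" needs a space.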
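Review bot: the Timeouts and Import sections at the end of the replica set page (`website/docs/r/active_directory_domain_service_replica_set.html.markdown`) are copied from the Domain Service page: each timeout says "Used when creating/updating/retrieving/deleting the Domain Service", and the import command is `terraform import azurerm_active_directory_domain_service.example .../domainServices/instance1`, which imports the parent resource rather than `azurerm_active_directory_domain_service_replica_set`. Reword the timeouts for the Replica Set and give the import command the replica set's own resource address and ID format (with a clearly marked placeholder if that format is not settled yet). The example repeats the problems of the Domain Service example (stray `$` in `dc-admin@$hashicorp-example.net`, hardcoded `password`, unquoted resource type in `resource azurerm_subnet_network_security_group_association`, `10.0.1.0/16` not on a /16 boundary, and the any-source `AllowLDAPS` rule on both NSGs without `secure_ldap` enabled), and `dns_servers = ...initial_replica_set.0.domain_controller_ip_addresses` uses the legacy `.0.` index form where `[0]` is the current HCL syntax.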