WIP docs for azurerm_active_directory_domain_service
manicminer committed May 13, 2021
1 parent c1905f6 commit a17c1f5
Showing 1 changed file with 292 additions and 0 deletions.
292 changes: 292 additions & 0 deletions website/docs/r/active_directory_domain_service.html.markdown
@@ -0,0 +1,292 @@
---
subcategory: "Active Directory Domain Services"
layout: "azurerm"
page_title: "Azure Resource Manager: azurerm_active_directory_domain_service"
description: |-
Manages an Active Directory Domain Service.
---

# azurerm_active_directory_domain_service

Manages an Active Directory Domain Service.

~> Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance#create-required-azure-ad-resources) for details.

## Example Usage

```hcl
resource "azurerm_resource_group" "deploy" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "deploy" {
name = "deploy-vnet"
location = azurerm_resource_group.deploy.location
resource_group_name = azurerm_resource_group.deploy.name
address_space = ["10.0.1.0/16"]
lifecycle {
ignore_changes = [dns_servers]
}
}
resource "azurerm_subnet" "deploy" {
name = "deploy-subnet"
resource_group_name = azurerm_resource_group.deploy.name
virtual_network_name = azurerm_virtual_network.deploy.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_network_security_group" "deploy" {
name = "deploy-nsg"
location = azurerm_resource_group.deploy.location
resource_group_name = azurerm_resource_group.deploy.name
security_rule {
name = "AllowSyncWithAzureAD"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "AzureActiveDirectoryDomainServices"
destination_address_prefix = "*"
}
security_rule {
name = "AllowRD"
priority = 201
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "3389"
source_address_prefix = "CorpNetSaw"
destination_address_prefix = "*"
}
security_rule {
name = "AllowPSRemoting"
priority = 301
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "5986"
source_address_prefix = "AzureActiveDirectoryDomainServices"
destination_address_prefix = "*"
}
security_rule {
name = "AllowLDAPS"
priority = 401
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "636"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
resource azurerm_subnet_network_security_group_association "deploy" {
subnet_id = azurerm_subnet.deploy.id
network_security_group_id = azurerm_network_security_group.deploy.id
}
resource "azuread_group" "dc_admins" {
name = "AAD DC Administrators"
}
resource "azuread_user" "admin" {
user_principal_name = "dc-admin@$hashicorp-example.net"
display_name = "DC Administrator"
password = "Pa55w0Rd!!1"
}
resource "azuread_group_member" "admin" {
group_object_id = azuread_group.dc_admins.object_id
member_object_id = azuread_user.admin.object_id
}
resource "azuread_service_principal" "example" {
application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}
resource "azurerm_resource_group" "aadds" {
name = "aadds-rg"
location = "westeurope"
}
resource "azurerm_active_directory_domain_service" "example" {
name = "example-adds"
location = azurerm_resource_group.aadds.location
resource_group_name = azurerm_resource_group.aadds.name
domain_name = "widgetslogin.net"
sku = "Enterprise"
filtered_sync_enabled = false
replica_set {
location = azurerm_virtual_network.deploy.location
subnet_id = azurerm_subnet.deploy.id
}
security {
sync_kerberos_passwords = true
sync_ntlm_passwords = true
sync_on_prem_passwords = true
}
tags = {
Environment = "prod"
}
depends_on = [
azuread_service_principal.example,
azurerm_subnet_network_security_group_association.deploy,
]
}
```

## Argument Reference

The following arguments are supported:

* `domain_configuration_type` - (Optional) The forest type to use when creating the managed domain. Set to `ResourceTrusting` to create a _Resource Forest_, omit this property to create a _User Forest_. Changing this forces a new resource to be created.

* `domain_name` - (Required) The Active Directory domain to use. See [official documentation](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain) for constraints and recommendations.

* `filtered_sync_enabled` - (Optional) Whether to enable filtered sync for users and groups in Azure Active Directory. Defaults to `false`.

* `ldaps` - (Optional) An `ldaps` block as defined below.

* `location` - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.

* `name` - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.

* `notifications` - (Optional) A `notifications` block as defined below.

* `replica_set` - (Required) One or more `replica_set` blocks as defined below. A managed domain must have at least one replica set, and the first must have the same location as the Active Directory Domain Service resource.

* `resource_forest` - (Optional) A `resource_forest` block as defined below.

* `resource_group_name` - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.

* `security` - (Optional) A `security` block as defined below.

* `sku` - (Required) The SKU to use when provisioning the Domain Service resource. One of `Standard`, `Enterprise` or `Premium`.

* `tags` - (Optional) A mapping of tags assigned to the resource.

---

An `ldaps` block supports the following:

* `enabled` - (Required) Whether to enable secure LDAP for the managed domain. Defaults to `false`.

* `external_access_enabled` - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to `false`.

* `pfx_certificate` - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).

* `pfx_certificate_password` - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).

---

A `notifications` block supports the following:

* `additional_recipients` - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.

* `notify_dc_admins` - (Optional) Whether to notify members of the _AAD DC Administrators_ group when there are alerts in the managed domain.

* `notify_global_admins` - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.

---

A `replica_set` block supports the following:

* `location` - (Required) The Azure location in which to place the replica set.

* `subnet_id` - (Required) The ID of the subnet in which to place the replica set.

---

A `resource_forest` block supports the following:

* `resource_forest` - (Required) TODO figure out what goes in this property and maybe rename it to something more sensical.

* `forest_trust` - (Required) One or more `forest_trust` blocks as defined below.

---

A `forest_trust` block supports the following:

* `name` - (Required) A display name to identity the forest trust.

* `remote_dns_ips` - (Required) A list of at least two DNS server IP addresses for the trusted forest root domain.

* `trust_direction` - (Required) The direction of trust.

* `trust_password` - (Required) The password for authenticating the forest trust.

* `trusted_domain_fqdn` - (Required) The fully-qualified DNS name for the trusted forest.

---

A `security` block supports the following:

* `ntlm_v1_enabled` - (Optional) Whether to enable legacy NTLM v1 support. Defaults to `false`.

* `sync_kerberos_passwords` - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to `false`.

* `sync_ntlm_passwords` - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to `false`.

* `sync_on_prem_passwords` - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to `false`.

* `tls_v1_enabled` - (Optional) Whether to enable legacy TLS v1 support. Defaults to `false`.

## Attributes Reference

In addition to all arguments above, the following attributes are exported:

* `id` - The ID of the Domain Service.

* `deployment_id` - A unique ID for the managed domain deployment.

---

An `ldaps` block exports the following:

* `external_access_ip_address` - The publicly routable IP address for LDAPS clients to connect to.

---

A `replica_set` block exports the following:

* `domain_controller_ip_addresses` - A list of subnet IP addresses for the domain controllers in the replica set, typically two.

* `external_access_ip_address` - The publicly routable IP addresses for domain services.

* `replica_set_id` - A unique ID for the replica set.

* `service_status` - The current service status for the replica set.

## Timeouts

The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions:

* `create` - (Defaults to 2 hours) Used when creating the Domain Service.
* `update` - (Defaults to 2 hours) Used when updating the Domain Service.
* `read` - (Defaults to 5 minutes) Used when retrieving the Domain Service.
* `delete` - (Defaults to 30 minutes) Used when deleting the Domain Service.

## Import

Domain Services can be imported using the resource ID, e.g.

```shell
terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1
```
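Review bot: the `AllowLDAPS` rule in the example NSG (`security_rule { name = "AllowLDAPS" ... source_address_prefix = "*" }`) opens TCP/636 inbound from any source, yet the example never configures an `ldaps` block, so the rule is both dead and the broadest one in the set; either drop it or scope `source_address_prefix` to the client ranges that actually need secure LDAP, and say so in a comment, since readers copy these examples verbatim. A second consistency problem: the Implementation Note says the Domain Services service principal "cannot be easily managed by Terraform" and should be created manually, but the example then creates it with `azuread_service_principal "example"` and wires it into `depends_on`; pick one, and if Terraform owns it, warn that `terraform destroy` removes a tenant-wide principal that other managed domains depend on. In the Argument Reference, `ldaps.enabled` is marked `(Required)` and also "Defaults to `false`", which cannot both hold; `trust_direction` gives no allowed values; `pfx_certificate`, `pfx_certificate_password` and `trust_password` carry key material or secrets and should be documented as sensitive (the TripleDES-SHA1 PKCS#12 requirement is also worth a sentence, since modern PFX exports default to AES and will be rejected); and the `resource_forest` block still has the TODO on its `resource_forest` attribute, which the WIP title covers but should not ship. Smaller fixes: `user_principal_name = "dc-admin@$hashicorp-example.net"` has a stray `$`; the literal `password = "Pa55w0Rd!!1"` would be better as a variable or `random_password` reference so nobody copies it; `address_space = ["10.0.1.0/16"]` is not a network address (use `10.0.0.0/16`); `resource azurerm_subnet_network_security_group_association "deploy"` should quote the type like the other blocks; "A display name to identity the forest trust" should read "identify"; and `replica_set.external_access_ip_address` is described as plural "IP addresses" while the attribute name is singular.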
