# Entra Domain Services

Module to deploy Entra Domain Services (formerly Azure Active Directory Domain Services). This module creates an Entra Domain Services instance, a service principal 'Domain Services' and a group 'AAD DC Administrators' in Entra ID.

## Usage

```hcl
provider "azurerm" {
  features {}

  skip_provider_registration = true
}

resource "azurerm_resource_group" "deploy" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
  name                = "deploy-vnet"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "deploy" {
  name                 = "deploy-subnet"
  resource_group_name  = azurerm_resource_group.deploy.name
  virtual_network_name = azurerm_virtual_network.deploy.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
  name                = "deploy-nsg"
  location            = azurerm_resource_group.deploy.location
  resource_group_name = azurerm_resource_group.deploy.name
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
  subnet_id                 = azurerm_subnet.deploy.id
  network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azurerm_resource_group" "aadds" {
  name     = "aadds-rg"
  location = "westeurope"
}

module "entra_domain_services" {
  source = "../.."

  domain                 = "example.onmicrosoft.com"
  subnet                 = azurerm_subnet.deploy
  notification_settings  = {}
  ldaps_settings         = null
  location               = "West Europe"
  resource_group_id      = azurerm_resource_group.aadds.id
  network_security_group = azurerm_network_security_group.deploy
}
```

More examples can be found in the `examples` folder.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| azapi | >= 1.0.0 |
| azuread | >= 2.48.0 |
| azurerm | >= 3.49.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| domain | The domain name for the Entra Domain Services. The domain must either be the tenant's domain or a custom domain verified in Entra ID. | `string` | n/a | yes |
| ldaps_settings | Configure LDAPS. To disable LDAPS, set the configuration to `null`.<br>externalAccess: A flag to determine whether Secure LDAP access over the internet is enabled or disabled.<br>pfxCertificate: Base64-encoded representation of the certificate required to configure Secure LDAP.<br>pfxCertificatePassword: The password to decrypt the provided Secure LDAP certificate PFX file. | <pre>object({<br>  externalAccess         = optional(bool, false)<br>  pfxCertificate         = string<br>  pfxCertificatePassword = string<br>})</pre> | n/a | yes |
| location | The location of the resources. | `string` | n/a | yes |
| network_security_group | The NSG associated to the provided subnet. The NSG must not contain any rules defined inline in the NSG resource block. | <pre>object({<br>  id                  = string<br>  name                = string<br>  resource_group_name = string<br>  security_rule       = optional(list(object({<br>    name = string<br>  })), [])<br>})</pre> | n/a | yes |
| resource_group_id | Id of the resource group where the resources will be created. | `string` | n/a | yes |
| subnet | The variable takes the subnet as input and uses its id and address prefix for further configuration. | <pre>object({<br>  id               = string<br>  address_prefixes = list(string)<br>})</pre> | n/a | yes |
| domain_configuration_type | The configuration type of this Active Directory Domain. | `string` | `"FullySynced"` | no |
| filtered_sync | Enabled or Disabled flag to turn on group-based filtered sync. | `bool` | `true` | no |
| notification_settings | Choose who should get email alerts for issues affecting this managed domain.<br>additionalRecipients: A list of email addresses of additional recipients.<br>notifyAADDCAdmins: Choose whether members of the Entra ID group AAD DC Administrators should be notified.<br>notifyGlobalAdmins: Choose whether accounts with the Entra ID role 'global admin' should be notified. | <pre>object({<br>  additionalRecipients = optional(list(string), [])<br>  notifyAADDCAdmins    = optional(bool, true)<br>  notifyGlobalAdmins   = optional(bool, true)<br>})</pre> | `{}` | no |
| security_settings | channelBinding: Require all LDAP clients to provide channel binding information when communicating with the directory. Any client that does not provide this information will fail.<br>kerberosArmoring: Enable or disable Kerberos Armoring for your managed domain. This provides a protected channel between the Kerberos client and the KDC.<br>kerberosRc4Encryption: Enable or disable Kerberos RC4 encryption for your managed domain. When Kerberos RC4 encryption is disabled, all Kerberos requests that use RC4 encryption will fail.<br>ldapSigning: Require all LDAP clients to request signing during bind time. Any bind request that does not request signing will fail.<br>ntlmV1: Enable or disable NTLM v1 authentication for your managed domain. When NTLM v1 authentication is disabled, all NTLM v1 authentication requests will fail.<br>syncKerberosPasswords: Enable or disable Kerberos password hash synchronization. When this is disabled, synchronized user accounts will be unable to use Kerberos authentication in the managed domain.<br>syncNtlmPasswords: Enable or disable NTLM password hash synchronization. When this is disabled, synchronized user accounts will be unable to use NTLM authentication in the managed domain.<br>syncOnPremPasswords: Enable or disable password hash synchronization for on-premises accounts. When this is disabled, on-premises user accounts will be unable to authenticate in the managed domain. Cloud-only users will be unaffected.<br>tlsV1: Enable or disable TLS 1 legacy mode for your managed domain. | <pre>object({<br>  channelBinding        = optional(bool, true)<br>  kerberosArmoring      = optional(bool, true)<br>  kerberosRc4Encryption = optional(bool, false)<br>  ldapSigning           = optional(bool, true)<br>  ntlmV1                = optional(bool, false)<br>  syncKerberosPasswords = optional(bool, true)<br>  syncNtlmPasswords     = optional(bool, false)<br>  syncOnPremPasswords   = optional(bool, true)<br>  tlsV1                 = optional(bool, false)<br>})</pre> | `{}` | no |
| sku | The SKU for the Entra Domain Services (Standard/Enterprise/Premium). | `string` | `"Enterprise"` | no |
| sync_scope | Whether all users, including users synced from on-premises, are synced into the managed domain, or only users that originated in the cloud. | `string` | `"CloudOnly"` | no |
| tags | A map of tags that will be set on every resource this module creates. | `map(string)` | `{}` | no |
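
The following module call is an added example, not code from this module's `examples` folder: it enables Secure LDAP for clients inside the VNet only and pins every `security_settings` value explicitly so a future change of the module defaults cannot silently weaken the domain. It assumes the resource group, subnet and NSG from the Usage block above; the PFX path and the `ldaps_pfx_password` variable are placeholders.

```hcl
# Added example: Secure LDAP with a supplied PFX and the hardened security
# settings pinned explicitly (same values as the module defaults, so a later
# default change cannot silently weaken the domain). Assumes the resource
# group, subnet and NSG from the Usage block; the PFX path is a placeholder.
variable "ldaps_pfx_password" {
  description = "PFX password for Secure LDAP; inject via TF_VAR_ldaps_pfx_password."
  type        = string
  sensitive   = true
}

module "entra_domain_services" {
  source = "../.."
  domain                 = "example.onmicrosoft.com"
  location               = "West Europe"
  resource_group_id      = azurerm_resource_group.aadds.id
  subnet                 = azurerm_subnet.deploy
  network_security_group = azurerm_network_security_group.deploy

  # Secure LDAP for clients inside the VNet only; no internet exposure.
  ldaps_settings = {
    externalAccess         = false
    pfxCertificate         = filebase64("${path.module}/ldaps.pfx") # placeholder
    pfxCertificatePassword = var.ldaps_pfx_password
  }

  # Signing and channel binding required; RC4, NTLMv1 and TLS 1.0 disabled;
  # no NTLM hash sync, so synced accounts cannot authenticate with NTLM.
  security_settings = {
    channelBinding        = true
    kerberosArmoring      = true
    kerberosRc4Encryption = false
    ldapSigning           = true
    ntlmV1                = false
    syncKerberosPasswords = true
    syncNtlmPasswords     = false
    syncOnPremPasswords   = true
    tlsV1                 = false
  }

  # Cloud-originated users only; alert the admin group plus a SecOps mailbox.
  sync_scope = "CloudOnly"
  notification_settings = {
    additionalRecipients = ["secops@example.com"]
    notifyAADDCAdmins    = true
    notifyGlobalAdmins   = true
  }

  tags = { environment = "prod" }
}
```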

## Outputs

No outputs.

## Resource types

| Type | Used |
|------|------|
| [azapi_resource](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) | 1 |
| [azuread_app_role_assignment](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | 1 |
| [azuread_group](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | 1 |
| [azuread_service_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | 1 |
| [azurerm_network_security_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | 11 |

**`Used` only includes resource blocks.** `for_each` and `count` meta arguments, as well as resource blocks of modules, are not considered.

## Modules

No modules.

## Resources by Files

### main.tf

| Name | Type |
|------|------|
| [azapi_resource.eds](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) | resource |
| [azuread_app_role_assignment.eds](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
| [azuread_group.aaddc_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
| [azuread_service_principal.eds](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
| [azurerm_network_security_rule.AllowPSRemoting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.AllowRD](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.AzureActiveDirectoryDomainServices](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.AzureFrontDoorFirstParty](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.AzureMonitor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.AzureUpdateDelivery](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.GuestAndHybridManagement](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.MicrosoftEntraID](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.Storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.allow_subnet_to_subnet_outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
| [azurerm_network_security_rule.deny_all_outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |

## Contribute

Please use pull requests to contribute.

When a new feature or fix is ready to be released, create a new GitHub release and adhere to Semantic Versioning 2.0.0.
