
azurermActiveDirectoryDomainService

Manages an Active Directory Domain Service.

~> Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See official documentation for details.

-> Supported Modes: At present this resource only supports User Forest mode and not Resource Forest mode. Read more about the different operation modes for this service.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm, azuread.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
// Members of this group receive domain administration rights in the managed domain.
const azureadGroupDcAdmins = new azuread.group.Group(this, "dc_admins", {
  displayName: "AAD DC Administrators",
  securityEnabled: true,
});
// Service principal for the Domain Services published application (see the implementation note above).
const azureadServicePrincipalExample =
  new azuread.servicePrincipal.ServicePrincipal(this, "example", {
    applicationId: "2565bd9d-da50-47d4-8b85-4c97f669dc36",
  });
const azureadUserAdmin = new azuread.user.User(this, "admin", {
  displayName: "DC Administrator",
  // Example placeholder; in a real deployment pass the password in from a secret, not a literal.
  password: "Pa55w0Rd!!1",
  userPrincipalName: "dc-admin@hashicorp-example.com",
});
const azurermResourceGroupAadds = new azurerm.resourceGroup.ResourceGroup(
  this,
  "aadds",
  {
    location: "westeurope",
    name: "aadds-rg",
  }
);
const azurermResourceGroupDeploy = new azurerm.resourceGroup.ResourceGroup(
  this,
  "deploy",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkDeploy = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "deploy_6",
  {
    addressSpace: ["10.0.1.0/16"],
    location: azurermResourceGroupDeploy.location,
    name: "deploy-vnet",
    resourceGroupName: azurermResourceGroupDeploy.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkDeploy.overrideLogicalId("deploy");
const azureadGroupMemberAdmin = new azuread.groupMember.GroupMember(
  this,
  "admin_7",
  {
    groupObjectId: azureadGroupDcAdmins.objectId,
    memberObjectId: azureadUserAdmin.objectId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azureadGroupMemberAdmin.overrideLogicalId("admin");
// NSG for the managed domain subnet: the first three rules are the ones the service requires;
// the LDAPS rule is only needed when secure LDAP is enabled, and its source should be scoped.
const azurermNetworkSecurityGroupDeploy =
  new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "deploy_8", {
    location: azurermResourceGroupDeploy.location,
    name: "deploy-nsg",
    resourceGroupName: azurermResourceGroupDeploy.name,
    securityRule: [
      {
        access: "Allow",
        destinationAddressPrefix: "*",
        destinationPortRange: "443",
        direction: "Inbound",
        name: "AllowSyncWithAzureAD",
        priority: 101,
        protocol: "Tcp",
        sourceAddressPrefix: "AzureActiveDirectoryDomainServices",
        sourcePortRange: "*",
      },
      {
        access: "Allow",
        destinationAddressPrefix: "*",
        destinationPortRange: "3389",
        direction: "Inbound",
        name: "AllowRD",
        priority: 201,
        protocol: "Tcp",
        sourceAddressPrefix: "CorpNetSaw",
        sourcePortRange: "*",
      },
      {
        access: "Allow",
        destinationAddressPrefix: "*",
        destinationPortRange: "5986",
        direction: "Inbound",
        name: "AllowPSRemoting",
        priority: 301,
        protocol: "Tcp",
        sourceAddressPrefix: "AzureActiveDirectoryDomainServices",
        sourcePortRange: "*",
      },
      {
        access: "Allow",
        destinationAddressPrefix: "*",
        destinationPortRange: "636",
        direction: "Inbound",
        name: "AllowLDAPS",
        priority: 401,
        protocol: "Tcp",
        sourceAddressPrefix: "*",
        sourcePortRange: "*",
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkSecurityGroupDeploy.overrideLogicalId("deploy");
const azurermSubnetDeploy = new azurerm.subnet.Subnet(this, "deploy_9", {
  addressPrefixes: ["10.0.1.0/24"],
  name: "deploy-subnet",
  resourceGroupName: azurermResourceGroupDeploy.name,
  virtualNetworkName: azurermVirtualNetworkDeploy.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetDeploy.overrideLogicalId("deploy");
const azurermSubnetNetworkSecurityGroupAssociationDeploy =
  new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
    this,
    "deploy_10",
    {
      networkSecurityGroupId: azurermNetworkSecurityGroupDeploy.id,
      subnetId: azurermSubnetDeploy.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationDeploy.overrideLogicalId("deploy");
const azurermActiveDirectoryDomainServiceExample =
  new azurerm.activeDirectoryDomainService.ActiveDirectoryDomainService(
    this,
    "example_11",
    {
      // The service principal and the NSG association must exist before the domain is created.
      dependsOn: [
        azureadServicePrincipalExample,
        azurermSubnetNetworkSecurityGroupAssociationDeploy,
      ],
      domainName: "widgetslogin.net",
      filteredSyncEnabled: false,
      initialReplicaSet: {
        subnetId: azurermSubnetDeploy.id,
      },
      location: azurermResourceGroupAadds.location,
      name: "example-aadds",
      notifications: {
        additionalRecipients: ["notifyA@example.net", "notifyB@example.org"],
        notifyDcAdmins: true,
        notifyGlobalAdmins: true,
      },
      resourceGroupName: azurermResourceGroupAadds.name,
      security: {
        syncKerberosPasswords: true,
        syncNtlmPasswords: true,
        syncOnPremPasswords: true,
      },
      sku: "Enterprise",
      tags: {
        Environment: "prod",
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermActiveDirectoryDomainServiceExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • domainName - (Required) The Active Directory domain to use. See official documentation for constraints and recommendations. Changing this forces a new resource to be created.

  • domainConfigurationType - (Optional) The configuration type of this Active Directory Domain. Possible values are fullySynced and resourceTrusting. Changing this forces a new resource to be created.

  • filteredSyncEnabled - (Optional) Whether to enable group-based filtered sync (also called scoped synchronisation). Defaults to false.

  • secureLdap - (Optional) A secureLdap block as defined below.

  • location - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.

  • name - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.

  • notifications - (Optional) A notifications block as defined below.

  • initialReplicaSet - (Required) An initialReplicaSet block as defined below. The initial replica set inherits the same location as the Domain Service resource.

  • resourceGroupName - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.

  • security - (Optional) A security block as defined below.

  • sku - (Required) The SKU to use when provisioning the Domain Service resource. One of standard, enterprise or premium.

  • tags - (Optional) A mapping of tags assigned to the resource.


A secureLdap block supports the following:

  • enabled - (Required) Whether to enable secure LDAP for the managed domain. For more information, please see official documentation on enabling LDAPS, paying particular attention to the section on network security to avoid unnecessarily exposing your service to Internet-borne bruteforce attacks.

  • externalAccessEnabled - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to false.

  • pfxCertificate - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).

  • pfxCertificatePassword - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).


A notifications block supports the following:

  • additionalRecipients - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.

  • notifyDcAdmins - (Optional) Whether to notify members of the AAD DC Administrators group when there are alerts in the managed domain.

  • notifyGlobalAdmins - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.


An initialReplicaSet block supports the following:

  • subnetId - (Required) The ID of the subnet in which to place the initial replica set. Changing this forces a new resource to be created.

A security block supports the following:

  • kerberosArmoringEnabled - (Optional) Whether to enable Kerberos Armoring. Defaults to false.

  • kerberosRc4EncryptionEnabled - (Optional) Whether to enable Kerberos RC4 Encryption. Defaults to false.

  • ntlmV1Enabled - (Optional) Whether to enable legacy NTLM v1 support. Defaults to false.

  • syncKerberosPasswords - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to false.

  • syncNtlmPasswords - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to false.

  • syncOnPremPasswords - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to false.

  • tlsV1Enabled - (Optional) Whether to enable legacy TLS v1 support. Defaults to false.
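
The secureLdap and security blocks above are where this resource's legacy-protocol and exposure choices live, and the secureLdap.enabled note points at the NSG in front of the subnet as the place where LDAPS gets over-exposed. As an added example (not part of the provider documentation or of the azurerm provider's own code), the TypeScript below is a pre-apply policy check of the kind one would run in a CI gate: it flags legacy protocols switched on, Kerberos armoring left off, and an inbound Allow on 636 from any source while secure LDAP is enabled. It works on plain objects rather than CDKTF constructs so it runs without the generated bindings; the Finding shape, the helper names (checkSecurityBlock, checkLdapsExposure, coversPort, auditExample) and the sample values (the rule set echoing Example Usage, a secureLdap block the page example does not set, the 203.0.113.0/24 client prefix) are this example's own constructions.

```typescript
// Added example: pre-apply policy check over the security-relevant settings of an
// azurerm_active_directory_domain_service configuration and the NSG rules on its subnet.
// Plain objects stand in for CDKTF constructs; all names and sample values below are
// this example's own, not the provider's.

interface SecurityBlock {
  kerberosArmoringEnabled?: boolean;
  kerberosRc4EncryptionEnabled?: boolean;
  ntlmV1Enabled?: boolean;
  syncKerberosPasswords?: boolean;
  syncNtlmPasswords?: boolean;
  syncOnPremPasswords?: boolean;
  tlsV1Enabled?: boolean;
}

interface SecureLdapBlock {
  enabled: boolean;
  externalAccessEnabled?: boolean;
}

// Subset of an NSG security_rule that matters for the exposure check.
interface NsgRule {
  name: string;
  access: "Allow" | "Deny";
  direction: "Inbound" | "Outbound";
  destinationPortRange: string; // "636", "*" or "lo-hi"
  sourceAddressPrefix: string; // CIDR, service tag, or "*"
}

interface Finding {
  severity: "high" | "medium";
  message: string;
}

const LDAPS_PORT = 636;
const ANY_SOURCE = new Set(["*", "Internet"]);

// The legacy switches all default to false on this resource: flag any turned on,
// and flag Kerberos armoring (FAST) left off. The sync* flags are not findings.
function checkSecurityBlock(sec: SecurityBlock = {}): Finding[] {
  const findings: Finding[] = [];
  if (sec.ntlmV1Enabled) {
    findings.push({ severity: "high", message: "security.ntlmV1Enabled is true: NTLMv1 accepted" });
  }
  if (sec.kerberosRc4EncryptionEnabled) {
    findings.push({ severity: "high", message: "security.kerberosRc4EncryptionEnabled is true: RC4 Kerberos accepted" });
  }
  if (sec.tlsV1Enabled) {
    findings.push({ severity: "high", message: "security.tlsV1Enabled is true: TLS 1.0 accepted" });
  }
  if (!sec.kerberosArmoringEnabled) {
    findings.push({ severity: "medium", message: "security.kerberosArmoringEnabled is not true: Kerberos armoring off" });
  }
  return findings;
}

// Does a destination_port_range string ("636", "*", "600-700") include the port?
function coversPort(range: string, port: number): boolean {
  if (range === "*") return true;
  const parts = range.split("-").map(Number);
  return parts.length === 1 ? parts[0] === port : parts[0] <= port && port <= parts[1];
}

// Secure LDAP plus an inbound Allow on 636 from any source is the exposure the
// secureLdap.enabled note warns about; external access on top of that is the worst case.
function checkLdapsExposure(ldap: SecureLdapBlock | undefined, rules: NsgRule[]): Finding[] {
  if (!ldap || !ldap.enabled) return [];
  const open = rules.filter(
    (r) =>
      r.access === "Allow" &&
      r.direction === "Inbound" &&
      coversPort(r.destinationPortRange, LDAPS_PORT) &&
      ANY_SOURCE.has(r.sourceAddressPrefix)
  );
  if (open.length === 0) return [];
  const names = open.map((r) => r.name).join(", ");
  return [
    ldap.externalAccessEnabled
      ? { severity: "high", message: `LDAPS external access on and rule(s) ${names} allow 636 from any source` }
      : { severity: "medium", message: `rule(s) ${names} allow 636 from any source; scope sourceAddressPrefix to known clients` },
  ];
}

// Constructed sample mirroring Example Usage (AllowLDAPS from "*") and a hardened variant
// whose source is limited to a constructed client range (203.0.113.0/24, TEST-NET-3).
const exampleRules: NsgRule[] = [
  { name: "AllowSyncWithAzureAD", access: "Allow", direction: "Inbound", destinationPortRange: "443", sourceAddressPrefix: "AzureActiveDirectoryDomainServices" },
  { name: "AllowLDAPS", access: "Allow", direction: "Inbound", destinationPortRange: "636", sourceAddressPrefix: "*" },
];
const scopedRules: NsgRule[] = [
  { ...exampleRules[0] },
  { ...exampleRules[1], sourceAddressPrefix: "203.0.113.0/24" },
];

// Audit a configuration shaped like Example Usage, with a constructed secureLdap block added.
function auditExample(): Finding[] {
  return [
    ...checkSecurityBlock({ syncKerberosPasswords: true, syncNtlmPasswords: true, syncOnPremPasswords: true }),
    ...checkLdapsExposure({ enabled: true, externalAccessEnabled: true }, exampleRules),
  ];
}

for (const f of auditExample()) console.log(`[${f.severity}] ${f.message}`);
```

Run against the Example Usage shape the check reports one medium finding (armoring not enabled) and, once a secureLdap block with external access is added, one high finding naming AllowLDAPS; swapping in the scoped rule set clears the LDAPS finding, which is the change the secureLdap.enabled note asks for.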

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the Domain Service.

  • deploymentId - A unique ID for the managed domain deployment.

  • resourceId - The Azure resource ID for the domain service.


A secureLdap block exports the following:

  • certificateExpiry - The expiry time of the certificate.

  • certificateThumbprint - The thumbprint of the certificate.

  • publicCertificate - The public certificate.


An initialReplicaSet block exports the following:

  • domainControllerIpAddresses - A list of subnet IP addresses for the domain controllers in the initial replica set, typically two.

  • externalAccessIpAddress - The publicly routable IP address for the domain controllers in the initial replica set.

  • location - The Azure location in which the initial replica set resides.

  • id - A unique ID for the replica set.

  • serviceStatus - The current service status for the initial replica set.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 3 hours) Used when creating the Domain Service.
  • update - (Defaults to 2 hours) Used when updating the Domain Service.
  • read - (Defaults to 5 minutes) Used when retrieving the Domain Service.
  • delete - (Defaults to 60 minutes) Used when deleting the Domain Service.

Import

Domain Services can be imported using the resource ID, together with the Replica Set ID that you wish to designate as the initial replica set, e.g.

terraform import azurerm_active_directory_domain_service.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1/initialReplicaSetId/00000000-0000-0000-0000-000000000000