
azurermActiveDirectoryDomainServiceReplicaSet

Manages a Replica Set for an Active Directory Domain Service.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm, azuread.
For a more precise conversion please use the --provider flag in convert.*/
/* Provider configuration. The empty `features` entry keeps provider defaults.
   Nothing here sets credentials, so authentication presumably comes from the
   environment (CLI login, service principal or managed identity) -- confirm
   for the pipeline that applies this. */
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
/* Azure AD identities used by the managed domain: a security group intended
   as the domain's administrators group (the display name suggests this --
   confirm it matches the group Azure AD DS actually honours), a service
   principal for a fixed application id, and an administrator user that is
   added to the group further down. */
const azureadGroupDcAdmins = new azuread.group.Group(this, "dc_admins", {
  display_name: "aad-dc-administrators",
  security_enabled: true,
});
// NOTE(review): hard-coded application_id; presumably the well-known Domain
// Services application -- verify against the azurerm_active_directory_domain_service
// documentation rather than trusting the literal.
const azureadServicePrincipalExample =
  new azuread.servicePrincipal.ServicePrincipal(this, "example", {
    application_id: "2565bd9d-da50-47d4-8b85-4c97f669dc36",
  });
// SECURITY: the password below is a hard-coded credential for a domain
// administrator. In anything but a throwaway example it lands in version
// control, plan output and (typically) Terraform state. Supply it from a
// variable marked sensitive or a secret store, and rotate it after the first
// sign-in. The literal is kept here only because this is the published example.
const azureadUserAdmin = new azuread.user.User(this, "admin", {
  display_name: "DC Administrator",
  password: "Pa55w0Rd!!1",
  user_principal_name: "dc-admin@hashicorp-example.net",
});
/* Three resource groups: one for the domain service resource itself and one
   per network location. NOTE(review): "westeurope" and "West Europe" are two
   spellings of what is presumably the same region; use one form consistently
   so the groups are obviously co-located and the plan is easy to read. */
const azurermResourceGroupAadds = new azurerm.resourceGroup.ResourceGroup(
  this,
  "aadds",
  {
    location: "westeurope",
    name: "aadds-rg",
  }
);
const azurermResourceGroupPrimary = new azurerm.resourceGroup.ResourceGroup(
  this,
  "primary",
  {
    location: "West Europe",
    name: "aadds-primary-rg",
  }
);
// Second location; this is where the replica set is placed.
const azurermResourceGroupReplica = new azurerm.resourceGroup.ResourceGroup(
  this,
  "replica",
  {
    location: "North Europe",
    name: "aadds-replica-rg",
  }
);
/* One VNet per location. The two address spaces must not overlap because the
   networks are peered further down. */
const azurermVirtualNetworkPrimary = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "primary_7",
  {
    // NOTE(review): "10.0.1.0/16" has host bits set; the canonical prefix is
    // 10.0.0.0/16. Verify whether Azure normalises or rejects it -- if it
    // normalises, the canonical form avoids a perpetual plan diff.
    address_space: ["10.0.1.0/16"],
    location: azurermResourceGroupPrimary.location,
    name: "aadds-primary-vnet",
    resource_group_name: azurermResourceGroupPrimary.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkPrimary.overrideLogicalId("primary");
const azurermVirtualNetworkReplica = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "replica_8",
  {
    address_space: ["10.20.0.0/16"],
    location: azurermResourceGroupReplica.location,
    name: "aadds-replica-vnet",
    resource_group_name: azurermResourceGroupReplica.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkReplica.overrideLogicalId("replica");
/* VNet peering in both directions so the two locations can reach each other;
   the replica set further down lists both peerings in its depends_on. Gateway
   transit is disabled on both sides. allow_forwarded_traffic is enabled on
   both sides -- if nothing in either VNet forwards traffic on behalf of other
   networks, consider turning it off to keep the peering minimal. */
const azurermVirtualNetworkPeeringPrimaryReplica =
  new azurerm.virtualNetworkPeering.VirtualNetworkPeering(
    this,
    "primary_replica",
    {
      allow_forwarded_traffic: true,
      allow_gateway_transit: false,
      allow_virtual_network_access: true,
      name: "aadds-primary-replica",
      remote_virtual_network_id: azurermVirtualNetworkReplica.id,
      resource_group_name: azurermVirtualNetworkPrimary.resourceGroupName,
      use_remote_gateways: false,
      virtual_network_name: azurermVirtualNetworkPrimary.name,
    }
  );
// Reverse direction of the same peering.
const azurermVirtualNetworkPeeringReplicaPrimary =
  new azurerm.virtualNetworkPeering.VirtualNetworkPeering(
    this,
    "replica_primary",
    {
      allow_forwarded_traffic: true,
      allow_gateway_transit: false,
      allow_virtual_network_access: true,
      name: "aadds-replica-primary",
      remote_virtual_network_id: azurermVirtualNetworkPrimary.id,
      resource_group_name: azurermVirtualNetworkReplica.resourceGroupName,
      use_remote_gateways: false,
      virtual_network_name: azurermVirtualNetworkReplica.name,
    }
  );
/* Adds the administrator user to the DC admins group. If that group is the
   one Azure AD DS treats as the domain's administrators (its display name
   suggests so -- confirm), membership is a privileged grant: keep the group
   small and review it like any other admin group. */
const azureadGroupMemberAdmin = new azuread.groupMember.GroupMember(
  this,
  "admin_11",
  {
    group_object_id: azureadGroupDcAdmins.objectId,
    member_object_id: azureadUserAdmin.objectId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azureadGroupMemberAdmin.overrideLogicalId("admin");
/* NSG for the replica-set subnet. The first three rules admit only traffic
   from Azure service tags: Azure AD sync on 443 and PowerShell remoting on
   5986 from AzureActiveDirectoryDomainServices, and RDP on 3389 from
   CorpNetSaw (presumably Microsoft's management workstations -- confirm
   against current Microsoft guidance before changing or removing it). */
const azurermNetworkSecurityGroupAaddsReplica =
  new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "aadds_replica", {
    location: azurermResourceGroupReplica.location,
    name: "aadds-replica-nsg",
    resource_group_name: azurermResourceGroupReplica.name,
    security_rule: [
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "443",
        direction: "Inbound",
        name: "AllowSyncWithAzureAD",
        priority: 101,
        protocol: "Tcp",
        source_address_prefix: "AzureActiveDirectoryDomainServices",
        source_port_range: "*",
      },
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "3389",
        direction: "Inbound",
        name: "AllowRD",
        priority: 201,
        protocol: "Tcp",
        source_address_prefix: "CorpNetSaw",
        source_port_range: "*",
      },
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "5986",
        direction: "Inbound",
        name: "AllowPSRemoting",
        priority: 301,
        protocol: "Tcp",
        source_address_prefix: "AzureActiveDirectoryDomainServices",
        source_port_range: "*",
      },
      // SECURITY: LDAPS (636) is allowed from ANY source. The domain service
      // in this example configures no secure LDAP, so the rule is dormant, but
      // once secure LDAP with external access is enabled this exposes the
      // domain controllers to the internet. Replace "*" with the client CIDRs
      // that actually need LDAPS, or drop the rule until it is needed.
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "636",
        direction: "Inbound",
        name: "AllowLDAPS",
        priority: 401,
        protocol: "Tcp",
        source_address_prefix: "*",
        source_port_range: "*",
      },
    ],
  });
/* NSG for the primary subnet; same rule set as the replica NSG. The first
   three rules admit only traffic from Azure service tags: Azure AD sync on
   443 and PowerShell remoting on 5986 from AzureActiveDirectoryDomainServices,
   and RDP on 3389 from CorpNetSaw (presumably Microsoft's management
   workstations -- confirm against current Microsoft guidance before changing
   or removing it). */
const azurermNetworkSecurityGroupPrimary =
  new azurerm.networkSecurityGroup.NetworkSecurityGroup(this, "primary_13", {
    location: azurermResourceGroupPrimary.location,
    name: "aadds-primary-nsg",
    resource_group_name: azurermResourceGroupPrimary.name,
    security_rule: [
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "443",
        direction: "Inbound",
        name: "AllowSyncWithAzureAD",
        priority: 101,
        protocol: "Tcp",
        source_address_prefix: "AzureActiveDirectoryDomainServices",
        source_port_range: "*",
      },
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "3389",
        direction: "Inbound",
        name: "AllowRD",
        priority: 201,
        protocol: "Tcp",
        source_address_prefix: "CorpNetSaw",
        source_port_range: "*",
      },
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "5986",
        direction: "Inbound",
        name: "AllowPSRemoting",
        priority: 301,
        protocol: "Tcp",
        source_address_prefix: "AzureActiveDirectoryDomainServices",
        source_port_range: "*",
      },
      // SECURITY: LDAPS (636) is allowed from ANY source. The domain service
      // in this example configures no secure LDAP, so the rule is dormant, but
      // once secure LDAP with external access is enabled this exposes the
      // domain controllers to the internet. Replace "*" with the client CIDRs
      // that actually need LDAPS, or drop the rule until it is needed.
      {
        access: "Allow",
        destination_address_prefix: "*",
        destination_port_range: "636",
        direction: "Inbound",
        name: "AllowLDAPS",
        priority: 401,
        protocol: "Tcp",
        source_address_prefix: "*",
        source_port_range: "*",
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermNetworkSecurityGroupPrimary.overrideLogicalId("primary");
/* Dedicated /24 subnets for the domain controllers, one per VNet, each with
   its NSG attached. The association resources are what the domain service and
   replica set below wait on in depends_on, so the DCs are only deployed once
   the NSG is actually bound to the subnet. */
const azurermSubnetAaddsReplica = new azurerm.subnet.Subnet(
  this,
  "aadds_replica_14",
  {
    address_prefixes: ["10.20.0.0/24"],
    name: "aadds-replica-subnet",
    resource_group_name: azurermResourceGroupReplica.name,
    virtual_network_name: azurermVirtualNetworkReplica.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetAaddsReplica.overrideLogicalId("aadds_replica");
const azurermSubnetPrimary = new azurerm.subnet.Subnet(this, "primary_15", {
  address_prefixes: ["10.0.1.0/24"],
  name: "aadds-primary-subnet",
  resource_group_name: azurermResourceGroupPrimary.name,
  virtual_network_name: azurermVirtualNetworkPrimary.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetPrimary.overrideLogicalId("primary");
// Bind the primary NSG to the primary subnet.
const azurermSubnetNetworkSecurityGroupAssociationPrimary =
  new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
    this,
    "primary_16",
    {
      network_security_group_id: azurermNetworkSecurityGroupPrimary.id,
      subnet_id: azurermSubnetPrimary.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationPrimary.overrideLogicalId(
  "primary"
);
// Bind the replica NSG to the replica subnet.
const azurermSubnetNetworkSecurityGroupAssociationReplica =
  new azurerm.subnetNetworkSecurityGroupAssociation.SubnetNetworkSecurityGroupAssociation(
    this,
    "replica_17",
    {
      network_security_group_id: azurermNetworkSecurityGroupAaddsReplica.id,
      subnet_id: azurermSubnetAaddsReplica.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetNetworkSecurityGroupAssociationReplica.overrideLogicalId(
  "replica"
);
/* The managed domain. initial_replica_set places the first domain controllers
   in the primary subnet; the replica set resource further down adds a second
   location. depends_on waits for the Domain Services service principal and
   for the primary subnet's NSG association, so the DCs never land in a subnet
   without its NSG. No secure LDAP block is configured here. */
const azurermActiveDirectoryDomainServiceExample =
  new azurerm.activeDirectoryDomainService.ActiveDirectoryDomainService(
    this,
    "example_18",
    {
      depends_on: [
        `\${${azureadServicePrincipalExample.fqn}}`,
        `\${${azurermSubnetNetworkSecurityGroupAssociationPrimary.fqn}}`,
      ],
      domain_name: "widgetslogin.net",
      // Presumably syncs every user and group rather than selected groups only.
      filtered_sync_enabled: false,
      initial_replica_set: [
        {
          location: azurermVirtualNetworkPrimary.location,
          subnet_id: azurermSubnetPrimary.id,
        },
      ],
      location: azurermResourceGroupAadds.location,
      name: "example-aadds",
      // Health/alert notifications go to the admin groups plus two extra mailboxes.
      notifications: [
        {
          additional_recipients: ["notifyA@example.net", "notifyB@example.org"],
          notify_dc_admins: true,
          notify_global_admins: true,
        },
      ],
      resource_group_name: azurermResourceGroupAadds.name,
      // SECURITY: these flags control which password hashes are synchronised
      // into the managed domain. NTLM hash sync is only needed by clients that
      // still authenticate with NTLM -- set sync_ntlm_passwords to false if
      // none do. The security block reportedly offers further hardening
      // options (legacy protocol toggles); check the provider documentation
      // for azurerm_active_directory_domain_service and disable what you do
      // not need.
      security: [
        {
          sync_kerberos_passwords: true,
          sync_ntlm_passwords: true,
          sync_on_prem_passwords: true,
        },
      ],
      // NOTE(review): replica sets presumably require a SKU above Standard --
      // confirm against the current Azure AD DS SKU table before changing this.
      sku: "Enterprise",
      tags: {
        Environment: "prod",
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermActiveDirectoryDomainServiceExample.overrideLogicalId("example");
/* The second replica set, placed in the replica resource group's location and
   subnet. It is created only after the replica subnet has its NSG bound and
   after both peering directions exist -- presumably because the new DCs must
   reach the primary set across the peering to join the domain. All three
   arguments force replacement if changed. */
const azurermActiveDirectoryDomainServiceReplicaSetReplica =
  new azurerm.activeDirectoryDomainServiceReplicaSet.ActiveDirectoryDomainServiceReplicaSet(
    this,
    "replica_19",
    {
      depends_on: [
        `\${${azurermSubnetNetworkSecurityGroupAssociationReplica.fqn}}`,
        `\${${azurermVirtualNetworkPeeringPrimaryReplica.fqn}}`,
        `\${${azurermVirtualNetworkPeeringReplicaPrimary.fqn}}`,
      ],
      domain_service_id: azurermActiveDirectoryDomainServiceExample.id,
      location: azurermResourceGroupReplica.location,
      subnet_id: azurermSubnetAaddsReplica.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermActiveDirectoryDomainServiceReplicaSetReplica.overrideLogicalId(
  "replica"
);
/* Points the replica VNet's DNS at the managed domain's controllers.
   NOTE(review): this uses the DC addresses of the *initial* (primary) replica
   set, reached over the peering, not the replica set's own
   domainControllerIpAddresses attribute. That keeps the example simple, but a
   replica VNet would normally resolve against its local DCs first (with the
   primary ones as fallback) -- confirm which is intended before reusing. */
const azurermVirtualNetworkDnsServersReplica =
  new azurerm.virtualNetworkDnsServers.VirtualNetworkDnsServers(
    this,
    "replica_20",
    {
      dns_servers: `\${${azurermActiveDirectoryDomainServiceExample.initialReplicaSet}.0.domain_controller_ip_addresses}`,
      virtual_network_id: azurermVirtualNetworkReplica.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkDnsServersReplica.overrideLogicalId("replica");

Argument Reference

The following arguments are supported:

  • domainServiceId - (Required) The ID of the Domain Service for which to create this Replica Set. Changing this forces a new resource to be created.

  • location - (Required) The Azure location where this Replica Set should exist. Changing this forces a new resource to be created.

  • subnetId - (Required) The ID of the subnet in which to place this Replica Set. Changing this forces a new resource to be created.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the Domain Service Replica Set.

  • domainControllerIpAddresses - A list of subnet IP addresses for the domain controllers in this Replica Set, typically two.

  • externalAccessIpAddress - The publicly routable IP address for the domain controllers in this Replica Set. Treat it as an internet-facing address: if secure LDAP with external access is enabled on the parent Domain Service, restrict inbound TCP 636 on the subnet's NSG (the `AllowLDAPS` rule in the example above allows it from `*`) to the client ranges that actually need it.

  • serviceStatus - The current service status for the replica set.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 3 hours) Used when creating the Domain Service Replica Set.
  • update - (Defaults to 2 hours) Used when updating the Domain Service Replica Set.
  • read - (Defaults to 5 minutes) Used when retrieving the Domain Service Replica Set.
  • delete - (Defaults to 60 minutes) Used when deleting the Domain Service Replica Set.

Import

Domain Service Replica Sets can be imported using the resource ID of the parent Domain Service and the Replica Set ID, e.g.

terraform import azurerm_active_directory_domain_service_replica_set.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.AAD/domainServices/instance1/replicaSets/00000000-0000-0000-0000-000000000000