schemaVersion: '0.3' description: |- This document will join or unjoin an EC2 Windows instance to an Active Directory domain. assumeRole: '{{AutomationAssumeRole}}' parameters: AutomationAssumeRole: default: '' description: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. type: String InstanceId: description: (Required) The Instance running Windows Server. type: String DomainJoinActivity: allowedValues: - Join - Unjoin - '' default: '' description: '(Required) Select which AD domain activity to perform, join or unjoin.' type: String mainSteps: - name: assertInstanceIsWindows action: 'aws:assertAwsResourceProperty' description: '' inputs: Service: ec2 PropertySelector: '$.Reservations[0].Instances[0].Platform' Api: DescribeInstances DesiredValues: - windows InstanceIds: - '{{InstanceId}}' timeoutSeconds: 10 nextStep: chooseDomainJoinActivity - name: chooseDomainJoinActivity action: aws:branch timeoutSeconds: 60 description: Determine the appropriate AD domain activity, join or unjoin. inputs: Choices: - NextStep: joinDomain StringEquals: Join Variable: '{{DomainJoinActivity}}' - NextStep: unjoinDomain StringEquals: Unjoin Variable: '{{DomainJoinActivity}}' isCritical: 'true' isEnd: false - name: joinDomain action: aws:runCommand description: Execute PowerShell locally on EC2 instance to join the AD domain. inputs: Parameters: commands: |- If ((Get-CimInstance -ClassName 'Win32_ComputerSystem' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'PartOfDomain') -eq $false) { Try { $targetOU = (Get-SSMParameterValue -Name 'defaultTargetOU' -ErrorAction Stop).Parameters[0].Value $domainName = (Get-SSMParameterValue -Name 'domainName' -ErrorAction Stop).Parameters[0].Value $domainJoinUserName = (Get-SSMParameterValue -Name 'domainJoinUserName' -ErrorAction Stop).Parameters[0].Value $domainJoinPassword = (Get-SSMParameterValue -Name 'domainJoinPassword' -WithDecryption:$true -ErrorAction Stop).Parameters[0].Value | ConvertTo-SecureString -AsPlainText -Force } Catch [System.Exception] { Write-Output " Failed to get SSM Parameter(s) $_" } $domainCredential = New-Object System.Management.Automation.PSCredential($domainJoinUserName, $domainJoinPassword) Try { Write-Output "Attempting to join $env:COMPUTERNAME to Active Directory domain: $domainName and moving $env:COMPUTERNAME to the following OU: $targetOU." Add-Computer -ComputerName $env:COMPUTERNAME -DomainName $domainName -Credential $domainCredential -OUPath $targetOU -Restart:$false -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to add computer to the domain $_" Exit 1 } } Else { Write-Output "$env:COMPUTERNAME is already part of the Active Directory domain $domainName." Exit 0 } InstanceIds: - '{{InstanceId}}' DocumentName: AWS-RunPowerShellScript timeoutSeconds: 600 nextStep: joinADEC2Tag isEnd: false onFailure: step:failADEC2Tag - name: joinADEC2Tag action: aws:createTags description: Add the ADJoined EC2 tag to reflect joining to AD domain. inputs: ResourceIds: - '{{InstanceId}}' ResourceType: EC2 Tags: - Value: Join-complete Key: ADJoined isEnd: false nextStep: rebootServer - name: unjoinDomain action: aws:runCommand description: Execute PowerShell locally on EC2 instance to unjoin from the AD domain. inputs: Parameters: commands: |- If ((Get-CimInstance -ClassName 'Win32_ComputerSystem' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'PartOfDomain') -eq $true) { Try { $domainName = (Get-SSMParameterValue -Name 'domainName' -ErrorAction Stop).Parameters[0].Value $domainJoinUserName = (Get-SSMParameterValue -Name 'domainJoinUserName' -ErrorAction Stop).Parameters[0].Value $domainJoinPassword = (Get-SSMParameterValue -Name 'domainJoinPassword' -WithDecryption:$true -ErrorAction Stop).Parameters[0].Value | ConvertTo-SecureString -AsPlainText -Force } Catch [System.Exception] { Write-Output "Failed to get SSM Parameter(s) $_" } $domainCredential = New-Object System.Management.Automation.PSCredential($domainJoinUserName, $domainJoinPassword) If (-not (Get-WindowsFeature -Name 'RSAT-AD-Tools' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'Installed')) { Write-Output 'Installing RSAT AD Tools to allow domain joining' Try { $Null = Add-WindowsFeature -Name 'RSAT-AD-Tools' -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to install RSAT AD Tools $_" Exit 1 } } $getADComputer = (Get-ADComputer -Identity $env:COMPUTERNAME -Credential $domainCredential) $distinguishedName = $getADComputer.DistinguishedName Try { Remove-Computer -ComputerName $env:COMPUTERNAME -UnjoinDomainCredential $domainCredential -Verbose -Force -Restart:$false -ErrorAction Stop Remove-ADComputer -Credential $domainCredential -Identity $distinguishedName -Server $domainName -Confirm:$False -Verbose -ErrorAction Stop } Catch [System.Exception] { Write-Output "Failed to remove $env:COMPUTERNAME from the $domainName domain and in a Windows Workgroup. $_" Exit 1 } } Else { Write-Output "$env:COMPUTERNAME is not part of the Active Directory domain $domainName and already part of a Windows Workgroup." Exit 0 } InstanceIds: - '{{InstanceId}}' DocumentName: AWS-RunPowerShellScript timeoutSeconds: 600 nextStep: unjoinADEC2Tag isEnd: false onFailure: step:failADEC2Tag - name: unjoinADEC2Tag action: aws:createTags description: Update the ADJoined EC2 tag to reflect removal from AD domain. inputs: ResourceIds: - '{{InstanceId}}' ResourceType: EC2 Tags: - Value: Unjoin-complete Key: ADJoined timeoutSeconds: 30 isEnd: false nextStep: stopServer - name: failADEC2Tag action: aws:createTags description: Update the ADJoined EC2 tag to reflect a failure in the AD domain join/unjoin process. inputs: ResourceIds: - '{{InstanceId}}' ResourceType: EC2 Tags: - Value: Failed Key: ADJoined timeoutSeconds: 30 isEnd: false nextStep: stopServer - name: rebootServer action: aws:executeAwsApi inputs: Service: ec2 Api: RebootInstances InstanceIds: - '{{InstanceId}}' isEnd: true - name: stopServer action: 'aws:executeAwsApi' inputs: Service: ec2 Api: StopInstances InstanceIds: - '{{InstanceId}}' isEnd: true