AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates a managed Microsoft AD Directory Service into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0021) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - PrivateSubnet1CIDR - PrivateSubnet1ID - PrivateSubnet2CIDR - PrivateSubnet2ID - PublicSubnet1CIDR - PublicSubnet2CIDR - Label: default: Microsoft Active Directory Configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - ADEdition - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3KeyPrefix ParameterLabels: DomainAdminPassword: default: Domain Admin Password DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS Name ADEdition: default: AWS Microsoft AD edition PrivateSubnet1CIDR: default: Private Subnet 1 CIDR PrivateSubnet1ID: default: Private Subnet 1 ID PrivateSubnet2CIDR: default: Private Subnet 2 CIDR PrivateSubnet2ID: default: Private Subnet 2 ID PublicSubnet1CIDR: default: Public Subnet 1 CIDR PublicSubnet2CIDR: default: Public Subnet 2 CIDR QSS3BucketName: default: Quick Start S3 Bucket Name QSS3KeyPrefix: default: Quick Start S3 Key Prefix VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: DomainAdminPassword: Description: Password for the domain admin user. Must be at least 8 characters containing letters, numbers and symbols Type: String MinLength: '8' MaxLength: '32' AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* NoEcho: 'true' DomainDNSName: Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com Type: String Default: example.com MinLength: '2' MaxLength: '255' AllowedPattern: '[a-zA-Z0-9\-]+\..+' DomainNetBIOSName: Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE Type: String Default: example MinLength: '1' MaxLength: '15' AllowedPattern: '[a-zA-Z0-9\-]+' ADEdition: AllowedValues: - Standard - Enterprise Default: Enterprise Description: The AWS Microsoft AD edition. Valid values include Standard and Enterprise. Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet1ID: Description: ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PrivateSubnet2ID: Description: ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: CIDR Block for the public DMZ subnet 1 located in Availability Zone 1 Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: CIDR Block for the public DMZ subnet 2 located in Availability Zone 2 Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-microsoft-activedirectory/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Rules: SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must in the VPC Resources: DHCPOptions: Type: AWS::EC2::DHCPOptions DependsOn: MicrosoftAD Properties: DomainName: !Ref 'DomainDNSName' DomainNameServers: !GetAtt 'MicrosoftAD.DnsIpAddresses' Tags: - Key: Domain Value: !Ref 'DomainDNSName' VPCDHCPOptionsAssociation: Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref 'VPCID' DhcpOptionsId: !Ref 'DHCPOptions' ADAdminSecrets: Type: AWS::SecretsManager::Secret Properties: Name: !Sub 'ADAdminSecret-${AWS::StackName}' Description: Admin User Seccrets for Manged AD Quick Start SecretString: !Sub '{"username":"Admin","password":"${DomainAdminPassword}"}' MicrosoftAD: Type: AWS::DirectoryService::MicrosoftAD Properties: Name: !Ref 'DomainDNSName' Edition: !Ref 'ADEdition' ShortName: !Ref 'DomainNetBIOSName' Password: !Ref 'DomainAdminPassword' VpcSettings: SubnetIds: - !Ref 'PrivateSubnet1ID' - !Ref 'PrivateSubnet2ID' VpcId: !Ref 'VPCID' DomainMemberSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Domain Members VpcId: !Ref 'VPCID' SecurityGroupIngress: - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PublicSubnet1CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PublicSubnet2CIDR' Outputs: ADServer1PrivateIP: Value: !Select - '0' - !GetAtt 'MicrosoftAD.DnsIpAddresses' Description: AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses) ADServer2PrivateIP: Value: !Select - '1' - !GetAtt 'MicrosoftAD.DnsIpAddresses' Description: AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses) DirectoryID: Value: !Ref 'MicrosoftAD' Description: Directory Services ID DomainAdmin: Value: !Join - '' - - !Ref 'DomainNetBIOSName' - \admin Description: Domain administrator account DomainMemberSGID: Value: !Ref 'DomainMemberSG' Description: Domain Member Security Group ID ADSecretsArn: Value: !Ref 'ADAdminSecrets' Description: Managed AD Admin Secrets