AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates a AWS Managed Microsoft AD Directory into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qup6rad4) Metadata: cfn-lint: config: ignore_checks: - W9006 - E9101 - W9901 QuickStartDocumentation: EntrypointName: Parameters for deploying AWS Managed Microsoft AD into an existing VPC Order: '6' AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - DHCPOptionSet - PrivateSubnet1ID - PrivateSubnet2ID - Label: default: AWS Managed Microsoft Active Directory configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - NonWindowsDomainJoin - ADEdition - AppInsightsApplicationName - SetupAppInsightsMonitoring - Label: default: Microsoft Windows Server management instance Parameters: - MgmtServer - MgmtServerEnableAdvancedAudtingandMetrics - MgmtServerInstanceType - MgmtAmi - MgmtDataDriveSizeGiB - MgmtServerNetBIOSName - KeyPairName - Label: default: Microsoft Active Directory Certificate Services configuration Parameters: - PKI - PKIEnableAdvancedAudtingandMetrics - CaServerInstanceType - CaAmi - CaDataDriveSizeGiB - OrCaServerNetBIOSName - EntCaServerNetBIOSName - CaKeyLength - CaHashAlgorithm - OrCaValidityPeriodUnits - CaValidityPeriodUnits - UseS3ForCRL - S3CRLBucketName - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: ADEdition: default: AWS Managed Microsoft AD Edition AppInsightsApplicationName: default: Application Insights Application name CaAmi: default: CA SSM Parameter Value for latest AMI ID CaDataDriveSizeGiB: default: CA Data Drive Size CaHashAlgorithm: default: CA Hash Algorithm CaKeyLength: default: CA Key Length CaServerInstanceType: default: CA Instance Type CaValidityPeriodUnits: default: Enterprise Root or Subordinate CA Certificate Validity Period in Years DHCPOptionSet: default: Create a DHCP Options set DomainAdminPassword: default: Admin Account Password DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS Name EntCaServerNetBIOSName: default: Enterprise Root or Subordinate CA NetBIOS Name KeyPairName: default: Key Pair Name MgmtAmi: default: Management Server SSM Parameter Value for latest AMI ID MgmtDataDriveSizeGiB: default: Data Drive Size MgmtServer: default: Deploy Management Server MgmtServerEnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics for Management Instance MgmtServerInstanceType: default: Management Server Instance Type MgmtServerNetBIOSName: default: Management Server NetBIOS Name NonWindowsDomainJoin: default: Whether to create an AD user with minimum permissions that can be used by non-Windows instances to join the domain OrCaServerNetBIOSName: default: Offline Root CA NetBIOS Name (Only Used For Two Tier PKI) OrCaValidityPeriodUnits: default: Offline Root CA Certificate Validity Period in Years (Only Used For Two Tier PKI) PKI: default: CA Deployment Type PKIEnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics for PKI Instance(s) PrivateSubnet1ID: default: Subnet 1 ID PrivateSubnet2ID: default: Subnet 2 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix SetupAppInsightsMonitoring: default: Setup Application Insights Monitoring S3CRLBucketName: default: CA CRL S3 Bucket Name UseS3ForCRL: default: Use S3 for CA CRL Location VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: ADEdition: AllowedValues: - Standard - Enterprise Default: Enterprise Description: The AWS Managed Microsoft AD Edition you wish to deploy Type: String AppInsightsApplicationName: Description: Application name to be used with AppInsights monitoring. Type: String Default: '' MaxLength: '300' AllowedPattern: '^[a-zA-Z0-9\-]*$' CaAmi: AllowedPattern: '^[\w\/-]+$' Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base Description: Enterprise Root CA SSM Parameter Value to grab the latest AMI ID Type: String CaDataDriveSizeGiB: Default: '2' Description: Size of the data drive in GiB for the CA instance(s) Type: Number MinValue: '2' MaxValue: '16384' CaHashAlgorithm: AllowedValues: - SHA256 - SHA384 - SHA512 Default: SHA256 Description: CA(s) Hash Algorithm for Signing Certificates Type: String CaKeyLength: AllowedValues: - '2048' - '4096' Default: '2048' Description: CA(s) Cryptographic Provider Key Length Type: String CaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the CA instance(s) Type: String CaValidityPeriodUnits: Default: '5' Description: Validity Period in Years Type: Number MinValue: '1' DHCPOptionSet: AllowedValues: - 'Yes' - 'No' Default: 'Yes' Description: Do you want to create and apply a new DHCP Options Set Type: String DomainAdminPassword: AllowedPattern: '(?=^.{8,32}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*' Description: Password for the Admin user account. Must be at least 8 characters containing letters, numbers and symbols MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainDNSName: AllowedPattern: '^([a-zA-Z0-9]+[\.\-])+([a-zA-Z0-9])+$' Default: example.com Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: '64' MinLength: '2' Type: String DomainNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: example Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: '15' MinLength: '1' Type: String EntCaServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: ENTCA1 Description: NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String KeyPairName: Description: Public/private key pairs allow you to securely connect to your instance after it launches Type: AWS::EC2::KeyPair::KeyName MgmtAmi: AllowedPattern: '^[\w\/-]+$' Default: '/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base' Description: Management Server SSM Parameter Value to grab the latest AMI ID Type: String MgmtDataDriveSizeGiB: Default: '2' Description: Size of the Management Server Data Drive in GiB MinValue: '1' MaxValue: '16384' Type: Number MgmtServer: AllowedValues: - 'true' - 'false' Default: 'false' Description: Do you want to deploy a Management Server Type: String MgmtServerEnableAdvancedAudtingandMetrics: Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows AllowedValues: - 'true' - 'false' Type: String Default: 'false' MgmtServerInstanceType: AllowedValues: - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Management Server Type: String MgmtServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: MGMT1 Description: NetBIOS name of the Management Server server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String NonWindowsDomainJoin: AllowedValues: - 'true' - 'false' Default: 'false' Description: | Do you want to create an AD User with minimal permissions allowing non-Windows instances to join the domain. The username and password will be stored in Secrets Manager and a policy to access the secret will be created. Type: String OrCaServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: ORCA1 Description: NetBIOS name of the Offline Root CA server (Only Used For Two Tier PKI) (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String OrCaValidityPeriodUnits: Default: '10' Description: Validity Period in Years (Only Used For Two Tier PKI) Type: Number MinValue: '1' PKI: AllowedValues: - One-Tier - Two-Tier - 'No' Default: 'No' Description: Deploy Two Tier (Offline Root with Subordinate Enterprise CA) or One Tier (Enterprise Root CA) PKI Infrastructure Type: String PKIEnableAdvancedAudtingandMetrics: AllowedValues: - 'true' - 'false' Default: 'false' Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows Type: String PrivateSubnet1ID: Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PrivateSubnet2ID: Description: ID of subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id QSS3BucketName: AllowedPattern: '^[a-z0-9]+[a-z0-9\.\-]*[a-z0-9]+$' ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-) It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: AllowedPattern: '^[a-z]+\-[a-z\-]+\-[0-9]{1}$' Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: '^[a-zA-Z0-9\-\/]+$' ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-activedirectory/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String S3CRLBucketName: AllowedPattern: '^[a-z0-9]+[a-z0-9\.\-]*[a-z0-9]+$' Default: examplebucket Description: S3 bucket name for CA CRL(s) storage. Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String SetupAppInsightsMonitoring: AllowedValues: - 'true' - 'false' Default: 'false' Description: Setup Application Insights monitoring for Active directory resources. Type: String UseS3ForCRL: AllowedValues: - 'Yes' - 'No' Default: 'No' Description: Store CA CRL(s) in an S3 bucket Type: String VPCCIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Rules: NonWindowsDomainJoin: RuleCondition: !Equals [!Ref NonWindowsDomainJoin, 'true'] Assertions: - AssertDescription: To enable creation of an AD user for non-Windows Domain joins, you need to create a Management Server Instance Assert: !Equals [!Ref MgmtServer, 'true'] SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must in the VPC S3CRLBucketNameValidation: RuleCondition: !And - !Equals [!Ref UseS3ForCRL, 'Yes'] - !Not [!Equals [!Ref PKI, 'No']] Assertions: - AssertDescription: CRL BucketName cannot must be valid BucketName Assert: !Not [!Equals [!Ref S3CRLBucketName, 'examplebucket']] Conditions: ShouldCreateDHCPOption: !Not [!Equals [!Ref DHCPOptionSet, 'No']] ShouldCreateMgmtServer: !Equals [!Ref MgmtServer, 'true'] ShouldCreateNonWindowsDomainJoinADUser: !Equals [!Ref NonWindowsDomainJoin, 'true'] ShouldCreateOneTierPkiResource: !Equals [!Ref PKI, 'One-Tier'] ShouldCreateTwoTierPkiResource: !Equals [!Ref PKI, 'Two-Tier'] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] AppInsightsEnabled: !Equals [!Ref SetupAppInsightsMonitoring, 'true'] UsingDefaultAppName: !Equals [!Ref AppInsightsApplicationName, ''] Resources: DHCPOptions: Condition: ShouldCreateDHCPOption Type: AWS::EC2::DHCPOptions Properties: DomainName: !Ref DomainDNSName DomainNameServers: !GetAtt MicrosoftAD.DnsIpAddresses Tags: - Key: Domain Value: !Ref DomainDNSName VPCDHCPOptionsAssociation: Condition: ShouldCreateDHCPOption Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref VPCID DhcpOptionsId: !Ref DHCPOptions ADAdminSecrets: Type: AWS::SecretsManager::Secret Properties: Name: !Sub ADAdminSecret-${AWS::StackName} Description: Admin User Secrets for Managed AD Quick Start SecretString: !Sub '{"username":"Admin","password":"${DomainAdminPassword}"}' NonWindowsDomainJoinSecrets: Type: AWS::SecretsManager::Secret Condition: ShouldCreateNonWindowsDomainJoinADUser Properties: Name: !Sub aws/directory-services/${MicrosoftAD}/seamless-domain-join Description: User Secrets for seamless domain joins in context of the Managed AD Quick Start GenerateSecretString: RequireEachIncludedType: True SecretStringTemplate: '{"awsSeamlessDomainUsername": "awsSeamlessDomain"}' GenerateStringKey: 'awsSeamlessDomainPassword' PasswordLength: 32 ExcludePunctuation: True NonWindowsDomainJoinPolicy: Type: AWS::IAM::ManagedPolicy Condition: ShouldCreateNonWindowsDomainJoinADUser Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'secretsmanager:GetSecretValue' - 'secretsmanager:DescribeSecret' Resource: !Ref NonWindowsDomainJoinSecrets ManagedPolicyName: !Sub SM-Secret-DJ-${MicrosoftAD}-Read MicrosoftAD: Type: AWS::DirectoryService::MicrosoftAD Properties: Name: !Ref DomainDNSName Edition: !Ref ADEdition ShortName: !Ref DomainNetBIOSName Password: !Ref DomainAdminPassword VpcSettings: SubnetIds: - !Ref PrivateSubnet1ID - !Ref PrivateSubnet2ID VpcId: !Ref VPCID DomainMemberSG: Type: AWS::EC2::SecurityGroup Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: "Standard Amazon practice" Properties: GroupDescription: Domain Members VpcId: !Ref VPCID Tags: - Key: Name Value: DomainMembersSecurityGroup DomainMembersIngressRDP: Type: AWS::EC2::SecurityGroupIngress Properties: Description: RDP GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref DomainMemberSG DomainMembersIngressWinRMHTTP: Type: AWS::EC2::SecurityGroupIngress Properties: Description: WinRM-HTTP GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 5985 ToPort: 5985 SourceSecurityGroupId: !Ref DomainMemberSG DomainMembersIngressWinRMHTTPS: Type: AWS::EC2::SecurityGroupIngress Properties: Description: WinRM-HTTPS GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 5986 ToPort: 5986 SourceSecurityGroupId: !Ref DomainMemberSG MgmtStack: Condition: ShouldCreateMgmtServer Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/mgmt-1.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AdministratorSecret: !Ref ADAdminSecrets DirectoryID: !Ref MicrosoftAD DomainController1IP: !Select [0, !GetAtt MicrosoftAD.DnsIpAddresses] DomainController2IP: !Select [1, !GetAtt MicrosoftAD.DnsIpAddresses] DomainDNSName: !Ref DomainDNSName DomainMembersSG: !Ref DomainMemberSG DomainNetBIOSName: !Ref DomainNetBIOSName EnableAdvancedAudtingandMetrics: !Ref MgmtServerEnableAdvancedAudtingandMetrics KeyPairName: !Ref KeyPairName MgmtAmi: !Ref MgmtAmi MgmtDataDriveSizeGiB: !Ref MgmtDataDriveSizeGiB MgmtServerInstanceType: !Ref MgmtServerInstanceType MgmtServerNetBIOSName: !Ref MgmtServerNetBIOSName MgmtServerSubnet: !Ref PrivateSubnet1ID NonWindowsDomainJoin: !Ref NonWindowsDomainJoin NonWindowsDomainJoinSecret: !If [ShouldCreateNonWindowsDomainJoinADUser, !Ref NonWindowsDomainJoinSecrets, !Ref AWS::NoValue] QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix VPCCIDR: !Ref VPCCIDR EntCAStack: Condition: ShouldCreateOneTierPkiResource Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-pki/templates/one-tier.template' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AMI: !Ref CaAmi AdministratorSecret: !Ref ADAdminSecrets DirectoryType: AWSManaged DomainController1IP: !Select [0, !GetAtt MicrosoftAD.DnsIpAddresses] DomainController2IP: !Select [1, !GetAtt MicrosoftAD.DnsIpAddresses] DomainDNSName: !Ref DomainDNSName DomainMembersSG: !Ref DomainMemberSG DomainNetBIOSName: !Ref DomainNetBIOSName EnableAdvancedAudtingandMetrics: !Ref PKIEnableAdvancedAudtingandMetrics EntCaDataDriveSizeGiB: !Ref CaDataDriveSizeGiB EntCaHashAlgorithm: !Ref CaHashAlgorithm EntCaKeyLength: !Ref CaKeyLength EntCaServerInstanceType: !Ref CaServerInstanceType EntCaServerNetBIOSName: !Ref EntCaServerNetBIOSName EntCaServerSubnet: !Ref PrivateSubnet1ID EntCaValidityPeriodUnits: !Ref CaValidityPeriodUnits KeyPairName: !Ref KeyPairName QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-microsoft-pki/' S3CRLBucketName: !Ref S3CRLBucketName UseS3ForCRL: !Ref UseS3ForCRL VPCCIDR: !Ref VPCCIDR VPCID: !Ref VPCID TwoTierCAStack: Condition: ShouldCreateTwoTierPkiResource Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-pki/templates/two-tier.template' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AMI: !Ref CaAmi AdministratorSecret: !Ref ADAdminSecrets DirectoryType: 'AWSManaged' DomainController1IP: !Select [0, !GetAtt MicrosoftAD.DnsIpAddresses] DomainController2IP: !Select [1, !GetAtt MicrosoftAD.DnsIpAddresses] DomainDNSName: !Ref DomainDNSName DomainMembersSG: !Ref DomainMemberSG DomainNetBIOSName: !Ref DomainNetBIOSName EnableAdvancedAudtingandMetrics: !Ref PKIEnableAdvancedAudtingandMetrics KeyPairName: !Ref KeyPairName OrCaDataDriveSizeGiB: !Ref CaDataDriveSizeGiB OrCaHashAlgorithm: !Ref CaHashAlgorithm OrCaKeyLength: !Ref CaKeyLength OrCaServerInstanceType: !Ref CaServerInstanceType OrCaServerNetBIOSName: !Ref OrCaServerNetBIOSName OrCaServerSubnet: !Ref PrivateSubnet1ID OrCaValidityPeriodUnits: !Ref OrCaValidityPeriodUnits QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-microsoft-pki/ S3CRLBucketName: !Ref S3CRLBucketName SubCaDataDriveSizeGiB: !Ref CaDataDriveSizeGiB SubCaHashAlgorithm: !Ref CaHashAlgorithm SubCaKeyLength: !Ref CaKeyLength SubCaServerInstanceType: !Ref CaServerInstanceType SubCaServerNetBIOSName: !Ref EntCaServerNetBIOSName SubCaServerSubnet: !Ref PrivateSubnet1ID SubCaValidityPeriodUnits: !Ref CaValidityPeriodUnits UseS3ForCRL: !Ref UseS3ForCRL VPCCIDR: !Ref VPCCIDR VPCID: !Ref VPCID ADResourceGroup: Condition: AppInsightsEnabled Type: AWS::ResourceGroups::Group Properties: Name: !If [UsingDefaultAppName, !Sub "ApplicationInsights-${AWS::StackName}", !Ref AppInsightsApplicationName] ResourceQuery: Query: TagFilters: - Key: 'aws:cloudformation:stack-name' Values: - !Sub "${AWS::StackName}" Type: 'TAG_FILTERS_1_0' ApplicationInsightsAD: Condition: AppInsightsEnabled Type: AWS::ApplicationInsights::Application Properties: ResourceGroupName: !Ref 'ADResourceGroup' AutoConfigurationEnabled: true DependsOn: ADResourceGroup Outputs: ADSecretsArn: Description: Managed AD Admin Secrets Value: !Ref ADAdminSecrets ADServer1PrivateIP: Description: AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses) Value: !Select [0, !GetAtt MicrosoftAD.DnsIpAddresses] ADServer2PrivateIP: Description: AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses) Value: !Select [1, !GetAtt MicrosoftAD.DnsIpAddresses] DirectoryID: Description: Directory Services ID Value: !Ref MicrosoftAD DomainAdmin: Description: Domain administrator account Value: !Sub ${DomainNetBIOSName}\admin DomainMemberSGID: Description: Domain Member Security Group ID Value: !Ref DomainMemberSG NonWindowsDomainJoinSecrets: Condition: ShouldCreateNonWindowsDomainJoinADUser Description: ARN for the Secret that has Password and User bane for the domain join user Value: !Ref NonWindowsDomainJoinSecrets NonWindowsDomainJoinPolicy: Condition: ShouldCreateNonWindowsDomainJoinADUser Description: ARN of the policy with permissions to read the secret holding the credentials for the domain join user Value: !Ref NonWindowsDomainJoinPolicy