{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "QS(0001) - This template creates a VPC infrastructure for a multi-AZ, multi-tier deployment of a Windows-based application infrastructure. It installs two Active Directory Domain Controllers (each also configured with Active Directory Certificate Services) into private subnets in separate AZs inside a VPC, as well as Remote Desktop Gateway instances and managed NAT gateways in the public subnet for each Availability Zone. The default local Administrator password will be the one retrieved for the instance with the key pair. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the fixed private IP addresses of the AD instances as their DNS servers. NOTE: the bootstrap disables the Windows Firewall on both domain controllers (security groups are then the only network control), and the domain admin password is interpolated in plaintext into the cfn-init command lines run on the instances, so rotate it once the stack has completed. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template.",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Network Configuration"
},
"Parameters": [
"VPCCIDR",
"PrivateSubnet1CIDR",
"PrivateSubnet2CIDR",
"PublicSubnet1CIDR",
"PublicSubnet2CIDR"
]
},
{
"Label": {
"default": "Amazon EC2 Configuration"
},
"Parameters": [
"KeyPairName",
"RDGWInstanceType",
"ADServer1InstanceType",
"ADServer1NetBIOSName",
"ADServer1PrivateIP",
"ADServer2InstanceType",
"ADServer2NetBIOSName",
"ADServer2PrivateIP"
]
},
{
"Label": {
"default": "Microsoft Active Directory Configuration"
},
"Parameters": [
"DomainDNSName",
"DomainNetBIOSName",
"RestoreModePassword",
"DomainAdminUser",
"DomainAdminPassword"
]
}
],
"ParameterLabels": {
"KeyPairName": {
"default": "Key Pair Name"
},
"ADServer1InstanceType": {
"default": "Domain Controller 1 Instance Type"
},
"ADServer2InstanceType": {
"default": "Domain Controller 2 Instance Type"
},
"RDGWInstanceType": {
"default": "Remote Desktop Gateway Server Instance Type"
},
"DomainDNSName": {
"default": "Domain DNS Name"
},
"DomainNetBIOSName": {
"default": "Domain NetBIOS Name"
},
"ADServer1NetBIOSName": {
"default": "Domain Controller 1 NetBIOS Name"
},
"ADServer2NetBIOSName": {
"default": "Domain Controller 2 NetBIOS Name"
},
"RestoreModePassword": {
"default": "Restore Mode Password"
},
"DomainAdminUser": {
"default": "Domain Admin User Name"
},
"DomainAdminPassword": {
"default": "Domain Admin Password"
},
"PublicSubnet1CIDR": {
"default": "Public Subnet 1 CIDR"
},
"PublicSubnet2CIDR": {
"default": "Public Subnet 2 CIDR"
},
"PrivateSubnet1CIDR": {
"default": "Private Subnet 1 CIDR"
},
"PrivateSubnet2CIDR": {
"default": "Private Subnet 2 CIDR"
},
"VPCCIDR": {
"default": "VPC CIDR"
},
"ADServer1PrivateIP": {
"default": "Domain Controller 1 Private IP Address"
},
"ADServer2PrivateIP": {
"default": "Domain Controller 2 Private IP Address"
}
}
}
},
"Parameters": {
"KeyPairName": {
"Description": "Public/private key pairs allow you to securely connect to your instance after it launches",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"ADServer1InstanceType": {
"Description": "Amazon EC2 instance type for the first Active Directory Instance",
"Type": "String",
"Default": "m4.xlarge",
"AllowedValues": [
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge"
]
},
"ADServer2InstanceType": {
"Description": "Amazon EC2 instance type for the second Active Directory Instance",
"Type": "String",
"Default": "m4.xlarge",
"AllowedValues": [
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge"
]
},
"RDGWInstanceType": {
"Description": "Amazon EC2 instance type for the Remote Desktop Gateway instances",
"Type": "String",
"Default": "m4.xlarge",
"AllowedValues": [
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge"
]
},
"DomainDNSName": {
"Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com",
"Type": "String",
"Default": "example.com",
"MinLength": "3",
"MaxLength": "25",
"AllowedPattern": "[a-zA-Z0-9\\-]+\\..+"
},
"DomainNetBIOSName": {
"Description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows, e.g. EXAMPLE",
"Type": "String",
"Default": "example",
"MinLength": "1",
"MaxLength": "15",
"AllowedPattern": "[a-zA-Z0-9\\-]+"
},
"ADServer1NetBIOSName": {
"Description": "NetBIOS name of the first AD server (up to 15 characters)",
"Type": "String",
"Default": "DC1",
"MinLength": "1",
"MaxLength": "15",
"AllowedPattern": "[a-zA-Z0-9\\-]+"
},
"ADServer2NetBIOSName": {
"Description": "NetBIOS name of the second AD server (up to 15 characters)",
"Type": "String",
"Default": "DC2",
"MinLength": "1",
"MaxLength": "15",
"AllowedPattern": "[a-zA-Z0-9\\-]+"
},
"RestoreModePassword": {
"Description": "Password for the Directory Services Restore Mode (DSRM) Administrator account on the domain controllers, separate from the domain admin account. Must be 8-32 characters and contain at least three of: uppercase letters, lowercase letters, digits, symbols. NOTE: the Install-ADDSForest and Install-ADDSDomainController commands in this template pass DomainAdminPassword as -SafeModeAdministratorPassword rather than this value, so this parameter is not applied to the domain controllers it deploys; verify before relying on it.",
"Type": "String",
"MinLength": "8",
"MaxLength": "32",
"AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
"NoEcho": "True"
},
"DomainAdminUser": {
"Description": "User name for the account that will be created and added as Domain Administrator (and promoted to Enterprise Admin by ConvertTo-EnterpriseAdmin.ps1) with PasswordNeverExpires set. This is separate from the default \"Administrator\" account",
"Type": "String",
"Default": "StackAdmin",
"MinLength": "5",
"MaxLength": "25",
"AllowedPattern": "[a-zA-Z0-9]*"
},
"DomainAdminPassword": {
"Description": "Password for the domain admin user. Must be 8-32 characters and contain at least three of: uppercase letters, lowercase letters, digits, symbols. This value is also used as the DSRM (SafeModeAdministrator) password on both domain controllers and is passed in plaintext on cfn-init command lines during bootstrap, so rotate it after the stack completes.",
"Type": "String",
"MinLength": "8",
"MaxLength": "32",
"AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
"NoEcho": "true"
},
"PublicSubnet1CIDR": {
"Description": "CIDR Block for the Public DMZ Subnet located in AZ1",
"Type": "String",
"Default": "10.0.32.0/20",
"AllowedPattern": "[a-zA-Z0-9]+\\..+"
},
"PublicSubnet2CIDR": {
"Description": "CIDR Block for the Public DMZ Subnet located in AZ2",
"Type": "String",
"Default": "10.0.96.0/20",
"AllowedPattern": "[a-zA-Z0-9]+\\..+"
},
"PrivateSubnet1CIDR": {
"Description": "CIDR Block for Private Subnet 1 located in AZ1",
"Type": "String",
"Default": "10.0.0.0/19",
"AllowedPattern": "[a-zA-Z0-9]+\\..+"
},
"PrivateSubnet2CIDR": {
"Description": "CIDR Block for Private Subnet 2 located in AZ2",
"Type": "String",
"Default": "10.0.64.0/19",
"AllowedPattern": "[a-zA-Z0-9]+\\..+"
},
"VPCCIDR": {
"Description": "CIDR Block for the VPC",
"Type": "String",
"Default": "10.0.0.0/16",
"AllowedPattern": "[a-zA-Z0-9]+\\..+"
},
"ADServer1PrivateIP": {
"Description": "Fixed private IP for the first Active Directory server located in AZ1",
"Type": "String",
"Default": "10.0.0.10"
},
"ADServer2PrivateIP": {
"Description": "Fixed private IP for the second Active Directory server located in AZ2",
"Type": "String",
"Default": "10.0.64.10"
}
},
"Mappings": {
"AWSAMIRegionMap": {
"AMI": {
"WS2012R2": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2019.07.12"
},
"ap-northeast-1": {
"WS2012R2": "ami-06823103be2218b98"
},
"ap-northeast-2": {
"WS2012R2": "ami-050e65d9f2ec90145"
},
"ap-south-1": {
"WS2012R2": "ami-045e1f06f29929467"
},
"ap-southeast-1": {
"WS2012R2": "ami-0c322369af7718803"
},
"ap-southeast-2": {
"WS2012R2": "ami-0813db0de4ddab990"
},
"ca-central-1": {
"WS2012R2": "ami-0850dfaa3ee6f6233"
},
"eu-central-1": {
"WS2012R2": "ami-024652d0a3df40e74"
},
"eu-west-1": {
"WS2012R2": "ami-0d2f69fcc5f00c97a"
},
"eu-west-2": {
"WS2012R2": "ami-0998a91bb1756752d"
},
"sa-east-1": {
"WS2012R2": "ami-044d56b6baa621d7d"
},
"us-east-1": {
"WS2012R2": "ami-094a644f1fb9e4ce3"
},
"us-east-2": {
"WS2012R2": "ami-0a1a54d8690206089"
},
"us-west-1": {
"WS2012R2": "ami-094dcbdb1aa24c8da"
},
"us-west-2": {
"WS2012R2": "ami-0f8967b5f815400c0"
}
}
},
"Resources": {
"DHCPOptions": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainName": {
"Ref": "DomainDNSName"
},
"DomainNameServers": [
"AmazonProvidedDNS"
],
"NtpServers": [
{
"Ref": "ADServer1PrivateIP"
}
],
"NetbiosNameServers": [
{
"Ref": "ADServer1PrivateIP"
},
{
"Ref": "ADServer2PrivateIP"
}
],
"NetbiosNodeType": "2",
"Tags": [
{
"Key": "Domain",
"Value": {
"Ref": "DomainDNSName"
}
}
]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "VPCCIDR"
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"VPCDHCPOptionsAssociation": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"DhcpOptionsId": {
"Ref": "DHCPOptions"
}
}
},
"PublicSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet1CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
},
{
"Key": "Role",
"Value": "DMZ 1 Subnet"
}
]
}
},
"PublicSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet2CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
},
{
"Key": "Role",
"Value": "DMZ 2 Subnet"
}
]
}
},
"PrivateSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet1CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Private"
},
{
"Key": "Role",
"Value": "AD1 Subnet"
}
]
}
},
"PrivateSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet2CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Private"
},
{
"Key": "Role",
"Value": "AD2 Subnet"
}
]
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
}
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "DMZ"
}
]
}
},
"PublicRoute": {
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation1": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet1"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"PublicSubnetRouteTableAssociation2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet2"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"PrivateRouteTable1": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "AZ1 Private"
}
]
}
},
"PrivateRoute1": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateRouteTable1"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NATGateway1"
}
}
},
"PrivateRouteTable2": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "AZ2 Private"
}
]
}
},
"PrivateRoute2": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateRouteTable2"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NATGateway2"
}
}
},
"PrivateSubnetRouteTableAssociation1": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet1"
},
"RouteTableId": {
"Ref": "PrivateRouteTable1"
}
}
},
"PrivateSubnetRouteTableAssociation2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet2"
},
"RouteTableId": {
"Ref": "PrivateRouteTable2"
}
}
},
"RDGW1EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Ref": "RDGateway1"
}
}
},
"RDGW2EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Ref": "RDGateway2"
}
}
},
"NATGateway1EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"NATGateway2EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"NATGateway1": {
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NATGateway1EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet1"
}
}
},
"NATGateway2": {
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NATGateway2EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet2"
}
}
},
"DomainController1": {
"Type": "AWS::EC2::Instance",
"DependsOn": "NATGateway1",
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"setup",
"rename",
"installADDS",
"configureSites",
"installADCS",
"finalize"
]
},
"setup": {
"files": {
"c:\\cfn\\cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{
"Ref": "AWS::StackName"
},
"\n",
"region=",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -c config -s ",
{
"Ref": "AWS::StackId"
},
" -r DomainController1",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\scripts\\Set-StaticIP.ps1": {
"content": {
"Fn::Join": [
"",
[
"$netip = Get-NetIPConfiguration;",
"$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};",
"Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;",
"Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;",
"\n"
]
]
}
},
"c:\\cfn\\modules\\AWSQuickStart.zip": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/submodules/quickstart-microsoft-utilities/modules/AWSQuickStart.zip"
},
"c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/ConvertTo-EnterpriseAdmin.ps1"
},
"c:\\cfn\\scripts\\New-CertificateAuthority.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/New-CertificateAuthority.ps1"
},
"c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/xAdcsDeployment_0.1.0.0.zip"
},
"c:\\cfn\\scripts\\Unzip-Archive.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1"
}
},
"services": {
"windows": {
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"c:\\cfn\\cfn-hup.conf",
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"
]
}
}
},
"commands": {
"a-disable-win-fw": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False\""
]
]
},
"waitAfterCompletion": "0"
},
"b-set-execution-policy": {
"command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force",
"waitAfterCompletion": "0"
},
"c-unpack-dsc-resource": {
"command": "powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'",
"waitAfterCompletion": "0"
},
"d-unpack-quickstart-module": {
"command": "powershell.exe -Command C:\\cfn\\scripts\\Unzip-Archive.ps1 -Source C:\\cfn\\modules\\AWSQuickStart.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'",
"waitAfterCompletion": "0"
}
}
},
"rename": {
"commands": {
"a-set-static-ip": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1"
]
]
},
"waitAfterCompletion": "45"
},
"b-execute-powershell-script-RenameComputer": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe Rename-Computer -NewName ",
{
"Ref": "ADServer1NetBIOSName"
},
" -Restart"
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"installADDS": {
"commands": {
"1-install-prereqs": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Install-WindowsFeature AD-Domain-Services, rsat-adds -IncludeAllSubFeature\""
]
]
},
"waitAfterCompletion": "0"
},
"2-install-adds": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command ",
"\"Install-ADDSForest -DomainName ",
{
"Ref": "DomainDNSName"
},
" ",
"-SafeModeAdministratorPassword (ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force) ",
"-DomainMode Win2012R2 ",
"-DomainNetbiosName ",
{
"Ref": "DomainNetBIOSName"
},
" ",
"-ForestMode Win2012R2 ",
"-Confirm:$false ",
"-Force\""
]
]
},
"waitAfterCompletion": "forever"
},
"3-restart-service": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command Restart-Service NetLogon -EA 0"
]
]
},
"waitAfterCompletion": "180"
},
"4-create-adminuser": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command ",
"\"New-ADUser ",
"-Name ",
{
"Ref": "DomainAdminUser"
},
" ",
"-UserPrincipalName ",
{
"Ref": "DomainAdminUser"
},
"@",
{
"Ref": "DomainDNSName"
},
" ",
"-AccountPassword (ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force) ",
"-Enabled $true ",
"-PasswordNeverExpires $true\""
]
]
},
"waitAfterCompletion": "0"
},
"5-update-adminuser": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1 -Members ",
{
"Ref": "DomainAdminUser"
}
]
]
},
"waitAfterCompletion": "0"
}
}
},
"configureSites": {
"commands": {
"a-rename-default-site": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe ",
"\"",
"Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -filter {Name -eq 'Default-First-Site-Name'} | Rename-ADObject -NewName AZ1",
"\""
]
]
},
"waitAfterCompletion": "0"
},
"b-create-site-2": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe New-ADReplicationSite AZ2"
]
]
},
"waitAfterCompletion": "0"
},
"c-create-publicsubnet-1": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command New-ADReplicationSubnet -Name ",
{
"Ref": "PublicSubnet1CIDR"
},
" -Site AZ1"
]
]
},
"waitAfterCompletion": "0"
},
"d-create-publicsubnet-2": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command New-ADReplicationSubnet -Name ",
{
"Ref": "PublicSubnet2CIDR"
},
" -Site AZ2"
]
]
},
"waitAfterCompletion": "0"
},
"e-create-privatesubnet-1": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command New-ADReplicationSubnet -Name ",
{
"Ref": "PrivateSubnet1CIDR"
},
" -Site AZ1"
]
]
},
"waitAfterCompletion": "0"
},
"f-create-privatesubnet-2": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command New-ADReplicationSubnet -Name ",
{
"Ref": "PrivateSubnet2CIDR"
},
" -Site AZ2"
]
]
},
"waitAfterCompletion": "0"
},
"g-set-site-link": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Get-ADReplicationSiteLink -Filter * | Set-ADReplicationSiteLink -SitesIncluded @{add='AZ2'} -ReplicationFrequencyInMinutes 15\""
]
]
},
"waitAfterCompletion": "0"
}
}
},
"installADCS": {
"commands": {
"a-install-ca": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ",
{
"Ref": "DomainAdminUser"
},
" -Password ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -DomainDNSName ",
{
"Ref": "DomainDNSName"
}
]
]
},
"waitAfterCompletion": "0"
}
}
},
"finalize": {
"commands": {
"a-signal-success": {
"command": {
"Fn::Join": [
"",
[
"cfn-signal.exe -e 0 \"",
{
"Ref": "DomainController1WaitHandle"
},
"\""
]
]
}
}
}
}
}
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"WS2012R2"
]
},
"InstanceType": {
"Ref": "ADServer1InstanceType"
},
"SubnetId": {
"Ref": "PrivateSubnet1"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "ADServer1NetBIOSName"
}
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": "100",
"VolumeType": "gp2"
}
}
],
"SecurityGroupIds": [
{
"Ref": "DomainController1SG"
}
],
"PrivateIpAddress": {
"Ref": "ADServer1PrivateIP"
},
"KeyName": {
"Ref": "KeyPairName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"DomainController2": {
"Type": "AWS::EC2::Instance",
"DependsOn": "DomainController1WaitCondition",
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"setup",
"rename",
"join",
"addDomainController",
"installADCS",
"finalize"
]
},
"setup": {
"files": {
"c:\\cfn\\cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{
"Ref": "AWS::StackName"
},
"\n",
"region=",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.DomainController2.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -c config -s ",
{
"Ref": "AWS::StackId"
},
" -r DomainController2",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\scripts\\Set-StaticIP.ps1": {
"content": {
"Fn::Join": [
"",
[
"$netip = Get-NetIPConfiguration;",
"$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};",
"Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;",
"Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ",
{
"Ref": "ADServer1PrivateIP"
},
"\n"
]
]
}
},
"c:\\cfn\\modules\\AWSQuickStart.zip": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/submodules/quickstart-microsoft-utilities/modules/AWSQuickStart.zip"
},
"c:\\cfn\\scripts\\New-CertificateAuthority.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/New-CertificateAuthority.ps1"
},
"c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/xAdcsDeployment_0.1.0.0.zip"
},
"c:\\cfn\\scripts\\Unzip-Archive.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1"
}
},
"services": {
"windows": {
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"c:\\cfn\\cfn-hup.conf",
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"
]
}
}
},
"commands": {
"a-disable-win-fw": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False\""
]
]
},
"waitAfterCompletion": "0"
},
"b-set-execution-policy": {
"command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force",
"waitAfterCompletion": "0"
},
"c-unpack-dsc-resource": {
"command": "powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'",
"waitAfterCompletion": "0"
},
"d-unpack-quickstart-module": {
"command": "powershell.exe -Command C:\\cfn\\scripts\\Unzip-Archive.ps1 -Source C:\\cfn\\modules\\AWSQuickStart.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'",
"waitAfterCompletion": "0"
}
}
},
"rename": {
"commands": {
"a-set-static-ip": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1"
]
]
},
"waitAfterCompletion": "45"
},
"b-execute-powershell-script-RenameComputer": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe Rename-Computer -NewName ",
{
"Ref": "ADServer2NetBIOSName"
},
" -Restart"
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"join": {
"commands": {
"a-join-domain": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Add-Computer -DomainName ",
{
"Ref": "DomainDNSName"
},
" -Credential ",
"(New-Object System.Management.Automation.PSCredential('",
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
},
"',",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force))) ",
"-Restart\""
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"addDomainController": {
"commands": {
"1-install-prereqs": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Install-WindowsFeature AD-Domain-Services, rsat-adds -IncludeAllSubFeature\""
]
]
},
"waitAfterCompletion": "0"
},
"2-add-dc": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Install-ADDSDomainController -InstallDns -DomainName ",
{
"Ref": "DomainDNSName"
},
" -Credential ",
"(New-Object System.Management.Automation.PSCredential('",
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
},
"',",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force))) ",
"-SafeModeAdministratorPassword ",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force) ",
"-Confirm:$false -Force\""
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"installADCS": {
"commands": {
"a-install-ca": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ",
{
"Ref": "DomainAdminUser"
},
" -Password ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -DomainDNSName ",
{
"Ref": "DomainDNSName"
}
]
]
},
"waitAfterCompletion": "0"
}
}
},
"finalize": {
"commands": {
"a-update-dns-servers-dc2": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ",
{
"Ref": "ADServer1PrivateIP"
},
",",
{
"Ref": "ADServer2PrivateIP"
},
"\""
]
]
},
"waitAfterCompletion": "0"
},
"b-update-dns-servers-dc1": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command ",
"\"Invoke-Command -Scriptblock{ ",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ",
{
"Ref": "ADServer2PrivateIP"
},
",",
{
"Ref": "ADServer1PrivateIP"
},
" } -ComputerName ",
{
"Ref": "ADServer1NetBIOSName"
},
" -Credential ",
"(New-Object System.Management.Automation.PSCredential('",
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
},
"',",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force))) ",
"\""
]
]
},
"waitAfterCompletion": "0"
},
"c-signal-success": {
"command": {
"Fn::Join": [
"",
[
"cfn-signal.exe -e 0 \"",
{
"Ref": "DomainController2WaitHandle"
},
"\""
]
]
}
}
}
}
}
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"WS2012R2"
]
},
"InstanceType": {
"Ref": "ADServer2InstanceType"
},
"SubnetId": {
"Ref": "PrivateSubnet2"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "ADServer2NetBIOSName"
}
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": "100",
"VolumeType": "gp2"
}
}
],
"SecurityGroupIds": [
{
"Ref": "DomainController2SG"
}
],
"PrivateIpAddress": {
"Ref": "ADServer2PrivateIP"
},
"KeyName": {
"Ref": "KeyPairName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"RDGateway1": {
"Type": "AWS::EC2::Instance",
"DependsOn": "DomainController2",
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"setup",
"rename",
"join",
"installRDS",
"finalize"
]
},
"setup": {
"files": {
"c:\\cfn\\cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{
"Ref": "AWS::StackName"
},
"\n",
"region=",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.RDGateway1.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -c config -s ",
{
"Ref": "AWS::StackId"
},
" -r RDGateway1",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\scripts\\Configure-RDGW.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/Configure-RDGW.ps1"
}
},
"services": {
"windows": {
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"c:\\cfn\\cfn-hup.conf",
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"
]
}
}
},
"commands": {
"a-set-execution-policy": {
"command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force",
"waitAfterCompletion": "0"
}
}
},
"rename": {
"commands": {
"1-execute-powershell-script-RenameComputer": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command Rename-Computer -NewName RDGW1 -Restart"
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"join": {
"commands": {
"a-set-dns-servers": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ",
{
"Ref": "ADServer1PrivateIP"
},
",",
{
"Ref": "ADServer2PrivateIP"
},
"\""
]
]
},
"waitAfterCompletion": "30"
},
"b-join-domain": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Add-Computer -DomainName ",
{
"Ref": "DomainDNSName"
},
" -Credential ",
"(New-Object System.Management.Automation.PSCredential('",
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
},
"',",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force))) ",
"-Restart\""
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"installRDS": {
"commands": {
"a-install-rds": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Install-WindowsFeature RDS-Gateway,RSAT-RDS-Gateway\""
]
]
}
},
"b-configure-rdgw": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -ExecutionPolicy RemoteSigned",
" C:\\cfn\\scripts\\Configure-RDGW.ps1 -ServerFQDN RDGW1.",
{
"Ref": "DomainDNSName"
},
" -DomainNetBiosName ",
{
"Ref": "DomainNetBIOSName"
},
" -GroupName 'domain admins'"
]
]
}
}
}
},
"finalize": {
"commands": {
"1-signal-success": {
"command": {
"Fn::Join": [
"",
[
"cfn-signal.exe -e 0 \"",
{
"Ref": "RDGW1WaitHandle"
},
"\""
]
]
}
}
}
}
}
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"WS2012R2"
]
},
"InstanceType": {
"Ref": "RDGWInstanceType"
},
"SubnetId": {
"Ref": "PublicSubnet1"
},
"Tags": [
{
"Key": "Name",
"Value": "RDGW1"
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": "50",
"VolumeType": "gp2"
}
}
],
"SecurityGroupIds": [
{
"Ref": "RDGWSecurityGroup"
},
{
"Ref": "DomainMemberSG"
}
],
"KeyName": {
"Ref": "KeyPairName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"RDGateway2": {
"Type": "AWS::EC2::Instance",
"DependsOn": "DomainController2",
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"setup",
"rename",
"join",
"installRDS",
"finalize"
]
},
"setup": {
"files": {
"c:\\cfn\\cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{
"Ref": "AWS::StackName"
},
"\n",
"region=",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.RDGateway2.Metadata.AWS::CloudFormation::Init\n",
"action=cfn-init.exe -v -c config -s ",
{
"Ref": "AWS::StackId"
},
" -r RDGateway2",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
},
"c:\\cfn\\scripts\\Configure-RDGW.ps1": {
"source": "https://s3.amazonaws.com/aws-quickstart/quickstart-microsoft-activedirectory/scripts/Configure-RDGW.ps1"
}
},
"services": {
"windows": {
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"c:\\cfn\\cfn-hup.conf",
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"
]
}
}
},
"commands": {
"a-set-execution-policy": {
"command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force",
"waitAfterCompletion": "0"
}
}
},
"rename": {
"commands": {
"1-execute-powershell-script-RenameComputer": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command Rename-Computer -NewName RDGW2 -Restart"
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"join": {
"commands": {
"a-set-dns-servers": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ",
{
"Ref": "ADServer2PrivateIP"
},
",",
{
"Ref": "ADServer1PrivateIP"
},
"\""
]
]
},
"waitAfterCompletion": "30"
},
"b-join-domain": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"",
"Add-Computer -DomainName ",
{
"Ref": "DomainDNSName"
},
" -Credential ",
"(New-Object System.Management.Automation.PSCredential('",
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
},
"',",
"(ConvertTo-SecureString ",
"'",
{
"Ref": "DomainAdminPassword"
},
"'",
" -AsPlainText -Force))) ",
"-Restart\""
]
]
},
"waitAfterCompletion": "forever"
}
}
},
"installRDS": {
"commands": {
"a-install-rds": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -Command \"Install-WindowsFeature RDS-Gateway,RSAT-RDS-Gateway\""
]
]
}
},
"b-configure-rdgw": {
"command": {
"Fn::Join": [
"",
[
"powershell.exe -ExecutionPolicy RemoteSigned",
" C:\\cfn\\scripts\\Configure-RDGW.ps1 -ServerFQDN RDGW2.",
{
"Ref": "DomainDNSName"
},
" -DomainNetBiosName ",
{
"Ref": "DomainNetBIOSName"
},
" -GroupName 'domain admins'"
]
]
}
}
}
},
"finalize": {
"commands": {
"1-signal-success": {
"command": {
"Fn::Join": [
"",
[
"cfn-signal.exe -e 0 \"",
{
"Ref": "RDGW2WaitHandle"
},
"\""
]
]
}
}
}
}
}
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"WS2012R2"
]
},
"InstanceType": {
"Ref": "RDGWInstanceType"
},
"SubnetId": {
"Ref": "PublicSubnet2"
},
"Tags": [
{
"Key": "Name",
"Value": "RDGW2"
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": "50",
"VolumeType": "gp2"
}
}
],
"SecurityGroupIds": [
{
"Ref": "RDGWSecurityGroup"
},
{
"Ref": "DomainMemberSG"
}
],
"KeyName": {
"Ref": "KeyPairName"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"DomainController1WaitCondition": {
"Type": "AWS::CloudFormation::WaitCondition",
"DependsOn": "DomainController1",
"Properties": {
"Handle": {
"Ref": "DomainController1WaitHandle"
},
"Timeout": "3600"
}
},
"DomainController1WaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle"
},
"DomainController2WaitCondition": {
"Type": "AWS::CloudFormation::WaitCondition",
"DependsOn": "DomainController2",
"Properties": {
"Handle": {
"Ref": "DomainController2WaitHandle"
},
"Timeout": "3600"
}
},
"DomainController2WaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle"
},
"RDGW1WaitCondition": {
"Type": "AWS::CloudFormation::WaitCondition",
"DependsOn": "RDGateway1",
"Properties": {
"Handle": {
"Ref": "RDGW1WaitHandle"
},
"Timeout": "3000"
}
},
"RDGW1WaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle"
},
"RDGW2WaitCondition": {
"Type": "AWS::CloudFormation::WaitCondition",
"DependsOn": "RDGateway2",
"Properties": {
"Handle": {
"Ref": "RDGW2WaitHandle"
},
"Timeout": "3000"
}
},
"RDGW2WaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle"
},
"DomainController1SG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Domain Controller",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "5985",
"ToPort": "5985",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "123",
"ToPort": "123",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "135",
"ToPort": "135",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "138",
"ToPort": "138",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "445",
"ToPort": "445",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "445",
"ToPort": "445",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "464",
"ToPort": "464",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "464",
"ToPort": "464",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "389",
"ToPort": "389",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "389",
"ToPort": "389",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "636",
"ToPort": "636",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3268",
"ToPort": "3268",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3269",
"ToPort": "3269",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "88",
"ToPort": "88",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "88",
"ToPort": "88",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "5355",
"ToPort": "5355",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "137",
"ToPort": "137",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "139",
"ToPort": "139",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "5722",
"ToPort": "5722",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "123",
"ToPort": "123",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "135",
"ToPort": "135",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "138",
"ToPort": "138",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "445",
"ToPort": "445",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "445",
"ToPort": "445",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "464",
"ToPort": "464",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "464",
"ToPort": "464",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "389",
"ToPort": "389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "389",
"ToPort": "389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "636",
"ToPort": "636",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3268",
"ToPort": "3268",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3269",
"ToPort": "3269",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "88",
"ToPort": "88",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "88",
"ToPort": "88",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet2CIDR"
}
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": {
"Ref": "PublicSubnet1CIDR"
}
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": {
"Ref": "PublicSubnet2CIDR"
}
}
]
}
},
"DomainController2SG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Domain Controller",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "5985",
"ToPort": "5985",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "123",
"ToPort": "123",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "135",
"ToPort": "135",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "138",
"ToPort": "138",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "445",
"ToPort": "445",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "445",
"ToPort": "445",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "464",
"ToPort": "464",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "464",
"ToPort": "464",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "389",
"ToPort": "389",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "389",
"ToPort": "389",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "636",
"ToPort": "636",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3268",
"ToPort": "3268",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3269",
"ToPort": "3269",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "VPCCIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "88",
"ToPort": "88",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "88",
"ToPort": "88",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "5355",
"ToPort": "5355",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "137",
"ToPort": "137",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "139",
"ToPort": "139",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "5722",
"ToPort": "5722",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "123",
"ToPort": "123",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "135",
"ToPort": "135",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "9389",
"ToPort": "9389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "138",
"ToPort": "138",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "445",
"ToPort": "445",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "445",
"ToPort": "445",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "464",
"ToPort": "464",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "464",
"ToPort": "464",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "389",
"ToPort": "389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "389",
"ToPort": "389",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "636",
"ToPort": "636",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3268",
"ToPort": "3268",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3269",
"ToPort": "3269",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "88",
"ToPort": "88",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "udp",
"FromPort": "88",
"ToPort": "88",
"SourceSecurityGroupId": {
"Ref": "DomainMemberSG"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet2CIDR"
}
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": {
"Ref": "PublicSubnet1CIDR"
}
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": {
"Ref": "PublicSubnet2CIDR"
}
}
]
}
},
"DomainMemberSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Domain Members",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "5985",
"ToPort": "5985",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "5985",
"ToPort": "5985",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "53",
"ToPort": "53",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "udp",
"FromPort": "49152",
"ToPort": "65535",
"CidrIp": {
"Ref": "PrivateSubnet2CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet1CIDR"
}
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {
"Ref": "PublicSubnet2CIDR"
}
}
]
}
},
"RDGWSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable RDP and ICMP access from the Internet (0.0.0.0/0)",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": "0.0.0.0/0"
}
]
}
}
},
"Outputs": {
"RDGW1ElasticIP": {
"Value": {
"Ref": "RDGW1EIP"
},
"Description": "Elastic IP address of the first Remote Desktop Gateway (RDGW1) in AZ1"
},
"RootCert1": {
"Value": "c:\\RDGW1.cer",
"Description": "Location of the root SSL certificate on the first Remote Desktop Gateway (RDGW1) in AZ1"
},
"RDGW2ElasticIP": {
"Value": {
"Ref": "RDGW2EIP"
},
"Description": "Elastic IP address of the second Remote Desktop Gateway (RDGW2) in AZ2"
},
"RootCert2": {
"Value": "c:\\RDGW2.cer",
"Description": "Location of the root SSL certificate on the second Remote Desktop Gateway (RDGW2) in AZ2"
},
"DomainAdmin": {
"Value": {
"Fn::Join": [
"",
[
{
"Ref": "DomainNetBIOSName"
},
"\\",
{
"Ref": "DomainAdminUser"
}
]
]
},
"Description": "Domain administrator account"
},
"VPCID": {
"Value": {
"Ref": "VPC"
},
"Description": "VPC ID"
},
"VPCCIDR": {
"Value": {
"Ref": "VPCCIDR"
},
"Description": "VPC CIDR"
},
"PublicSubnet1ID": {
"Value": {
"Ref": "PublicSubnet1"
},
"Description": "Public Subnet ID in AZ1"
},
"PublicSubnet2ID": {
"Value": {
"Ref": "PublicSubnet2"
},
"Description": "Public Subnet ID in AZ2"
},
"PrivateSubnet1ID": {
"Value": {
"Ref": "PrivateSubnet1"
},
"Description": "Private Subnet ID in AZ1"
},
"PrivateSubnet2ID": {
"Value": {
"Ref": "PrivateSubnet2"
},
"Description": "Private Subnet ID in AZ2"
},
"DomainMemberSGID": {
"Value": {
"Ref": "DomainMemberSG"
},
"Description": "Domain Member Security Group ID"
}
}
}