{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "This template creates 2 Windows 2016 Active Directory Domain Controllers into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator password will be the one retrieved from the instance. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0001)", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Network Configuration" }, "Parameters": [ "VPCCIDR", "VPCID", "NumberOfAZs", "PrivateSubnet1CIDR", "PrivateSubnet1ID", "PrivateSubnet2CIDR", "PrivateSubnet3CIDR", "PrivateSubnet2ID", "PublicSubnet1CIDR", "PublicSubnet2CIDR", "PublicSubnet3CIDR" ] }, { "Label": { "default": "Amazon EC2 Configuration" }, "Parameters": [ "ADServer1InstanceType", "ADServer1NetBIOSName", "ADServer1PrivateIP", "ADServer2InstanceType", "ADServer2NetBIOSName", "ADServer2PrivateIP", "KeyPairName", "LatestAmiId" ] }, { "Label": { "default": "Microsoft Active Directory Configuration" }, "Parameters": [ "DomainAdminPassword", "DomainAdminUser", "DomainDNSName", "RestoreModePassword", "DomainNetBIOSName" ] }, { "Label": { "default": "AWS Quick Start Configuration" }, "Parameters": [ "QSS3BucketName", "QSS3KeyPrefix" ] } ], "ParameterLabels": { "ADServer1InstanceType": { "default": "Domain Controller 1 Instance Type" }, "ADServer1NetBIOSName": { "default": "Domain Controller 1 NetBIOS Name" }, "ADServer1PrivateIP": { "default": "Domain Controller 1 Private IP Address" }, "ADServer2InstanceType": { "default": "Domain Controller 2 Instance Type" }, "ADServer2NetBIOSName": { "default": "Domain Controller 2 NetBIOS Name" }, 
"ADServer2PrivateIP": { "default": "Domain Controller 2 Private IP Address" }, "DomainAdminPassword": { "default": "Domain Admin Password" }, "DomainAdminUser": { "default": "Domain Admin User Name" }, "DomainDNSName": { "default": "Domain DNS Name" }, "DomainNetBIOSName": { "default": "Domain NetBIOS Name" }, "KeyPairName": { "default": "Key Pair Name" }, "PrivateSubnet1CIDR": { "default": "Private Subnet 1 CIDR" }, "PrivateSubnet1ID": { "default": "Private Subnet 1 ID" }, "PrivateSubnet2CIDR": { "default": "Private Subnet 2 CIDR" }, "PrivateSubnet2ID": { "default": "Private Subnet 2 ID" }, "PrivateSubnet3CIDR": { "default": "(Optional) Private Subnet 3 CIDR" }, "PublicSubnet1CIDR": { "default": "Public Subnet 1 CIDR" }, "PublicSubnet2CIDR": { "default": "Public Subnet 2 CIDR" }, "PublicSubnet3CIDR": { "default": "(Optional) Public Subnet 3 CIDR" }, "NumberOfAZs": { "default": "Number of AZs AD will Support" }, "LatestAmiId": { "default": "SSM Parameter to Grab Latest AMI ID" }, "QSS3BucketName": { "default": "Quick Start S3 Bucket Name" }, "QSS3KeyPrefix": { "default": "Quick Start S3 Key Prefix" }, "RestoreModePassword": { "default": "Restore Mode Password" }, "VPCCIDR": { "default": "VPC CIDR" }, "VPCID": { "default": "VPC ID" } } } }, "Parameters": { "ADServer1InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m5.large", "m5.xlarge", "m5.2xlarge", "m5.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the first Active Directory instance", "Type": "String" }, "ADServer1NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "DC1", "Description": "NetBIOS name of the first Active Directory server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer1PrivateIP": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", "Default": "10.0.0.10", "Description": "Fixed 
private IP for the first Active Directory server located in Availability Zone 1", "Type": "String" }, "ADServer2InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m5.large", "m5.xlarge", "m5.2xlarge", "m5.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the second Active Directory instance", "Type": "String" }, "ADServer2NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "DC2", "Description": "NetBIOS name of the second Active Directory server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer2PrivateIP": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", "Default": "10.0.32.10", "Description": "Fixed private IP for the second Active Directory server located in Availability Zone 2", "Type": "String" }, "DomainAdminPassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Password for the domain admin user. Must be 8-32 characters and contain at least three of the four character classes: uppercase letters, lowercase letters, digits, symbols. This value is written by the template to an SSM parameter of type String (plaintext) so the bootstrap scripts can read it by name", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "DomainAdminUser": { "AllowedPattern": "[a-zA-Z0-9]*", "Default": "StackAdmin", "Description": "User name for the account that will be added as Domain Administrator. This is separate from the default \"Administrator\" account. The bootstrap also passes this account to ConvertTo-EnterpriseAdmin.ps1, so treat it as a forest-wide privileged credential", "MaxLength": "25", "MinLength": "5", "Type": "String" }, "DomainDNSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+", "Default": "example.com", "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. 
example.com", "MaxLength": "255", "MinLength": "2", "Type": "String" }, "DomainNetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "example", "Description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "KeyPairName": { "Description": "Public/private key pairs allow you to securely connect to your instance after it launches", "Type": "AWS::EC2::KeyPair::KeyName" }, "LatestAmiId": { "Type": "AWS::SSM::Parameter::Value", "Default": "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base" }, "NumberOfAZs": { "AllowedValues": [ "2", "3" ], "Default": "2", "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.", "Type": "String" }, "PrivateSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/19", "Description": "CIDR block for private subnet 1 located in Availability Zone 1.", "Type": "String" }, "PrivateSubnet1ID": { "Description": "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PrivateSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.32.0/19", "Description": "CIDR block for private subnet 2 located in Availability Zone 2.", "Type": "String" }, "PrivateSubnet2ID": { "Description": "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PrivateSubnet3CIDR": { "Default": "", "Description": "CIDR block for 
private subnet 3 located in Availability Zone 3. Required when Number of AZs is 3. Unlike the other CIDR parameters it has no AllowedPattern and is passed verbatim to Configure-Sites.ps1, so supply a well-formed x.x.x.x/16-28 block.", "Type": "String" }, "PublicSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.128.0/20", "Description": "CIDR Block for the public DMZ subnet 1 located in Availability Zone 1", "Type": "String" }, "PublicSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.144.0/20", "Description": "CIDR Block for the public DMZ subnet 2 located in Availability Zone 2", "Type": "String" }, "PublicSubnet3CIDR": { "Default": "", "Description": "CIDR Block for the public DMZ subnet 3 located in Availability Zone 3. Required when Number of AZs is 3. Unlike the other CIDR parameters it has no AllowedPattern and is passed verbatim to Configure-Sites.ps1, so supply a well-formed x.x.x.x/16-28 block.", "Type": "String" }, "QSS3BucketName": { "AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$", "ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Default": "aws-quickstart", "Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). The scripts and modules under this bucket and key prefix are downloaded and executed on both domain controllers during bootstrap, and the instance role is granted s3:GetObject on the prefix, so point this only at a bucket whose contents you control or trust.", "Type": "String" }, "QSS3KeyPrefix": { "AllowedPattern": "^[0-9a-zA-Z-/]*$", "ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Default": "quickstart-microsoft-activedirectory/", "Description": "S3 key prefix for the Quick Start assets. 
Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Type": "String" }, "RestoreModePassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Directory Services Restore Mode (DSRM) password for the local Administrator account that is used when a domain controller is booted into Restore Mode. Must be 8-32 characters and contain at least three of the four character classes: uppercase letters, lowercase letters, digits, symbols", "MaxLength": "32", "MinLength": "8", "NoEcho": "True", "Type": "String" }, "VPCCIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/16", "Description": "CIDR Block for the VPC. Also used as the ingress source for WinRM (5985), HTTP (80) and DNS (53) on DomainController1SG, so every host in the VPC can reach those ports on the domain controller", "Type": "String" }, "VPCID": { "Description": "ID of the VPC (e.g., vpc-0343606e)", "Type": "AWS::EC2::VPC::Id" } }, "Rules": { "SubnetsInVPC": { "Assertions": [ { "Assert": { "Fn::EachMemberIn": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "VpcId" ] }, { "Fn::RefAll": "AWS::EC2::VPC::Id" } ] }, "AssertDescription": "All subnets must be in the VPC" } ] }, "CheckSupportedInstances": { "RuleCondition": { "Fn::Or": [ { "Fn::Contains": [ [ "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], { "Ref": "ADServer1InstanceType" } ] }, { "Fn::Contains": [ [ "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], { "Ref": "ADServer2InstanceType" } ] } ] }, "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "eu-west-3" ], { "Ref": "AWS::Region" } ] } ] }, "AssertDescription": "M4 instances are not available in the Paris region" } ] } }, "Conditions": { "IsThreeAz": { "Fn::Equals": [ { "Ref": "NumberOfAZs" }, "3" ] }, "GovCloudCondition": { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-gov-west-1" ] } }, "Resources": { "DHCPOptions": { "Type": 
"AWS::EC2::DHCPOptions", "DependsOn": [ "DomainController1WaitCondition", "DomainController2WaitCondition" ], "Properties": { "DomainName": { "Ref": "DomainDNSName" }, "DomainNameServers": [ { "Ref": "ADServer1PrivateIP" }, { "Ref": "ADServer2PrivateIP" } ], "Tags": [ { "Key": "Domain", "Value": { "Ref": "DomainDNSName" } } ] } }, "VPCDHCPOptionsAssociation": { "Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": { "VpcId": { "Ref": "VPCID" }, "DhcpOptionsId": { "Ref": "DHCPOptions" } } }, "ADServerRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": { "Fn::Sub": [ "arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*", { "Partition": { "Fn::If": [ "GovCloudCondition", "aws-us-gov", "aws" ] } } ] }, "Effect": "Allow" } ] }, "PolicyName": "aws-quick-start-s3-policy" }, { "PolicyName": "AD-SSM-Parameters", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter", "ssm:DeleteParameter", "ssm:GetParameter" ], "Resource": { "Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${ADPassword}" } }, { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" } ] } } ], "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" ], "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Effect": "Allow" } ], "Version": "2012-10-17" } } }, "ADServerProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "ADServerRole" } ], "Path": "/" } }, "ADPassword": { "Type": "AWS::SSM::Parameter", "Properties": { "Type": "String", "Value": { "Ref": "DomainAdminPassword" }, "Description": "The SSM Parameter for Active Directory password." 
} }, "DomainController1": { "Type": "AWS::EC2::Instance", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "installADDS", "configureSites", "installADCS", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController1", " --region ", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;", "\n" ] ] } }, "C:\\cfn\\scripts\\Add-DNSEntry.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Add-DNSEntry.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "C:\\cfn\\modules\\AWSQuickStart.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/modules/AWSQuickStart.zip", { "QSS3Region": { "Fn::If": [ 
"GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Create-AdminUser.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Create-AdminUser.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/ConvertTo-EnterpriseAdmin.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Configure-Sites.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Configure-Sites.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Disable-WindowsFirewall.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Disable-WindowsFirewall.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Install-ADDSForest.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Install-ADDSForest.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Install-Prereqs.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Install-Prereqs.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\New-CertificateAuthority.ps1": { "source": { "Fn::Sub": [ 
"https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/New-CertificateAuthority.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Rename-Computer.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Rename-Computer.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/xAdcsDeployment_0.1.0.0.zip", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Unzip-Archive.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Update-DNSServers.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Update-DNSServers.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } }, "commands": { "a-disable-win-fw": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Disable-WindowsFirewall.ps1" ] ] }, "waitAfterCompletion": "0" }, "b-set-execution-policy": { "command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force", "waitAfterCompletion": "0" }, "c-unpack-dsc-resource": { "command": 
"powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" }, "d-unpack-quickstart-module": { "command": "powershell.exe -Command C:\\cfn\\scripts\\Unzip-Archive.ps1 -Source C:\\cfn\\modules\\AWSQuickStart.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" }, "e-init-quickstart-module": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "New-AWSQuickStartWaitHandle -Handle '", { "Ref": "DomainController1WaitHandle" }, "'\"" ] ] }, "waitAfterCompletion": "0" } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Rename-Computer.ps1 -NewName ", { "Ref": "ADServer1NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "installADDS": { "commands": { "1-install-prereqs": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Install-Prereqs.ps1 " ] ] }, "waitAfterCompletion": "30" }, "2-install-adds": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Install-ADDSForest.ps1 -DomainNetBIOSName ", { "Ref": "DomainNetBIOSName" }, " -DomainAdminUser ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "forever" }, "3-restart-service": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command Restart-Service NetLogon -EA 0" ] ] }, "waitAfterCompletion": "180" }, "4-create-adminuser": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Create-AdminUser.ps1 -Server ", { "Ref": "ADServer1NetBIOSName" }, 
".", { "Ref": "DomainDNSName" }, " -DomainAdminUser ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "30" }, "5-update-adminuser": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1 -Members ", { "Ref": "DomainAdminUser" } ] ] }, "waitAfterCompletion": "0" } } }, "configureSites": { "commands": { "a-rename-default-site": { "command": { "Fn::If": [ "IsThreeAz", { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Configure-Sites.ps1 -PublicSubnet1CIDR ", { "Ref": "PublicSubnet1CIDR" }, " -PublicSubnet2CIDR ", { "Ref": "PublicSubnet2CIDR" }, " -PrivateSubnet1CIDR ", { "Ref": "PrivateSubnet1CIDR" }, " -PrivateSubnet2CIDR ", { "Ref": "PrivateSubnet2CIDR" }, " -PublicSubnet3CIDR ", { "Ref": "PublicSubnet3CIDR" }, " -PrivateSubnet3CIDR ", { "Ref": "PrivateSubnet3CIDR" }, " -Region ", { "Ref": "AWS::Region" } ] ] }, { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Configure-Sites.ps1 -PublicSubnet1CIDR ", { "Ref": "PublicSubnet1CIDR" }, " -PublicSubnet2CIDR ", { "Ref": "PublicSubnet2CIDR" }, " -PrivateSubnet1CIDR ", { "Ref": "PrivateSubnet1CIDR" }, " -PrivateSubnet2CIDR ", { "Ref": "PrivateSubnet2CIDR" }, " -Region ", { "Ref": "AWS::Region" } ] ] } ] }, "waitAfterCompletion": "0" } } }, "installADCS": { "commands": { "a-install-ca": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "0" } } }, "finalize": { "commands": { "a-signal-success": { "command": "powershell.exe -Command \"Write-AWSQuickStartStatus\"", "waitAfterCompletion": "0" } } } } }, "Properties": { "ImageId": { "Ref": "LatestAmiId" }, "IamInstanceProfile": { "Ref": 
"ADServerProfile" }, "InstanceType": { "Ref": "ADServer1InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet1ID" }, "Tags": [ { "Key": "Name", "Value": { "Ref": "ADServer1NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController1SG" } ], "PrivateIpAddress": { "Ref": "ADServer1PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController2": { "Type": "AWS::EC2::Instance", "DependsOn": "DomainController1WaitCondition", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "addDomainController", "installADCS", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController2.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController2", " --region ", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ", { "Ref": "ADServer1PrivateIP" }, 
"\n" ] ] } }, "C:\\cfn\\scripts\\Add-DNSEntry.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Add-DNSEntry.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "C:\\cfn\\modules\\AWSQuickStart.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/modules/AWSQuickStart.zip", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Disable-WindowsFirewall.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Disable-WindowsFirewall.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Install-Prereqs.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Install-Prereqs.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Install-ADDSDC.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Install-ADDSDC.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\New-CertificateAuthority.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/New-CertificateAuthority.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Rename-Computer.ps1": { "source": { "Fn::Sub": [ 
"https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Rename-Computer.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/xAdcsDeployment_0.1.0.0.zip", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Unzip-Archive.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Update-DNSServers.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/Update-DNSServers.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } }, "commands": { "a-disable-win-fw": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Disable-WindowsFirewall.ps1" ] ] }, "waitAfterCompletion": "0" }, "b-set-execution-policy": { "command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force", "waitAfterCompletion": "0" }, "c-unpack-dsc-resource": { "command": "powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" }, "d-unpack-quickstart-module": { "command": "powershell.exe -Command C:\\cfn\\scripts\\Unzip-Archive.ps1 
-Source C:\\cfn\\modules\\AWSQuickStart.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" }, "e-init-quickstart-module": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "New-AWSQuickStartWaitHandle -Handle '", { "Ref": "DomainController2WaitHandle" }, "'\"" ] ] }, "waitAfterCompletion": "0" } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Rename-Computer.ps1 -NewName ", { "Ref": "ADServer2NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "addDomainController": { "commands": { "1-install-prereqs": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Install-Prereqs.ps1" ] ] }, "waitAfterCompletion": "0" }, "2-add-dc": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Install-ADDSDC.ps1 -DomainNetBIOSName ", { "Ref": "DomainNetBIOSName" }, " -DomainAdminUser ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "forever" } } }, "installADCS": { "commands": { "a-install-ca": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "0" } } }, "finalize": { "commands": { "a-update-dns-servers-dc2": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Update-DNSServers.ps1 -ADServer1PrivateIP ", { "Ref": "ADServer1PrivateIP" }, " -ADServer2PrivateIP ", { "Ref": "ADServer2PrivateIP" } ] ] }, "waitAfterCompletion": "0" 
}, "b-update-dns-servers-dc1": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\Add-DNSEntry.ps1 -ADServer1NetBIOSName ", { "Ref": "ADServer1NetBIOSName" }, " -DomainAdminUser ", { "Ref": "DomainAdminUser" }, " -DomainDNSName ", { "Ref": "DomainDNSName" }, " -DomainNetBIOSName ", { "Ref": "DomainNetBIOSName" }, " -ADServer1PrivateIP ", { "Ref": "ADServer1PrivateIP" }, " -ADServer2PrivateIP ", { "Ref": "ADServer2PrivateIP" }, " -SSMParamName ", { "Ref": "ADPassword" } ] ] }, "waitAfterCompletion": "0" }, "c-signal-success": { "command": "powershell.exe -Command \"Write-AWSQuickStartStatus\"", "waitAfterCompletion": "0" } } } } }, "Properties": { "ImageId": { "Ref": "LatestAmiId" }, "IamInstanceProfile": { "Ref": "ADServerProfile" }, "InstanceType": { "Ref": "ADServer2InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet2ID" }, "Tags": [ { "Key": "Name", "Value": { "Ref": "ADServer2NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController2SG" } ], "PrivateIpAddress": { "Ref": "ADServer2PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController1WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController1", "Properties": { "Handle": { "Ref": "DomainController1WaitHandle" }, "Timeout": "3600" } }, "DomainController1WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController2WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController2", "Properties": { "Handle": { "Ref": "DomainController2WaitHandle" }, "Timeout": "3600" } }, "DomainController2WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController1SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller 1. AD/DNS/Kerberos/LDAP/RPC from private subnet 2 CIDR and the domain member SG; WinRM 5985, HTTP 80 and DNS 53 from the whole VPC CIDR. Bootstrap runs Disable-WindowsFirewall.ps1, so this SG is the effective host filter.", "VpcId": { "Ref": "VPCID" 
}, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", 
"FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": "139", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": 
"udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainController2SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", 
"FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": "139", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", 
"SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": 
"PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainMemberSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Members", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } } }, "Outputs": { "DomainAdmin": { "Value": { "Fn::Join": [ "", [ { "Ref": "DomainNetBIOSName" }, "\\", { "Ref": "DomainAdminUser" } ] ] }, "Description": "Domain administrator account" }, "DomainMemberSGID": { "Value": { "Ref": 
"DomainMemberSG" }, "Description": "Domain Member Security Group ID" }, "ADPasswordParamName": { "Value": { "Ref": "ADPassword" } } } }