{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "This template creates 2 Active Directory Domain Controllers into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator password will be the one retrieved from the instance. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances' fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0001)", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Network Configuration" }, "Parameters": [ "VPCCIDR", "VPCID", "PrivateSubnet1CIDR", "PrivateSubnet1ID", "PrivateSubnet2CIDR", "PrivateSubnet2ID", "PublicSubnet1CIDR", "PublicSubnet2CIDR" ] }, { "Label": { "default": "Amazon EC2 Configuration" }, "Parameters": [ "KeyPairName", "ADServer1InstanceType", "ADServer1NetBIOSName", "ADServer1PrivateIP", "ADServer2InstanceType", "ADServer2NetBIOSName", "ADServer2PrivateIP" ] }, { "Label": { "default": "Microsoft Active Directory Configuration" }, "Parameters": [ "DomainDNSName", "DomainNetBIOSName", "RestoreModePassword", "DomainAdminUser", "DomainAdminPassword" ] }, { "Label": { "default": "AWS Quick Start Configuration" }, "Parameters": [ "QSS3BucketName", "QSS3KeyPrefix" ] } ], "ParameterLabels": { "ADServer1InstanceType": { "default": "Domain Controller 1 Instance Type" }, "ADServer1NetBIOSName": { "default": "Domain Controller 1 NetBIOS Name" }, "ADServer1PrivateIP": { "default": "Domain Controller 1 Private IP Address" }, "ADServer2InstanceType": { "default": "Domain Controller 2 Instance Type" }, "ADServer2NetBIOSName": { "default": "Domain Controller 2 NetBIOS Name" }, "ADServer2PrivateIP": { "default": "Domain Controller 2 Private IP Address" }, 
"DomainAdminPassword": { "default": "Domain Admin Password" }, "DomainAdminUser": { "default": "Domain Admin User Name" }, "DomainDNSName": { "default": "Domain DNS Name" }, "DomainNetBIOSName": { "default": "Domain NetBIOS Name" }, "KeyPairName": { "default": "Key Pair Name" }, "PrivateSubnet1CIDR": { "default": "Private Subnet 1 CIDR" }, "PrivateSubnet1ID": { "default": "Private Subnet 1 ID" }, "PrivateSubnet2CIDR": { "default": "Private Subnet 2 CIDR" }, "PrivateSubnet2ID": { "default": "Private Subnet 2 ID" }, "PublicSubnet1CIDR": { "default": "Public Subnet 1 CIDR" }, "PublicSubnet2CIDR": { "default": "Public Subnet 2 CIDR" }, "QSS3BucketName": { "default": "Quick Start S3 Bucket Name" }, "QSS3KeyPrefix": { "default": "Quick Start S3 Key Prefix" }, "RestoreModePassword": { "default": "Restore Mode Password" }, "VPCCIDR": { "default": "VPC CIDR" }, "VPCID": { "default": "VPC ID" } } } }, "Parameters": { "ADServer1InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the first Active Directory instance", "Type": "String" }, "ADServer1NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "DC1", "Description": "NetBIOS name of the first Active Directory server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer1PrivateIP": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", "Default": "10.0.0.10", "Description": "Fixed private IP for the first Active Directory server located in Availability Zone 1", "Type": "String" }, "ADServer2InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the second Active Directory instance", "Type": "String" }, "ADServer2NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", 
"Default": "DC2", "Description": "NetBIOS name of the second Active Directory server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer2PrivateIP": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", "Default": "10.0.32.10", "Description": "Fixed private IP for the second Active Directory server located in Availability Zone 2", "Type": "String" }, "DomainAdminPassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Password for the domain admin user. Must be at least 8 characters containing letters, numbers and symbols", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "DomainAdminUser": { "AllowedPattern": "[a-zA-Z0-9]*", "Default": "StackAdmin", "Description": "User name for the account that will be added as Domain Administrator. This is separate from the default \"Administrator\" account", "MaxLength": "25", "MinLength": "5", "Type": "String" }, "DomainDNSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+", "Default": "example.com", "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com", "MaxLength": "25", "MinLength": "3", "Type": "String" }, "DomainNetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "example", "Description": "NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. 
EXAMPLE", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "KeyPairName": { "Description": "Public/private key pairs allow you to securely connect to your instance after it launches", "Type": "AWS::EC2::KeyPair::KeyName" }, "PrivateSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/19", "Description": "CIDR block for private subnet 1 located in Availability Zone 1.", "Type": "String" }, "PrivateSubnet1ID": { "Description": "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PrivateSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.64.0/19", "Description": "CIDR block for private subnet 2 located in Availability Zone 2.", "Type": "String" }, "PrivateSubnet2ID": { "Description": "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PublicSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.32.0/20", "Description": "CIDR Block for the public DMZ subnet 1 located in Availability Zone 1", "Type": "String" }, "PublicSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.96.0/20", "Description": "CIDR Block for the 
public DMZ subnet 2 located in Availability Zone 2", "Type": "String" }, "QSS3BucketName": { "AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$", "ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Default": "aws-quickstart", "Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Type": "String" }, "QSS3KeyPrefix": { "AllowedPattern": "^[0-9a-zA-Z-/]*$", "ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Default": "quickstart-microsoft-activedirectory/", "Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Type": "String" }, "RestoreModePassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "Description": "Password for a separate Administrator account when the domain controller is in Restore Mode. 
Must be at least 8 characters containing letters, numbers and symbols", "MaxLength": "32", "MinLength": "8", "NoEcho": "True", "Type": "String" }, "VPCCIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/16", "Description": "CIDR Block for the VPC", "Type": "String" }, "VPCID": { "Description": "ID of the VPC (e.g., vpc-0343606e)", "Type": "AWS::EC2::VPC::Id" } }, "Rules": { "SubnetsInVPC": { "Assertions": [ { "Assert": { "Fn::EachMemberIn": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "VpcId" ] }, { "Fn::RefAll": "AWS::EC2::VPC::Id" } ] }, "AssertDescription": "All subnets must be in the VPC" } ] } }, "Mappings": { "AWSAMIRegionMap": { "AMI": { "WS2012R2": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2019.07.12" }, "ap-northeast-1": { "WS2012R2": "ami-06823103be2218b98" }, "ap-northeast-2": { "WS2012R2": "ami-050e65d9f2ec90145" }, "ap-south-1": { "WS2012R2": "ami-045e1f06f29929467" }, "ap-southeast-1": { "WS2012R2": "ami-0c322369af7718803" }, "ap-southeast-2": { "WS2012R2": "ami-0813db0de4ddab990" }, "ca-central-1": { "WS2012R2": "ami-0850dfaa3ee6f6233" }, "eu-central-1": { "WS2012R2": "ami-024652d0a3df40e74" }, "eu-west-1": { "WS2012R2": "ami-0d2f69fcc5f00c97a" }, "eu-west-2": { "WS2012R2": "ami-0998a91bb1756752d" }, "sa-east-1": { "WS2012R2": "ami-044d56b6baa621d7d" }, "us-east-1": { "WS2012R2": "ami-094a644f1fb9e4ce3" }, "us-east-2": { "WS2012R2": "ami-0a1a54d8690206089" }, "us-west-1": { "WS2012R2": "ami-094dcbdb1aa24c8da" }, "us-west-2": { "WS2012R2": "ami-0f8967b5f815400c0" } } }, "Conditions": { "GovCloudCondition": { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-gov-west-1" ] } }, "Resources": { "DHCPOptions": { "Type": "AWS::EC2::DHCPOptions", "DependsOn": [ "DomainController1WaitCondition", "DomainController2WaitCondition" ], "Properties": { 
"DomainName": { "Ref": "DomainDNSName" }, "DomainNameServers": [ { "Ref": "ADServer1PrivateIP" }, { "Ref": "ADServer2PrivateIP" } ], "Tags": [ { "Key": "Domain", "Value": { "Ref": "DomainDNSName" } } ] } }, "VPCDHCPOptionsAssociation": { "Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": { "VpcId": { "Ref": "VPCID" }, "DhcpOptionsId": { "Ref": "DHCPOptions" } } }, "ADServerRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": { "Fn::Sub": [ "arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*", { "Partition": { "Fn::If": [ "GovCloudCondition", "aws-us-gov", "aws" ] } } ] }, "Effect": "Allow" } ] }, "PolicyName": "aws-quick-start-s3-policy" } ], "Path": "/", "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Effect": "Allow" } ], "Version": "2012-10-17" } } }, "ADServerProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "ADServerRole" } ], "Path": "/" } }, "DomainController1": { "Type": "AWS::EC2::Instance", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "installADDS", "configureSites", "installADCS", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController1", " --region ", { "Ref": 
"AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;", "\n" ] ] } }, "c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/ConvertTo-EnterpriseAdmin.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\New-CertificateAuthority.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/New-CertificateAuthority.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/xAdcsDeployment_0.1.0.0.zip", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Unzip-Archive.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", 
"c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } }, "commands": { "a-disable-win-fw": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False\"" ] ] }, "waitAfterCompletion": "0" }, "b-set-execution-policy": { "command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force", "waitAfterCompletion": "0" }, "c-unpack-dsc-resource": { "command": "powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe Rename-Computer -NewName ", { "Ref": "ADServer1NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "installADDS": { "commands": { "1-install-prereqs": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"Install-WindowsFeature AD-Domain-Services, rsat-adds -IncludeAllSubFeature\"" ] ] }, "waitAfterCompletion": "0" }, "2-install-adds": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command ", "\"Install-ADDSForest -DomainName ", { "Ref": "DomainDNSName" }, " ", "-SafeModeAdministratorPassword (ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force) ", "-DomainMode Win2012R2 ", "-DomainNetbiosName ", { "Ref": "DomainNetBIOSName" }, " ", "-ForestMode Win2012R2 ", "-Confirm:$false ", "-Force\"" ] ] }, "waitAfterCompletion": "forever" }, "3-restart-service": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command Restart-Service NetLogon -EA 0" ] ] }, "waitAfterCompletion": "180" }, "4-create-adminuser": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command ", 
"\"New-ADUser ", "-Name ", { "Ref": "DomainAdminUser" }, " ", "-UserPrincipalName ", { "Ref": "DomainAdminUser" }, "@", { "Ref": "DomainDNSName" }, " ", "-AccountPassword (ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force) ", "-Enabled $true ", "-PasswordNeverExpires $true\"" ] ] }, "waitAfterCompletion": "0" }, "5-update-adminuser": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\ConvertTo-EnterpriseAdmin.ps1 -Members ", { "Ref": "DomainAdminUser" } ] ] }, "waitAfterCompletion": "0" } } }, "configureSites": { "commands": { "a-rename-default-site": { "command": { "Fn::Join": [ "", [ "powershell.exe ", "\"", "Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -filter {Name -eq 'Default-First-Site-Name'} | Rename-ADObject -NewName AZ1", "\"" ] ] }, "waitAfterCompletion": "0" }, "b-create-site-2": { "command": { "Fn::Join": [ "", [ "powershell.exe New-ADReplicationSite AZ2" ] ] }, "waitAfterCompletion": "0" }, "c-create-publicsubnet-1": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command New-ADReplicationSubnet -Name ", { "Ref": "PublicSubnet1CIDR" }, " -Site AZ1" ] ] }, "waitAfterCompletion": "0" }, "d-create-publicsubnet-2": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command New-ADReplicationSubnet -Name ", { "Ref": "PublicSubnet2CIDR" }, " -Site AZ2" ] ] }, "waitAfterCompletion": "0" }, "e-create-privatesubnet-1": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command New-ADReplicationSubnet -Name ", { "Ref": "PrivateSubnet1CIDR" }, " -Site AZ1" ] ] }, "waitAfterCompletion": "0" }, "f-create-privatesubnet-2": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command New-ADReplicationSubnet -Name ", { "Ref": "PrivateSubnet2CIDR" }, " -Site AZ2" ] ] }, "waitAfterCompletion": "0" }, "g-set-site-link": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "Get-ADReplicationSiteLink -Filter * | 
Set-ADReplicationSiteLink -SitesIncluded @{add='AZ2'} -ReplicationFrequencyInMinutes 15\"" ] ] }, "waitAfterCompletion": "0" } } }, "installADCS": { "commands": { "a-install-ca": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ", { "Ref": "DomainAdminUser" }, " -Password ", "'", { "Ref": "DomainAdminPassword" }, "'", " -DomainDNSName ", { "Ref": "DomainDNSName" } ] ] }, "waitAfterCompletion": "0" } } }, "finalize": { "commands": { "a-signal-success": { "command": { "Fn::Join": [ "", [ "cfn-signal.exe -e 0 \"", { "Ref": "DomainController1WaitHandle" }, "\"" ] ] } } } } } }, "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSAMIRegionMap", { "Ref": "AWS::Region" }, "WS2012R2" ] }, "IamInstanceProfile": { "Ref": "ADServerProfile" }, "InstanceType": { "Ref": "ADServer1InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet1ID" }, "Tags": [ { "Key": "Name", "Value": { "Ref": "ADServer1NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController1SG" } ], "PrivateIpAddress": { "Ref": "ADServer1PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController2": { "Type": "AWS::EC2::Instance", "DependsOn": "DomainController1WaitCondition", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "join", "addDomainController", "installADCS", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ 
"[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController2.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController2", " --region ", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ", { "Ref": "ADServer1PrivateIP" }, "\n" ] ] } }, "c:\\cfn\\scripts\\New-CertificateAuthority.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/New-CertificateAuthority.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/xAdcsDeployment_0.1.0.0.zip", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" }, "c:\\cfn\\scripts\\Unzip-Archive.ps1": { "source": { "Fn::Sub": [ "https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1", { "QSS3Region": { "Fn::If": [ "GovCloudCondition", "s3-us-gov-west-1", "s3" ] } } ] }, "authentication": "S3AccessCreds" } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } }, "commands": { "a-disable-win-fw": { "command": { 
"Fn::Join": [ "", [ "powershell.exe -Command \"Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False\"" ] ] }, "waitAfterCompletion": "0" }, "b-set-execution-policy": { "command": "powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force", "waitAfterCompletion": "0" }, "c-unpack-dsc-resource": { "command": "powershell.exe -command c:\\cfn\\scripts\\Unzip-Archive.ps1 -Source c:\\cfn\\modules\\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\\Program Files\\WindowsPowerShell\\Modules'", "waitAfterCompletion": "0" } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe Rename-Computer -NewName ", { "Ref": "ADServer2NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "join": { "commands": { "a-join-domain": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "Add-Computer -DomainName ", { "Ref": "DomainDNSName" }, " -Credential ", "(New-Object System.Management.Automation.PSCredential('", { "Ref": "DomainNetBIOSName" }, "\\", { "Ref": "DomainAdminUser" }, "',", "(ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force))) ", "-Restart\"" ] ] }, "waitAfterCompletion": "forever" } } }, "addDomainController": { "commands": { "1-install-prereqs": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"Install-WindowsFeature AD-Domain-Services, rsat-adds -IncludeAllSubFeature\"" ] ] }, "waitAfterCompletion": "0" }, "2-add-dc": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "Install-ADDSDomainController -InstallDns -DomainName ", { "Ref": "DomainDNSName" }, " -Credential ", "(New-Object System.Management.Automation.PSCredential('", { "Ref": "DomainNetBIOSName" }, "\\", { "Ref": "DomainAdminUser" }, "',", 
"(ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force))) ", "-SafeModeAdministratorPassword ", "(ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force) ", "-Confirm:$false -Force\"" ] ] }, "waitAfterCompletion": "forever" } } }, "installADCS": { "commands": { "a-install-ca": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command c:\\cfn\\scripts\\New-CertificateAuthority.ps1 -Username ", { "Ref": "DomainAdminUser" }, " -Password ", "'", { "Ref": "DomainAdminPassword" }, "'", " -DomainDNSName ", { "Ref": "DomainDNSName" } ] ] }, "waitAfterCompletion": "0" } } }, "finalize": { "commands": { "a-update-dns-servers-dc2": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command \"", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ", { "Ref": "ADServer1PrivateIP" }, ",", { "Ref": "ADServer2PrivateIP" }, "\"" ] ] }, "waitAfterCompletion": "0" }, "b-update-dns-servers-dc1": { "command": { "Fn::Join": [ "", [ "powershell.exe -Command ", "\"Invoke-Command -Scriptblock{ ", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses ", { "Ref": "ADServer2PrivateIP" }, ",", { "Ref": "ADServer1PrivateIP" }, " } -ComputerName ", { "Ref": "ADServer1NetBIOSName" }, " -Credential ", "(New-Object System.Management.Automation.PSCredential('", { "Ref": "DomainNetBIOSName" }, "\\", { "Ref": "DomainAdminUser" }, "',", "(ConvertTo-SecureString ", "'", { "Ref": "DomainAdminPassword" }, "'", " -AsPlainText -Force))) ", "\"" ] ] }, "waitAfterCompletion": "0" }, "c-signal-success": { "command": { "Fn::Join": [ "", [ "cfn-signal.exe -e 0 \"", { "Ref": "DomainController2WaitHandle" }, "\"" ] ] } } } } } }, "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSAMIRegionMap", { "Ref": "AWS::Region" }, "WS2012R2" ] }, "IamInstanceProfile": { "Ref": "ADServerProfile" }, "InstanceType": { "Ref": "ADServer2InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet2ID" }, "Tags": [ { "Key": "Name", "Value": { 
"Ref": "ADServer2NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController2SG" } ], "PrivateIpAddress": { "Ref": "ADServer2PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController1WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController1", "Properties": { "Handle": { "Ref": "DomainController1WaitHandle" }, "Timeout": "3600" } }, "DomainController1WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController2WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController2", "Properties": { "Handle": { "Ref": "DomainController2WaitHandle" }, "Timeout": "3600" } }, "DomainController2WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController1SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", 
"CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": "139", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": 
{ "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", 
"FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainController2SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": 
"PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": "139", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", 
"FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainMemberSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Members", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": 
"PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } } }, "Outputs": { "DomainAdmin": { "Value": { "Fn::Join": [ "", [ { "Ref": "DomainNetBIOSName" }, "\\", { "Ref": "DomainAdminUser" } ] ] }, "Description": "Domain administrator account" }, "DomainMemberSGID": { "Value": { "Ref": "DomainMemberSG" }, "Description": "Domain Member Security Group ID" } } }