{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "This template creates a managed Microsoft AD Directory Service into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0021)", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Network Configuration" }, "Parameters": [ "VPCCIDR", "VPCID", "PrivateSubnet1CIDR", "PrivateSubnet1ID", "PrivateSubnet2CIDR", "PrivateSubnet2ID", "PublicSubnet1CIDR", "PublicSubnet2CIDR" ] }, { "Label": { "default": "Microsoft Active Directory Configuration" }, "Parameters": [ "DomainDNSName", "DomainNetBIOSName", "DomainAdminPassword" ] }, { "Label": { "default": "AWS Quick Start Configuration" }, "Parameters": [ "QSS3BucketName", "QSS3KeyPrefix" ] } ], "ParameterLabels": { "DomainAdminPassword": { "default": "Domain Admin Password" }, "DomainDNSName": { "default": "Domain DNS Name" }, "DomainNetBIOSName": { "default": "Domain NetBIOS Name" }, "PrivateSubnet1CIDR": { "default": "Private Subnet 1 CIDR" }, "PrivateSubnet1ID": { "default": "Private Subnet 1 ID" }, "PrivateSubnet2CIDR": { "default": "Private Subnet 2 CIDR" }, "PrivateSubnet2ID": { "default": "Private Subnet 2 ID" }, "PublicSubnet1CIDR": { "default": "Public Subnet 1 CIDR" }, "PublicSubnet2CIDR": { "default": "Public Subnet 2 CIDR" }, "QSS3BucketName": { "default": "Quick Start S3 Bucket Name" }, "QSS3KeyPrefix": { "default": "Quick Start S3 Key Prefix" }, "VPCCIDR": { "default": "VPC CIDR" }, "VPCID": { "default": "VPC ID" } } } }, "Parameters": { "DomainAdminPassword": { "Description": "Password for the domain admin user. Must be at least 8 characters containing letters, numbers and symbols", "Type": "String", "MinLength": "8", "MaxLength": "32", "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "NoEcho": "true" }, "DomainDNSName": { "Description": "Fully qualified domain name (FQDN) of the forest root domain e.g. example.com", "Type": "String", "Default": "example.com", "MinLength": "2", "MaxLength": "25", "AllowedPattern": "[a-zA-Z0-9\\-]+\\..+" }, "DomainNetBIOSName": { "Description": "NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE", "Type": "String", "Default": "example", "MinLength": "1", "MaxLength": "15", "AllowedPattern": "[a-zA-Z0-9\\-]+" }, "PrivateSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/19", "Description": "CIDR block for private subnet 1 located in Availability Zone 1.", "Type": "String" }, "PrivateSubnet1ID": { "Description": "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PrivateSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.32.0/19", "Description": "CIDR block for private subnet 2 located in Availability Zone 2.", "Type": "String" }, "PrivateSubnet2ID": { "Description": "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PublicSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.128.0/20", "Description": "CIDR Block for the public DMZ subnet 1 located in Availability Zone 1", "Type": "String" }, "PublicSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.144.0/20", "Description": "CIDR Block for the public DMZ subnet 2 located in Availability Zone 2", "Type": "String" }, "QSS3BucketName": { "AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$", "ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Default": "aws-quickstart", "Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Type": "String" }, "QSS3KeyPrefix": { "AllowedPattern": "^[0-9a-zA-Z-/]*$", "ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Default": "quickstart-microsoft-activedirectory/", "Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Type": "String" }, "VPCCIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/16", "Description": "CIDR Block for the VPC", "Type": "String" }, "VPCID": { "Description": "ID of the VPC (e.g., vpc-0343606e)", "Type": "AWS::EC2::VPC::Id" } }, "Rules": { "SubnetsInVPC": { "Assertions": [ { "Assert": { "Fn::EachMemberIn": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "VpcId" ] }, { "Fn::RefAll": "AWS::EC2::VPC::Id" } ] }, "AssertDescription": "All subnets must in the VPC" } ] } }, "Resources": { "DHCPOptions": { "Type": "AWS::EC2::DHCPOptions", "DependsOn": "MicrosoftAD", "Properties": { "DomainName": { "Ref": "DomainDNSName" }, "DomainNameServers": { "Fn::GetAtt": [ "MicrosoftAD", "DnsIpAddresses" ] }, "Tags": [ { "Key": "Domain", "Value": { "Ref": "DomainDNSName" } } ] } }, "VPCDHCPOptionsAssociation": { "Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": { "VpcId": { "Ref": "VPCID" }, "DhcpOptionsId": { "Ref": "DHCPOptions" } } }, "MicrosoftAD": { "Type": "AWS::DirectoryService::MicrosoftAD", "Properties": { "Name": { "Ref": "DomainDNSName" }, "ShortName": { "Ref": "DomainNetBIOSName" }, "Password": { "Ref": "DomainAdminPassword" }, "VpcSettings": { "SubnetIds": [ { "Ref": "PrivateSubnet1ID" }, { "Ref": "PrivateSubnet2ID" } ], "VpcId": { "Ref": "VPCID" } } } }, "DomainMemberSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Members", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } } }, "Outputs": { "ADServer1PrivateIP": { "Value": { "Fn::Select": [ "0", { "Fn::GetAtt": [ "MicrosoftAD", "DnsIpAddresses" ] } ] }, "Description": "AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses)" }, "ADServer2PrivateIP": { "Value": { "Fn::Select": [ "1", { "Fn::GetAtt": [ "MicrosoftAD", "DnsIpAddresses" ] } ] }, "Description": "AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses)" }, "DomainAdmin": { "Value": { "Fn::Join": [ "", [ { "Ref": "DomainNetBIOSName" }, "\\admin" ] ] }, "Description": "Domain administrator account" }, "DomainMemberSGID": { "Value": { "Ref": "DomainMemberSG" }, "Description": "Domain Member Security Group ID" } } }