AWSTemplateFormatVersion: "2010-09-09" Description: >- This template creates a AWS Managed Microsoft AD Directory into private subnets in separate Availability Zones inside a VPC. The default Domain Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1s5tkblm0) Metadata: cfn-lint: config: ignore_checks: - W9006 - E9101 QuickStartDocumentation: EntrypointName: "Parameters for deploying AWS Managed Microsoft AD into an existing VPC" Order: "6" AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - DHCPOptionSet - PrivateSubnet1ID - PrivateSubnet2ID - Label: default: AWS Managed Microsoft Active Directory configuration Parameters: - DomainDNSName - DomainNetBIOSName - ADEdition - Label: default: Microsoft Windows Server management instance Parameters: - MgmtServer - MgmtServerInstanceType - MgmtAmi - MgmtDataDriveSizeGiB - MgmtServerNetBIOSName - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: ADEdition: default: AWS Managed Microsoft AD Edition DHCPOptionSet: default: Create a DHCP Options set DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS Name MgmtAmi: default: Management Server SSM Parameter Value for latest AMI ID MgmtDataDriveSizeGiB: default: Data Drive Size MgmtServer: default: Deploy Management Server MgmtServerInstanceType: default: Management Server Instance Type MgmtServerNetBIOSName: default: Management Server NetBIOS Name PrivateSubnet1ID: default: Subnet 1 ID PrivateSubnet2ID: default: Subnet 2 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: ADEdition: AllowedValues: - Standard - Enterprise Default: Enterprise Description: The AWS Managed Microsoft AD Edition you wish to deploy Type: String DHCPOptionSet: AllowedValues: - "Yes" - "No" Default: "Yes" Description: Do you want to create and apply a new DHCP Options Set Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: "255" MinLength: "2" Type: String DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: example Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: "15" MinLength: "1" Type: String MgmtAmi: Default: "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" Description: Management Server SSM Parameter Value to grab the latest AMI ID Type: String MgmtDataDriveSizeGiB: Default: "2" Description: Size of the Management Server Data Drive in GiB Type: Number MgmtServer: AllowedValues: - "true" - "false" Default: "true" Description: Do you want to deploy a Management Server Type: String MgmtServerInstanceType: AllowedValues: - t2.small - t3.small - t2.medium - t3.medium - t2.large - t3.large Default: t3.medium Description: Amazon EC2 instance type for the Management Server Type: String MgmtServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: MGMT1 Description: NetBIOS name of the Management Server server (up to 15 characters) MaxLength: "15" MinLength: "1" Type: String PrivateSubnet1ID: Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PrivateSubnet2ID: Description: ID of subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PublicSubnet1ID: Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-) It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-activedirectory/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Rules: SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll "AWS::EC2::VPC::Id" AssertDescription: All subnets must in the VPC Conditions: ShouldCreateDHCPOption: !Not [!Equals [!Ref DHCPOptionSet, "No"]] ShouldCreateMgmtServer: !Equals [!Ref MgmtServer, "true"] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, "aws-quickstart"] Resources: DHCPOptions: Condition: ShouldCreateDHCPOption Type: AWS::EC2::DHCPOptions Properties: DomainName: !Ref "DomainDNSName" DomainNameServers: !GetAtt "MicrosoftAD.DnsIpAddresses" Tags: - Key: Domain Value: !Ref "DomainDNSName" VPCDHCPOptionsAssociation: Condition: ShouldCreateDHCPOption Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref "VPCID" DhcpOptionsId: !Ref "DHCPOptions" ADAdminSecrets: Type: AWS::SecretsManager::Secret Properties: Name: !Sub "ADAdminSecret-${AWS::StackName}" GenerateSecretString: SecretStringTemplate: !Sub '{"Username": "${DomainNetBIOSName}\\Admin"}' GenerateStringKey: "Password" PasswordLength: 12 ExcludeCharacters: '"@/\' MicrosoftAD: Type: AWS::DirectoryService::MicrosoftAD Properties: Name: !Ref "DomainDNSName" Edition: !Ref "ADEdition" ShortName: !Ref "DomainNetBIOSName" Password: !Join [ "", [ "{{resolve:secretsmanager:", !Ref ADAdminSecrets, ":SecretString:Password}}", ], ] VpcSettings: SubnetIds: - !Ref "PrivateSubnet1ID" - !Ref "PrivateSubnet2ID" VpcId: !Ref "VPCID" DomainMemberSG: Type: AWS::EC2::SecurityGroup Metadata: cfn_nag: rules_to_suppress: - id: F1000 reason: "Standard Amazon practice" Properties: GroupDescription: Domain Members VpcId: !Ref "VPCID" Tags: - Key: Name Value: DomainMembersSecurityGroup DomainMembersIngressRDP: Type: AWS::EC2::SecurityGroupIngress Properties: Description: RDP GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref DomainMemberSG DomainMembersIngressWinRMHTTP: Type: AWS::EC2::SecurityGroupIngress Properties: Description: WinRM-HTTP GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 5985 ToPort: 5985 SourceSecurityGroupId: !Ref DomainMemberSG DomainMembersIngressWinRMHTTPS: Type: AWS::EC2::SecurityGroupIngress Properties: Description: WinRM-HTTPS GroupId: !Ref DomainMemberSG IpProtocol: tcp FromPort: 5986 ToPort: 5986 SourceSecurityGroupId: !Ref DomainMemberSG MgmtStack: Condition: ShouldCreateMgmtServer Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - "https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workshop/mgmt-1.template.yaml" - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: AdministratorSecret: !Ref "ADAdminSecrets" DirectoryID: !Ref "MicrosoftAD" DomainController1IP: !Select ["0", !GetAtt "MicrosoftAD.DnsIpAddresses"] DomainController2IP: !Select ["1", !GetAtt "MicrosoftAD.DnsIpAddresses"] DomainDNSName: !Ref "DomainDNSName" DomainMembersSG: !Ref "DomainMemberSG" DomainNetBIOSName: !Ref "DomainNetBIOSName" MgmtAmi: !Ref "MgmtAmi" MgmtDataDriveSizeGiB: !Ref "MgmtDataDriveSizeGiB" MgmtServerInstanceType: !Ref "MgmtServerInstanceType" MgmtServerNetBIOSName: !Ref "MgmtServerNetBIOSName" MgmtServerSubnet: !Ref "PublicSubnet1ID" QSS3BucketName: !Ref "QSS3BucketName" QSS3BucketRegion: !Ref "QSS3BucketRegion" QSS3KeyPrefix: !Ref "QSS3KeyPrefix" VPCCIDR: !Ref "VPCCIDR" VPCID: !Ref "VPCID" Outputs: ADSecretsArn: Description: Managed AD Admin Secrets Value: !Ref "ADAdminSecrets" Export: Name: DomainSecretsArn ADServer1PrivateIP: Description: AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses) Value: !Select ["0", !GetAtt "MicrosoftAD.DnsIpAddresses"] ADServer2PrivateIP: Description: AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses) Value: !Select ["1", !GetAtt "MicrosoftAD.DnsIpAddresses"] DirectoryID: Description: Directory Services ID Value: !Ref "MicrosoftAD" DomainAdmin: Description: Domain administrator account Value: !Sub ${DomainNetBIOSName}\admin DomainMemberSGID: Description: Domain Member Security Group ID Value: !Ref "DomainMemberSG" Export: Name: DomainMemberSG