{"id":18839368,"url":"https://github.com/andreswebs/terraform-aws-ec2-userdata-ad-join","last_synced_at":"2025-04-14T06:51:45.547Z","repository":{"id":124076778,"uuid":"451926938","full_name":"andreswebs/terraform-aws-ec2-userdata-ad-join","owner":"andreswebs","description":"Generates a user-data script for dynamically joining and un-joining Windows EC2 instances to an Active Directory domain","archived":false,"fork":false,"pushed_at":"2024-04-17T11:14:25.000Z","size":21,"stargazers_count":3,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-27T20:40:27.996Z","etag":null,"topics":["aws","ec2","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/andreswebs/ec2-userdata-ad-join/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andreswebs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-01-25T15:13:47.000Z","updated_at":"2024-09-17T08:35:19.000Z","dependencies_parsed_at":"2024-01-15T21:46:52.019Z","dependency_job_id":null,"html_url":"https://github.com/andreswebs/terraform-aws-ec2-userdata-ad-join","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":"andreswebs/tf-module-cookiecutter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreswebs%2Fterraform-aws-ec2-userdata-ad-join","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreswebs%2Fterraform-aws-ec2-userdata-ad-join/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreswebs%2Fterraform-aws-ec2-userdata-ad-join/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andreswebs%2Fterraform-aws-ec2-userdata-ad-join/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andreswebs","download_url":"https://codeload.github.com/andreswebs/terraform-aws-ec2-userdata-ad-join/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248837274,"owners_count":21169373,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","ec2","terraform-module"],"created_at":"2024-11-08T02:42:53.460Z","updated_at":"2025-04-14T06:51:45.510Z","avatar_url":"https://github.com/andreswebs.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# terraform-aws-ec2-userdata-ad-join\n\nGenerates a user-data script for dynamically joining and un-joining Windows EC2 instances to an Active Directory domain.\n\n## Configuration\n\nThe user-data script will fetch configuration values from SSM parameters. These parameters are assumed to already exist in the environment.\n\nDefault parameter names used by the module are:\n\n- `/ad-join/domain`\n- `/ad-join/username`\n- `/ad-join/password`\n- `/ad-join/dns-servers`\n\nThe parameter names are configured from Terraform variables. (See the input values below.)\n\nThe \"username\" and \"password\" parameters must contain credentials from an AD user with enough permissions to join machines to the domain.\n\n## IAM permissions\n\nThe user-data script assumes that the EC2 instance role has the proper permissions to access these parameters.\n\nThe following IAM policy is an example that can be adapted and added to the instance role to accomplish that.\nReplace `${AWS_REGION}` and `${AWS_ACCOUNT_ID}` with the correct values for the environment. \n\nThis example assumes that the parameter prefix for AD configurations is `/ad`:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"ssm:GetParameter\",\n        \"ssm:GetParameters\",\n        \"ssm:GetParametersByPath\",\n        \"ssm:GetParameterHistory\"\n      ],\n      \"Resource\": \"arn:aws:ssm:${AWS_REGION}:${AWS_ACCOUNT_ID}:parameter/ad/*\"\n    }\n  ]\n}\n```\n\n[//]: # (BEGIN_TF_DOCS)\n\n\n## Usage\n\nExample:\n\n```hcl\ndata \"aws_ami\" \"windows\" {\n  most_recent = true\n  filter {\n    name   = \"name\"\n    values = [\"Windows_Server-2019-English-Full-Base-*\"]\n  }\n  filter {\n    name   = \"virtualization-type\"\n    values = [\"hvm\"]\n  }\n  owners = [\"801119661308\"]\n}\n\nmodule \"ec2_role\" {\n  source       = \"andreswebs/ec2-role/aws\"\n  version      = \"1.0.0\"\n  role_name    = var.name\n  profile_name = var.name\n  policies = [\n    \"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore\",\n    \"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy\",\n    \"arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess\"\n  ]\n}\n\nmodule \"params_access\" {\n  source          = \"andreswebs/ssm-parameters-access-policy-document/aws\"\n  version         = \"1.0.0\"\n  parameter_names = [var.ad_ssm_prefix]\n}\n\nresource \"aws_iam_role_policy\" \"params_access\" {\n  name   = \"params-access\"\n  role   = module.ec2_role.role.name\n  policy = module.params_access.json\n}\n\n#############################\n## Use the module like this:\n#############################\nmodule \"user_data\" {\n  source        = \"github.com/andreswebs/terraform-aws-ec2-userdata-ad-join\"\n  ad_ssm_prefix = var.ad_ssm_prefix\n}\n\nresource \"aws_instance\" \"windows\" {\n  ami                  = data.aws_ami.windows.id\n  iam_instance_profile = module.ec2_role.instance_profile.name ## \u003c-- Make sure the instance has proper permissions\n  instance_type        = \"t3a.xlarge\"\n\n  user_data_base64 = module.user_data.b64 ## \u003c-- Use the module\n\n  tags = {\n    Name = \"example-windows-server\"\n  }\n\n  lifecycle {\n    ignore_changes = [ami, tags]\n  }\n\n}\n```\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_ad_ssm_parameter_name_dns_servers\"\u003e\u003c/a\u003e [ad\\_ssm\\_parameter\\_name\\_dns\\_servers](#input\\_ad\\_ssm\\_parameter\\_name\\_dns\\_servers) | Name suffix of the SSM parameter containing the AD domain controller IPs (DNS servers) | `string` | `\"/dns-servers\"` | no |\n| \u003ca name=\"input_ad_ssm_parameter_name_domain\"\u003e\u003c/a\u003e [ad\\_ssm\\_parameter\\_name\\_domain](#input\\_ad\\_ssm\\_parameter\\_name\\_domain) | Name suffix of the SSM parameter containing the AD domain name | `string` | `\"/domain\"` | no |\n| \u003ca name=\"input_ad_ssm_parameter_name_password\"\u003e\u003c/a\u003e [ad\\_ssm\\_parameter\\_name\\_password](#input\\_ad\\_ssm\\_parameter\\_name\\_password) | Name suffix of the SSM parameter containing the AD password | `string` | `\"/password\"` | no |\n| \u003ca name=\"input_ad_ssm_parameter_name_username\"\u003e\u003c/a\u003e [ad\\_ssm\\_parameter\\_name\\_username](#input\\_ad\\_ssm\\_parameter\\_name\\_username) | Name suffix of the SSM parameter containing the AD username | `string` | `\"/username\"` | no |\n| \u003ca name=\"input_ad_ssm_prefix\"\u003e\u003c/a\u003e [ad\\_ssm\\_prefix](#input\\_ad\\_ssm\\_prefix) | SSM parameter prefix for AD configurations | `string` | `\"/ad-join\"` | no |\n| \u003ca name=\"input_log_group\"\u003e\u003c/a\u003e [log\\_group](#input\\_log\\_group) | Name of the log group to log user-data output | `string` | `\"/windows\"` | no |\n| \u003ca name=\"input_log_retention_in_days\"\u003e\u003c/a\u003e [log\\_retention\\_in\\_days](#input\\_log\\_retention\\_in\\_days) | Log retention in days | `number` | `30` | no |\n\n## Modules\n\nNo modules.\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_b64\"\u003e\u003c/a\u003e [b64](#output\\_b64) | Base64-encoded user-data script |\n| \u003ca name=\"output_script\"\u003e\u003c/a\u003e [script](#output\\_script) | The user-data script |\n\n## Providers\n\nNo providers.\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.0.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3.50.0 |\n\n## Resources\n\nNo resources.\n\n[//]: # (END_TF_DOCS)\n\n## Authors\n\n**Andre Silva** - [@andreswebs](https://github.com/andreswebs)\n\n## License\n\nThis project is licensed under the [Unlicense](UNLICENSE.md).\n\n## References\n\n\u003chttps://aws.amazon.com/blogs/compute/managing-domain-membership-of-dynamic-fleet-of-ec2-instances/\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreswebs%2Fterraform-aws-ec2-userdata-ad-join","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandreswebs%2Fterraform-aws-ec2-userdata-ad-join","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandreswebs%2Fterraform-aws-ec2-userdata-ad-join/lists"}