https://github.com/sourcefuse/terraform-aws-arc-workspace

Repo for managing the Workspace Terraform Module.

![Module Structure](./static/banner.png)

# [terraform-aws-arc-workspace](https://github.com/sourcefuse/terraform-aws-arc-workspace)

![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge&logo=terraform&logoColor=white) ![GitHub Actions](https://img.shields.io/badge/github%20actions-%232671E5.svg?style=for-the-badge&logo=githubactions&logoColor=white)

[![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=sourcefuse_terraform-aws-arc-workspace)](https://sonarcloud.io/summary/new_code?id=sourcefuse_terraform-aws-arc-workspace)

[![Known Vulnerabilities](https://github.com/sourcefuse/terraform-aws-arc-workspace/actions/workflows/snyk.yaml/badge.svg)](https://github.com/sourcefuse/terraform-aws-arc-workspace/actions/workflows/snyk.yaml)

## Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing Workspaces.

## Usage

To see a Microsoft AD example, check out the [main.tf](https://github.com/sourcefuse/terraform-aws-arc-workspace/blob/main/examples/Microsoft-AD/main.tf) file in the example folder.

```hcl
module "microsoft-ad-workspace" {
  source  = "sourcefuse/arc-workspace/aws"
  version = "1.0.9"

  region     = var.region
  vpc_id     = data.aws_vpc.vpc.id
  subnet_ids = data.aws_subnets.private.ids

  directory_type = var.directory_type
  directory_name = var.directory_name
  directory_size = var.directory_size

  self_service_permissions      = var.self_service_permissions
  workspace_access_properties   = var.workspace_access_properties
  workspace_creation_properties = var.workspace_creation_properties

  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn

  user_names            = var.user_names
  workspace_properties  = var.workspace_properties
  volume_encryption_key = var.volume_encryption_key
  ip_rules              = var.ip_rules # change it according to your requirement
  tags                  = module.tags.tags
}
```

To see an AD Connector example, check out the [main.tf](https://github.com/sourcefuse/terraform-aws-arc-workspace/blob/main/examples/AD-Connector/main.tf) file in the example folder.

```hcl
module "ad-connector-workspace" {
  source  = "sourcefuse/arc-workspace/aws"
  version = "1.0.9"

  region     = var.region
  vpc_id     = data.aws_vpc.vpc.id
  subnet_ids = data.aws_subnets.private.ids

  directory_type = var.directory_type
  directory_name = var.directory_name
  directory_size = var.directory_size

  self_service_permissions      = var.self_service_permissions
  workspace_access_properties   = var.workspace_access_properties
  workspace_creation_properties = var.workspace_creation_properties

  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn

  user_names = var.user_names

  # AD Connector only: DNS servers and service account of the existing on-premises AD
  customer_dns_ips  = var.customer_dns_ips
  customer_username = var.customer_username

  workspace_properties  = var.workspace_properties
  volume_encryption_key = var.volume_encryption_key
  ip_rules              = var.ip_rules # change it according to your requirement
  tags                  = module.tags.tags
}
```

Both examples look similar; the difference is that `customer_dns_ips` and `customer_username` are required for AD Connector but not for AWS Managed Microsoft AD.

## IMPORTANT NOTE

For the `user_names` attribute shown in the examples, there are two approaches you can follow:
1. If you want to create custom user_names, first run `terraform apply`, then create the custom user names manually in the directory, specify those usernames here, and re-run `terraform apply` so that a workspace with each custom username is created with the appropriate configuration.

2. By default you can specify `Administrators` or `Admins` here, which exist in the directory by default, and that will create the workspace.

3. If you specify custom user_names (any number of them), then for example five custom user_names will make terraform create five workspaces, one for each user.

4. Custom user_names need to be created manually as mentioned in point 1, as there is no functionality in terraform to achieve this as of now.

5. If you leave the `user_names` attribute empty, no workspace will be created; only the directory, the IAM roles and so on will be created.

6. Example of specifying custom user_names:
```hcl
variable "user_names" {
  description = "List of usernames to create workspaces for"
  type        = map(string)
  default = {
    "mayank.sharma"  = null
    "james.crowley"  = null
    "travis.saucier" = null
  }
}
```
Since we specified three custom user_names, three workspaces (one per user) will be created.

7. Last but not least, and very important: if you are deploying in us-east-1, only the Availability Zones shown below are supported. When you are creating a virtual private cloud (VPC) for use with Amazon WorkSpaces, your VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones. Here is the picture of the supported Availability Zones for WorkSpaces.

![availability zones](./static/az.png)
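The subnet placement rule above is easy to get wrong silently, so here is an added root-module snippet (not part of this module's code) that resolves the subnets passed in `subnet_ids`, asserts that they sit in distinct Availability Zones, and that every zone is on a list you maintain. The `allowed_workspace_azs` variable and its placeholder values are assumptions; fill it from the supported-AZ list shown in the image. `check` blocks require Terraform 1.5 or later, which matches this module's stated requirement.

```hcl
# Added example: validate the subnets handed to the module before it
# creates anything. Not part of the module; the variable name and the
# AZ values below are assumptions.

variable "allowed_workspace_azs" {
  description = "Availability Zones that support WorkSpaces in the target region (PLACEHOLDER values, replace with the supported list for your region)"
  type        = set(string)
  default     = ["us-east-1a", "us-east-1c"] # PLACEHOLDER, not an authoritative list
}

# Look up each subnet id that the module call also uses
# (data.aws_subnets.private is the data source from the usage examples).
data "aws_subnet" "workspace" {
  for_each = toset(data.aws_subnets.private.ids)
  id       = each.value
}

locals {
  workspace_subnet_azs = [for s in data.aws_subnet.workspace : s.availability_zone]
}

# Each subnet must be in a different Availability Zone.
check "workspace_subnets_in_distinct_azs" {
  assert {
    condition     = length(distinct(local.workspace_subnet_azs)) == length(local.workspace_subnet_azs)
    error_message = "WorkSpaces subnets must each be in a different Availability Zone; got: ${join(", ", local.workspace_subnet_azs)}"
  }
}

# Each Availability Zone must be one that WorkSpaces supports.
check "workspace_subnets_in_supported_azs" {
  assert {
    condition     = alltrue([for az in local.workspace_subnet_azs : contains(var.allowed_workspace_azs, az)])
    error_message = "One or more WorkSpaces subnets are in an unsupported Availability Zone: ${join(", ", local.workspace_subnet_azs)}"
  }
}
```

A failing `check` is reported as a warning during `terraform plan` and `terraform apply` rather than aborting the run; if you want the condition to block the apply, place the same expression in a `lifecycle { precondition { ... } }` block on a resource that depends on the subnets.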

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.5, < 2.0.0 |
| [aws](#requirement\_aws) | >= 4.0, < 6.0 |
| [random](#requirement\_random) | ~> 3.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.17.0 |
| [random](#provider\_random) | 3.5.1 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_directory_service_directory.ADConnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/directory_service_directory) | resource |
| [aws_directory_service_directory.microsoftAD](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/directory_service_directory) | resource |
| [aws_iam_role.workspaces_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.workspaces_default_self_service_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.workspaces_default_service_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_security_group.workspace](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_ssm_parameter.ad_connector_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [aws_ssm_parameter.ad_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [aws_workspaces_directory.directory_ADConnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_directory) | resource |
| [aws_workspaces_directory.directory_microsoftAD](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_directory) | resource |
| [aws_workspaces_ip_group.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_ip_group) | resource |
| [aws_workspaces_workspace.workspace](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace) | resource |
| [random_password.ad_connector_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [random_password.ad_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_iam_policy_document.workspaces](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_workspaces_bundle.bundle](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/workspaces_bundle) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [bundle\_id](#input\_bundle\_id) | The ID of the bundle to use for the workspaces. | `string` | `null` | no |
| [customer\_dns\_ips](#input\_customer\_dns\_ips) | Connect settings for ADConnector. | `list(string)` | `[]` | no |
| [customer\_username](#input\_customer\_username) | Connect settings for ADConnector. | `string` | `""` | no |
| [directory\_name](#input\_directory\_name) | must be a fully qualified domain name and cannot end with a trailing period | `string` | `"poc.woebothealth.com"` | no |
| [directory\_size](#input\_directory\_size) | The size of the directory (Small or Large are accepted values). Large by default. | `string` | `"Small"` | no |
| [directory\_type](#input\_directory\_type) | Type of the directory service (MicrosoftAD or ADConnector). | `string` | `"MicrosoftAD"` | no |
| [egress\_rules](#input\_egress\_rules) | List of egress rules | <pre>list(object({<br>  from_port   = number<br>  to_port     = number<br>  protocol    = any<br>  cidr_blocks = optional(list(string), [])<br>}))</pre> | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "from_port": 0,<br>    "protocol": -1,<br>    "to_port": 0<br>  }<br>]</pre> | no |
| [iam\_role\_name](#input\_iam\_role\_name) | workspace iam-role-name | `string` | `"workspaces_DefaultRole"` | no |
| [ingress\_rules](#input\_ingress\_rules) | List of ingress rules | <pre>list(object({<br>  from_port   = number<br>  to_port     = number<br>  protocol    = string<br>  cidr_blocks = optional(list(string), [])<br>}))</pre> | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "from_port": 443,<br>    "protocol": "tcp",<br>    "to_port": 443<br>  }<br>]</pre> | no |
| [ip\_group\_description](#input\_ip\_group\_description) | Description of the IP access control group | `string` | `"nat-gateway-ip-list control group"` | no |
| [ip\_group\_name](#input\_ip\_group\_name) | Name of the IP access control group | `string` | `"nat-gateway-ip-list"` | no |
| [ip\_rules](#input\_ip\_rules) | List of IP rules | <pre>list(object({<br>  source      = string<br>  description = string<br>}))</pre> | `[]` | no |
| [region](#input\_region) | AWS region | `string` | `"us-west-2"` | no |
| [security\_group\_description](#input\_security\_group\_description) | Description of the security group | `string` | `"My security group description"` | no |
| [security\_group\_name](#input\_security\_group\_name) | Name of the security group | `string` | `"workspace-SG"` | no |
| [self\_service\_permissions](#input\_self\_service\_permissions) | Self-service permissions configuration. | <pre>object({<br>  change_compute_type  = bool<br>  increase_volume_size = bool<br>  rebuild_workspace    = bool<br>  restart_workspace    = bool<br>  switch_running_mode  = bool<br>})</pre> | <pre>{<br>  "change_compute_type": false,<br>  "increase_volume_size": false,<br>  "rebuild_workspace": false,<br>  "restart_workspace": true,<br>  "switch_running_mode": false<br>}</pre> | no |
| [ssm\_ad\_connector\_parameter\_name](#input\_ssm\_ad\_connector\_parameter\_name) | ssm parameter name for microsoft AD | `string` | `"/workspace/Connector/password"` | no |
| [ssm\_parameter\_name](#input\_ssm\_parameter\_name) | ssm parameter name for microsoft AD | `string` | `"/workspace/microsoft-ad/password"` | no |
| [subnet\_ids](#input\_subnet\_ids) | private subnet\_ids | `list(string)` | n/a | yes |
| [tags](#input\_tags) | tags to add to your resources | `map(string)` | n/a | yes |
| [user\_names](#input\_user\_names) | List of usernames to create workspaces for | `map(string)` | `{}` | no |
| [volume\_encryption\_key](#input\_volume\_encryption\_key) | encryption key | `string` | `""` | no |
| [vpc\_id](#input\_vpc\_id) | default vpc | `string` | n/a | yes |
| [workspace\_access\_properties](#input\_workspace\_access\_properties) | Workspace access properties configuration. | <pre>object({<br>  device_type_android    = string<br>  device_type_chromeos   = string<br>  device_type_ios        = string<br>  device_type_linux      = string<br>  device_type_osx        = string<br>  device_type_web        = string<br>  device_type_windows    = string<br>  device_type_zeroclient = string<br>})</pre> | <pre>{<br>  "device_type_android": "ALLOW",<br>  "device_type_chromeos": "ALLOW",<br>  "device_type_ios": "ALLOW",<br>  "device_type_linux": "ALLOW",<br>  "device_type_osx": "ALLOW",<br>  "device_type_web": "DENY",<br>  "device_type_windows": "ALLOW",<br>  "device_type_zeroclient": "ALLOW"<br>}</pre> | no |
| [workspace\_creation\_properties](#input\_workspace\_creation\_properties) | Workspace creation properties configuration. | <pre>object({<br>  custom_security_group_id            = string<br>  default_ou                          = string<br>  enable_internet_access              = bool<br>  enable_maintenance_mode             = bool<br>  user_enabled_as_local_administrator = bool<br>})</pre> | <pre>{<br>  "custom_security_group_id": "",<br>  "default_ou": "",<br>  "enable_internet_access": false,<br>  "enable_maintenance_mode": true,<br>  "user_enabled_as_local_administrator": true<br>}</pre> | no |
| [workspace\_properties](#input\_workspace\_properties) | Workspace properties configuration. | <pre>object({<br>  compute_type_name                         = string<br>  user_volume_size_gib                      = number<br>  root_volume_size_gib                      = number<br>  running_mode                              = string<br>  running_mode_auto_stop_timeout_in_minutes = number<br>})</pre> | <pre>{<br>  "compute_type_name": "VALUE",<br>  "root_volume_size_gib": 80,<br>  "running_mode": "ALWAYS_ON",<br>  "running_mode_auto_stop_timeout_in_minutes": 60,<br>  "user_volume_size_gib": 10<br>}</pre> | no |
| [workspaces\_self\_service\_access\_arn](#input\_workspaces\_self\_service\_access\_arn) | workspaces self service access from aws | `string` | n/a | yes |
| [workspaces\_service\_access\_arn](#input\_workspaces\_service\_access\_arn) | workspaces service access from aws | `string` | n/a | yes |
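Several of the defaults in the table above are permissive: `ingress_rules` and `egress_rules` default to `0.0.0.0/0`, `ip_rules` defaults to an empty list, `user_enabled_as_local_administrator` defaults to `true`, and `volume_encryption_key` defaults to `""`. The following module call is an added example (not from this repository or its examples folder) that sets each of these explicitly. The CIDR ranges are constructed values, the `aws_kms_key` resource and `module.tags` are assumptions, and `volume_encryption_key` is assumed to accept a KMS key ARN.

```hcl
# Added example (not the module's own code): a call that replaces the
# permissive input defaults with explicit, least-privilege values.
# CIDR ranges are constructed; the KMS key and tags module are assumptions.

# Customer-managed key so WorkSpaces root and user volumes are encrypted
# with a key you control and rotate.
resource "aws_kms_key" "workspaces" {
  description         = "CMK for WorkSpaces volume encryption"
  enable_key_rotation = true
}

module "microsoft-ad-workspace" {
  source  = "sourcefuse/arc-workspace/aws"
  version = "1.0.9"

  region     = var.region
  vpc_id     = data.aws_vpc.vpc.id
  subnet_ids = data.aws_subnets.private.ids

  directory_type = "MicrosoftAD"
  directory_name = var.directory_name
  directory_size = "Small"

  # IP access control group: only known corporate egress addresses may connect
  # (constructed values; use your own NAT gateway / VPN public IPs).
  ip_rules = [
    { source = "203.0.113.10/32", description = "HQ NAT gateway" },
    { source = "198.51.100.0/24", description = "VPN concentrator pool" },
  ]

  # Workspace security group: replace the 0.0.0.0/0 default with the VPC range.
  ingress_rules = [
    { from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = [data.aws_vpc.vpc.cidr_block] },
  ]

  # Users may restart their own workspace, nothing else.
  self_service_permissions = {
    change_compute_type  = false
    increase_volume_size = false
    rebuild_workspace    = false
    restart_workspace    = true
    switch_running_mode  = false
  }

  # Allow only the client platforms you manage; keep the browser client denied.
  workspace_access_properties = {
    device_type_android    = "DENY"
    device_type_chromeos   = "ALLOW"
    device_type_ios        = "DENY"
    device_type_linux      = "ALLOW"
    device_type_osx        = "ALLOW"
    device_type_web        = "DENY"
    device_type_windows    = "ALLOW"
    device_type_zeroclient = "DENY"
  }

  # No direct internet access and no local administrator rights for users.
  workspace_creation_properties = {
    custom_security_group_id            = ""
    default_ou                          = ""
    enable_internet_access              = false
    enable_maintenance_mode             = true
    user_enabled_as_local_administrator = false
  }

  workspace_properties = {
    compute_type_name                         = "VALUE"
    user_volume_size_gib                      = 10
    root_volume_size_gib                      = 80
    running_mode                              = "ALWAYS_ON"
    running_mode_auto_stop_timeout_in_minutes = 60
  }

  # Encrypt volumes with the customer-managed key defined above.
  volume_encryption_key = aws_kms_key.workspaces.arn

  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn
  user_names                         = var.user_names
  tags                               = module.tags.tags
}
```

`egress_rules` is left at its default here because the ports a workspace must reach depend on your directory and on whether workspaces are expected to reach the internet through a NAT gateway; review it separately rather than copying the all-traffic default into production.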

## Outputs

| Name | Description |
|------|-------------|
| [workspace\_bundle\_id](#output\_workspace\_bundle\_id) | The ID of the AWS Workspaces bundle. |
| [workspace\_directory\_id](#output\_workspace\_directory\_id) | The ID of the AWS Workspaces directory. |
| [workspace\_properties](#output\_workspace\_properties) | The properties of the AWS Workspaces. |
| [workspace\_root\_volume\_encryption\_enabled](#output\_workspace\_root\_volume\_encryption\_enabled) | Whether root volume encryption is enabled for the AWS Workspaces. |
| [workspace\_user\_name](#output\_workspace\_user\_name) | The username of the AWS Workspaces user. |
| [workspace\_user\_volume\_encryption\_enabled](#output\_workspace\_user\_volume\_encryption\_enabled) | Whether user volume encryption is enabled for the AWS Workspaces. |
| [workspace\_volume\_encryption\_key](#output\_workspace\_volume\_encryption\_key) | The encryption key used for AWS Workspaces volumes. |

### Git commits

When contributing or making a git commit, please specify in your commit message whether the change is major, minor or patch.

For example:

```sh
git commit -m "your commit message #major"
```
By specifying this, the version will be bumped accordingly; if you don't specify it in your commit message, the change is treated as a patch by default and the version is bumped accordingly.

## Development

### Prerequisites

- [terraform](https://learn.hashicorp.com/terraform/getting-started/install#installing-terraform)
- [terraform-docs](https://github.com/segmentio/terraform-docs)
- [pre-commit](https://pre-commit.com/#install)
- [golang](https://golang.org/doc/install#install)
- [golint](https://github.com/golang/lint#installation)

### Configurations

- Configure pre-commit hooks
```sh
pre-commit install
```

### Tests
- Tests are available in the `test` directory
- Configure the dependencies
```sh
cd test/
go mod init github.com/sourcefuse/arc-terraform-workspace
go get github.com/gruntwork-io/terratest/modules/terraform
```
- Now execute the test
```sh
cd test
go test
```

## Authors

This project is authored by:
- SourceFuse ARC Team