Guillermo Musumeci

Summary

The provided content details the process of deploying AWS Directory Service using Terraform, outlining network requirements, different AWS Directory Service versions, and Terraform code examples for each service type.

Abstract

The article "How to Deploy AWS Directory Service using Terraform" is a technical guide aimed at system administrators and DevOps professionals who manage cloud environments. It explains the benefits of using AWS Directory Service for integrating Microsoft Active Directory with AWS services, and it provides a step-by-step approach to deploying this service using Terraform, an infrastructure-as-code (IaC) tool. The author, with over a decade of experience in deploying Active Directory in various cloud environments, discusses the network prerequisites, such as a VPC with multiple subnets across different Availability Zones. The guide covers three AWS Directory Service options: SimpleAD, ADConnector, and MicrosoftAD, each with its own use cases and configurations. Terraform code snippets are included to illustrate how to set up each directory service type within AWS, ensuring that readers can automate the deployment process and manage directory services efficiently in the cloud.

Opinions

  • The author expresses a strong preference for using Terraform to deploy AWS Directory Service, highlighting its efficiency and ease of use for automating infrastructure provisioning.
  • The author is experienced with Active Directory, having used it since its public beta in 1999, and positions AWS Directory Service as a valuable tool for cloud environments.
  • The article suggests that AWS Directory Service offers flexibility and scalability for organizations of various sizes, with options ranging from SimpleAD for small to medium businesses to MicrosoftAD for larger enterprises.
  • The author emphasizes the importance of proper network configuration, particularly the use of multiple subnets across different Availability Zones, to ensure high availability and fault tolerance for the directory service.
  • By providing multiple Terraform code examples, the author conveys the opinion that infrastructure as code is a best practice for managing cloud resources, allowing for repeatable and consistent deployments.

How to Deploy AWS Directory Service using Terraform

AWS Directory Service provides multiple ways to use Microsoft AD (Active Directory) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources.

AWS Directory Service provides multiple directory choices for customers using existing Microsoft AD or LDAP (Lightweight Directory Access Protocol)–aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

In this story, we will deploy AWS Directory Service using Terraform.

Active Directory in Cloud Environments

This story is part of my Active Directory in Cloud Environments series.

I have been deploying Active Directory in AWS, Azure, GCP, and OCI cloud environments for more than 10 years. I have been using AD since Microsoft launched the public beta in 1999, so this is one of my favorite subjects to write about.

Network Requirements

To deploy AWS Directory Service, we will need a VPC with at least two subnets located in two separate AZs (Availability Zones).

We can start with simple Terraform code to create the VPC and subnets, or use the VPC Module to create our network.

Code to create a VPC and subnets

# VPC that will host the directory service
resource "aws_vpc" "directory_service_vpc" {
  cidr_block = "10.10.0.0/16"
}

# Two subnets in two different Availability Zones, as required by AWS Directory Service
resource "aws_subnet" "directory_service_subnet_1" {
  vpc_id            = aws_vpc.directory_service_vpc.id
  availability_zone = "eu-west-1a"
  cidr_block        = "10.10.1.0/24"
}

resource "aws_subnet" "directory_service_subnet_2" {
  vpc_id            = aws_vpc.directory_service_vpc.id
  availability_zone = "eu-west-1b"
  cidr_block        = "10.10.2.0/24"
}

In this story, we will use the VPC Module to create a simple VPC with two public and two private subnets in the eu-west-1 region.

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  name   = "kopicloud-dev"
  cidr   = "10.10.0.0/16"
  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24"]
  public_subnets  = ["10.10.3.0/24", "10.10.4.0/24"]
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags = {
    Name        = "kopicloud-dev"
    Environment = "Development"
  }
}

AWS Directory Service Versions

AWS Directory Service is offered in three different flavors: SimpleAD, ADConnector, or MicrosoftAD.

  • SimpleAD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.
  • ADConnector is a directory gateway with which we can redirect directory requests to our on-premises Microsoft Active Directory without caching any information in the cloud.
  • MicrosoftAD is a Microsoft Active Directory (AD) running on AWS-managed infrastructure.

AWS Directory Service Simple AD

SimpleAD is a standalone managed directory powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes:

  • Small — Supports up to 500 users (approximately 2,000 objects, including users, groups, and computers).
  • Large — Supports up to 5,000 users (approximately 20,000 objects, including users, groups, and computers).

resource "aws_directory_service_directory" "simple_ad" {
  name     = "dev.kopicloud.local"
  # Demo value only; do not commit a real administrator password to source control
  password = "Sup3rS3cr3tP@ssw0rd"
  size     = "Small"

  vpc_settings {
    vpc_id     = module.vpc.vpc_id
    subnet_ids = module.vpc.private_subnets
  }

  tags = {
    Name        = "kopicloud-simple-ad"
    Environment = "Development"
  }
}

AWS Directory Service AD Connector

ADConnector is a directory gateway with which we can redirect directory requests to our on-premises Microsoft Active Directory without caching any information in the cloud.

We can use AD Connector if we only need to allow our on-premises users to log in to AWS applications and services with their Active Directory credentials.

We can also use AD Connector to join Amazon EC2 instances to our existing Active Directory domain.

Note: There are a few extra requirements to use the AD Connector:

  • The VPC must be connected to your existing network through a virtual private network (VPN) connection or AWS Direct Connect.
  • The VPC must have default hardware tenancy.
  • The IP address ranges of the on-premises network and the AWS VPC must not overlap.

The AD Connector comes in two sizes:

  • Small — designed for organizations up to 500 users.
  • Large — designed for organizations up to 5,000 users.

resource "aws_directory_service_directory" "ad_connector" {
  name     = "dev.kopicloud.local"
  password = "Sup3rS3cr3tP@ssw0rd"
  size     = "Small"
  type     = "ADConnector"

  connect_settings {
    # DNS servers of the existing on-premises Active Directory
    customer_dns_ips  = ["10.20.1.10", "10.20.1.20"]
    # Account in the on-premises domain used by the connector
    customer_username = "ADAdmin"
    vpc_id            = module.vpc.vpc_id
    subnet_ids        = module.vpc.private_subnets
  }

  tags = {
    Name        = "kopicloud-ad-connector"
    Environment = "Development"
  }
}

AWS Directory Service Microsoft AD

MicrosoftAD is a Microsoft Active Directory (AD) running on AWS-managed infrastructure.

This service creates a highly available pair of Windows domain controllers connected to our virtual private cloud (VPC). Each domain controller runs in a different AZ (Availability Zone).

This is a fully managed service: AWS provides host monitoring and recovery, data replication, snapshots, and software updates. It is available in two editions:

  • Standard Edition — is optimized to be a primary directory for small and midsize businesses with up to 5,000 employees. It provides enough storage capacity to support up to 30,000 directory objects, such as users, groups, and computers.
  • Enterprise Edition — is designed to support enterprise organizations with up to 500,000 directory objects.

resource "aws_directory_service_directory" "aws-managed-ad" {
  name        = "kopicloud.local"
  description = "KopiCloud Managed Directory Service"
  password    = "Sup3rS3cr3tP@ssw0rd"
  edition     = "Standard"
  type        = "MicrosoftAD"

  vpc_settings {
    vpc_id     = module.vpc.vpc_id
    subnet_ids = module.vpc.private_subnets
  }

  tags = {
    Name        = "kopicloud-managed-ad"
    Environment = "Development"
  }
}
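The three resource blocks in this story hard-code the directory administrator password. As an added example that is not part of the original story, the following Terraform generates that password with the random provider, stores it in AWS Secrets Manager so operators can retrieve it, and passes it to the Managed Microsoft AD resource; the secret name and resource labels are assumptions. Terraform still records the password in its state file, so the state backend needs encryption and restricted access.

```hcl
# Added example, not from the original story: generate the directory admin
# password instead of committing it to source control. Terraform still keeps
# the value in state, so the state backend must be encrypted and access-limited.
# AWS Directory Service requires 8-64 characters drawn from at least three of
# the four character classes; the min_* settings guarantee that.
resource "random_password" "directory_admin" {
  length           = 24
  min_lower        = 1
  min_upper        = 1
  min_numeric      = 1
  min_special      = 1
  override_special = "!@#$%^&*()-_=+"
}

# Retrievable copy for operators (secret name is an assumption)
resource "aws_secretsmanager_secret" "directory_admin" {
  name = "kopicloud/dev/directory-admin-password"
}

resource "aws_secretsmanager_secret_version" "directory_admin" {
  secret_id     = aws_secretsmanager_secret.directory_admin.id
  secret_string = random_password.directory_admin.result
}

resource "aws_directory_service_directory" "aws_managed_ad" {
  name     = "kopicloud.local"
  password = random_password.directory_admin.result
  edition  = "Standard"
  type     = "MicrosoftAD"

  vpc_settings {
    vpc_id     = module.vpc.vpc_id
    subnet_ids = module.vpc.private_subnets
  }

  tags = {
    Name        = "kopicloud-managed-ad"
    Environment = "Development"
  }
}

# DNS servers of the new directory, needed when pointing the VPC's DHCP
# options at the directory or when domain-joining EC2 instances
output "directory_dns_ips" {
  value = aws_directory_service_directory.aws_managed_ad.dns_ip_addresses
}
```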

And that’s all, folks. If you liked this story, please show your support by 👏 this story. Thank you for reading!
