AD (Active Directory) Provider

The AD (Active Directory) provider provides resources to interact with an AD domain controller.

Requirements:

Note about Kerberos Authentication

Starting with version 0.4.0, this provider supports Kerberos Authentication for WinRM connections. The underlying library used for Kerberos authentication supports setting its configuration by parsing a configuration file as specified in this page. If a configuration file is not supplied then we will use the equivalent of the following config:

```ini
[libdefaults]
   default_realm = YOURDOMAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false

[realms]
    YOURDOMAIN.COM = {
        kdc     =   192.168.1.122
        admin_server = 192.168.1.122
        default_domain = YOURDOMAIN.COM
    }

[domain_realm]
    yourdomain.com = YOURDOMAIN.COM
```

where YOURDOMAIN.COM is the value of the krb_realm setting, and 192.168.1.122 is the value of winrm_hostname. Basic remains the default authentication method, although this may change in the future. The provider will use Kerberos as its authentication when krb_realm is set.

Double hop Authentication

Starting with version 0.4.3 it is possible to point the provider to a host other than a Domain Controller and perform all the management tasks through that host. Here is an example of the provider config:

```hcl
provider "ad" {
  winrm_hostname         = "10.0.0.1"
  winrm_username         = var.username
  winrm_password         = var.password
  krb_realm              = "YOURDOMAIN.COM"
  krb_conf               = "${path.module}/krb5.conf"
  krb_spn                = "winserver1"
  winrm_port             = 5986
  winrm_proto            = "https"
  winrm_pass_credentials = true
}
```

In this case krb5.conf would look like this:

```ini
[libdefaults]
   default_realm = YOURDOMAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false

[realms]
    YOURDOMAIN.COM = {
        kdc     =   172.16.12.109
        admin_server = 172.16.12.109
        default_domain = YOURDOMAIN.COM
    }

[domain_realm]
    .kerberos.server = YOURDOMAIN.COM
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM
    yourdomain = YOURDOMAIN.COM
```

A few things to note:

- Double Hop Authentication is only enabled when using https.
- Authentication between the management host and the DC is done via Kerberos.
- The AD PowerShell module as well as the Group Policy PowerShell module is expected to be installed on the server before running the provider.

Note about Local execution (Windows only)

It is possible to execute commands locally if the OS on which Terraform is running is Windows. In that case, you need to put the following settings in the provider configuration:

Note: the provider switches to local execution only if all 3 parameters are set to null.

Example

```hcl
provider "ad" {
  winrm_hostname = ""
  winrm_username = ""
  winrm_password = ""
}
```

## Example Usage

```hcl
variable "hostname" { default = "ad.yourdomain.com" }
variable "username" { default = "user" }
variable "password" { default = "password" }

// remote using Basic authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
}

// remote using NTLM authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  winrm_use_ntlm = true
}

// remote using NTLM authentication and HTTPS
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  winrm_use_ntlm = true
  winrm_port     = 5986
  winrm_proto    = "https"
  winrm_insecure = true
}

// remote using Kerberos authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  krb_realm      = "YOURDOMAIN.COM"
}

// remote using Kerberos authentication with krb5.conf file
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  krb_conf       = "/etc/krb5.conf"
}

// local (windows only)
provider "ad" {
  winrm_hostname = ""
  winrm_username = ""
  winrm_password = ""
}
```

Schema

Required

Optional