Skip to content
This repository has been archived by the owner on Jun 22, 2021. It is now read-only.

Terraform module to create an Azure Windows VM and promotes that VM to be a Domain Controller.

License

Notifications You must be signed in to change notification settings

tietoevry-infra-as-code/terraform-azurerm-active-directory-forest

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This repository is no longer maintained actively. Please visit https://github.com/kumarvna?tab=repositories for the latest updates.

Azure Virtual Machine with Active Directory forest Terraform Module

This terraform module is designed to deploy azure Windows 2012R2/2016/2019 virtual machines with Public IP, Availability Set and Network Security Group support.

This module also creates an Active Directory Forest using a virtual machine extension. However, this module only recommended for dev/test/demo environments. For production use of this module, fortify the security by adding correct NSG rules and security architecture.

Active Directory must be supported by DNS to function properly, and Microsoft recommend that to install DNS when creates an Active Directory Domain. This modules also install DNS and integrate with active directory as there are some advantages of utilizing Active Directory integrated DNS as DNS zone. The primary benefits is AD replication will take care of DNS zone replication automatically and second one All DNS servers are writable. This reduces the necessity to configure and allot for separate DNS zone transfer traffic. Other benefits include secure updates and DHCP integration.

Active Directory must have DNS to function properly, but the implementation of Active Directory Services does not require the installation of Microsoft DNS. A BIND DNS or other third-party DNS will fully support a Windows domain. However third party DNS server is not yet supported by this module.

Module Usage

module "virtual-machine" {
  source  = "kumarvna/active-directory-forest/azurerm"
  version = "2.0.0"

  # Resource Group, location, VNet and Subnet details
  resource_group_name  = "rg-hub-demo-internal-shared-westeurope-001"
  location             = "westeurope"
  virtual_network_name = "vnet-default-hub-westeurope"
  subnet_name          = "snet-management-default-hub-westeurope"

  # This module support multiple Pre-Defined Linux and Windows Distributions.
  # Windows Images: windows2012r2dc, windows2016dc, windows2019dc
  virtual_machine_name               = "vm-testdc"
  windows_distribution_name          = "windows2019dc"
  virtual_machine_size               = "Standard_A2_v2"
  admin_username                     = "batman"
  admin_password                     = "P@$$w0rd1234!"
  private_ip_address_allocation_type = "Static"
  private_ip_address                 = ["10.1.2.4"]

  # Active Directory domain and netbios details
  # Intended for test/demo purposes
  # For production use of this module, fortify the security by adding correct nsg rules
  active_directory_domain       = "consoto.com"
  active_directory_netbios_name = "CONSOTO"

  # Network Seurity group port allow definitions for each Virtual Machine
  # NSG association to be added automatically for all network interfaces.
  # SSH port 22 and 3389 is exposed to the Internet recommended for only testing.
  # For production environments, we recommend using a VPN or private connection
  nsg_inbound_rules = [
    {
      name                   = "rdp"
      destination_port_range = "3389"
      source_address_prefix  = "*"
    },

    {
      name                   = "dns"
      destination_port_range = "53"
      source_address_prefix  = "*"
    },
  ]

  # Adding TAG's to your Azure resources (Required)
  # ProjectName and Env are already declared above, to use them here, create a varible.
  tags = {
    ProjectName  = "demo-internal"
    Env          = "dev"
    Owner        = "user@example.com"
    BusinessUnit = "CORP"
    ServiceClass = "Gold"
  }
}

Default Local Administrator and the Password

This module utilizes azureadmin as a local administrator on virtual machines. If you want to you use custom username, then specify the same by setting up the argument admin_username with valid user string.

By default, this module generates a strong password for all virtual machines. If you want to set the custom password, specify the argument admin_password with valid string.

Pre-Defined Windows Images Support

There are pre-defined Windows available to deploy by setting up the argument windows_distribution_name with this module.

OS type Available Pre-defined Images
Windows 2012 R2 windows2012r2dc
Windows 2016 windows2016dc
Windows 2019 windows2019dc

Custom DNS servers

This is an optional feature and only applicable if you are using your own DNS servers superseding default DNS services provided by Azure. Set the argument dns_servers = ["4.4.4.4"] to enable this option. For multiple DNS servers, set the argument dns_servers = ["4.4.4.4", "8.8.8.8"]

Advanced Usage of the Module

enable_ip_forwarding - enable or disable IP forwarding

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it. While IP forwarding is an Azure setting, the virtual machine must also run an application able to forward the traffic, such as firewall, WAN optimization, and load balancing applications. IP forwarding is typically used with user-defined routes.

By default, this not enabled and set to disable. To enable the IP forwarding using this module, set the argument enable_ip_forwarding = true.

enable_accelerated_networking for Virtual Machines

Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. This high-performance path bypasses the host from the data path, which reduces latency, jitter, and CPU utilization for the most demanding network workloads on supported VM types.

Accelerated Networking is supported on most general-purpose and compute-optimized instance sizes with two or more virtual CPUs (vCPUs). These supported series are Dv2/DSv2 and F/Fs.

On instances that support hyperthreading, accelerated networking is supported on VM instances with four or more vCPUs. Supported series are: D/Dsv3, D/Dsv4, E/Esv3, Ea/Easv4, Fsv2, Lsv2, Ms/Mms, and Ms/Mmsv2.

By default, this not enabled and set to disable. To enable the accelerated networking using this module, set the argument enable_accelerated_networking = true.

private_ip_address_allocation_type - Static IP Assignment

By default, the Azure DHCP servers assign the private IPv4 address for the primary IP configuration of the Azure network interface to the network interface within the virtual machine operating system. Unless necessary, you should never manually set the IP address of a network interface within the virtual machine's operating system.

By default this not enabled and set to disable. To enable the static private IP using this module, set the argument private_ip_address_allocation_type = "Static" and set the argument private_ip_address with valid static private IP.

dedicated_host_id - Adding Azure Dedicated Hosts

Azure Dedicated Host is a service that provides physical servers - able to host one or more virtual machines - dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our data centers, provided as a resource. You can provision dedicated hosts within a region, availability zone, and fault domain. Virtual machine scale sets are not currently supported on dedicated hosts.

By default, this not enabled and set to disable. To add a dedicated host to Virtual machine using this module, set the argument dedicated_host_id with valid dedicated host resource ID. It is possible to add Dedicated Host resource outside this module.

enable_vm_availability_set - Create highly available virtual machines

An Availability Set is a logical grouping capability for isolating VM resources from each other when they're deployed. Azure makes sure that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches. If a hardware or software failure happens, only a subset of your VMs are impacted and your overall solution stays operational. Availability Sets are essential for building reliable cloud solutions.

By default, this not enabled and set to disable. To enable the Availability Set using this module, set the argument enable_vm_availability_set = true.

source_image_id - Create a VM from a managed image

We can create multiple virtual machines from an Azure managed VM image. A managed VM image contains the information necessary to create a VM, including the OS and data disks. The virtual hard disks (VHDs) that make up the image, including both the OS disks and any data disks, are stored as managed disks. One managed image supports up to 20 simultaneous deployments.

When you use the managed VM image, custom image, or any other source image reference are not valid. By default, this not enabled and set to use predefined or custom images. To utilize Azure managed VM Image by this module, set the argument source_image_id with valid manage image resource id.

license_type - Bring your own License to your Windows server

Azure Hybrid Benefit for Windows Server allows you to use your on-premises Windows Server licenses and run Windows virtual machines on Azure at a reduced cost. You can use Azure Hybrid Benefit for Windows Server to deploy new virtual machines with Windows OS.

By default, this is set to None. To use the Azure Hybrid Benefit for windows server deployment by this module, set the argument license_type to valid values. Possible values are None, Windows_Client and Windows_Server.

os_disk_storage_account_type - Azure managed disks

Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server but virtualized. With managed disks, all you have to do is specify the disk size, the disk type, and provision the disk. Once you provision the disk, Azure handles the rest. The available types of disks are ultra disks, premium solid-state drives (SSD), standard SSDs, and standard hard disk drives (HDD).

By default, this module uses the standard SSD with Locally redundant storage (StandardSSD_LRS). To use other type of disks, set the argument os_disk_storage_account_type with valid values. Possible values are Standard_LRS, StandardSSD_LRS and Premium_LRS.

Network Security Groups

By default, the network security groups connected to Network Interface and allow necessary traffic and block everything else (deny-all rule). Use nsg_inbound_rules in this Terraform module to create a Network Security Group (NSG) for network interface and allow it to add additional rules for inbound flows.

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. In the protocol column, Any encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP or *. 0.0.0.0/0 in the Source and Destination columns represents all addresses.

You cannot remove the default rules, but you can override them by creating rules with higher priorities.

module "vnet-hub" {
  source  = "kumarvna/active-directory-forest/azurerm"
  version = "2.0.0"

  # .... omitted
  
  virtual_machine_name       = "vm-testdc"
  windows_distribution_name  = "windows2019dc"
  virtual_machine_size       = "Standard_A2_v2"
  
  nsg_inbound_rules = [
    {
      name                   = "rdp"
      destination_port_range = "3389"
      source_address_prefix  = "*"
    },

    {
      name                   = "dns"
      destination_port_range = "53"
      source_address_prefix  = "*"
    },
  ]

  # .... omitted
}

Recommended naming and tagging conventions

Well-defined naming and metadata tagging conventions help to quickly locate and manage resources. These conventions also help associate cloud usage costs with business teams via chargeback and show back accounting mechanisms.

Resource naming

An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these recommended naming conventions, a public IP resource for a production SharePoint workload is named like this: pip-sharepoint-prod-westus-001.

Metadata tags

When applying metadata tags to the cloud resources, you can include information about those assets that couldn't be included in the resource name. You can use that information to perform more sophisticated filtering and reporting on resources. This information can be used by IT or business teams to find resources or generate reports about resource usage and billing.

The following list provides the recommended common tags that capture important context and information about resources. Use this list as a starting point to establish your tagging conventions.

Tag Name Description Key Example Value Required?
Project Name Name of the Project for the infra is created. This is mandatory to create a resource names. ProjectName {Project name} Yes
Application Name Name of the application, service, or workload the resource is associated with. ApplicationName {app name} Yes
Approver Name Person responsible for approving costs related to this resource. Approver {email} Yes
Business Unit Top-level division of your company that owns the subscription or workload the resource belongs to. In smaller organizations, this may represent a single corporate or shared top-level organizational element. BusinessUnit FINANCE, MARKETING,{Product Name},CORP,SHARED Yes
Cost Center Accounting cost center associated with this resource. CostCenter {number} Yes
Disaster Recovery Business criticality of this application, workload, or service. DR Mission Critical, Critical, Essential Yes
Environment Deployment environment of this application, workload, or service. Env Prod, Dev, QA, Stage, Test Yes
Owner Name Owner of the application, workload, or service. Owner {email} Yes
Requester Name User that requested the creation of this application. Requestor {email} Yes
Service Class Service Level Agreement level of this application, workload, or service. ServiceClass Dev, Bronze, Silver, Gold Yes
Start Date of the project Date when this application, workload, or service was first deployed. StartDate {date} No
End Date of the Project Date when this application, workload, or service is planned to be retired. EndDate {date} No

This module allows you to manage the above metadata tags directly or as an variable using variables.tf. All Azure resources which support tagging can be tagged by specifying key-values in argument tags. Tag ResourceName is added automatically to all resources.

module "vnet-hub" {
  source  = "kumarvna/active-directory-forest/azurerm"
  version = "2.0.0"

  # Resource Group, location, VNet and Subnet details
  resource_group_name  = "rg-hub-demo-internal-shared-westeurope-001"

  # ... omitted

  tags = {
    ProjectName  = "demo-internal"
    Env          = "dev"
    Owner        = "user@example.com"
    BusinessUnit = "CORP"
    ServiceClass = "Gold"
  }
}

Requirements

Name Version
terraform >= 0.13
azurerm ~> 2.27.0

Providers

Name Version
azurerm ~> 2.27.0
random n/a

Inputs

Name Description Type Default
resource_group_name The name of the resource group in which resources are created string ""
location The location of the resource group in which resources are created string ""
virtual_network_name The name of the virtual network string ""
subnet_name The name of the subnet to use in VM scale set string ""
virtual_machine_name The name of the virtual machine string ""
os_flavor Specify the flavor of the operating system image to deploy Virtual Machine string "windows"
virtual_machine_size The Virtual Machine SKU for the Virtual Machine string "Standard_A2_v2"
instances_count The number of Virtual Machines required number 1
enable_ip_forwarding Should IP Forwarding be enabled? string false
enable_accelerated_networking Should Accelerated Networking be enabled? string false
private_ip_address_allocation_type The allocation method used for the Private IP Address. Possible values are Dynamic and Static. string false
private_ip_address The Static IP Address which should be used. This is valid only when private_ip_address_allocation is set to Static. string null
dns_servers List of dns servers to use for network interface string []
enable_vm_availability_set Manages an Availability Set for Virtual Machines. string false
enable_public_ip_address Reference to a Public IP Address to associate with the NIC string false
source_image_id The ID of an Image which each Virtual Machine should be based on string null
windows_distribution_list Pre-defined Azure Windows VM images list map(object) "windows2019dc"
windows_distribution_name Variable to pick an OS flavor for Windows based VM. Possible values are windows2012r2dc, windows2016dc, windows2019dc string "windows2019dc"
os_disk_storage_account_type The Type of Storage Account for Internal OS Disk. Possible values include Standard_LRS, StandardSSD_LRS and Premium_LRS. string "StandardSSD_LRS"
admin_username The username of the local administrator used for the Virtual Machine string "azureadmin"
admin_password The Password which should be used for the local-administrator on this Virtual Machine string null
nsg_inbound_rules List of network rules to apply to network interface object {}
dedicated_host_id The ID of a Dedicated Host where this machine should be run on string null
license_type Specifies the type of on-premise license which should be used for this Virtual Machine. Possible values are None, Windows_Client and Windows_Server. string "None"
active_directory_domain The name of the Active Directory domain, for example consoto.com string ""
active_directory_netbios_name The netbios name of the Active Directory domain, for example consoto string ""
Tags A map of tags to add to all resources map {}

Outputs

Name Description
windows_vm_password Password for the windows Virtual Machine
windows_vm_public_ips Public IP's map for the all windows Virtual Machines
windows_vm_private_ips Public IP's map for the all windows Virtual Machines
windows_virtual_machine_ids The resource id's of all Windows Virtual Machine
network_security_group_ids List of Network security groups and ids
vm_availability_set_id The resource ID of Virtual Machine availability set
active_directory_domain The name of the active directory domain
active_directory_netbios_name The name of the active directory netbios name

Resource Graph

Resource Graph

Authors

Originally created by Kumaraswamy Vithanala

Other resources