---
layout:
page_title: "Provider: AD (Active Directory)"
description: |-
  The AD (Active Directory) provider provides resources to interact with an AD domain controller.
---

# AD (Active Directory) Provider

The AD (Active Directory) provider provides resources to interact with an AD domain controller.

Requirements:

- Windows Server 2012R2 or greater.
- WinRM enabled.

## Note about Kerberos Authentication

Starting with version 0.4.0, this provider supports Kerberos authentication for WinRM connections. The underlying Kerberos library can read its configuration from a krb5.conf-style configuration file, as described in this page. If no configuration file is supplied, the provider uses the equivalent of the following config:

```ini
[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    YOURDOMAIN.COM = {
        kdc = 192.168.1.122
        admin_server = 192.168.1.122
        default_domain = YOURDOMAIN.COM
    }

[domain_realm]
    yourdomain.com = YOURDOMAIN.COM
```

where YOURDOMAIN.COM is the value of the krb_realm setting and 192.168.1.122 is the value of winrm_hostname. Basic remains the default authentication method, although this may change in the future. The provider uses Kerberos authentication whenever krb_realm is set.

## Double Hop Authentication

Starting with version 0.4.3 it is possible to point the provider at a host other than a Domain Controller and perform all management tasks through that host. Here is an example of the provider config:

```hcl
provider "ad" {
  winrm_hostname         = "10.0.0.1"
  winrm_username         = var.username
  winrm_password         = var.password
  krb_realm              = "YOURDOMAIN.COM"
  krb_conf               = "${path.module}/krb5.conf"
  krb_spn                = "winserver1"
  winrm_port             = 5986
  winrm_proto            = "https"
  winrm_pass_credentials = true
}
```

In this case krb5.conf would look like this:

```ini
[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    YOURDOMAIN.COM = {
        kdc = 172.16.12.109
        admin_server = 172.16.12.109
        default_domain = YOURDOMAIN.COM
    }

[domain_realm]
    .kerberos.server = YOURDOMAIN.COM
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM
    yourdomain = YOURDOMAIN.COM
```

A few things to note:

- Double Hop Authentication is only enabled when using https.
- Authentication between the management host and the DC is done via Kerberos.
- The AD PowerShell module and the Group Policy PowerShell module are expected to be installed on the management host before running the provider.

## Note about Local Execution (Windows only)

It is possible to execute commands locally if the OS on which Terraform is running is Windows. In that case, you need to put the following settings in the provider configuration:

- Set winrm_username to null
- Set winrm_password to null
- Set winrm_hostname to null

Note: the provider switches to local execution only if all three parameters are set to null.

### Example

```hcl
provider "ad" {
  winrm_hostname = ""
  winrm_username = ""
  winrm_password = ""
}
```

## Example Usage

```hcl
variable "hostname" { default = "ad.yourdomain.com" }
variable "username" { default = "user" }
variable "password" { default = "password" }

// remote using Basic authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
}

// remote using NTLM authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  winrm_use_ntlm = true
}

// remote using NTLM authentication and HTTPS
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  winrm_use_ntlm = true
  winrm_port     = 5986
  winrm_proto    = "https"
  winrm_insecure = true
}

// remote using Kerberos authentication
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  krb_realm      = "YOURDOMAIN.COM"
}

// remote using Kerberos authentication with krb5.conf file
provider "ad" {
  winrm_hostname = var.hostname
  winrm_username = var.username
  winrm_password = var.password
  krb_conf       = "/etc/krb5.conf"
}

// local (windows only)
provider "ad" {
  winrm_hostname = ""
  winrm_username = ""
  winrm_password = ""
}
```
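To make the selection rules on this page concrete (local only when all three WinRM settings are empty, Kerberos when a realm or krb5.conf is given, NTLM on request, Basic by default, double hop only over https), here is an added Go example, not the provider's own code, that resolves the mode a configuration selects and flags the combinations a reviewer would want to see before applying the plan. ProviderConfig, Mode and Lint are assumed names for this illustration.

```go
package main
import "fmt"

// ProviderConfig mirrors the provider arguments documented on this page
// (assumed type for this added example, not the provider's own struct).
type ProviderConfig struct {
	WinRMHostname, WinRMUsername, WinRMPassword string
	KrbRealm, KrbConf, WinRMProto               string // winrm_proto defaults to "http"
	WinRMUseNTLM, WinRMInsecure, PassCredentials bool
}

// Mode applies the rules stated above: local only when all three WinRM settings
// are empty, Kerberos when a realm or krb5.conf is given, NTLM on request, else Basic.
func Mode(c ProviderConfig) string {
	if c.WinRMHostname == "" && c.WinRMUsername == "" && c.WinRMPassword == "" {
		return "local"
	}
	if c.KrbRealm != "" || c.KrbConf != "" {
		return "kerberos"
	}
	if c.WinRMUseNTLM {
		return "ntlm"
	}
	return "basic"
}

// Lint returns the combinations a reviewer would flag before applying the plan.
func Lint(c ProviderConfig) []string {
	var f []string
	if Mode(c) == "local" {
		return f // nothing crosses the network
	}
	https := c.WinRMProto == "https"
	if Mode(c) == "basic" && !https {
		f = append(f, "Basic auth over http: the password crosses the wire unprotected")
	}
	if c.PassCredentials && !https {
		f = append(f, "winrm_pass_credentials (double hop) is only enabled over https")
	}
	if c.WinRMInsecure {
		f = append(f, "winrm_insecure=true trusts unknown certificates")
	}
	return f
}
func main() { // constructed sample: the page's "NTLM and HTTPS" example
	c := ProviderConfig{WinRMHostname: "ad.yourdomain.com", WinRMUsername: "user",
		WinRMPassword: "password", WinRMUseNTLM: true, WinRMProto: "https", WinRMInsecure: true}
	fmt.Println(Mode(c), Lint(c)) // ntlm [winrm_insecure=true trusts unknown certificates]
}
```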

## Schema

### Required

- winrm_hostname (String) The hostname of the server we will use to run PowerShell scripts over WinRM. (Environment variable: AD_HOSTNAME)
- winrm_password (String) The password used to authenticate to the server's WinRM service. (Environment variable: AD_PASSWORD)
- winrm_username (String) The username used to authenticate to the server's WinRM service. (Environment variable: AD_USER)

### Optional

- domain_controller (String) Use a specific domain controller. (default: none, environment variable: AD_DC)
- krb_conf (String) Path to the Kerberos configuration file. (default: none, environment variable: AD_KRB_CONF)
- krb_keytab (String) Path to a keytab file to be used instead of a password.
- krb_realm (String) The name of the Kerberos realm (domain) we will use for authentication. (default: "", environment variable: AD_KRB_REALM)
- krb_spn (String) Alternative Service Principal Name. (default: none, environment variable: AD_KRB_SPN)
- winrm_insecure (Boolean) Trust unknown certificates. (default: false, environment variable: AD_WINRM_INSECURE)
- winrm_pass_credentials (Boolean) Pass credentials in the WinRM session to create a System.Management.Automation.PSCredential. (default: false, environment variable: AD_WINRM_PASS_CREDENTIALS)
- winrm_port (Number) The port on which WinRM listens for connections. (default: 5985, environment variable: AD_PORT)
- winrm_proto (String) The WinRM protocol we will use. (default: http, environment variable: AD_PROTO)
- winrm_use_ntlm (Boolean) Use NTLM authentication. (default: false, environment variable: AD_WINRM_USE_NTLM)