Creates an AWS Directory Service directory whose domain controller security logs are forwarded to a CloudWatch Logs log group encrypted with a KMS key. The directory resource is configured to ignore changes to the password value: once the directory exists, a later change to the password input does not produce a plan diff on the directory (and does not change the directory's password either).

In the usage example below the administrator password is read from an SSM parameter that is created outside this configuration. Note that the decrypted value is still written to the Terraform state, so the state backend must be encrypted and access to it restricted.

```hcl
# Administrator password, stored as an SSM parameter outside of this configuration.
data "aws_ssm_parameter" "directory_password" {
  name = format("/app-%s-%s/directory-password", var.application, var.environment)
}

# KMS key used to encrypt the CloudWatch log group that receives the
# domain controller security logs.
module "cloudwatch_kms_key" {
  source = "dod-iac/cloudwatch-kms-key/aws"

  name = format("alias/app-%s-cloudwatch-logs-%s", var.application, var.environment)

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}

# The directory itself: a Standard edition AWS Managed Microsoft AD spanning
# two subnets in two Availability Zones of the given VPC.
module "directory" {
  source = "dod-iac/ds-directory/aws"

  cloudwatch_kms_key_arn = module.cloudwatch_kms_key.aws_kms_key_arn
  description            = format("A MicrosoftAD Directory for use with %s application in the %s environment", var.application, var.environment)
  edition                = "Standard"
  name                   = format("%s.%s", var.environment, var.application)
  password               = data.aws_ssm_parameter.directory_password.value
  short_name             = title(var.application)
  type                   = "MicrosoftAD"
  vpc_id                 = var.vpc_id
  vpc_subnet_ids         = var.vpc_subnet_ids

  tags = {
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```
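After `terraform apply`, the property this configuration is meant to guarantee (security logs forwarded to a log group that is encrypted with *your* KMS key) is worth confirming from the AWS side rather than trusting the plan. The script below is an added example and is not part of the dod-iac/ds-directory module or its README. It checks that a directory has a CloudWatch log subscription and that the subscribed log group's `kmsKeyId` matches the expected key ARN. The check is a pure function over the `ds:ListLogSubscriptions` and `logs:DescribeLogGroups` responses, so it runs offline on the constructed sample data included here; `check_live()` feeds it real responses through boto3 (the directory ID, account ID, key ARN and log group name in the sample data are placeholders, not real values).

```python
"""Post-apply check: does the directory forward its security logs to a
CloudWatch log group encrypted with the expected KMS key?

Added example, not code from the dod-iac/ds-directory module."""
import sys
from typing import List, Optional

# Constructed sample values (placeholders, not from a real account).
EXPECTED_KMS_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
DIRECTORY_ID = "d-0123456789"
LOG_GROUP = "/aws/directoryservice/" + DIRECTORY_ID

# Constructed responses shaped like ds:ListLogSubscriptions and logs:DescribeLogGroups.
SAMPLE_SUBSCRIPTIONS = {
    "LogSubscriptions": [{"DirectoryId": DIRECTORY_ID, "LogGroupName": LOG_GROUP}],
}
SAMPLE_LOG_GROUPS = {
    "logGroups": [
        {"logGroupName": LOG_GROUP, "kmsKeyId": EXPECTED_KMS_ARN},
        {"logGroupName": "/aws/directoryservice/d-unencrypted"},  # no kmsKeyId at all
    ],
}


def subscribed_log_group(directory_id: str, subscriptions: dict) -> Optional[str]:
    """Name of the log group the directory forwards its security logs to, if any."""
    for sub in subscriptions.get("LogSubscriptions", []):
        if sub.get("DirectoryId") == directory_id:
            return sub.get("LogGroupName")
    return None


def check_directory_logging(directory_id: str, expected_kms_arn: str,
                            subscriptions: dict, log_groups: dict) -> List[str]:
    """Return a list of findings; an empty list means the directory passes."""
    name = subscribed_log_group(directory_id, subscriptions)
    if name is None:
        return [f"{directory_id}: no CloudWatch log subscription, security logs are not forwarded"]
    group = next((g for g in log_groups.get("logGroups", []) if g.get("logGroupName") == name), None)
    if group is None:
        return [f"{directory_id}: subscribed log group {name} does not exist"]
    # kmsKeyId is absent when the group uses the CloudWatch-managed default encryption.
    kms = group.get("kmsKeyId")
    if kms is None:
        return [f"{name}: not encrypted with a customer managed KMS key"]
    if kms != expected_kms_arn:
        return [f"{name}: encrypted with {kms}, expected {expected_kms_arn}"]
    return []


def check_live(directory_id: str, expected_kms_arn: str, region: Optional[str] = None) -> List[str]:
    """Run the same check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline check does not require it
    ds = boto3.client("ds", region_name=region)
    logs = boto3.client("logs", region_name=region)
    subscriptions = ds.list_log_subscriptions(DirectoryId=directory_id)
    name = subscribed_log_group(directory_id, subscriptions)
    log_groups = logs.describe_log_groups(logGroupNamePrefix=name) if name else {"logGroups": []}
    return check_directory_logging(directory_id, expected_kms_arn, subscriptions, log_groups)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_ds_logging.py <directory-id> <kms-key-arn>
        findings = check_live(sys.argv[1], sys.argv[2])
    else:  # no arguments: run against the constructed sample data
        findings = check_directory_logging(DIRECTORY_ID, EXPECTED_KMS_ARN,
                                           SAMPLE_SUBSCRIPTIONS, SAMPLE_LOG_GROUPS)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run it with the `directory_id` output of the module and the `aws_kms_key_arn` output of the KMS key module; a non-zero exit means at least one finding. The key comparison is exact on purpose: a log group encrypted with some other key (for example an AWS managed key) is reported as a finding rather than silently accepted.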
This module requires Terraform 0.13. Pin the module version to `~> 1.0.0`. Submit pull requests to the master branch.

Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | ~> 3.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 3.0 |

Modules: none.
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudwatch_kms_key_arn | ARN of the KMS key used to encrypt the domain controller security logs stored in CloudWatch Logs. | string | n/a | yes |
| description | A textual description for the directory. Defaults to "short_name (name)". | string | "" | no |
| edition | If type is MicrosoftAD, the edition, either Standard or Enterprise. | string | "Standard" | no |
| name | The fully qualified name for the directory, e.g., corp.example.com | string | n/a | yes |
| password | The password for the directory administrator or connector user. | string | n/a | yes |
| short_name | The short name of the directory, e.g., CORP. | string | n/a | yes |
| tags | Tags applied to the directory and the CloudWatch log group. | map(string) | {} | no |
| type | The directory type, either SimpleAD, ADConnector, or MicrosoftAD. | string | n/a | yes |
| vpc_id | The identifier of the VPC that the directory is in. | string | n/a | yes |
| vpc_subnet_ids | The identifiers of the subnets for the directory servers (two subnets in two different Availability Zones). | list(string) | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| directory_id | The directory identifier. |