# Active Directory Federation Services

This blueprint does the following:

Terraform:

- (Optional) Creates a project.
- (Optional) Creates a VPC.
- Sets up managed AD.
- Creates a server where AD FS will be installed. This machine will also act as the admin workstation for AD.
- Exposes AD FS using GLB.

Ansible:

- Installs the required Windows features and joins the computer to the AD domain.
- Provisions some test users, groups and group memberships in AD. The data to provision is in the `files` directory of the `ad-provisioning` Ansible role. A script in the `scripts/ad-provisioning` folder can be used to generate alternative users or memberships files.
- Installs AD FS.

In addition, the blueprint includes a PowerShell script that facilitates the configuration required for Anthos when authenticating users with AD FS as the IdP.

The diagram below depicts the architecture of the blueprint:

![Architecture](architecture.png)

## Running the blueprint

Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=blueprints%2Fcloud-operations%2Fadfs), then go through the following steps to create resources:

- `terraform init`
- `terraform apply -var project_id=my-project-id -var ad_dns_domain_name=my-domain.org -var adfs_dns_domain_name=adfs.my-domain.org`

Note that `prefix` is also a required variable with no default (see the Variables table below), so pass it as well if you do not set it through another mechanism such as a `.tfvars` file.

Once the resources have been created, do the following:

1. Create an A record to point the AD FS DNS domain name to the public IP address returned after the Terraform configuration was applied.
2. Run the Ansible playbook:

   ```bash
   ansible-playbook playbook.yaml
   ```

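As an added example (not part of the blueprint), the following POSIX shell script performs these two post-apply steps in the order given: it reads the blueprint's `ip_address` output, prints the A record to create, and polls DNS until the AD FS name resolves to that address before starting the playbook, so the playbook never runs against a name that still points elsewhere. It assumes `ADFS_DNS_DOMAIN_NAME` is exported, that it runs from the blueprint directory (applied Terraform state and `playbook.yaml` present) and that `getent` is available; all function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the blueprint: run the two post-apply steps in the
# README's order, waiting for the A record before the playbook starts.
# Assumes ADFS_DNS_DOMAIN_NAME is exported and the cwd is the blueprint directory.
set -eu

# Extract the first IPv4 address from `getent ahostsv4` output, whose lines
# look like "203.0.113.10    STREAM adfs.example.org" (glibc systems).
first_ipv4_from_getent() {
  awk 'NR == 1 { print $1 }'
}

# Succeed only when the name resolved, and resolved to the expected address.
dns_matches() {
  expected="$1"
  resolved="$2"
  [ -n "$resolved" ] && [ "$resolved" = "$expected" ]
}

# Poll DNS until the A record is visible (default: 30 tries, 10 s apart).
wait_for_a_record() {
  name="$1"
  expected="$2"
  tries="${3:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    resolved="$(getent ahostsv4 "$name" 2>/dev/null | first_ipv4_from_getent)"
    if dns_matches "$expected" "$resolved"; then
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "$name does not resolve to $expected yet; create or fix the A record" >&2
  return 1
}

main() {
  ip="$(terraform output -raw ip_address)"   # the blueprint's only output
  echo "Create an A record: ${ADFS_DNS_DOMAIN_NAME} -> ${ip}"
  wait_for_a_record "$ADFS_DNS_DOMAIN_NAME" "$ip"
  ansible-playbook playbook.yaml
}

# Set RUN_POST_APPLY=1 to execute; left off so the functions can be sourced.
if [ "${RUN_POST_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_POST_APPLY=1 ADFS_DNS_DOMAIN_NAME=adfs.my-domain.org sh post-apply.sh` after `terraform apply` has completed.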
## Testing the blueprint

1. In your browser, open the following URL:

   https://adfs.my-domain.org/adfs/ls/IdpInitiatedSignOn.aspx

2. Enter the username and password of one of the provisioned users. The username has to be in the format `username@my-domain.org`.
3. Verify that you have successfully signed in.

Once done testing, you can clean up resources by running `terraform destroy`.

<!-- BEGIN TFDOC -->

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [ad_dns_domain_name](variables.tf#L15) | AD DNS domain name. | <code>string</code> | ✓ | |
| [adfs_dns_domain_name](variables.tf#L26) | ADFS DNS domain name. | <code>string</code> | ✓ | |
| [prefix](variables.tf#L64) | Prefix used for resource names. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L82) | Host project ID. | <code>string</code> | ✓ | |
| [ad_ip_cidr_block](variables.tf#L20) | Managed AD IP CIDR block. | <code>string</code> | | <code>"10.0.0.0/24"</code> |
| [disk_size](variables.tf#L31) | Disk size. | <code>number</code> | | <code>50</code> |
| [disk_type](variables.tf#L37) | Disk type. | <code>string</code> | | <code>"pd-ssd"</code> |
| [image](variables.tf#L43) | Image. | <code>string</code> | | <code>"projects/windows-cloud/global/images/family/windows-2022"</code> |
| [instance_type](variables.tf#L49) | Instance type. | <code>string</code> | | <code>"n1-standard-2"</code> |
| [network_config](variables.tf#L55) | Network configuration. | <code title="object({ network = string subnet = string })">object({…})</code> | | <code>null</code> |
| [project_create](variables.tf#L73) | Parameters for the creation of the new project. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
| [region](variables.tf#L87) | Region. | <code>string</code> | | <code>"europe-west1"</code> |
| [subnet_ip_cidr_block](variables.tf#L93) | Subnet IP CIDR block. | <code>string</code> | | <code>"10.0.1.0/28"</code> |
| [zone](variables.tf#L99) | Zone. | <code>string</code> | | <code>"europe-west1-c"</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [ip_address](outputs.tf#L15) | IP address. | |

<!-- END TFDOC -->

## Test

```hcl
module "test" {
  source               = "./fabric/blueprints/cloud-operations/adfs"
  prefix               = "test"
  project_create = {
    billing_account_id = "12345-12345-12345"
    parent             = "folders/123456789"
  }
  project_id           = "project-1"
  ad_dns_domain_name   = "example.com"
  adfs_dns_domain_name = "adfs.example.com"
}
# tftest modules=5 resources=20
```