Manage Active Directory Objects with the New Windows AD Provider for HashiCorp Terraform
We are pleased to announce the technology preview of a Windows Active Directory (AD) provider for Terraform. Windows administrators can now automate configuration of Active Directory and ease the management of enterprise systems.
Windows AD is a valuable tool in enterprise system management that allows administrators to track network objects, exercise access control and comply with regulatory requirements. In addition to the pre-existing central management of users, groups, and permissions, AD allows administrators to define security policies, manage installed software, change registry settings, and control many aspects of a system running Windows, regardless of whether it’s a workstation or a server. Administrators at large organizations have to work closely to ensure coordinated management of an Active Directory across enterprise networks to avoid conflicts or misconfiguration. At the moment the tools available to practitioners for managing AD in an automated fashion are Powershell and .NET libraries.
This experimental provider enables administrators to use declarative administration of Active Directory objects such as users, groups, organizational units, computers, and Group Policy Objects (GPOs). As an alternative to the UI provided by Microsoft to work with Active Directory objects, this provider enables an administrator to describe group policies using the HashiCorp Configuration Language (HCL), manage this configuration in version control, and to detect drift from the declared configuration. System administrators can then automate repetitive tasks and collaboratively manage entities in their Active Directory tree.
» Usage
Although the provider is experimental, it is available through the Terraform Registry for convenience. This is the preferred installation method. The provider offers various configuration options detailed in the registry documentation. If you are not familiar with Terraform and its capabilities, our Learn guides are a great beginner resource which can be found at https://learn.hashicorp.com/terraform.
If you are running terraform in a restricted environment and you cannot use the registry, you may download the binary from the provider’s releases page and install it manually into your plugins folder.
In order to try out the provider, you will need:
- Terraform v0.12 or greater, installed.
- An Active Directory test environment available to use with WinRM enabled.
- A user with administrator privileges that is allowed to access the AD domain controller via WinRM.
- Windows Server 2012R2 or greater.
Information about how to configure the provider with your credentials, and about resources and data sources available in this provider can be found on the Terraform Registry.
The terraform configuration below demonstrates how the provider can be used to configure a Group Policy Object (GPO), modify the security settings for the GPO, create an Organizational Unit (OU) and link the GPO with the OU.
provider "ad" {
version = "0.1.0"
// Add WinRM configuration here
}
resource "ad_gpo" "g" {
Name = "ExampleGPO"
domain = "yourdomain.com"
description = "gpo for gplink tests"
status = "AllSettingsEnabled"
}
resource "ad_gpo_security" "gpo_sec" {
gpo_container = ad_gpo.g.id
password_policies {
minimum_password_length = 3
}
system_services {
service_name = "TapiSrv"
startup_mode = "2"
acl = "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
}
}
resource "ad_ou" "o" {
name = "Example OU"
path = "dc=yourdomain,dc=com"
description = "OU for gplink tests"
}
resource "ad_gplink" "og" {
gpo_guid = ad_gpo.g.id
target_dn = ad_ou.o.dn
}
» Use Cases
- Manage Group Policies.
- Manage the Security Settings of a Group Policy.
- Manage users, groups, organizational units (OUs), and computer objects in the Active Directory.
» Current Limitations
- This provider is experimental - it is not yet mature enough to be used to manage production infrastructure.
- Only a subset of the items managed by Group Policy Objects is supported by the provider. Additional features will be added based on community feedback.
- Group membership is not yet managed by the provider.
» Conclusion
For more information on the new Windows AD Provider, see the Github repository and the Terraform Registry. We would love to hear your feedback and expand on this project!
Post bugs, and feature requests regarding the Windows AD provider by opening an issue at github.com/hashicorp/terraform-provider-ad!
Sign up for the latest HashiCorp news
More blog posts like this one
Fix the developers vs. security conflict by shifting further left
Resolve the friction between dev and security teams with platform-led workflows that make cloud security seamless and scalable.
HashiCorp at AWS re:Invent: Your blueprint to cloud success
If you’re attending AWS re:Invent in Las Vegas, Dec. 2 - Dec. 6th, visit us for breakout sessions, expert talks, and product demos to learn how to take a unified approach to Infrastructure and Security Lifecycle Management.
Speed up app delivery with automated cancellation of plan-only Terraform runs
Automatic cancellation of plan-only runs allows customers to easily cancel any unfinished runs for outdated commits to speed up application delivery.