in src/deployments/cdk/src/common/ad-users-groups.ts [48:332]
constructor(scope: cdk.Construct, id: string, props: ADUsersAndGroupsProps) {
super(scope, id);
const {
latestRdgwAmiId,
vpcId,
vpcName,
keyPairName,
subnetIds,
madDeploymentConfig,
s3BucketName,
s3KeyPrefix,
stackId,
stackName,
adminPasswordArn,
accountNames,
userSecrets,
accountKey,
serviceLinkedRoleArn,
installerVersion,
} = props;
// Creating AD Users command
const adUsersCommand: string[] = madDeploymentConfig['ad-users'].map(
adUser =>
`C:\\cfn\\scripts\\AD-user-setup.ps1 -UserName ${adUser.user} -Password ((Get-SECSecretValue -SecretId ${
userSecrets.find(x => x.user === adUser.user)?.passwordSecretArn
}).SecretString) -DomainAdminUser ${
madDeploymentConfig['netbios-domain']
}\\admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString) -PasswordNeverExpires Yes -UserEmailAddress ${
adUser.email
}`,
);
// Below script to set admin password to never expire
adUsersCommand.push(
`C:\\cfn\\scripts\\AD-user-setup.ps1 -UserName admin -Password ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString) -DomainAdminUser ${madDeploymentConfig['netbios-domain']}\\admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString) -PasswordNeverExpires Yes`,
);
// Creating AD Groups command
const configGroups = madDeploymentConfig['ad-groups']
.concat(madDeploymentConfig['ad-per-account-groups'])
.concat(madDeploymentConfig['adc-group']);
// console.log("configGroups", configGroups);
const adGroups = prepareGroups(configGroups, accountNames);
// console.log("All groups", adGroups);
// Mapping Users to Groups command
const adUserGroups: { user: string; groups: string[] }[] = [];
madDeploymentConfig['ad-users'].map(a => {
const groups = prepareGroups(a.groups, accountNames);
adUserGroups.push({ user: a.user, groups });
});
// console.log("adUserGroups", adUserGroups);
const adUserGroupsCommand: string[] = [];
adUserGroups.map(userGroup =>
adUserGroupsCommand.push(
`C:\\cfn\\scripts\\AD-user-group-setup.ps1 -GroupNames \'${userGroup.groups.join(',')}\' -UserName ${
userGroup.user
} -DomainAdminUser ${
madDeploymentConfig['netbios-domain']
}\\admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString)`,
),
);
// creating security group for the instance
const securityGroup = new SecurityGroup(this, 'RdgwSecurityGroup', {
securityGroups: madDeploymentConfig['security-groups'],
accountKey,
vpcId,
vpcName,
installerVersion,
});
const stack = AcceleratorStack.of(this);
const prefix = trimSpecialCharacters(stack.acceleratorPrefix);
const launchConfig = new LaunchConfiguration(this, 'RDGWLaunchConfiguration', {
launchConfigurationName: `${prefix}-RDGWLaunchConfiguration`,
metadataOptions: madDeploymentConfig['rdgw-enforce-imdsv2']
? { httpEndpoint: 'enabled', httpTokens: 'required' }
: undefined,
associatePublicIpAddress: false,
imageId: latestRdgwAmiId,
securityGroups: [securityGroup.securityGroups[0].id],
iamInstanceProfile: createIamInstanceProfileName(madDeploymentConfig['rdgw-instance-role']),
instanceType: madDeploymentConfig['rdgw-instance-type'],
blockDeviceMappings: [
{
deviceName: '/dev/sda1',
ebs: {
volumeSize: 50,
volumeType: 'gp2',
encrypted: true,
},
},
],
keyName: keyPairName,
});
const autoScalingGroupSize = madDeploymentConfig['num-rdgw-hosts'];
const autoscalingGroup = new CfnAutoScalingGroup(this, 'RDGWAutoScalingGroupB', {
autoScalingGroupName: `${prefix}-RDGWAutoScalingGroup`,
launchConfigurationName: launchConfig.ref,
vpcZoneIdentifier: subnetIds,
maxInstanceLifetime: madDeploymentConfig['rdgw-max-instance-age'] * 86400,
minSize: `${madDeploymentConfig['min-rdgw-hosts']}`,
maxSize: `${madDeploymentConfig['max-rdgw-hosts']}`,
cooldown: '300',
desiredCapacity: `${autoScalingGroupSize}`,
serviceLinkedRoleArn,
tags: [
{
key: 'Name',
value: `${stack.acceleratorPrefix}RDGW`,
propagateAtLaunch: true,
},
],
});
autoscalingGroup.cfnOptions.creationPolicy = {
resourceSignal: {
count: autoScalingGroupSize,
timeout: 'PT30M',
},
};
launchConfig.addOverride('Metadata.AWS::CloudFormation::Authentication', {
S3AccessCreds: {
type: 'S3',
roleName: madDeploymentConfig['rdgw-instance-role'],
buckets: [s3BucketName],
},
});
launchConfig.userData = cdk.Fn.base64(
`<script>\n cfn-init.exe -v -c config -s ${stackId} -r ${launchConfig.logicalId} --region ${cdk.Aws.REGION} \n # Signal the status from cfn-init\n cfn-signal -e $? --stack ${props.stackName} --resource ${autoscalingGroup.logicalId} --region ${cdk.Aws.REGION}\n </script>\n`,
);
launchConfig.addOverride('Metadata.AWS::CloudFormation::Init', {
configSets: {
config: ['setup', 'join', 'installRDS', 'createADConnectorUser', 'configurePasswordPolicy', 'finalize'],
},
setup: {
files: {
'c:\\cfn\\cfn-hup.conf': {
content: `[main]\n stack=${stackName}\n region=${cdk.Aws.REGION}\n`,
},
'c:\\cfn\\hooks.d\\cfn-auto-reloader.conf': {
content: `[cfn-auto-reloader-hook]\n triggers=post.update\n path=Resources.${launchConfig.logicalId}.Metadata.AWS::CloudFormation::Init\n action=cfn-init.exe -v -c config -s ${stackId} -r ${launchConfig.logicalId} --region ${cdk.Aws.REGION}\n`,
},
'C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AWSQuickStart\\AWSQuickStart.psm1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AWSQuickStart.psm1`,
authentication: 'S3AccessCreds',
},
'C:\\cfn\\scripts\\Join-Domain.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}Join-Domain.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\Initialize-RDGW.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}Initialize-RDGW.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\AD-user-setup.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AD-user-setup.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\AD-group-setup.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AD-group-setup.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\AD-user-group-setup.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AD-user-group-setup.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\AD-group-grant-permissions-setup.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AD-group-grant-permissions-setup.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\AD-connector-permissions-setup.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}AD-connector-permissions-setup.ps1`,
authentication: 'S3AccessCreds',
},
'c:\\cfn\\scripts\\Configure-password-policy.ps1': {
source: `https://${s3BucketName}.s3.${cdk.Aws.REGION}.amazonaws.com/${s3KeyPrefix}Configure-password-policy.ps1`,
authentication: 'S3AccessCreds',
},
},
services: {
windows: {
'cfn-hup': {
enabled: 'true',
ensureRunning: 'true',
files: ['c:\\cfn\\cfn-hup.conf', 'c:\\cfn\\hooks.d\\cfn-auto-reloader.conf'],
},
},
},
commands: {
'a-set-execution-policy': {
command: 'powershell.exe -Command "Set-ExecutionPolicy RemoteSigned -Force"',
waitAfterCompletion: '0',
},
'b-init-quickstart-module': {
command: `powershell.exe -Command "New-AWSQuickStartResourceSignal -Stack ${props.stackName} -Resource ${autoscalingGroup.logicalId} -Region ${cdk.Aws.REGION}"`,
waitAfterCompletion: '0',
},
},
},
join: {
commands: {
'a-join-domain': {
command: `powershell.exe -Command "C:\\cfn\\scripts\\Join-Domain.ps1 -DomainName ${madDeploymentConfig['dns-domain']} -UserName ${madDeploymentConfig['netbios-domain']}\\admin -Password ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString)"`,
waitAfterCompletion: 'forever',
},
},
},
installRDS: {
commands: {
'a-install-rds': {
command: 'powershell.exe -Command "Install-WindowsFeature RDS-Gateway,RSAT-RDS-Gateway,RSAT-AD-Tools"',
waitAfterCompletion: '0',
},
'b-configure-rdgw': {
command: `powershell.exe -ExecutionPolicy RemoteSigned C:\\cfn\\scripts\\Initialize-RDGW.ps1 -ServerFQDN $($env:COMPUTERNAME + '.${madDeploymentConfig['dns-domain']}') -DomainNetBiosName ${madDeploymentConfig['netbios-domain']} -GroupName 'domain admins'`,
waitAfterCompletion: '0',
},
},
},
createADConnectorUser: {
commands: {
'a-create-ad-users': {
command: `powershell.exe -ExecutionPolicy RemoteSigned ${adUsersCommand.join('; ')}`,
waitAfterCompletion: '0',
},
'b-create-ad-groups': {
command: `powershell.exe -ExecutionPolicy RemoteSigned C:\\cfn\\scripts\\AD-group-setup.ps1 -GroupNames \'${adGroups.join(
',',
)}\' -DomainAdminUser ${
madDeploymentConfig['netbios-domain']
}\\admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString)`,
waitAfterCompletion: '0',
},
'c-configure-ad-users-groups': {
command: `powershell.exe -ExecutionPolicy RemoteSigned ${adUserGroupsCommand.join('; ')}`,
waitAfterCompletion: '0',
},
'd-configure-ad-group-permissions': {
command: `powershell.exe -ExecutionPolicy RemoteSigned C:\\cfn\\scripts\\AD-connector-permissions-setup.ps1 -GroupName ${madDeploymentConfig['adc-group']} -DomainAdminUser ${madDeploymentConfig['netbios-domain']}\\admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString)`,
waitAfterCompletion: '0',
},
},
},
configurePasswordPolicy: {
commands: {
'a-set-password-policy': {
command: `powershell.exe -ExecutionPolicy RemoteSigned C:\\cfn\\scripts\\Configure-password-policy.ps1 -DomainAdminUser admin -DomainAdminPassword ((Get-SECSecretValue -SecretId ${adminPasswordArn}).SecretString) -ComplexityEnabled:$${pascalCase(
String(madDeploymentConfig['password-policies'].complexity),
)} -LockoutDuration 00:${
madDeploymentConfig['password-policies']['lockout-duration']
}:00 -LockoutObservationWindow 00:${
madDeploymentConfig['password-policies']['lockout-attempts-reset']
}:00 -LockoutThreshold ${madDeploymentConfig['password-policies']['failed-attempts']} -MaxPasswordAge:${
madDeploymentConfig['password-policies']['max-age']
}.00:00:00 -MinPasswordAge:${
madDeploymentConfig['password-policies']['min-age']
}.00:00:00 -MinPasswordLength:${
madDeploymentConfig['password-policies']['min-len']
} -PasswordHistoryCount:${madDeploymentConfig['password-policies'].history} -ReversibleEncryptionEnabled:$${
madDeploymentConfig['password-policies'].reversible
}`,
waitAfterCompletion: '0',
},
},
},
finalize: {
commands: {
'1-signal-success': {
command: 'powershell.exe -Command "Write-AWSQuickStartStatus"',
waitAfterCompletion: '0',
},
},
},
});
}