Using aws ec2 with directoryservice
To integrate AWS EC2 with Directory Service using Pulumi, you typically need to follow these steps:
- Create a Virtual Private Cloud (VPC): This is where your network resources live.
- Set up Directory Service: There are different Directory Service offerings; Simple AD might suffice for small setups.
- Launch EC2 instances: These instances will be joined to the directory created above.
- Configure necessary networking: Required to ensure the EC2 instances can communicate with the directory service.
We will use the AWS classes `ec2.Vpc` to create a VPC, `ec2.Instance` for launching EC2 instances, and `directoryservice.Directory` for setting up a Simple AD. The following TypeScript program implements these resources using Pulumi:
```typescript
import * as aws from "@pulumi/aws";

// Create a new VPC. Simple AD requires two subnets in different Availability Zones,
// so two subnets are created here. DNS support and hostnames are enabled so the
// instance can resolve the directory's domain.
const vpc = new aws.ec2.Vpc("main", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
});

const subnetA = new aws.ec2.Subnet("main-a", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a", // Change to your desired availability zone
});

const subnetB = new aws.ec2.Subnet("main-b", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b", // Must be a different AZ from the first subnet
});

// Placeholder directory administrator password; replace it before deploying.
// It is also embedded in the instance user data below, which is readable from the
// instance metadata service, so a Pulumi config secret is preferable in practice.
const directoryPassword = "SuperSecretPassw0rd";

// Create an AWS Directory Service Simple AD
const directory = new aws.directoryservice.Directory("main", {
    name: "corp.example.com",
    password: directoryPassword,
    size: "Small",
    type: "SimpleAD",
    vpcSettings: {
        vpcId: vpc.id,
        subnetIds: [subnetA.id, subnetB.id],
    },
});

// Point the VPC's DHCP options at the directory's DNS servers so that instances
// can resolve corp.example.com when they run the domain join.
const dhcpOptions = new aws.ec2.VpcDhcpOptions("directory-dns", {
    domainName: "corp.example.com",
    domainNameServers: directory.dnsIpAddresses,
});
const dhcpAssociation = new aws.ec2.VpcDhcpOptionsAssociation("directory-dns", {
    vpcId: vpc.id,
    dhcpOptionsId: dhcpOptions.id,
});

// Create a security group for the EC2 instances
const securityGroup = new aws.ec2.SecurityGroup("allow-ldap", {
    vpcId: vpc.id,
    description: "Allow all inbound traffic",
    ingress: [
        { protocol: "tcp", fromPort: 0, toPort: 65535, cidrBlocks: ["0.0.0.0/0"] },
    ],
    // Outbound access is required to reach the directory and the package repositories
    egress: [
        { protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: ["0.0.0.0/0"] },
    ],
});

// Launch an EC2 instance and join it to the directory
const instance = new aws.ec2.Instance("worker", {
    instanceType: "t2.micro", // Change to your desired instance type
    vpcSecurityGroupIds: [securityGroup.id], // Instances in a VPC take security group IDs, not names
    ami: "ami-0c55b159cbfafe1f0", // Change to your desired AMI (the script below assumes a Debian/Ubuntu image)
    subnetId: subnetA.id,
    userData: `#!/bin/bash
# Script to join the EC2 instance to the directory
domain_join() {
    hostnamectl set-hostname myec2instance.corp.example.com
    apt update -y && apt install -y realmd krb5-user samba-common-bin adcli sssd
    echo "${directoryPassword}" | realm join -U Administrator corp.example.com
}
domain_join`,
}, { dependsOn: [dhcpAssociation] }); // The DNS settings must be in place before the instance boots

// When the program runs, the VPC, subnets, directory and instance will be created,
// and the instance will run the user data script to join itself to the directory.

// Export the DNS addresses of the Simple AD directory and the EC2 instance public IP
export const directoryDnsAddresses = directory.dnsIpAddresses;
export const instancePublicIp = instance.publicIp;
```
Here's an explanation of this program:
- First, we set up a new VPC and subnet to provide the network environment for our resources.
- Next, we create a Directory Service using `aws.directoryservice.Directory`. We specify the domain's name and an administration password, the directory size, and the VPC configuration including the subnet IDs where the directory can be accessed.
- Then, we prepare a security group to allow traffic. In a production environment, these rules should be more restrictive.
- We launch an EC2 instance that will connect to the domain created by Simple AD. Note that the instance's user data includes a script to perform the domain-joining operation.
- Finally, we export the DNS addresses of the Simple AD and the public IP of the instance for external access.
Make sure to replace placeholders such as the AMI ID with one suitable for your region and desired OS, the `availabilityZone` with one that you want to use, and the directory service password with a strong one of your own. Please keep in mind that this code should be used as a starting point and requires review and modification to fit your AWS environment and comply with your organization's security policies. Access policies, in particular the Security Group ingress rules, are set broadly in this example and should be configured with the minimum required access for your scenario.