Artikel: AD-Automatisierung mit Terraform

Listing 1: Terraform mit AD verknüpfen

variable "user" { default = "<user>" }
variable "password" { default = "<password>"
}
provider "ad" {
winrm_hostname = "<DC1.JOOS.INT>"
winrm_username = var.user
winrm_password = var.password
winrm_use_ntlm = true
}


Listing 2: Terraform mit Kerberos nutzen

provider "ad" {
winrm_hostname = "<DC1.JOOS.INT>"
winrm_username = var.user
winrm_password = var.password
winrm_port = 5986
winrm_proto = "https"
winrm_pass_credentials = true
krb_realm = "<JOOS.INT>"
krb_conf = "krb5.conf"
krb_spn = "<DC1.JOOS.INT>"
winrm_insecure = true
}


Listing 3: Kerberos-Konfigurationsdatei

[libdefaults]
default_realm = <JOOS.INT>
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
<JOOS.INT> = {
kdc = <DC1.JOOS.INT>
admin_server = <DC1.JOOS.INT>
default_domain = <JOOS.INT>
master_kdc = <DC1.JOOS.INT>
}
[domain_realm]
.kerberos.server = <JOOS.INT>
<.joos.int> = <JOOS.INT>
<joos.int> = <JOOS.INT>


Listing 4: Beispiel für ein Main-TF-File

resource "ad_gpo" "g" {
name = "TFTestGPO"
domain = "joos.lab"
description = "gpo for gplink tests"
status = "AllSettingsEnabled"
}
resource "ad_gpo_security" "gpo_sec" {
gpo_container = ad_gpo.g.id
password_policies {
minimum_password_length = 11
}
system_services {
service_name = "TapiSrv"
startup_mode = "2"
acl =
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
}
}
resource "ad_ou" "o" {
name = "TF Test OU"
path = "dc=joos,dc=lab"
description = "OU for gplink tests"
}
resource "ad_gplink" "og" {
gpo_guid = ad_gpo.g.id
target_dn = ad_ou.o.dn
}


Listing 5: Beispiel-Skipt für Benutzerrechte

resource "ad_group" "finance_team" {
name = "Finance_Team"
group_scope = "Global"
group_type = "Security"
ou_dn =
"OU=Groups,DC=example,DC=com"
}
resource "ad_group_member" "finance_team_
members" {
group_dn = ad_group.finance
_team.distinguished_name
members = [ad_user.new_ em
ployee.distinguished_name,
"CN=Jane Smith,OU=Employees,
DC=example,DC=com"
]
}


Listing 6: GPO anlegen und verknüpfen

resource "ad_gpo" "screen_lock_policy" {
name = "ScreenLockPolicy"
description = "Enforce automatic screen
lock after 10 minutes of inactivity."
settings = <SETTINGS
[Desktop Settings]
ScreenSaverTimeout = 600
ScreenSaverIsSecure = 1
SETTINGS
}
resource "ad_gpo_link"
"screen_lock_policy_link" {
gpo_dn = ad_gpo.screen_lock_policy.distinguished_name
ou_dn = "OU=Employees,DC=example,DC=com"
enforced = true
}


Listing 7: Terraform und PowerShell

resource "ad_user" "new_user" {
name = "jdoe"
display_name = "John Doe"
given_name = "John"
surname = "Doe"
ou_dn =
"OU=Employees,DC=example,DC=com"
password = "SecurePassword123!"
enabled = true
}
provisioner "local-exec" {
command = "powershell.exe -File
./assign_permissions.ps1 -User jdoe
-FolderPath 'C:\\Shared'"
}
Das zugehörige PowerShell-Skript "assign_
permissions.ps1" könnte wie folgt aussehen:
param (
[string]$User,
[string]$FolderPath
)
$Acl = Get-Acl $FolderPath
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("$User", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$Acl.AddAccessRule($Ar)
Set-Acl $FolderPath $Acl
Write-Host "Permissions assigned to $User for
$FolderPath"