https://pulumi.com logo
#general
Title
# general
e

early-musician-41645

09/26/2019, 5:27 PM
I'm using the
awsx
module for creating a Windows ec2 instance. Is there any way to specify that the instance should join a Microsft AD domain? The domain controller already exists as a managed Microsoft AD directory in AWS. I can get the instance to join "seamlessly" by creating it in the console: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html Or by logging in to the instance and configuring it: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html How can I achieve this with Pulumi?
a

acceptable-army-69872

09/26/2019, 5:49 PM
I don't work for pulumi, and have never done what you're asking, but you're teetering on the edge of where the aws console does a bunch extra work flow for you that you'd have to code up manually in any IAC. The first link indicates amazon is triggering some sort of EC2 Systems Manager (SSM) flow to join the domain. Pulumi supports SSM (see: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/ssm/), but I'm a bit out of my depth on that. The second is manual. I would bet you could use userdata for the windows instance to join on boot (userdata is automatically executed on instance launch), but that may require doing some secrets management. Do you have any experience with either SSM or using Userdata?
e

early-musician-41645

09/26/2019, 6:01 PM
Thanks for the response! I've got things working 90% of the way through UserData with something like this:
Copy code
Write-Host "Signaling CloudFormation that the instance is up and running"
cfn-signal.exe --success true --region ${config.region} --stack ${stackName} --resource Instances

Write-Host "Updating DNS addresses to match the Directory Service"
Set-DnsClientServerAddress -InterfaceIndex (Get-NetAdapter).ifIndex -ServerAddresses (${directoryDnsIpAddresses})

Write-Host "Joining the domain directory: ${directoryName}. This will force restart the instance."
$securePassword = ConvertTo-SecureString "${directoryPassword}" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Admin", $securePassword)
Add-Computer -Domain ${directoryName} -Credential $credential -Verbose -PassThru -Restart -Force
I've spent a couple days on this and found that UserData was the only way I could make progress. Was just wondering if this is already supported via Pulumi, e.g. through some launchconfiguration args for domain joining that would flow through as needed.
I'm creating the directory in the pulumi project, too
c

clever-sunset-76585

09/26/2019, 6:05 PM
This might be of help to you: https://github.com/pulumi/examples/pull/191
The example shows how you could use Pulumi’s dynamic resource provider to connect to a newly-created VM via SSH (winrm) and remote execute a script. You could execute a script like that on your Windows instance to have it join the MS AD Domain.
e

early-musician-41645

09/26/2019, 6:07 PM
Interesting, I'm not sure how I could use it, though. Would I have to set up an SSH server on my windows hosts for "post-provisioning"?
Also, isn't the whole point of UserData to run commands after provisioning?
c

clever-sunset-76585

09/26/2019, 6:07 PM
For example, I am using that myself to deploy a Linux EC2 Instance and initialize it with Octopus’ Tentacle configuration.
e

early-musician-41645

09/26/2019, 6:09 PM
Oh, what a coincidence. For this thread I'm provisioning Octopus server on Windows hosts.
😄 1
c

clever-sunset-76585

09/26/2019, 6:09 PM
Also, isn’t the whole point of UserData to run commands after provisioning?
I am not too familiar with UserData myself to be honest.
e

early-musician-41645

09/26/2019, 6:09 PM
However, I have a separate project, using UserData, to do exactly what you're doing for linux tentacles
UserData is just a script you set in AWS launch configurations to run commands after an instance comes up
it can be bash, powershell, etc
c

clever-sunset-76585

09/26/2019, 6:14 PM
UserData is just a script you set in AWS launch configurations to run commands after an instance comes up
Ah I see. Yeah perhaps the difference with the link I provided would be that it wouldn’t run the remote script every time the instance is restarted (in my case I didn’t need that) unless the script is installed to do so vs. having a script that runs every time the instance comes up? I am assuming using UserData does the latter automatically?
e

early-musician-41645

09/26/2019, 6:18 PM
UserData can run once on first startup, or every time
c

clever-sunset-76585

09/26/2019, 6:19 PM
Got it.
9 Views