I'm using the `awsx` module for creating a Windows...
# general
e
I'm using the `awsx` module for creating a Windows ec2 instance. Is there any way to specify that the instance should join a Microsoft AD domain? The domain controller already exists as a managed Microsoft AD directory in AWS. I can get the instance to join "seamlessly" by creating it in the console: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html Or by logging in to the instance and configuring it: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html How can I achieve this with Pulumi?
a
I don't work for pulumi, and have never done what you're asking, but you're teetering on the edge of where the aws console does a bunch of extra workflow for you that you'd have to code up manually in any IAC. The first link indicates amazon is triggering some sort of EC2 Systems Manager (SSM) flow to join the domain. Pulumi supports SSM (see: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/ssm/), but I'm a bit out of my depth on that. The second is manual. I would bet you could use userdata for the windows instance to join on boot (userdata is automatically executed on instance launch), but that may require doing some secrets management. Do you have any experience with either SSM or using Userdata?
e
Thanks for the response! I've got things working 90% of the way through UserData with something like this:
```powershell
Write-Host "Signaling CloudFormation that the instance is up and running"
cfn-signal.exe --success true --region ${config.region} --stack ${stackName} --resource Instances

Write-Host "Updating DNS addresses to match the Directory Service"
Set-DnsClientServerAddress -InterfaceIndex (Get-NetAdapter).ifIndex -ServerAddresses (${directoryDnsIpAddresses})

Write-Host "Joining the domain directory: ${directoryName}. This will force restart the instance."
$securePassword = ConvertTo-SecureString "${directoryPassword}" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("Admin", $securePassword)
Add-Computer -Domain ${directoryName} -Credential $credential -Verbose -PassThru -Restart -Force
```
I've spent a couple days on this and found that UserData was the only way I could make progress. Was just wondering if this is already supported via Pulumi, e.g. through some launchconfiguration args for domain joining that would flow through as needed.
I'm creating the directory in the pulumi project, too
c
This might be of help to you: https://github.com/pulumi/examples/pull/191
The example shows how you could use Pulumi’s dynamic resource provider to connect to a newly-created VM via SSH (winrm) and remote execute a script. You could execute a script like that on your Windows instance to have it join the MS AD Domain.
e
Interesting, I'm not sure how I could use it, though. Would I have to set up an SSH server on my windows hosts for "post-provisioning"?
Also, isn't the whole point of UserData to run commands after provisioning?
c
For example, I am using that myself to deploy a Linux EC2 Instance and initialize it with Octopus’ Tentacle configuration.
e
Oh, what a coincidence. For this thread I'm provisioning Octopus server on Windows hosts.
c
> Also, isn't the whole point of UserData to run commands after provisioning?
I am not too familiar with UserData myself to be honest.
e
However, I have a separate project, using UserData, to do exactly what you're doing for linux tentacles
UserData is just a script you set in AWS launch configurations to run commands after an instance comes up
it can be bash, powershell, etc
c
> UserData is just a script you set in AWS launch configurations to run commands after an instance comes up
Ah I see. Yeah perhaps the difference with the link I provided would be that it wouldn’t run the remote script every time the instance is restarted (in my case I didn’t need that) unless the script is installed to do so vs. having a script that runs every time the instance comes up? I am assuming using UserData does the latter automatically?
e
UserData can run once on first startup, or every time
c
Got it.