Closed liacha1986 closed 1 year ago
Hey, you will have to make sure that your Lambda function has permission to access this. If you're using AWS SAM, your Parameters block would have something like:
  DCSecurityGroupIds:
    Type: CommaDelimitedList
    Description: Comma-delimited security group IDs to allow LDAP communication with domain controller and HTTP/HTTPS communication with the Exchange Server
    Default: sg-6db2****
  DCSubnetIds:
    Type: CommaDelimitedList
    Description: Comma-delimited subnet IDs of the domain controller
    Default: subnet-0ab83************,subnet-0931************
And you'd refer to these parameters in your AWS::Serverless::Function block, in a VpcConfig:
      VpcConfig:
        SecurityGroupIds: !Ref DCSecurityGroupIds
        SubnetIds: !Ref DCSubnetIds
I suggest getting this working first from PowerShell on a machine on the same network as the Domain Controllers. The Cloud9 IDE, for instance, is a simple way to test PowerShell Lambda functions:
sam build --parallel && sam local invoke "AccessProvisionerFunction" --event samples/dev/event-provision-access.json
Just make sure your Cloud9 IDE can talk with your Domain Controller by being on the same VPC subnets and security groups.
Given this runtime runs in Linux (custom runtime running on Amazon Linux 2), the New-PSSession cmdlet would use ssh under the covers, and ssh does not exist in the custom runtime environment.
So I agree with @avanvucht that you'd likely need to execute the Lambda Function from within the same VPC as your target system; you'd also need to include a Lambda layer or similar that includes the ssh binary (and anything else required to make ssh work).
Thanks guys. I'm pretty new to this so any specific resources you can share will be appreciated. I'll try to google my way through and report back with any problems.
If you're asking about the ssh component, try packaging the ssh binary with your function code, ensure it's executable and reference it in /var/task; that may be the simplest way to get started.
I have followed all the MS guides on setting up PowerShell remoting on the server and can confirm from my test environment that I am able to SSH into my test box. I added the public key to my Lambda function and referenced it with the command below:
$session = New-PSSession -HostName "mydc01.xyz.com" -UserName "Administrator" -KeyFilePath "$env:LAMBDA_TASK_ROOT/examplemodule/id_ed25519.pub"
I just get a generic message saying that "An error has occurred which PowerShell cannot handle. A remote session might have ended".
The use case here is, I am trying to run some Get/Set-ADUser commands on my test domain users from the Lambda function (to reset AD passwords). Did a bunch of research and it seems PowerShell Core doesn't have native support for the ActiveDirectory modules, so I was trying to start a session and use the Invoke-Command cmdlet to run the command(s) I wanted.
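Pulling the pieces of this thread together (a packaged ssh binary visible on PATH, an SSH-based New-PSSession, and Invoke-Command to run the AD cmdlets on the domain controller), here is an added example that is not from any participant in this issue; it assumes the function runs on PowerShell 7.1 or later, that ssh is packaged under $env:LAMBDA_TASK_ROOT/bin, that the private key and a known_hosts file are packaged under $env:LAMBDA_TASK_ROOT/keys, and that the hostname, user and account name are placeholders.

```powershell
# Added example (not from this issue thread). Assumed layout inside the function package:
#   $LAMBDA_TASK_ROOT/bin/ssh            - packaged OpenSSH client binary
#   $LAMBDA_TASK_ROOT/keys/id_ed25519    - PRIVATE key (KeyFilePath must not be the .pub)
#   $LAMBDA_TASK_ROOT/keys/known_hosts   - pinned host key of the domain controller
$TaskRoot  = $env:LAMBDA_TASK_ROOT
$SshDir    = Join-Path $TaskRoot 'bin'
$KeyPath   = Join-Path $TaskRoot 'keys/id_ed25519'
$KnownHosts = Join-Path $TaskRoot 'keys/known_hosts'

# New-PSSession shells out to 'ssh' from PATH, so expose the packaged binary first.
$env:PATH = $SshDir + [IO.Path]::PathSeparator + $env:PATH

# Fail early with a specific error rather than the generic "remote session might have ended".
if (-not (Get-Command ssh -ErrorAction SilentlyContinue)) {
    throw "ssh binary not found on PATH; package it with the function under $SshDir."
}
if (-not (Test-Path $KeyPath)) {
    throw "Private key missing at $KeyPath (-KeyFilePath expects the private key, not the .pub)."
}

# /var/task is read-only and ssh rejects private keys with permissive modes,
# so copy the key to /tmp with owner-only permissions before use.
$TmpKey = '/tmp/id_ed25519'
Copy-Item -Path $KeyPath -Destination $TmpKey -Force
& chmod 600 $TmpKey

# Pin the DC's host key via a packaged known_hosts file instead of disabling host checking.
$sshOptions = @{ UserKnownHostsFile = $KnownHosts; StrictHostKeyChecking = 'yes' }

$session = New-PSSession -HostName 'mydc01.xyz.com' -UserName 'Administrator' `
    -KeyFilePath $TmpKey -Options $sshOptions

try {
    # The ActiveDirectory module exists on the DC, so run the AD cmdlets remotely there.
    $user = Invoke-Command -Session $session -ArgumentList 'testuser01' -ScriptBlock {
        param($SamAccountName)
        Import-Module ActiveDirectory
        Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet |
            Select-Object SamAccountName, Enabled, PasswordLastSet
    }
    $user
}
finally {
    Remove-PSSession -Session $session
}
```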