hashicorp / terraform-provider-ad

Active Directory provider for HashiCorp Terraform (experimental)
https://registry.terraform.io/providers/hashicorp/ad/latest
Mozilla Public License 2.0
131 stars 68 forks

Manage gMSA (Group Managed Service Account) #54

Open jpatigny opened 3 years ago

jpatigny commented 3 years ago

Description

Add a resource to manage gMSAs based on the PowerShell cmdlets New-ADServiceAccount, Set-ADServiceAccount and Remove-ADServiceAccount.

I'm aware that there are a lot of parameters available. Maybe it would be worth focusing on the main ones (see the examples below, taken mainly from the Microsoft documentation page).

Potential Terraform Configuration

Example 1: Create an enabled managed service account

resource "ad_gmsa" "gmsa_example1" {
  name         = "Service01"
  dns_hostname = "Service01.contoso.com"
  enabled      = true
}

Example 2: Create a managed service account and register its service principal name

resource "ad_gmsa" "gmsa_example2" {
  name                    = "Service01"
  dns_hostname            = "Service01.contoso.com"
  service_principal_names = ["MSSQLSVC/Machine3.corp.contoso.com"]
}

Example 3: Create a managed service account for a single computer

resource "ad_gmsa" "gmsa_example3" {
  name                        = "Service01"
  restrict_to_single_computer = true
}

Example 4: Create a managed service account for outbound authentication only

resource "ad_gmsa" "gmsa_example4" {
  name                                     = "Service01"
  restrict_to_outbound_authentication_only = true
}

Example 5: Create a managed service account for specific computers.

resource "ad_gmsa" "gmsa_example5" {
  name                                           = "Service01"
  dns_hostname                                   = "Service01.contoso.com"
  enabled                                        = true
  principals_allowed_to_retrieve_managed_password = ["computer1", "computer2"]
  kerberos_encryption_type                       = "AES256"
  managed_password_interval_in_days              = 30
}

References

https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-adserviceaccount?view=win10-ps
https://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-adserviceaccount?view=win10-ps


briantist commented 3 years ago

+1, this is a major part of our current Windows deployment process. We also typically create a group that contains computers, and set the group to be the lone member of PrincipalsAllowedToRetrieveManagedPassword, for example.

jpatigny commented 3 years ago

Working on this one

briantist commented 3 years ago

Note about this example

resource "ad_gmsa" "gmsa_example3" {
  name                        = "Service01"
  restrict_to_single_computer = true
}

This is an MSA, but not a gMSA. The *-ADServiceAccount cmdlets are used for both. It might be a good time to decide whether there should be separate msa/gmsa resources, or a single resource that manages both. Some params to those cmdlets apply to both types, some only apply to one or the other.

For supporting MSAs, you'll also want to look at Install-ADServiceAccount so that the acct will be usable on the local machine, although I'm not sure how that'd be handled since it doesn't execute on the domain controller (but does need to access the DC). That command "works" with gMSAs too, as in it won't fail, but it's a no-op.
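
The cmdlet sequence that the requested ad_gmsa resource would have to wrap, covering the issue's example 5 (group-scoped password retrieval, AES256, a 30-day interval) together with the two points raised above: using a group as the lone member of PrincipalsAllowedToRetrieveManagedPassword, and the difference between a gMSA and a single-computer MSA that needs Install-ADServiceAccount on the host. This is an added example, not code from the issue or from the provider. It assumes the ActiveDirectory module on a domain-joined admin host with rights to create accounts and groups, an existing KDS root key, and hypothetical names: the group "Service01-Hosts", the OU path "OU=ServiceAccounts,DC=contoso,DC=com" and the standalone MSA "Service02". The security point it makes explicit: any principal listed in PrincipalsAllowedToRetrieveManagedPassword can read msDS-ManagedPassword, which is equivalent to holding the account's credential, so that list should be one narrow group and a provider's Read should report drift on it.

```powershell
# Added example (not from the issue or the provider). Assumes the ActiveDirectory
# module, an existing KDS root key, and these hypothetical names.
Import-Module ActiveDirectory

$gmsaName  = 'Service01'                               # from the issue
$dnsHost   = 'Service01.contoso.com'                   # from the issue
$hostGroup = 'Service01-Hosts'                         # assumed group name
$members   = @('computer1', 'computer2')               # hosts from example 5
$ouPath    = 'OU=ServiceAccounts,DC=contoso,DC=com'    # assumed OU

# 1. gMSAs require a KDS root key; fail early with a clear message instead of
#    the opaque error New-ADServiceAccount produces without one.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key exists. Create one with Add-KdsRootKey and wait for replication.'
}

# 2. A security group is the only principal allowed to read the managed
#    password. Membership of this group is the real trust boundary: anything
#    in it can obtain the credential, so never use a broad group such as
#    "Domain Computers".
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $hostGroup -Members ($members | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA. ManagedPasswordIntervalInDays can only be set at creation
#    (Set-ADServiceAccount has no such parameter), so a Terraform resource would
#    have to mark it ForceNew.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName $dnsHost `
        -Enabled $true `
        -ServicePrincipalNames @("MSSQLSVC/$dnsHost") `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -Path $ouPath
}

# 4. The drift check a provider's Read would perform: the retrieval principals
#    must be exactly the host group, and no RC4/DES must be allowed.
function Test-GmsaPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ExpectedGroupDN
    )
    $acct = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType
    $principals   = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    $principalsOk = ($principals.Count -eq 1) -and ($principals[0] -eq $ExpectedGroupDN)
    $aesOnly      = ("$($acct.KerberosEncryptionType)" -notmatch 'RC4|DES')
    [pscustomobject]@{ Name = $Name; PrincipalsOk = $principalsOk; AesOnly = $aesOnly }
}
Test-GmsaPolicy -Name $gmsaName -ExpectedGroupDN (Get-ADGroup $hostGroup).DistinguishedName

# 5. The issue's example 3 (RestrictToSingleComputer) is a standalone MSA, not a
#    gMSA. It is bound to exactly one computer object and must then be installed
#    on that host, which a provider running against the DC cannot do. On the DC:
New-ADServiceAccount -Name 'Service02' -RestrictToSingleComputer -Path $ouPath
Add-ADComputerServiceAccount -Identity 'computer1' -ServiceAccount 'Service02'
# On computer1 itself, not on the DC:
#   Install-ADServiceAccount -Identity 'Service02'
#   Test-ADServiceAccount -Identity 'Service02'    # $true once the host can use it
```

Test-GmsaPolicy deliberately compares against the group's distinguished name rather than its sAMAccountName, because Get-ADServiceAccount returns PrincipalsAllowedToRetrieveManagedPassword as DNs; a provider that compared display names would miss a swapped group with the same name in another OU. Note that Test-ADServiceAccount and Install-ADServiceAccount run on the member host, which is why step 5 leaves them commented: they are the part of MSA provisioning that a DC-side Terraform provider cannot own.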

ruant commented 1 year ago

Working on this one

@jpatigny Did you manage to get anything together for this?

benjamin-rousseau-shift commented 9 months ago

This would be a neat feature, any news on this one?