Open ablackrw opened 4 years ago
I think we'll also need to add the EnableLDAPS, DisableLDAPS and DescribeLDAPSSettings. I'm curious how the Enable/Disable works since both have the same fields/values.
Anything new about this?
Any update please?
Is this still ongoing?
I found my way here for the same needs -- enabling LDAPS for Active Directory Connector.
Pending a feature improvement to the provider, has anyone solved via a workaround? I'm specifically thinking the use of the local provisioner to run a Python script and leverage boto3 to inject the certs and enable LDAPS mode. Or will this be more trouble than it is worth and should just stick to doing this out-of-band to our TF pipelines?
@cacack We currently use a null_resource with a local-exec provisioner and just call the API:
```hcl
resource "null_resource" "ad_connector_cert_register" {
  provisioner "local-exec" {
    command = "aws ds register-certificate --region ${local.region} --directory-id ${aws_directory_service_directory.ad_connector.id} --certificate-data file://FILE.cer"
  }

  depends_on = [aws_directory_service_directory.ad_connector]
}
```
Description
Per Microsoft security advisory ADV190023, Microsoft is deprecating the use of insecure LDAP connections to domain controllers. As such, it will be necessary to configure the CA certificates and LDAPS configuration of `aws_directory_service_directory` resources of type `ADConnector` or `MicrosoftAD` to avoid communications disruptions.

New or Affected Resource(s)
Potential Terraform Configuration
This design assumes that LDAPS is to be enabled if one or more certificates are specified.
An alternate design would be similar to the following:
However, this design fails to encapsulate the requirement that at least one certificate be associated with a directory before LDAPS can be enabled.
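As an added example (not code from this thread or from the provider), the boto3 route suggested in the comments above, carried through the ordering the description calls for: register the CA certificate, wait for it to reach the Registered state, and only then call EnableLDAPS. `FakeDirectoryService`, the directory id `d-1234567890` and the PEM text are constructed stand-ins so the flow runs offline; against AWS the client is `boto3.client("ds")`.

```python
import time  # the real client is boto3.client("ds"); any object with the same methods works

def register_ca_certificate(ds, directory_id, pem_data):
    """Upload the CA cert that issued the domain controllers' LDAPS certs."""
    resp = ds.register_certificate(DirectoryId=directory_id,
                                   CertificateData=pem_data, Type="ClientLDAPS")
    return resp["CertificateId"]

def wait_until_registered(ds, directory_id, cert_id, attempts=30, delay=10):
    """Poll DescribeCertificate until the cert leaves the Registering state."""
    for _ in range(attempts):
        state = ds.describe_certificate(DirectoryId=directory_id,
                                        CertificateId=cert_id)["Certificate"]["State"]
        if state == "Registered":
            return True
        if state in ("RegisterFailed", "Deregistered", "DeregisterFailed"):
            raise RuntimeError(f"certificate {cert_id} is {state}")
        time.sleep(delay)
    return False

def enable_client_ldaps(ds, directory_id):
    """EnableLDAPS is only valid once a CA cert is Registered, so check first.
    Returns the LDAPSStatus reported afterwards (Enabling on a real directory)."""
    certs = ds.list_certificates(DirectoryId=directory_id)["CertificatesInfo"]
    if not any(c["State"] == "Registered" for c in certs):
        raise RuntimeError("no Registered CA certificate; register one first")
    ds.enable_ldaps(DirectoryId=directory_id, Type="Client")
    info = ds.describe_ldaps_settings(DirectoryId=directory_id, Type="Client")
    return info["LDAPSSettingsInfo"][0]["LDAPSStatus"]

class FakeDirectoryService:
    """Constructed stand-in for boto3.client("ds") so the flow runs offline;
    a certificate becomes Registered on the first DescribeCertificate poll."""
    def __init__(self):
        self.certs, self.ldaps = {}, "Disabled"
    def register_certificate(self, DirectoryId, CertificateData, Type):
        cid = f"c-{len(self.certs) + 1:018d}"
        self.certs[cid] = "Registering"
        return {"CertificateId": cid}
    def describe_certificate(self, DirectoryId, CertificateId):
        self.certs[CertificateId] = "Registered"
        return {"Certificate": {"CertificateId": CertificateId, "State": "Registered"}}
    def list_certificates(self, DirectoryId):
        return {"CertificatesInfo": [{"CertificateId": k, "State": v}
                                     for k, v in self.certs.items()]}
    def enable_ldaps(self, DirectoryId, Type):
        self.ldaps = "Enabled"
    def describe_ldaps_settings(self, DirectoryId, Type):
        return {"LDAPSSettingsInfo": [{"LDAPSStatus": self.ldaps}]}
```

Disabling is the mirror image (`disable_ldaps` with the same `DirectoryId` and `Type="Client"`), which is why the Enable and Disable API calls carry identical fields.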