Microsoft Windows Active Directory is hands down the most widely used directory service in the industry. Most organizations use it for centralized identity management of users and groups on-premises, security policy assignment, and configuring permissions to resources.
Automating Active Directory allows administrators to perform actions in bulk for various Active Directory objects. Most Windows admins currently use tools like PowerShell to perform bulk management. Recently, HashiCorp introduced a new Terraform Windows AD Provider to use declarative administration of Active Directory objects.
Let's take a look at this new Terraform provider and see how it can be used to manage Active Directory infrastructure in your environment for effective AD automation.
What is HashiCorp Terraform?
Before looking at this new provider, let's briefly consider what Terraform is. Automation is king of the hill in most environments today. Organizations are moving too quickly to continue using the manual processes of the last decade.
Using automation across the board allows organizations to be agile and much better equipped to make use of public cloud environments. The power of cloud environments is best unlocked when they can be consumed in an automated fashion. HashiCorp's Terraform is a very powerful tool that allows building, changing, and versioning infrastructure.
Terraform is a tool that makes the Infrastructure as Code (IaC) methodology possible by allowing you to describe various types of your infrastructure environment as code and interact with it in that way. Terraform does this in a declarative manner. You describe how you want the infrastructure to "look" using the HashiCorp Configuration Language (HCL), and Terraform configures the infrastructure so that it matches your code.
Once infrastructure state and desired state can be captured inside of code, it can be effectively versioned and checked into popular versioning platforms such as Git and others. This allows changes to be tracked and audited easily. In addition, any skew in the environment can be captured and corrected easily.
The Terraform component that handles interacting with various types of infrastructure is the Terraform provider. The provider is essentially a Terraform plugin that provides a collection of related resources available for a particular type of infrastructure. It is responsible for understanding the API endpoints of the infrastructure it communicates with, and it uses these to interact with the infrastructure as code.
Terraform itself is a self-contained executable that is written in the Go programming language. You can download the tool and start automating your environment and various types of infrastructure in just a few minutes. Additionally, as we will see, it is designed to easily pull the provider plugins that are needed for your code.
New Windows AD Provider for HashiCorp Terraform
Recently, HashiCorp announced the Windows AD Provider, which is a new plugin for Terraform that allows Windows administrators to interact with Active Directory objects in a declarative way using normal Terraform capabilities. The new provider allows organizations to automate the following AD objects:
- Users
- Groups
- OUs
- Computers
- Group policies
On the group policy front, Terraform's new AD provider gives admins an alternative to interact with Group Policy Objects, other than the GUI Group Policy Management tool. Admins can now describe GPOs using the HCL language, manage the configuration in version control, and quickly identify configuration drift. This makes performing very labor-intensive and repetitive tasks much easier using Terraform automation.
Since the new Terraform provider is currently in the experimental stage, there are a few limitations of the Windows AD provider to note. These include the following:
- Since it is experimental, it is currently not supported for production AD infrastructure.
- Right now, only a subset of GPO-managed items are supported. More will be added by the GA release.
- You cannot modify AD group memberships with the experimental provider.
Using the new Terraform Windows AD Provider
If you have not used Terraform before, it is a simple download for your platform type.
The great thing about Terraform is that it automatically downloads the providers that are called by your HCL code. For the Windows AD provider file, I am using the following snippet of code that is provided on the official Windows AD provider page at HashiCorp with a few tweaks for my lab environment.
The code will add a new GPO and OU and assign the GPO to the OU, among other tasks.
```hcl
provider "ad" {
  version = "0.1.0"
  // Add WinRM configuration here
}

resource "ad_gpo" "g" {
  name        = "TFTestGPO"
  domain      = "cloud.local"
  description = "gpo for gplink tests"
  status      = "AllSettingsEnabled"
}

resource "ad_gpo_security" "gpo_sec" {
  gpo_container = ad_gpo.g.id
  password_policies {
    minimum_password_length = 3 // lab value only; far below any production baseline
  }
  system_services {
    service_name = "TapiSrv"
    startup_mode = "2"
    acl          = "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)"
  }
}

resource "ad_ou" "o" {
  name        = "TF Test OU"
  path        = "dc=cloud,dc=local"
  description = "OU for gplink tests"
}

resource "ad_gplink" "og" {
  gpo_guid  = ad_gpo.g.id
  target_dn = ad_ou.o.dn
}
```
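To fill in the `// Add WinRM configuration here` stub, the following is an added example (not from the original article or from the provider's own documentation) of a provider block that keeps the domain credentials out of the committed HCL and reaches the domain controller over WinRM HTTPS with certificate validation, plus an `ad_user` provisioned into the "TF Test OU" created above. The `winrm_*` and `ad_user` attribute names are assumed here to match the provider's documentation; `dc01.cloud.local`, `tfsvc` and the variable names are placeholders, and `sensitive = true` requires Terraform 0.14 or later.

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    ad = {
      source  = "hashicorp/ad"
      version = "0.1.0"
    }
  }
}

# Credentials are supplied at runtime (for example via TF_VAR_ad_username and
# TF_VAR_ad_password in the shell) rather than hard-coded in files that are
# checked into Git alongside the GPO and OU definitions.
variable "ad_username" {
  type = string
}

variable "ad_password" {
  type      = string
  sensitive = true # redacted from terraform plan/apply output
}

variable "initial_password" {
  type      = string
  sensitive = true
}

# Weak setting the provider accepts but that should stay in the lab:
#   winrm_proto = "http", winrm_insecure = true
# sends the admin credentials over an unencrypted listener with no certificate check.
provider "ad" {
  winrm_hostname = "dc01.cloud.local" # placeholder domain controller name
  winrm_username = var.ad_username
  winrm_password = var.ad_password
  winrm_port     = 5986  # default WinRM HTTPS listener
  winrm_proto    = "https"
  winrm_insecure = false # validate the DC's TLS certificate
}

# A user placed in the OU from the article's snippet; the initial password is
# passed in as a sensitive variable instead of being committed.
resource "ad_user" "svc" {
  principal_name   = "tfsvc@cloud.local"
  sam_account_name = "tfsvc"
  display_name     = "Terraform Test User"
  initial_password = var.initial_password
  container        = "OU=TF Test OU,DC=cloud,DC=local"
}
```

Because the password variables are marked sensitive, the values stay out of the plan output that gets pasted into tickets or pipeline logs, although they are still written to the Terraform state file, which therefore needs the same access controls as the credentials themselves.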
You can see which providers your configuration uses by executing the terraform providers command. As you can see below, the ad provider at version 0.1.0 is required by this configuration.
View the required providers with the terraform providers command
After you have viewed the required plugins for Terraform, you can easily download the required plugins automatically by using the terraform init command.
When you use the terraform init command, you will see the required plugin identified and downloaded from the Terraform registry.
Once the required Windows AD plugin is downloaded for Terraform, you can run the terraform plan command. This command performs a "dry run" of the configuration.
The terraform plan command shows all the proposed changes that Terraform will make to the Active Directory infrastructure. As you can see below, a total of four changes will be made to Active Directory using the listed HCL code.
After you review the changes, you will then run the terraform apply command. This command actually makes the changes in Active Directory. Before it makes the changes, it will have you confirm the actions.
After I ran the terraform apply command, I could check and see that changes were indeed made to my environment. Note: This is a lab environment and not production.
Practical examples
We like to consider the practical applications of any new tool or solution. One of the many use cases we can highlight with the new AD Provider is correcting configuration drift with AD. With Active Directory Group Policy objects, ensuring that GPOs are linked to the correct OUs can be important for proper policy application.
Have you been in a situation where GPO links were mistakenly unlinked from the proper OUs? The new Terraform provider can correct these types of issues. Additionally, in lab environments (as shown in the script), OUs can be created on the fly and GPOs linked programmatically.
With the Microsoft Group Policy Management Tool, there is no native way to implement change control and versioning with GPO policy changes. However, by using the new Terraform Windows AD Provider, all GPO changes implemented through it can be checked in and out of version control solutions, such as Git.
Wrapping up
The new HashiCorp Terraform Windows AD Provider is a great new tool for automating Active Directory environments. While the new tool is still in the experimental stage, the features of the new provider, as detailed, offer a promising end result. Terraform is wildly popular in the automation and Infrastructure as Code space. The new Windows AD Provider will only serve to strengthen its appeal with infrastructure admins, including Windows admins looking for declarative Active Directory automation.
Would it be able to automate user provisioning?