Reputation: 11
I need your help on this: we have a simple Terraform code to create a SQL Server instance, but I've been asked to add it to Active Directory.
I've tested in the AWS console, and I was able to join the DB to AD; now I need to modify the Terraform code to create a SQL Server RDS instance and enable Microsoft SQL Server Windows authentication with self-managed Active Directory.
This is the code we have to create a SQL Server instance:
resource "aws_db_instance" "new_sql_server_instance" {
  identifier                = var.cluster_name
  engine                    = var.engine
  engine_version            = var.engine_version
  instance_class            = var.instance_class
  username                  = var.master_username
  password                  = var.master_password
  port                      = var.port
  license_model             = "license-included"
  storage_encrypted         = true
  storage_type              = "gp2"
  allocated_storage         = 100
  final_snapshot_identifier = "final-snapshot-sqlserver"
  db_subnet_group_name      = aws_db_subnet_group.db_subnet_group.name
  multi_az                  = true
  vpc_security_group_ids    = [aws_security_group.dba_security_group_ip.id, aws_security_group.app_security_group_ip.id]
  skip_final_snapshot       = true
  backup_retention_period   = 7
  backup_window             = "03:00-04:00"
  maintenance_window        = "sun:05:00-sun:06:00"
  apply_immediately         = true
  parameter_group_name      = aws_db_parameter_group.rds_instance_parameter_group.name
}
I think these are the equivalents for the first 2 (FQDN and Domain Organizational Unit):
  # Windows Authentication with Active Directory
  domain_fqdn = "xxxxx"
  domain_ou   = "xxxxxxxxxxxxxx"
but I don't know how to set the other 3 pending ones.
Any idea how to make it work?
Thanks!
Upvotes: 0
Views: 186
Reputation: 11
I finally managed to do it; this is the way I did it:
resource "aws_db_instance" "new_sql_server_instance" {
  identifier     = var.cluster_name
  # engine name, version and port come from the entry of var.database_parameters whose name matches var.engine
  engine         = lookup([for sg in var.database_parameters : sg if sg.name == var.engine][0], "name", "")
  engine_version = lookup([for sg in var.database_parameters : sg if sg.name == var.engine][0], "version", "")
  instance_class = var.instance_class
  username       = var.master_username
  password       = var.master_password
  port           = lookup([for sg in var.database_parameters : sg if sg.name == var.engine][0], "port", "")
  license_model  = "license-included"
  storage_encrypted         = true # bool, not the string "true"
  storage_type              = "gp2"
  allocated_storage         = 100
  final_snapshot_identifier = "final-snapshot-sqlserver"
  db_subnet_group_name      = aws_db_subnet_group.db_subnet_group.name
  multi_az                  = true
  vpc_security_group_ids    = [aws_security_group.dba_security_group_ip.id, aws_security_group.app_security_group_ip.id]
  skip_final_snapshot       = true
  backup_retention_period   = 7
  backup_window             = "03:00-04:00"
  maintenance_window        = "sun:05:00-sun:06:00"
  apply_immediately         = true
  parameter_group_name      = aws_db_parameter_group.rds_instance_parameter_group.name

  # Windows Authentication with Active Directory (AWS Managed Microsoft AD).
  # `domain` takes the Directory Service directory ID (d-xxxxxxxxxx), not the DNS name,
  # so reference the directory resource created below.
  domain               = aws_directory_service_directory.self_managed_ad_directory.id
  # IAM role trusted by rds.amazonaws.com with the AmazonRDSDirectoryServiceAccess policy attached (defined elsewhere)
  domain_iam_role_name = aws_iam_role.sql_ad_role.name
  depends_on           = [aws_iam_role.sql_ad_role]

  # Enable Performance Insights
  performance_insights_enabled          = true
  performance_insights_retention_period = contains(["PROD", "prod"], substr(var.cluster_name, 0, 4)) ? 62 : 7 # Options: 7 to 731 in multiples of 31 (default is 7 days); 62 is 2 months

  tags = {
    Environment = var.environment
    CostString  = "CostString"
    AppID       = "AppID"
    adDomain    = "xxx.com"
    adGroup     = "adGroup"
    adOU        = "OU=RDS,OU=AWS,OU=xxx,OU=xxx,OU=xxx,DC=xx,DC=xx,DC=xxxx,DC=com"
  }

  timeouts {
    create = "120m" # Adjust the time as needed, e.g., 60 minutes
    update = "120m"
    delete = "120m"
  }
}

# Create the directory the instance joins. Note: this is AWS Managed Microsoft AD,
# not a self-managed domain; the self-managed form uses domain_fqdn/domain_ou instead.
resource "aws_directory_service_directory" "self_managed_ad_directory" {
  name     = "xxxx.com"
  # directory Admin password; use a dedicated secret here rather than reusing the DB master password
  password = var.master_password
  type     = "MicrosoftAD"
  edition  = "Standard"
  vpc_settings {
    vpc_id     = data.aws_vpc.vpc_id.id
    subnet_ids = var.subnet_ids
  }
}
Upvotes: 0
Reputation: 18203
There should be a way to add those, it's only that some of the arguments are required for a certain combination. Since you have opted to use domain_fqdn and domain_ou, the following arguments are required:
As the documentation says the following for both:
(Optional, but required if domain_fqdn is provided)
Upvotes: 0
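To show what the "required if domain_fqdn is provided" combination looks like in full, here is the self-managed AD variant of the same resource as an added example (not code from either poster): it uses the aws_db_instance arguments domain_fqdn, domain_ou, domain_auth_secret_arn and domain_dns_ips instead of domain/domain_iam_role_name. The secret name, the KMS key and join-account variables, the domain name, the OU and the DNS IPs are placeholders or assumptions; the two JSON key names are the ones RDS reads from the secret.

```hcl
# Domain-join service account credentials, stored in Secrets Manager.
# RDS reads the secret value as JSON with exactly these two keys; the account
# only needs rights to create/join computer objects in the target OU.
resource "aws_secretsmanager_secret" "rds_ad_join" {
  name       = "rds-sqlserver-ad-join" # assumed name
  kms_key_id = var.secret_kms_key_id   # assumed: a customer managed KMS key
}

resource "aws_secretsmanager_secret_version" "rds_ad_join" {
  secret_id = aws_secretsmanager_secret.rds_ad_join.id
  secret_string = jsonencode({
    CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME = var.ad_join_username # assumed variables
    CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD = var.ad_join_password
  })
}

resource "aws_db_instance" "new_sql_server_instance" {
  identifier              = var.cluster_name
  engine                  = var.engine
  engine_version          = var.engine_version
  instance_class          = var.instance_class
  username                = var.master_username
  password                = var.master_password
  port                    = var.port
  license_model           = "license-included"
  storage_encrypted       = true
  storage_type            = "gp2"
  allocated_storage       = 100
  db_subnet_group_name    = aws_db_subnet_group.db_subnet_group.name
  multi_az                = true
  vpc_security_group_ids  = [aws_security_group.dba_security_group_ip.id, aws_security_group.app_security_group_ip.id]
  skip_final_snapshot     = true
  backup_retention_period = 7
  parameter_group_name    = aws_db_parameter_group.rds_instance_parameter_group.name

  # Windows Authentication with a self-managed (on-premises / EC2-hosted) Active Directory.
  # No directory ID and no IAM role here; those belong to the AWS Managed Microsoft AD form.
  domain_fqdn            = "corp.example.com"                        # placeholder domain
  domain_ou              = "OU=RDS,OU=AWS,DC=corp,DC=example,DC=com"  # placeholder OU
  domain_auth_secret_arn = aws_secretsmanager_secret.rds_ad_join.arn
  domain_dns_ips         = ["10.0.0.10", "10.0.1.10"]                 # constructed: your domain controllers' DNS IPs

  depends_on = [aws_secretsmanager_secret_version.rds_ad_join]
}
```

The RDS subnets still need network reachability to the domain controllers (DNS, Kerberos, LDAP and the other domain-join ports), so check the security groups and routes before applying. Keep the join account a dedicated, least-privilege account rather than a domain administrator.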