Add LDAPS configuration support for aws_directory_service_directory #12636

Open
ablackrw opened this issue Apr 2, 2020 · 6 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ds Issues and PRs that pertain to the ds service.

Comments

@ablackrw

ablackrw commented Apr 2, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Per Microsoft security advisory ADV190023, Microsoft is deprecating the use of insecure LDAP connections to domain controllers. As such, it will be necessary to configure the CA certificates and LDAPS configuration of aws_directory_service_directory resources of type ADConnector or MicrosoftAD to avoid communications disruptions.

New or Affected Resource(s)

  • aws_directory_service_directory

Potential Terraform Configuration

resource "aws_directory_service_directory" "example" {
  name     = var.adc_domain
  password = var.adc_pass
  size     = "Small"
  type     = "ADConnector"

  # Proposed attribute: the PEM bodies of the CA certificates to register.
  # HCL has no key-less map, so the collection is a list rather than `{ ... }`.
  certificates = [
    file("path/to/file"),
    file("path/to/file"),
  ]
}

This design assumes that LDAPS is to be enabled if one or more certificates are specified.

An alternate design would be similar to the following:

resource "aws_directory_service_directory" "example" {
  name     = var.adc_domain
  password = var.adc_pass
  size     = "Small"
  type     = "ADConnector"
  ldaps    = true
}

resource "aws_directory_service_certificate" "example" {
  directory = aws_directory_service_directory.example.arn
  file      = file("path/to/file")
}

However, this design fails to encapsulate the requirement that at least one certificate be associated with a directory before ldaps can be enabled.

References

@LozanoMatheus

LozanoMatheus commented Jul 12, 2021

I think we'll also need to add the EnableLDAPS, DisableLDAPS and DescribeLDAPSSettings. I'm curious how the Enable/Disable works since both have the same fields/values.

@OriBenHur-akeyless

Anything new about this?

@wxGold

wxGold commented Sep 28, 2022

Any update please?

@stefano-n26

Is this still ongoing?

@cacack

cacack commented Dec 13, 2022

I found my way here for the same needs -- enabling LDAPS for Active Directory Connector.

Pending a feature improvement to the provider, has anyone solved this via a workaround? I'm specifically thinking of using the local provisioner to run a Python script and leverage boto3 to inject the certs and enable LDAPS mode. Or will this be more trouble than it is worth, and should we just stick to doing this out-of-band to our TF pipelines?

@uo-thomas

@cacack We currently use a null_resource with a local-exec provisioner and just call the API:

resource "null_resource" "ad_connector_cert_register" {
  provisioner "local-exec" {
    command = "aws ds register-certificate --region ${local.region} --directory-id ${aws_directory_service_directory.ad_connector.id} --certificate-data file://FILE.cer"
  }

  depends_on = [
    aws_directory_service_directory.ad_connector
  ]
}

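The ordering the issue body wants a resource to encapsulate (at least one certificate must be registered before LDAPS can be enabled) and the full sequence behind the local-exec workaround above (which registers the certificate but never calls EnableLDAPS), as an added Python example. This is not code from terraform-provider-aws or from any commenter. The boto3 Directory Service method names and response keys it calls (register_certificate, describe_certificate, enable_ldaps, describe_ldaps_settings) are the real API; the function names enable_client_ldaps and register_certificates, the FakeDirectoryService class, the directory id d-1234567890 and the CA_PEM string are constructed so that the logic runs offline.

```python
"""Register CA certificates with AWS Directory Service, wait for them to settle,
then enable client-side LDAPS. Added example for this issue; not provider code."""
import time


class LdapsError(RuntimeError):
    """A certificate or the LDAPS setting ended in a failed state, or we timed out."""


def _wait(check, poll, timeout, what):
    """Poll check() until it returns True; raise LdapsError on timeout."""
    deadline = time.monotonic() + timeout
    while not check():
        if time.monotonic() > deadline:
            raise LdapsError(f"timed out waiting for {what}")
        time.sleep(poll)


def register_certificates(ds, directory_id, cert_pems, poll=2.0, timeout=300.0):
    """Register each PEM CA certificate and block until all are Registered."""
    cert_ids = []
    for pem in cert_pems:
        if "-----BEGIN CERTIFICATE-----" not in pem:
            raise LdapsError("certificate data must be a PEM-encoded certificate")
        # Type="ClientLDAPS" marks the certificate as a CA for client-side LDAPS.
        resp = ds.register_certificate(
            DirectoryId=directory_id, CertificateData=pem, Type="ClientLDAPS")
        cert_ids.append(resp["CertificateId"])

    def all_registered():
        for cid in cert_ids:
            state = ds.describe_certificate(
                DirectoryId=directory_id, CertificateId=cid)["Certificate"]["State"]
            if state == "RegisterFailed":
                raise LdapsError(f"certificate {cid} failed to register")
            if state != "Registered":
                return False
        return True

    _wait(all_registered, poll, timeout, "certificate registration")
    return cert_ids


def ldaps_status(ds, directory_id):
    """Client-side LDAPS status, or 'Disabled' when the directory reports none."""
    info = ds.describe_ldaps_settings(
        DirectoryId=directory_id, Type="Client")["LDAPSSettingsInfo"]
    return info[0]["LDAPSStatus"] if info else "Disabled"


def enable_client_ldaps(ds, directory_id, cert_pems, poll=2.0, timeout=300.0):
    """Refuse an empty certificate list, register and settle the certificates,
    then enable LDAPS (skipped when it is already Enabled)."""
    if not cert_pems:
        raise LdapsError("at least one CA certificate is required before LDAPS can be enabled")
    cert_ids = register_certificates(ds, directory_id, cert_pems, poll, timeout)
    if ldaps_status(ds, directory_id) != "Enabled":
        ds.enable_ldaps(DirectoryId=directory_id, Type="Client")

        def enabled():
            status = ldaps_status(ds, directory_id)
            if status == "EnableFailed":
                raise LdapsError("LDAPS enablement failed")
            return status == "Enabled"

        _wait(enabled, poll, timeout, "LDAPS enablement")
    return cert_ids


class FakeDirectoryService:
    """Constructed offline stand-in for boto3.client('ds'). Certificates and the
    LDAPS setting become ready after `settle_after` describe calls; enable_ldaps
    is refused while no certificate is Registered, as the real service does."""

    def __init__(self, settle_after=2):
        self.settle_after = settle_after
        self.certs = {}             # certificate id -> [state, polls left]
        self.ldaps = ["Disabled", 0]
        self.calls = []

    def register_certificate(self, DirectoryId, CertificateData, Type=None):
        cid = f"c-{len(self.certs) + 1:03d}"
        self.certs[cid] = ["Registering", self.settle_after]
        self.calls.append("register_certificate")
        return {"CertificateId": cid}

    def describe_certificate(self, DirectoryId, CertificateId):
        st = self.certs[CertificateId]
        if st[0] == "Registering":
            st[1] -= 1
            if st[1] <= 0:
                st[0] = "Registered"
        return {"Certificate": {"CertificateId": CertificateId, "State": st[0]}}

    def enable_ldaps(self, DirectoryId, Type):
        if not any(st[0] == "Registered" for st in self.certs.values()):
            raise RuntimeError("NoAvailableCertificateException")
        self.calls.append("enable_ldaps")
        self.ldaps = ["Enabling", self.settle_after]
        return {}

    def describe_ldaps_settings(self, DirectoryId, Type):
        if self.ldaps[0] == "Enabling":
            self.ldaps[1] -= 1
            if self.ldaps[1] <= 0:
                self.ldaps[0] = "Enabled"
        return {"LDAPSSettingsInfo": [{"LDAPSStatus": self.ldaps[0]}]}


# Constructed placeholder; in practice this is the CA that issued the LDAPS
# server certificates on your domain controllers.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import boto3  # only needed when run for real, e.g. from a local-exec provisioner
    print(enable_client_ldaps(boto3.client("ds"), "d-1234567890", [CA_PEM]))
```

Run against the real client, this is the same sequence the CLI exposes as `aws ds register-certificate`, `aws ds describe-certificate`, `aws ds enable-ldaps --type Client` and `aws ds describe-ldaps-settings --type Client`; the describe polls matter because a certificate sits in Registering for a while and EnableLDAPS is rejected until one is Registered.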