Tags: powershell, terraform, terraform-provider-azure

Add safemodeadminpassword to locals in terraform


Trying to create a lab with one domain controller, and I'm trying to join that VM to a new AD forest, but I'm having trouble adding the SafeModeAdministratorPassword without adding the password as plaintext.

The password is generated by random_password provider:

resource "random_password" "rndm-pass-vm" {
  length  = 12
  special = true
}

resource "azurerm_key_vault_secret" "kv-sec-vm-pass" {
  name         = "kv-sec-vm-pass"
  value        = random_password.rndm-pass-vm.result
  key_vault_id = azurerm_key_vault.kvne01.id
  depends_on   = [azurerm_key_vault.kvne01]
}

resource "azurerm_virtual_machine_extension" "dc01-ad" {
  name                       = "dc01-ad-ps1"
  virtual_machine_id         = azurerm_windows_virtual_machine.rgne1-vm01.id
  depends_on                 = [azurerm_managed_disk.dc01-ntds]
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.9"
  auto_upgrade_minor_version = true

  # "settings" is stored by Azure unencrypted and is readable through the API;
  # a command that carries a secret belongs in "protected_settings" (same JSON shape).
  settings = <<SETTINGS
  {
    "commandToExecute": "powershell.exe -Command \"${local.powershell}\""
  }
  SETTINGS
}

locals {
  cmd01      = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
  cmd02      = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
  cmd03      = "Import-Module ADDSDeployment, DnsServer"
  # The password is single-quoted (any embedded ' doubled) so PowerShell does not
  # interpret the special characters that random_password generates.
  cmd04      = "Install-ADDSForest -DomainName ${var.domain_name} -DomainNetbiosName ${var.domain_netbios_name} -DomainMode ${var.domain_mode} -ForestMode ${var.domain_mode} -DatabasePath ${var.database_path} -SysvolPath ${var.sysvol_path} -LogPath ${var.log_path} -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (ConvertTo-SecureString '${replace(var.safe_mode_administrator_password, "'", "''")}' -AsPlainText -Force)"
  powershell = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
}

Solution

  • If your resource declarations are OK, you need to create a file named variables.tf and insert the following code:

    variable "safe_mode_administrator_password" {
      type        = string
      description = "The password for the Safe Mode Administrator account."
      sensitive   = true
    }
    

    Declaring the variable as sensitive is a recommendation to protect the secret: https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-variables

    And you can check by running:

    terraform plan
    

    That will show you the following screen:

    [screenshot: terraform plan output prompting for the safe mode admin password]

    And you can continue to execute the terraform apply command.

    Update:

    To generate the password and use it inside the command, you can declare in the locals block:

    resource "random_password" "rndm-pass-vm" {
      length  = 12
      special = true
    }

    locals {
      # random_password.result is a sensitive value, so this local is sensitive too
      generated_password = random_password.rndm-pass-vm.result
      cmd01      = "Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools"
      cmd02      = "Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools"
      cmd03      = "Import-Module ADDSDeployment, DnsServer"
      # single-quote the password (doubling any embedded ') so PowerShell does not parse its special characters
      cmd04      = "Install-ADDSForest -DomainName 'test.domain' -DomainNetbiosName 'test' -NoRebootOnCompletion:$false -Force:$true -SafeModeAdministratorPassword (ConvertTo-SecureString '${replace(local.generated_password, "'", "''")}' -AsPlainText -Force)"
      powershell = "${local.cmd01}; ${local.cmd02}; ${local.cmd03}; ${local.cmd04}"
    }
    

    And update the command to use it:

    ... -SafeModeAdministratorPassword (ConvertTo-SecureString '${replace(local.generated_password, "'", "''")}' -AsPlainText -Force)" ...
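As an added example (not the question's or the answer's code), here is the same forest-promotion pattern restructured so that the DSRM password never shows in `terraform plan` output and never lands in the extension's unencrypted `settings`. It assumes the resource names from the question (`azurerm_windows_virtual_machine.rgne1-vm01`, `azurerm_key_vault.kvne01`, `azurerm_managed_disk.dc01-ntds`) already exist, that `var.domain_name` and `var.domain_netbios_name` are declared, and that Terraform is 0.14 or newer (for `textencodebase64`); the `override_special` character set and the resource names `dsrm` / `dc01_ad` are choices made for this example.

```hcl
# Generated password: restrict the special characters to ones that need no
# escaping in cmd.exe or PowerShell (this set is an assumption, not a requirement).
resource "random_password" "dsrm" {
  length           = 20
  special          = true
  override_special = "-_=+!#@"
}

# Keep a copy in Key Vault; this is where an operator should read it from.
resource "azurerm_key_vault_secret" "dsrm" {
  name         = "dc01-dsrm-password"
  value        = random_password.dsrm.result
  key_vault_id = azurerm_key_vault.kvne01.id
}

locals {
  # Double any single quote so the value survives PowerShell single quoting.
  # random_password.result is sensitive, so every local derived from it is too.
  dsrm_pw_ps = replace(random_password.dsrm.result, "'", "''")

  # The script is written as plain PowerShell, not as a cmd.exe-quoted one-liner.
  # Only "${" is special to Terraform here; "$pw" and "$false" pass through as-is.
  promote_script = <<-EOT
    Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
    Install-WindowsFeature DNS -IncludeAllSubFeature -IncludeManagementTools
    Import-Module ADDSDeployment, DnsServer
    $pw = ConvertTo-SecureString '${local.dsrm_pw_ps}' -AsPlainText -Force
    Install-ADDSForest -DomainName '${var.domain_name}' `
      -DomainNetbiosName '${var.domain_netbios_name}' `
      -SafeModeAdministratorPassword $pw `
      -NoRebootOnCompletion:$false -Force:$true
  EOT

  # -EncodedCommand expects base64 of UTF-16LE text, so nothing in the script
  # has to be escaped for the cmd.exe layer that launches the extension command.
  encoded_command = textencodebase64(local.promote_script, "UTF-16LE")
}

resource "azurerm_virtual_machine_extension" "dc01_ad" {
  name                       = "dc01-ad-ps1"
  virtual_machine_id         = azurerm_windows_virtual_machine.rgne1-vm01.id
  depends_on                 = [azurerm_managed_disk.dc01-ntds]
  publisher                  = "Microsoft.Compute"
  type                       = "CustomScriptExtension"
  type_handler_version       = "1.9"
  auto_upgrade_minor_version = true

  # protected_settings is encrypted by Azure and decrypted only on the VM;
  # jsonencode does the JSON escaping instead of hand-written \" quoting.
  protected_settings = jsonencode({
    commandToExecute = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ${local.encoded_command}"
  })
}
```

Because the command is derived from a sensitive value and lives in `protected_settings`, `terraform plan` prints `(sensitive value)` for it rather than the script. The Terraform state file still holds the password (as it does for `random_password` and the Key Vault secret in the original code), so the state backend needs the same access controls as the Key Vault itself.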