A Terraform module for deploying a FreeIPA server.
# Example instantiation of the module for the server "ipa0". The `realm`
# argument is set here, and the Inputs table says realm is only used when the
# server is NOT a replica, so this presumably is the non-replica server —
# confirm against the deployment this example was taken from.
module "ipa0" {
# Pinned to a release tag of the upstream module. NOTE(review): a git tag can
# be moved upstream; where a reproducible, tamper-evident build is required,
# pin `ref=` to a commit SHA instead — confirm project policy.
source = "github.com/cisagov/freeipa-server-tf-module?ref=v1.0.0"
# These are SSM Parameter Store *keys*, not the values: the customer ID and
# the comma-delimited tag list for the CrowdStrike Falcon sensor. The module
# lists a `read_ssm_parameters` child module, so the values are presumably
# fetched at provisioning time — verify in the module source.
crowdstrike_falcon_sensor_customer_id_key = "/thulsa/doom/falcon/customer_id"
crowdstrike_falcon_sensor_tags_key = "/thulsa/doom/falcon/tags"
domain = "example.com"
hostname = "ipa0.example.com"
# A fixed address is required so that DNS records do not depend on the EC2
# resource (allows replacing servers one at a time on a new AMI). It must lie
# inside the subnet's CIDR block, avoiding the first four and the last
# address, which AWS reserves.
ip = "10.10.10.4"
# SSM Parameter Store keys for linking the Nessus Agent. Per the Inputs table
# the value behind `nessus_key_key` is a secret: NOTE(review): confirm it is
# stored as a SecureString parameter and readable only by the instance role.
nessus_hostname_key = "/thulsa/doom/nessus/hostname"
nessus_key_key = "/thulsa/doom/nessus/key"
nessus_port_key = "/thulsa/doom/nessus/port"
# At most 15 characters; uppercase letters, digits and dashes only.
netbios_name = "EXAMPLE"
# Kerberos realm; ignored when the server is deployed as a replica.
realm = "EXAMPLE.COM"
# Example IDs. The security groups must exist in the same VPC as the subnet
# referenced by `subnet_id`.
security_group_ids = ["sg-51530134", "sg-51530245"]
subnet_id = aws_subnet.first_subnet.id
}
# Second server "ipa1" in a different subnet. `realm` is omitted, so it takes
# the module default ("EXAMPLE.COM" per the Inputs table); because realm is
# ignored for replicas, this presumably is the replica of ipa0 — confirm.
module "ipa1" {
# Same pinned release as ipa0 so both servers run identical module code.
# NOTE(review): a tag can be moved upstream; pin a commit SHA where a
# reproducible build is required — confirm project policy.
source = "github.com/cisagov/freeipa-server-tf-module?ref=v1.0.0"
# SSM Parameter Store keys (not values) for the CrowdStrike Falcon customer ID
# and tag list; shared with ipa0 so both sensors register identically.
crowdstrike_falcon_sensor_customer_id_key = "/thulsa/doom/falcon/customer_id"
crowdstrike_falcon_sensor_tags_key = "/thulsa/doom/falcon/tags"
domain = "example.com"
hostname = "ipa1.example.com"
# Fixed address inside the second subnet's CIDR; see the `ip` input
# description for the reserved-address constraint and why it is fixed.
ip = "10.10.10.5"
# SSM Parameter Store keys for the Nessus Agent link; the value behind
# `nessus_key_key` is a secret — NOTE(review): confirm it is a SecureString
# parameter with read access limited to the instance role.
nessus_hostname_key = "/thulsa/doom/nessus/hostname"
nessus_key_key = "/thulsa/doom/nessus/key"
nessus_port_key = "/thulsa/doom/nessus/port"
# At most 15 characters; uppercase letters, digits and dashes only.
netbios_name = "EXAMPLE"
# Must exist in the same VPC as `aws_subnet.second_subnet`.
security_group_ids = ["sg-51530134", "sg-51530245"]
subnet_id = aws_subnet.second_subnet.id
}
Name | Version |
---|---|
terraform | >= 1.1 |
aws | >= 4.9 |
cloudinit | >= 2.0 |
Name | Version |
---|---|
aws | >= 4.9 |
cloudinit | >= 2.0 |
Name | Source | Version |
---|---|---|
read_ssm_parameters | github.com/cisagov/ssm-read-role-tf-module | n/a |
Name | Type |
---|---|
aws_iam_instance_profile.ipa | resource |
aws_iam_role.ipa | resource |
aws_iam_role_policy.assume_delegated_role_policy | resource |
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment | resource |
aws_iam_role_policy_attachment.ssm_agent_policy_attachment | resource |
aws_instance.ipa | resource |
aws_ami.freeipa | data source |
aws_arn.subnet | data source |
aws_caller_identity.main | data source |
aws_default_tags.default | data source |
aws_iam_policy_document.assume_delegated_role_policy_doc | data source |
aws_iam_policy_document.assume_role_doc | data source |
aws_subnet.the_subnet | data source |
aws_vpc.the_vpc | data source |
cloudinit_config.configure_freeipa | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
ami_owner_account_id | The ID of the AWS account that owns the FreeIPA server AMI, or "self" if the AMI is owned by the same account as the provisioner. | string | "self" | no |
aws_instance_type | The AWS instance type to deploy (e.g. t3.medium). Two gigabytes of RAM is given as a minimum requirement for FreeIPA, but I have had intermittent problems when creating t3.small replicas. | string | "t3.medium" | no |
crowdstrike_falcon_sensor_customer_id_key | The SSM Parameter Store key whose corresponding value contains the customer ID for CrowdStrike Falcon (e.g. /cdm/falcon/customer_id). | string | n/a | yes |
crowdstrike_falcon_sensor_install_path | The install path of the CrowdStrike Falcon sensor (e.g. /opt/CrowdStrike). | string | "/opt/CrowdStrike" | no |
crowdstrike_falcon_sensor_tags_key | The SSM Parameter Store key whose corresponding value contains a comma-delimited list of tags that are to be applied to CrowdStrike Falcon (e.g. /cdm/falcon/tags). | string | n/a | yes |
domain | The domain for the IPA server (e.g. example.com). | string | n/a | yes |
hostname | The hostname of the IPA server (e.g. ipa.example.com). | string | n/a | yes |
ip | The IP address to assign the IPA server (e.g. 10.10.10.4). Note that the IP address must be contained inside the CIDR block corresponding to subnet_id, and AWS reserves the first four and the very last IP addresses. We have to assign an IP in order to break the dependency of DNS record resources on the corresponding EC2 resources; otherwise, it is impossible to update the IPA servers one by one, as is required when a new AMI is created. | string | n/a | yes |
nessus_agent_install_path | The install path of Nessus Agent (e.g. /opt/nessus_agent). | string | "/opt/nessus_agent" | no |
nessus_groups | A list of strings, each of which is the name of a group in the CDM Tenable Nessus server that the Nessus Agent should join (e.g. ["group1", "group2"]). | list(string) | [ "COOL_Fed_32" ] | no |
nessus_hostname_key | The SSM Parameter Store key whose corresponding value contains the hostname of the CDM Tenable Nessus server to which the Nessus Agent should link (e.g. /cdm/nessus/hostname). | string | n/a | yes |
nessus_key_key | The SSM Parameter Store key whose corresponding value contains the secret key that the Nessus Agent should use when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/key). | string | n/a | yes |
nessus_port_key | The SSM Parameter Store key whose corresponding value contains the port to which the Nessus Agent should connect when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/port). | string | n/a | yes |
netbios_name | The NetBIOS name to be used by the server (e.g. EXAMPLE). Note that NetBIOS names are restricted to at most 15 characters, which must consist only of uppercase letters, numbers, and dashes. | string | n/a | yes |
realm | The realm for the IPA server (e.g. EXAMPLE.COM). Only used if this IPA server IS NOT intended to be a replica. | string | "EXAMPLE.COM" | no |
root_disk_size | The size of the IPA instance's root disk in GiB. | number | 8 | no |
security_group_ids | A list of IDs corresponding to security groups to which the server should belong (e.g. ["sg-51530134", "sg-51530245"]). Note that these security groups must exist in the same VPC as the server. | list(string) | [] | no |
subnet_id | The ID of the AWS subnet into which to deploy the IPA server (e.g. subnet-0123456789abcdef0). | string | n/a | yes |
Name | Description |
---|---|
server | The IPA server EC2 instance. |
Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, these are the main directory and every directory under `examples/`.
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.