ActiveDirectory Automation with AWS
At Wehkamp we want to enable teams to use what they need to get their job done. With AWS we can automate a lot, but servers joining and leaving our AD is not something AWS can provide. We have a hybrid setup and cannot do without our AD yet.
So how do we automate this?
Joining the AD
When joining a server in AD we use the user-data for EC2 instances (ec2-windows-user-data) combined with the Systems Manager Parameter Store to store the AD credentials used in a safe place. For the users, we provide Launch Templates so they need not worry about putting the script in place.
In the userdata script we can do a lot of stuff we want to do when deploying a server. As it is a run-once script we put our AD join at the end.
With the following Powershell function, we can get the credentials we stored in the Parameter Store. For this you need an instance role on the instance to access the Parameter Store.
And to use that in the script:
With those 2 pieces of code we can prepare our domain-join. For some services we automated everything and the DNS name doesn’t matter (cattle), so for that it’s pretty easy:
For those servers that have different needs (pets), we decided that users can fill in a tag that will be the computer name, and we can get that name when launching the server:
After that it’s almost the same:
We also do some other domain related stuff and a lot of other stuff in the user data, but I think you can easily expand the script to whatever you need. Now, that was the easy part.
Leaving the AD
Leaving the domain was a bit of a challenge, so after a brainstorming session we decided to use a setup with Lambda and SQS.
When terminating an instance, the lambda function is triggered and it gets the two tags we need. We get the computer name from those tags and put that in a message in a Simple Queuing Service (SQS) queue in one of our accounts.
First, we need a queue to post our computer name to. Nothing fancy, a normal queue does the trick. If you need to access that queue from other AWS accounts, make sure you give those accounts the permission to post a message.
After that, we can create a lambda function in our account that triggers on a cloudwatch event when an EC2 instance is terminated:
When everything is in place, whenever an instance is terminated you should have a message in the SQS queue.
Now we have to do one more thing, that is to pick up that message from the queue and do some AD magic with it. We have a domain-joined EC2 instance for some management tasks and we use the task scheduler on that instance to check every 5 minutes on the SQS queue and process the messages. Be sure you have an IAM instance profile on that instance with the rights for SQS.
We use Powershell to get the job done and here’s an example how to do it:
That’s it, mission completed!
We now have deleted a computer account in our own AD, with the help of Lambda and SQS, after the termination of the EC2 instance.
Thank you for taking the time to read this story! If you enjoyed reading this story, clap for me by clicking the 👏🏻 below so other people will see this here on Medium.
I work at Wehkamp.nl one of the biggest e-commerce companies of 🇳🇱
We do have a Tech blog, check it out and subscribe if you want to read more stories like this one. Or look at our job offers if you are looking for a great job!
