Add LDAPS configuration support for aws_directory_service_directory #12636
Closed as not planned
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Per Microsoft security advisory ADV190023, Microsoft is deprecating the use of insecure LDAP connections to domain controllers. As such, it will be necessary to configure the CA certificates and LDAPS configuration of `aws_directory_service_directory` resources of type `ADConnector` or `MicrosoftAD` to avoid communications disruptions.
New or Affected Resource(s)
- aws_directory_service_directory
Potential Terraform Configuration
```hcl
resource "aws_directory_service_directory" "example" {
  name     = var.adc_domain
  password = var.adc_pass
  size     = "Small"
  type     = "ADConnector"

  # required by the provider for type = "ADConnector"
  connect_settings {
    customer_dns_ips  = var.adc_dns_ips
    customer_username = var.adc_user
    subnet_ids        = var.adc_subnet_ids
    vpc_id            = var.adc_vpc_id
  }

  # proposed attribute: the PEM bodies of the CA certificates to register.
  # A list literal is used here; a brace-delimited block with bare values
  # is not valid HCL.
  certificates = [
    file("path/to/file"),
    file("path/to/file"),
  ]
}
```
This design assumes that LDAPS is to be enabled if one or more certificates are specified.
An alternate design would be similar to the following:
```hcl
resource "aws_directory_service_directory" "example" {
  name     = var.adc_domain
  password = var.adc_pass
  size     = "Small"
  type     = "ADConnector"

  # required by the provider for type = "ADConnector"
  connect_settings {
    customer_dns_ips  = var.adc_dns_ips
    customer_username = var.adc_user
    subnet_ids        = var.adc_subnet_ids
    vpc_id            = var.adc_vpc_id
  }

  # proposed attribute
  ldaps = true
}

# proposed resource: one registered CA certificate per instance
resource "aws_directory_service_certificate" "example" {
  directory = aws_directory_service_directory.example.arn
  file      = file("path/to/file")
}
```
However, this design fails to encapsulate the requirement that at least one certificate be associated with a directory before ldaps can be enabled.
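The ordering constraint the two designs above try to capture, shown as a script against the AWS Directory Service API rather than as provider configuration. This is an added example, not part of the issue and not code from the AWS provider: register the CA certificate(s), wait until each reaches the Registered state, and only then enable client-side LDAPS. The method names and response fields used (`register_certificate`, `describe_certificate`, `enable_ldaps`, `describe_ldaps_settings`, the `Registered` and `Enabled` states) follow the AWS Directory Service API reference as I understand it; `FakeDirectoryService`, `SAMPLE_CA_PEM` and the directory ID are constructed so the flow runs offline, and the exception name the fake raises is assumed.

```python
"""Enable client-side LDAPS on an AWS Directory Service directory in the order
the API requires: RegisterCertificate, wait for Registered, then EnableLDAPS.
The client is passed in, so a fake can stand in for boto3.client("ds")."""
import base64
import re
import time

# Matches each certificate in a PEM bundle (the CA that issued the domain
# controllers' LDAPS server certificates is what gets registered).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# State names as given in the Directory Service API reference (assumed).
CERT_DONE, CERT_FAILED = "Registered", {"RegisterFailed", "Deregistered", "DeregisterFailed"}
LDAPS_DONE, LDAPS_FAILED = "Enabled", {"EnableFailed", "Disabled"}


def parse_pem_certificates(pem_text: str) -> list:
    """Return the DER bytes of each certificate in pem_text.

    Only the PEM framing and the outer DER SEQUENCE tag are checked; that is
    enough to reject a wrong file path or a key file before any API call."""
    ders = []
    for match in PEM_CERT_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return ders


def _wait_for(describe, done, failed, what, sleep, attempts):
    """Poll describe() until it returns `done`; raise on a failure state or timeout."""
    for _ in range(attempts):
        state = describe()
        if state == done:
            return state
        if state in failed:
            raise RuntimeError(f"{what} ended in state {state}")
        sleep(5)
    raise TimeoutError(f"{what} not {done} after {attempts} polls")


def enable_client_ldaps(ds, directory_id, ca_pems, sleep=time.sleep, attempts=60):
    """Register every PEM in ca_pems, wait for each to be Registered, then enable
    client LDAPS. Returns the CertificateIds in registration order."""
    if not ca_pems:
        # The invariant the Terraform proposals want to encapsulate: the API
        # rejects EnableLDAPS unless at least one certificate is registered.
        raise ValueError("LDAPS needs at least one CA certificate registered first")
    cert_ids = []
    for pem in ca_pems:
        parse_pem_certificates(pem)  # fail fast on a malformed file
        resp = ds.register_certificate(DirectoryId=directory_id, CertificateData=pem)
        cert_ids.append(resp["CertificateId"])
    for cert_id in cert_ids:  # registration is asynchronous; wait for each one
        _wait_for(
            lambda: ds.describe_certificate(DirectoryId=directory_id, CertificateId=cert_id)["Certificate"]["State"],
            CERT_DONE, CERT_FAILED, f"certificate {cert_id}", sleep, attempts)
    ds.enable_ldaps(DirectoryId=directory_id, Type="Client")
    _wait_for(
        lambda: ds.describe_ldaps_settings(DirectoryId=directory_id, Type="Client")["LDAPSSettingsInfo"][0]["LDAPSStatus"],
        LDAPS_DONE, LDAPS_FAILED, "client LDAPS", sleep, attempts)
    return cert_ids


# Constructed placeholder: a minimal DER SEQUENCE, not a real X.509 certificate.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
                 + "\n-----END CERTIFICATE-----\n")


class FakeDirectoryService:
    """Constructed stand-in for boto3.client("ds") so the flow runs offline.
    It mimics the precondition the real service enforces: EnableLDAPS fails
    while no certificate is Registered. Response shapes follow the API docs."""

    def __init__(self):
        self.calls, self.certs, self.ldaps = [], {}, "Disabled"

    def register_certificate(self, DirectoryId, CertificateData):
        self.calls.append("RegisterCertificate")
        cert_id = f"c-{len(self.certs) + 1:012d}"
        self.certs[cert_id] = "Registering"
        return {"CertificateId": cert_id}

    def describe_certificate(self, DirectoryId, CertificateId):
        self.calls.append("DescribeCertificate")
        state = self.certs[CertificateId]
        self.certs[CertificateId] = "Registered"  # ready on the next poll
        return {"Certificate": {"CertificateId": CertificateId, "State": state}}

    def enable_ldaps(self, DirectoryId, Type):
        self.calls.append("EnableLDAPS")
        if "Registered" not in self.certs.values():
            raise RuntimeError("NoAvailableCertificateException")  # name assumed
        self.ldaps = "Enabling"
        return {}

    def describe_ldaps_settings(self, DirectoryId, Type):
        self.calls.append("DescribeLDAPSSettings")
        status = self.ldaps
        self.ldaps = "Enabled"  # completes on the next poll
        return {"LDAPSSettingsInfo": [{"LDAPSStatus": status}]}


if __name__ == "__main__":
    # Swap in boto3.client("ds"), a real directory ID and a real CA bundle.
    client = FakeDirectoryService()
    ids = enable_client_ldaps(client, "d-1234567890", [SAMPLE_CA_PEM], sleep=lambda s: None)
    print("registered", ids, "calls", client.calls)
```

The script refuses to proceed with an empty certificate list and polls `DescribeCertificate` before calling `EnableLDAPS`, which is exactly the dependency that a separate `aws_directory_service_certificate` resource cannot express on its own; in Terraform the same ordering would have to come from the provider (design one) or from an explicit `depends_on` plus a precondition on the certificate count (design two).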