
Manage gMSA (Group Managed Service Account)

Open jpatigny opened this issue 4 years ago • 5 comments

Description

Add a resource to manage gMSAs based on the PowerShell cmdlets New-ADServiceAccount, Set-ADServiceAccount and Remove-ADServiceAccount.

I'm aware that there are a lot of parameters available. Maybe it would be worth focusing on the main ones (refer to the examples below, taken mainly from the Microsoft documentation page).

Potential Terraform Configuration

Example 1: Create an enabled managed service account

resource "ad_gmsa" "gmsa_example1" {
  Name        = "Service01"
  DnsHostname = "Service01.contoso.com"
  Enable      = true
}

Example 2: Create a managed service account and register its service principal name

resource "ad_gmsa" "gmsa_example2" {
  Name                  = "Service01"
  DnsHostname           = "Service01.contoso.com"
  ServicePrincipalNames = "MSSQLSVC/Machine3.corp.contoso.com"
}

Example 3: Create a managed service account for a single computer

resource "ad_gmsa" "gmsa_example3" {
  Name                     = "Service01"
  RestrictToSingleComputer = true
}

Example 4: Create a managed service account for outbound authentication only

resource "ad_gmsa" "gmsa_example4" {
  Name                                 = "Service01"
  RestrictToOutboundAuthenticationOnly = true
}

Example 5: Create a managed service account for specific computers.

resource "ad_gmsa" "gmsa_example5" {
  name                                       = "Service01"
  dnshostname                                = "Service01.contoso.com"
  enable                                     = true
  PrincipalsAllowedToRetrieveManagedPassword = ["computer1", "computer2" ]
  KerberosEncryptionType                     = "AES256"
  ManagedPasswordIntervalInDay               = 30
}

References

  • https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps
  • https://docs.microsoft.com/en-us/powershell/module/addsadministration/set-adserviceaccount?view=win10-ps
  • https://docs.microsoft.com/en-us/powershell/module/addsadministration/remove-adserviceaccount?view=win10-ps

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

jpatigny, Nov 07 '20 12:11

+1 this is a major part of our current Windows deployment process. We also typically create a group that contains computers, and set the group to be the lone member of PrincipalsAllowedToRetrieveManagedPassword for example.

briantist, Nov 18 '20 20:11
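What an ad_gmsa resource would have to do on the domain controller side for Example 5 combined with the group pattern briantist describes, written out in the underlying PowerShell cmdlets. This is an added example, not code from terraform-provider-ad; the group name "gMSA-Service01-Hosts", the computer accounts SRV01 and SRV02 and the contoso.com domain are assumed placeholders.

```powershell
# Added example (not from terraform-provider-ad): create a gMSA whose managed
# password can be retrieved only by members of one host group, then read the
# account back and compare it with the desired state, as a provider's Create
# and Read steps would. Group and computer names are assumed placeholders.
Import-Module ActiveDirectory

$GmsaName    = 'Service01'
$DnsHostName = 'Service01.contoso.com'
$HostGroup   = 'gMSA-Service01-Hosts'   # assumed group name

# The host group is the whole access-control story for this account: only its
# members can fetch the password, so membership deserves the same review as
# any privileged group.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $HostGroup -Members 'SRV01$', 'SRV02$'
}

# Create (mirrors the attributes in Example 5; AES256 only, 30-day rotation).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $DnsHostName `
        -Enabled $true `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30
}

# Read back the attributes a provider would track, and report drift.
$acct = Get-ADServiceAccount -Identity $GmsaName -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType,
    ManagedPasswordIntervalInDays, DNSHostName
$groupDn = (Get-ADGroup -Identity $HostGroup).DistinguishedName
$allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword | Sort-Object) -join ';'

$drift = @()
if ($allowed -ne $groupDn)                        { $drift += 'PrincipalsAllowedToRetrieveManagedPassword' }
if ("$($acct.KerberosEncryptionType)" -ne 'AES256') { $drift += 'KerberosEncryptionType' }
if ($acct.ManagedPasswordIntervalInDays -ne 30)   { $drift += 'ManagedPasswordIntervalInDays' }
if ($acct.DNSHostName -ne $DnsHostName)           { $drift += 'DNSHostName' }

if ($drift.Count -eq 0) {
    Write-Output "$GmsaName matches desired state"
} else {
    Write-Output "$GmsaName drifted on: $($drift -join ', ')"
    # Update step: reset the retrieval principals to the single group.
    Set-ADServiceAccount -Identity $GmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}
```

The drift check is the part worth keeping in a provider's Read: an extra principal in PrincipalsAllowedToRetrieveManagedPassword silently widens who can obtain the account's password.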

Working on this one

jpatigny, Jan 26 '21 08:01

Note about this example

resource "ad_gmsa" "gmsa_example3" {
  Name                     = "Service01"
  RestrictToSingleComputer = true
}

This is an MSA, but not a gMSA. The *-ADServiceAccount cmdlets are used for both. It might be a good time to decide whether there should be separate msa/gmsa resources, or a single resource that manages both. Some params to those cmdlets apply to both types, some only apply to one or the other.

For supporting MSAs, you'll also want to look at Install-ADServiceAccount so that the acct will be usable on the local machine, although I'm not sure how that'd be handled since it doesn't execute on the domain controller (but does need to access the DC). That command "works" with gMSAs too, as in it won't fail, but it's a no-op.

briantist, Jan 26 '21 17:01

> Working on this one

@jpatigny Did you manage to get anything together for this?

ruant, Nov 09 '22 08:11

This would be a neat feature, any news on this one?

benjamin-rousseau-shift, Sep 29 '23 07:09