SourceFuse AWS Reference Architecture (ARC) Terraform module for managing Amazon WorkSpaces.
To see a Microsoft AD example, check out the main.tf file in the example folder.
```hcl
module "microsoft-ad-workspace" {
  source  = "sourcefuse/arc-workspace/aws"
  version = "1.0.9"

  region     = var.region
  vpc_id     = data.aws_vpc.vpc.id
  subnet_ids = data.aws_subnets.private.ids

  directory_type = var.directory_type
  directory_name = var.directory_name
  directory_size = var.directory_size

  self_service_permissions      = var.self_service_permissions
  workspace_access_properties   = var.workspace_access_properties
  workspace_creation_properties = var.workspace_creation_properties

  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn

  user_names            = var.user_names
  workspace_properties  = var.workspace_properties
  volume_encryption_key = var.volume_encryption_key
  ip_rules              = var.ip_rules // change it according to your requirement

  tags = module.tags.tags
}
```
To see an AD Connector example, check out the main.tf file in the example folder.

```hcl
module "ad-connector-workspace" {
  source  = "sourcefuse/arc-workspace/aws"
  version = "1.0.9"

  region     = var.region
  vpc_id     = data.aws_vpc.vpc.id
  subnet_ids = data.aws_subnets.private.ids

  directory_type = var.directory_type
  directory_name = var.directory_name
  directory_size = var.directory_size

  self_service_permissions      = var.self_service_permissions
  workspace_access_properties   = var.workspace_access_properties
  workspace_creation_properties = var.workspace_creation_properties

  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn

  user_names        = var.user_names
  customer_dns_ips  = var.customer_dns_ips
  customer_username = var.customer_username

  workspace_properties  = var.workspace_properties
  volume_encryption_key = var.volume_encryption_key
  ip_rules              = var.ip_rules // change it according to your requirement

  tags = module.tags.tags
}
```
Both examples look similar; the difference is `customer_dns_ips` and `customer_username`, which are required for AD Connector (it connects to an existing directory, so it needs that directory's DNS addresses and an account to connect with) but are not used for AWS Managed Microsoft AD.
For the `user_names` attribute shown in the examples there are two approaches you can follow:

- By default you can specify `Administrators` or `Admins`, which exist in the directory by default, and a workspace will be created for them.
- If you want custom user names, first run `terraform apply` with `user_names` empty (this creates the directory, the IAM roles and so on, but no workspaces), then create the users manually in the directory, add those usernames to `user_names` and re-run `terraform apply` so that a workspace with the appropriate configuration is created for each of them.
- Custom user names have to be created manually as described above; there is currently no way to create directory users from Terraform.
- You can specify any number of custom user names. If you specify, say, 5 custom user names, Terraform will create 5 workspaces, one per user.
- If you leave `user_names` empty, no workspace is created; only the directory, IAM roles etc. are created.
- Example of specifying custom user names:

```hcl
variable "user_names" {
  description = "List of usernames to create workspaces for"
  type        = map(string)
  default = {
    "mayank.sharma"  = null
    "james.crowley"  = null
    "travis.saucier" = null
  }
}
```

  Since we specified three custom user names, three workspaces will be created, one per user.

- Last but not least, and very important: if you are deploying in us-east-1, only the Availability Zones shown below support WorkSpaces. When you create a virtual private cloud (VPC) for use with Amazon WorkSpaces, the VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones; by launching instances in separate Availability Zones, you protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones. Here is the picture of supported Availability Zones for WorkSpaces.
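To enforce the subnet and Availability Zone constraint above before the module is called, here is an added example (it is not part of the module's own code). It selects private subnets only from the AZs listed in a `workspaces_azs` variable (fill it from the supported-AZ picture for your region), keeps one subnet per AZ, and uses a `lifecycle` precondition on a `terraform_data` resource so that `terraform plan` fails, rather than warns, when fewer than two distinct AZs are found. The `workspaces_azs` variable name and the `Name` and `tier` tag filters are assumptions.

```hcl
# Added example, not the module's own code.
# Assumed: subnets are tagged tier = "private" and the VPC is tagged Name = "my-vpc".
variable "workspaces_azs" {
  description = "Availability Zones that support WorkSpaces in this region (from the supported-AZ table)"
  type        = list(string)
}

data "aws_vpc" "vpc" {
  tags = { Name = "my-vpc" } # assumed tag
}

# Only private subnets that sit in a WorkSpaces-supported AZ.
data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
  filter {
    name   = "availability-zone"
    values = var.workspaces_azs
  }
  tags = { tier = "private" } # assumed tag
}

data "aws_subnet" "private" {
  for_each = toset(data.aws_subnets.private.ids)
  id       = each.value
}

locals {
  # Group subnet IDs by AZ; a subnet can never span zones, so this is a clean partition.
  subnet_by_az = { for s in data.aws_subnet.private : s.availability_zone => s.id... }

  # One subnet per AZ, first two zones in sorted order (the directory needs two subnets in two AZs).
  workspace_subnet_ids = slice(
    [for az in sort(keys(local.subnet_by_az)) : local.subnet_by_az[az][0]],
    0,
    min(2, length(local.subnet_by_az)),
  )
}

# Hard guard: a failing precondition aborts the plan (a `check` block would only warn).
resource "terraform_data" "workspaces_subnet_guard" {
  input = local.workspace_subnet_ids

  lifecycle {
    precondition {
      condition     = length(local.subnet_by_az) >= 2
      error_message = "WorkSpaces needs private subnets in at least two supported AZs; found ${length(local.subnet_by_az)}."
    }
  }
}
```

Pass `local.workspace_subnet_ids` as the module's `subnet_ids` input. Because `var.workspaces_azs` is the only place the allowed zones are written down, changing region means changing one list rather than auditing every subnet lookup.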
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5, < 2.0.0 |
| aws | >= 4.0, < 6.0 |
| random | ~> 3.0 |

Providers:

| Name | Version |
|---|---|
| aws | 5.17.0 |
| random | 3.5.1 |

Modules: no modules.
Resources:

| Name | Type |
|---|---|
| aws_directory_service_directory.ADConnector | resource |
| aws_directory_service_directory.microsoftAD | resource |
| aws_iam_role.workspaces_default | resource |
| aws_iam_role_policy_attachment.workspaces_default_self_service_access | resource |
| aws_iam_role_policy_attachment.workspaces_default_service_access | resource |
| aws_security_group.workspace | resource |
| aws_ssm_parameter.ad_connector_password | resource |
| aws_ssm_parameter.ad_password | resource |
| aws_workspaces_directory.directory_ADConnector | resource |
| aws_workspaces_directory.directory_microsoftAD | resource |
| aws_workspaces_ip_group.nat | resource |
| aws_workspaces_workspace.workspace | resource |
| random_password.ad_connector_password | resource |
| random_password.ad_password | resource |
| aws_iam_policy_document.workspaces | data source |
| aws_workspaces_bundle.bundle | data source |

The directory passwords are generated by the `random_password` resources and written to SSM Parameter Store (`aws_ssm_parameter.ad_password` and `aws_ssm_parameter.ad_connector_password`, at the paths given by `ssm_parameter_name` and `ssm_ad_connector_parameter_name`). A `random_password` value is also persisted in the Terraform state, so the state backend must be encrypted and access to it restricted.
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bundle_id | The ID of the bundle to use for the workspaces. | string | null | no |
| customer_dns_ips | Connect settings for AD Connector: DNS IP addresses of the existing directory. | list(string) | [] | no |
| customer_username | Connect settings for AD Connector: username used to connect to the existing directory. | string | "" | no |
| directory_name | Must be a fully qualified domain name and cannot end with a trailing period. | string | "poc.woebothealth.com" | no |
| directory_size | The size of the directory (Small or Large). | string | "Small" | no |
| directory_type | Type of the directory service (MicrosoftAD or ADConnector). | string | "MicrosoftAD" | no |
| egress_rules | List of egress rules for the workspace security group | list(object({...})) | [...] | no |
| iam_role_name | Name of the WorkSpaces IAM role | string | "workspaces_DefaultRole" | no |
| ingress_rules | List of ingress rules for the workspace security group | list(object({...})) | [...] | no |
| ip_group_description | Description of the IP access control group | string | "nat-gateway-ip-list control group" | no |
| ip_group_name | Name of the IP access control group | string | "nat-gateway-ip-list" | no |
| ip_rules | List of IP rules (client source CIDRs allowed by the IP access control group) | list(object({...})) | [] | no |
| region | AWS region | string | "us-west-2" | no |
| security_group_description | Description of the security group | string | "My security group description" | no |
| security_group_name | Name of the security group | string | "workspace-SG" | no |
| self_service_permissions | Self-service permissions configuration. | object({...}) | {...} | no |
| ssm_ad_connector_parameter_name | SSM parameter name for the AD Connector password | string | "/workspace/Connector/password" | no |
| ssm_parameter_name | SSM parameter name for the Microsoft AD password | string | "/workspace/microsoft-ad/password" | no |
| subnet_ids | Private subnet IDs | list(string) | n/a | yes |
| tags | Tags to add to your resources | map(string) | n/a | yes |
| user_names | Map of usernames to create workspaces for | map(string) | {} | no |
| volume_encryption_key | Symmetric KMS key used to encrypt the WorkSpaces root and user volumes | string | "" | no |
| vpc_id | ID of the VPC to deploy into | string | n/a | yes |
| workspace_access_properties | Workspace access properties configuration. | object({...}) | {...} | no |
| workspace_creation_properties | Workspace creation properties configuration. | object({...}) | {...} | no |
| workspace_properties | Workspace properties configuration. | object({...}) | {...} | no |
| workspaces_self_service_access_arn | ARN of the AWS-managed WorkSpaces self-service access policy | string | n/a | yes |
| workspaces_service_access_arn | ARN of the AWS-managed WorkSpaces service access policy | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| workspace_bundle_id | The ID of the AWS WorkSpaces bundle. |
| workspace_directory_id | The ID of the AWS WorkSpaces directory. |
| workspace_properties | The properties of the AWS WorkSpaces. |
| workspace_root_volume_encryption_enabled | Whether root volume encryption is enabled for the AWS WorkSpaces. |
| workspace_user_name | The username of the AWS WorkSpaces user. |
| workspace_user_volume_encryption_enabled | Whether user volume encryption is enabled for the AWS WorkSpaces. |
| workspace_volume_encryption_key | The encryption key used for AWS WorkSpaces volumes. |
When contributing, state in your commit message whether the change is major, minor or patch, for example:

```shell
git commit -m "your commit message #major"
```

The tag bumps the version accordingly; if you don't specify one, the change is treated as a patch and the patch version is bumped.

- Configure pre-commit hooks:

```shell
pre-commit install
```

- Tests are in the `test` directory. Configure the dependencies:

```shell
cd test/
go mod init github.com/sourcefuse/arc-terraform-workspace
go get github.com/gruntwork-io/terratest/modules/terraform
```

- Now execute the tests:

```shell
cd test
go test
```

This project is authored by:

- SourceFuse ARC Team