terraform-aws-arc-workspace

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing Workspaces.

Usage

To see a Microsoft AD example, check out the main.tf file in the example folder.

module "microsoft-ad-workspace" {
  source                             = "sourcefuse/arc-workspace/aws"
  version                            = "1.0.9"
  region                             = var.region
  vpc_id                             = data.aws_vpc.vpc.id
  subnet_ids                         = data.aws_subnets.private.ids
  directory_type                     = var.directory_type
  directory_name                     = var.directory_name
  directory_size                     = var.directory_size
  self_service_permissions           = var.self_service_permissions
  workspace_access_properties        = var.workspace_access_properties
  workspace_creation_properties      = var.workspace_creation_properties
  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn
  user_names                         = var.user_names
  workspace_properties               = var.workspace_properties
  volume_encryption_key              = var.volume_encryption_key
  ip_rules                           = var.ip_rules // change it according to your requirement
  tags                               = module.tags.tags
}

To see a AD Connector example, check out the main.tf file in the example folder.

module "ad-connector-workspace" {
  source                             = "sourcefuse/arc-workspace/aws"
  version                            = "1.0.9"
  region                             = var.region
  vpc_id                             = data.aws_vpc.vpc.id
  subnet_ids                         = data.aws_subnets.private.ids
  directory_type                     = var.directory_type
  directory_name                     = var.directory_name
  directory_size                     = var.directory_size
  self_service_permissions           = var.self_service_permissions
  workspace_access_properties        = var.workspace_access_properties
  workspace_creation_properties      = var.workspace_creation_properties
  workspaces_service_access_arn      = data.aws_iam_policy.workspaces_service_access.arn
  workspaces_self_service_access_arn = data.aws_iam_policy.workspaces_self_service_access.arn
  user_names                         = var.user_names
  customer_dns_ips                   = var.customer_dns_ips
  customer_username                  = var.customer_username
  workspace_properties               = var.workspace_properties
  volume_encryption_key              = var.volume_encryption_key
  ip_rules                           = var.ip_rules // change it according to your requirement
  tags                               = module.tags.tags
}

Both Examples look similar but the difference between them is customer_dns_ips and customer_username which is required for ADConnector but not required for AWS Managed Microsoft-AD

IMPORTANT NOTE

For user_names attribute which is shown in example. There are two approaches you can follow 1. If you want to create custom user_names so you have to first run terraform apply and then create custom user names in workspace manually and specify here that username and re-run tf apply so that workspace with custom-username gets created with appropriate configuration.

1. By default you can specify Administrators , Admins here which are default in directory and that will create workspace

2. if you specify custom user_names which can be any number make sure if you specify, lets say 5 custom user_names then terraform will create 5 workspaces for each user.

3. custom user_names need to be created manually as mentioned in 1^st point as there is no functionality in terraform to achieve this as of now.

4. if you leave user_names attribute empty then no workspace will get created , only directory will get created and iam-roles etc.

5. example to specify custom user_names

   variable "user_names" {
     description = "List of usernames to create workspaces for"
     type        = map(string)
     default     = {
        "mayank.sharma" = null
        "james.crowley" = null
        "travis.saucier" = null
     }
   }
   

   As we specified three custom user_names that means three workspaces for each user will get created

6. Last thing but not the least and this is very important that if you are trying to deploy in us-east-1 then below AZs are supported. When you are creating a virtual private cloud (VPC) for use with Amazon WorkSpaces, your VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones. Here is the picture of supported Availability Zones For Workspaces.

Requirements

Name	Version
terraform	~> 1.3
aws	~> 5.0
random	~> 3.0

Providers

Name	Version
aws	5.17.0
random	3.5.1

Modules

No modules.

Resources

Name	Type
aws_directory_service_directory.ADConnector	resource
aws_directory_service_directory.microsoftAD	resource
aws_iam_role.workspaces_default	resource
aws_iam_role_policy_attachment.workspaces_default_self_service_access	resource
aws_iam_role_policy_attachment.workspaces_default_service_access	resource
aws_security_group.workspace	resource
aws_ssm_parameter.ad_connector_password	resource
aws_ssm_parameter.ad_password	resource
aws_workspaces_directory.directory_ADConnector	resource
aws_workspaces_directory.directory_microsoftAD	resource
aws_workspaces_ip_group.nat	resource
aws_workspaces_workspace.workspace	resource
random_password.ad_connector_password	resource
random_password.ad_password	resource
aws_iam_policy_document.workspaces	data source
aws_workspaces_bundle.bundle	data source

Inputs

Name	Description	Type	Default	Required
bundle_id	The ID of the bundle to use for the workspaces.	string	null	no
customer_dns_ips	Connect settings for ADConnector.	list(string)	[]	no
customer_username	Connect settings for ADConnector.	string	""	no
directory_name	must be a fully qualified domain name and cannot end with a trailing period	string	"poc.woebothealth.com"	no
directory_size	The size of the directory (Small or Large are accepted values). Large by default.	string	"Small"	no
directory_type	Type of the directory service (MicrosoftAD or ADConnector).	string	"MicrosoftAD"	no
egress_rules	List of egress rules	list(object({ from_port = number to_port = number protocol = any cidr_blocks = optional(list(string), []) }))	[ { "cidr_blocks": [ "0.0.0.0/0" ], "from_port": 0, "protocol": -1, "to_port": 0 } ]	no
iam_role_name	workspace iam-role-name	string	"workspaces_DefaultRole"	no
ingress_rules	List of ingress rules	list(object({ from_port = number to_port = number protocol = string cidr_blocks = optional(list(string), []) }))	[ { "cidr_blocks": [ "0.0.0.0/0" ], "from_port": 443, "protocol": "tcp", "to_port": 443 } ]	no
ip_group_description	Description of the IP access control group	string	"nat-gateway-ip-list control group"	no
ip_group_name	Name of the IP access control group	string	"nat-gateway-ip-list"	no
ip_rules	List of IP rules	list(object({ source = string description = string }))	[]	no
region	AWS region	string	"us-west-2"	no
security_group_description	Description of the security group	string	"My security group description"	no
security_group_name	Name of the security group	string	"workspace-SG"	no
self_service_permissions	Self-service permissions configuration.	object({ change_compute_type = bool increase_volume_size = bool rebuild_workspace = bool restart_workspace = bool switch_running_mode = bool })	{ "change_compute_type": false, "increase_volume_size": false, "rebuild_workspace": false, "restart_workspace": true, "switch_running_mode": false }	no
ssm_ad_connector_parameter_name	ssm parameter name for microsoft AD	string	"/workspace/Connector/password"	no
ssm_parameter_name	ssm parameter name for microsoft AD	string	"/workspace/microsoft-ad/password"	no
subnet_ids	private subnet_ids	list(string)	n/a	yes
tags	tags to add to your resources	map(string)	n/a	yes
user_names	List of usernames to create workspaces for	map(string)	{}	no
volume_encryption_key	encryption key	string	""	no
vpc_id	default vpc	string	n/a	yes
workspace_access_properties	Workspace access properties configuration.	object({ device_type_android = string device_type_chromeos = string device_type_ios = string device_type_linux = string device_type_osx = string device_type_web = string device_type_windows = string device_type_zeroclient = string })	{ "device_type_android": "ALLOW", "device_type_chromeos": "ALLOW", "device_type_ios": "ALLOW", "device_type_linux": "ALLOW", "device_type_osx": "ALLOW", "device_type_web": "DENY", "device_type_windows": "ALLOW", "device_type_zeroclient": "ALLOW" }	no
workspace_creation_properties	Workspace creation properties configuration.	object({ custom_security_group_id = string default_ou = string enable_internet_access = bool enable_maintenance_mode = bool user_enabled_as_local_administrator = bool })	{ "custom_security_group_id": "", "default_ou": "", "enable_internet_access": false, "enable_maintenance_mode": true, "user_enabled_as_local_administrator": true }	no
workspace_properties	Workspace properties configuration.	object({ compute_type_name = string user_volume_size_gib = number root_volume_size_gib = number running_mode = string running_mode_auto_stop_timeout_in_minutes = number })	{ "compute_type_name": "VALUE", "root_volume_size_gib": 80, "running_mode": "ALWAYS_ON", "running_mode_auto_stop_timeout_in_minutes": 60, "user_volume_size_gib": 10 }	no
workspaces_self_service_access_arn	workspaces self service access from aws	string	n/a	yes
workspaces_service_access_arn	workspaces service access from aws	string	n/a	yes

Outputs

Name	Description
workspace_bundle_id	The ID of the AWS Workspaces bundle.
workspace_directory_id	The ID of the AWS Workspaces directory.
workspace_properties	The properties of the AWS Workspaces.
workspace_root_volume_encryption_enabled	Whether root volume encryption is enabled for the AWS Workspaces.
workspace_user_name	The username of the AWS Workspaces user.
workspace_user_volume_encryption_enabled	Whether user volume encryption is enabled for the AWS Workspaces.
workspace_volume_encryption_key	The encryption key used for AWS Workspaces volumes.

Git commits

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

git commit -m "your commit message #major"

By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly

Development

Prerequisites

• terraform
• terraform-docs
• pre-commit
• golang
• golint

Configurations

• Configure pre-commit hooks

  pre-commit install
  

Tests

• Tests are available in test directory
• Configure the dependencies

  cd test/
  go mod init github.com/sourcefuse/arc-terraform-workspace
  go get github.com/gruntwork-io/terratest/modules/terraform
  

• Now execute the test
  

  cd test
  go test
  

Authors

This project is authored by: - SourceFuse ARC Team