# AWS provider configuration; the region is supplied by the caller via
# var.aws_region (credentials come from the provider's usual sources).
provider "aws" {
  region = "${var.aws_region}"
}
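# Security group for the Windows host. Management access is WinRM over
# HTTPS (tcp/5986) only: the instance bootstrap creates just the HTTPS
# listener and the remote-exec provisioner connects on 5986, so the former
# tcp/5985 (plaintext WinRM) rule was unused exposure and has been dropped.
#
# The WinRM source range is a required input rather than 0.0.0.0/0. The
# listener accepts Basic authentication, so with Internet-wide reachability
# the local administrator password is the only control standing between the
# host and a brute-force attempt. Set this to the provisioning host(s) or a
# management/VPN range.
variable "winrm_allowed_cidr_blocks" {
  description = "Source CIDR blocks allowed to reach WinRM over HTTPS (tcp/5986). Restrict to the provisioning host(s) or a management range; do not use 0.0.0.0/0."
  type        = "list"
}

resource "aws_security_group" "windows" {
  name        = "terraform_windows_private"
  description = "Used in the terraform"

  # WinRM over HTTPS, restricted to the caller-supplied management ranges
  ingress {
    from_port   = 5986
    to_port     = 5986
    protocol    = "tcp"
    cidr_blocks = ["${var.winrm_allowed_cidr_blocks}"]
  }

  # Unrestricted outbound access (all protocols), kept as originally
  # configured; the bootstrap has no single destination to pin this to.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # vpc_id = "${aws_vpc.default.id}"
}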
# EC2 key pair registered from a local public key file. The instance below
# attaches it through key_name; the matching private key path is read
# separately by the provisioner's connection block.
resource "aws_key_pair" "auth-windows" {
  public_key = "${file(var.ssh_public_key_pair_windows)}"
  key_name   = "${var.ssh_key_name_for_windows}"
}
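# Windows host managed over WinRM/HTTPS. The user_data bootstrap creates a
# self-signed certificate, a local administrator account, and a WinRM
# listener on 5986; the remote-exec provisioner then authenticates with that
# account over TLS.
#
# Secrets handling to be aware of:
#   * user_data is stored with the instance and is readable from the
#     instance metadata service by any process on the host, and through the
#     EC2 API by any principal allowed to read instance attributes, so
#     var.new_boss_pw is exposed in plaintext there (and in Terraform state).
#     Rotate that password once provisioning is complete.
#   * file(var.ssh_key_pair_path_windows) reads a private key into the
#     configuration and therefore into Terraform state.
resource "aws_instance" "windows" {
  instance_type     = "${var.instance_type}"
  availability_zone = "${var.aws_zone}"

  # AMI id is supplied by the caller; it must be valid for var.aws_region.
  ami = "${var.aws_tornado_ami}"

  key_name                    = "${aws_key_pair.auth-windows.id}"
  associate_public_ip_address = true

  tags {
    Name = "Tornado"
  }

  # Security group permitting WinRM over HTTPS from the management range
  vpc_security_group_ids = ["${aws_security_group.windows.id}"]

  # subnet_id = "${aws_subnet.eu-west-1a-public.id}"

  # Bootstrap script. Terraform interpolates ${var.*} before the instance
  # sees it; the PowerShell $cert/$thumb variables are left alone.
  user_data = <<EOF
<powershell>
echo "Generate certificate for WinRM"
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName $env:computername
$thumb = $cert.Thumbprint
echo "create new user"
# Single quotes keep PowerShell from expanding '$' or splitting on spaces
# inside the password before it reaches net.exe.
net user ${var.new_boss_name} '${var.new_boss_pw}' /add
net localgroup administrators ${var.new_boss_name} /add
net localgroup WinRMRemoteWMIUsers__ ${var.new_boss_name} /add
echo "Enable WinRM"
winrm quickconfig -q
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
# Basic auth is what the Terraform winrm connection below uses; it is only
# acceptable because the listener is HTTPS-only and the security group
# limits who can reach it.
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm create winrm/config/listener?Address=*+Transport=HTTPS "@{CertificateThumbprint=`"$thumb`";Port=`"5986`"}"
# quickconfig also provisions a plaintext HTTP listener on 5985; nothing
# here uses it, so remove it rather than leave Basic auth reachable in clear.
winrm delete winrm/config/listener?Address=*+Transport=HTTP
echo "Enable WinRM firewall rules"
Remove-NetFirewallRule -DisplayName "WinRMS" -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "WinRMS" -Direction Inbound -Protocol TCP -LocalPort 5986 | Out-Null
echo "Restart WinRM service"
Stop-Service winrm
Set-Service winrm -StartupType Automatic
Start-Service winrm
</powershell>
EOF

  provisioner "remote-exec" {
    connection {
      type  = "winrm"
      user  = "${var.new_boss_name}"
      port  = 5986
      https = true

      # The listener certificate is self-signed, so verification is
      # disabled; the credentials are therefore protected only by the
      # security group restricting who can answer on 5986.
      insecure = true
      password = "${var.new_boss_pw}"

      # NOTE(review): not a documented argument of the winrm connection type
      # as far as this file shows -- confirm it is honoured; either way it
      # pulls the private key file into configuration and state.
      password_private_key = "${file(var.ssh_key_pair_path_windows)}"

      timeout = "10m"
    }

    inline = [
      "echo Instance provisioner works! Alex",
    ]
  }
}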