Update path files

README.md

@@ -36,6 +36,8 @@ The lab environment creates a secure network architecture with:
 
 In addition to the usual access credentials for AWS, the modules require an access key to StrongDM with the following privileges:
 
+![StrongDM Permissions](doc/strongdm-permissions.png?raw=true)
+
 ```bash
 sdm admin tokens add TerraformSecMgmt --permissions secretstore:list,secretstore:create,secretstore:update,secretstore:delete,organization:view_settings,relay:list,relay:create,policy:read,policy:write,datasource:list,datasource:create,datasource:update,datasource:delete,datasource:healthcheck,resourcelock:delete,resourcelock:list,accessrequest:requester,secretengine:create,secretengine:list,secretengine:delete,secretengine:update,managedsecret:list,managedsecret:update,managedsecret:create,managedsecret:read,managedsecret:delete --duration 648000 --type api
 ```

awsro/awsro.tf

@@ -14,20 +14,20 @@
 resource "aws_iam_role" "ec2_read_only_role" {
   name               = "EC2ReadOnlyRole"
   assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
-  tags = var.tagset
+  tags               = var.tagset
 }
 
 # Define the trust relationship policy allowing EC2 service and the gateway role to assume this role
 data "aws_iam_policy_document" "ec2_assume_role_policy" {
   statement {
-    actions   = ["sts:AssumeRole"]
-    effect    = "Allow"
-  principals {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
       type        = "Service"
       identifiers = ["ec2.amazonaws.com"]
     }
 
-  principals {
+    principals {
       type        = "AWS"
       identifiers = [var.role]
     }
@@ -38,5 +38,5 @@ data "aws_iam_policy_document" "ec2_assume_role_policy" {
 # This provides read-only access to most AWS services including EC2, S3, etc.
 resource "aws_iam_role_policy_attachment" "read_only_access_attachment" {
   role       = aws_iam_role.ec2_read_only_role.name
-  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # This is the managed policy for read-only access to most AWS services
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" # This is the managed policy for read-only access to most AWS services
 }

awsro/output.tf

@@ -1,3 +1,11 @@
+#--------------------------------------------------------------
+# AWS Read-Only Role Module Outputs
+#
+# This file defines the output values from the AWS read-only role module.
+# The outputs provide the ARN of the created IAM role, which can be
+# referenced by other modules for role assumption and resource access.
+#--------------------------------------------------------------
+
 output "ec2_read_only_role_arn" {
   description = "value of the ARN of the EC2 read-only role"
   # This output provides the ARN of the IAM role created in this module

dc/dc.tf

@@ -24,13 +24,13 @@ resource "aws_instance" "dc" {
   key_name               = aws_key_pair.windows.key_name
   vpc_security_group_ids = [var.sg]
   subnet_id              = var.subnet_id
-  
+
   # Deploy the PowerShell script that sets up the domain controller
-  user_data              = templatefile("../dc/install-dc.ps1.tpl", {
+  user_data = templatefile("${path.module}/install-dc.ps1.tpl", {
     name     = var.name
     password = random_password.admin_password.result
     rdpca    = var.rdpca
-    
+
     domain_users = var.domain_users
     }
   )
@@ -58,7 +58,7 @@ resource "tls_private_key" "windows" {
 resource "aws_key_pair" "windows" {
   key_name   = "${var.name}-windows-key"
   public_key = tls_private_key.windows.public_key_openssh
-  tags = local.thistagset
+  tags       = local.thistagset
 }
 
 

dc/install-dc.ps1.tpl

@@ -1,3 +1,23 @@
+#--------------------------------------------------------------
+# Domain Controller Installation PowerShell Template
+#--------------------------------------------------------------
+# This PowerShell template script installs and configures a Windows
+# Active Directory Domain Controller in the StrongDM AWS Lab-in-a-Box.
+# 
+# Key Functions:
+# - Installs Active Directory Domain Services (ADDS) role
+# - Installs DNS server role and configures DNS settings
+# - Creates new Active Directory forest and domain
+# - Configures domain controller networking and security
+# - Sets up RDP certificate authentication
+# - Creates domain users and organizational structure
+# - Configures StrongDM integration with Active Directory
+#
+# Template Variables:
+# - ${rdpca}: RDP certificate authority certificate
+# - ${name}: Domain name prefix for forest creation
+#--------------------------------------------------------------
+
 <powershell>
 Start-Transcript -Path "C:\SDMDomainSetup.log" -Append
 

dc/outputs.tf

@@ -8,53 +8,53 @@
 
 # Network information for accessing the domain controller
 output "dc_fqdn" {
-    value = aws_instance.dc.private_dns
-    description = "The private DNS name of the domain controller"
+  value       = aws_instance.dc.private_dns
+  description = "The private DNS name of the domain controller"
 }
 
 output "dc_ip" {
-    value = aws_instance.dc.private_ip
-    description = "The private IP address of the domain controller"
+  value       = aws_instance.dc.private_ip
+  description = "The private IP address of the domain controller"
 }
 
 # Administrator account credentials for direct RDP access
 output "dc_username" {
-    value = "administrator"
-    description = "The local administrator username for the domain controller"
+  value       = "administrator"
+  description = "The local administrator username for the domain controller"
 }
 
 output "dc_password" {
-    value = rsadecrypt(aws_instance.dc.password_data, tls_private_key.windows.private_key_pem)
-    description = "The decrypted password for the local administrator account"
-    sensitive = true
+  value       = rsadecrypt(aws_instance.dc.password_data, tls_private_key.windows.private_key_pem)
+  description = "The decrypted password for the local administrator account"
+  sensitive   = true
 }
 
 # Domain administrator credentials for domain operations
 output "domain_admin" {
-    value = "domainadmin"
-    description = "The domain administrator username created during setup"
+  value       = "domainadmin"
+  description = "The domain administrator username created during setup"
 }
 
 output "domain_password" {
-    value = "${random_password.admin_password.result}!"
-    description = "The password for the domain administrator account"
-    sensitive = true
+  value       = "${random_password.admin_password.result}!"
+  description = "The password for the domain administrator account"
+  sensitive   = true
 }
 
 # Resource tags for consistent resource management
 output "thistagset" {
-    value = local.thistagset
-    description = "The tags applied to resources in this module"
-} 
+  value       = local.thistagset
+  description = "The tags applied to resources in this module"
+}
 
 # Key material for other resources that need to join the domain
 output "private_key_pem" {
-    value = tls_private_key.windows.private_key_pem
-    description = "The private key in PEM format for decrypting Windows passwords"
-    sensitive = true
+  value       = tls_private_key.windows.private_key_pem
+  description = "The private key in PEM format for decrypting Windows passwords"
+  sensitive   = true
 }
 
 output "key_name" {
-    value = aws_key_pair.windows.key_name
-    description = "The name of the key pair created for Windows instances"
+  value       = aws_key_pair.windows.key_name
+  description = "The name of the key pair created for Windows instances"
 }

dc/variables.tf

@@ -48,43 +48,43 @@ variable "target_user" {
 # Generate a secure random password for the domain administrator
 resource "random_password" "admin_password" {
   length      = 20
-  special     = false  # Avoid special chars for better compatibility
-  min_numeric = 1      # Ensure at least one number
-  min_upper   = 1      # Ensure at least one uppercase letter
-  min_lower   = 1      # Ensure at least one lowercase letter
+  special     = false # Avoid special chars for better compatibility
+  min_numeric = 1     # Ensure at least one number
+  min_upper   = 1     # Ensure at least one uppercase letter
+  min_lower   = 1     # Ensure at least one lowercase letter
 }
 
 variable "domain_users" {
   description = "Set of map of users to be created in the Directory"
-  type        = set(object({
+  type = set(object({
     SamAccountName = string
     GivenName      = string
     Surname        = string
     tags           = map(string)
-    }))
-  default     = null
+  }))
+  default = null
 }
 
 # Local variables for module operation
 locals {
   admin_password = random_password.admin_password.result
-  
+
   # Determine the operating system to use the appropriate script
   # This checks if we're running on Windows (has a C: drive) to select the right script
-  is_linux = length(regexall("c:", lower(abspath(path.root)))) > 0
+  is_linux    = length(regexall("c:", lower(abspath(path.root)))) > 0
   interpreter = local.is_linux ? "powershell" : "bash"
-  script      = format("%s/%s",path.module,local.is_linux ? "windowsrdpca.ps1" : "windowsrdpca.sh")
-  
+  script      = format("%s/%s", path.module, local.is_linux ? "windowsrdpca.ps1" : "windowsrdpca.sh")
+
   # Construct a consistent tag set for all resources in this module
-  thistagset = merge (var.tagset, {
+  thistagset = merge(var.tagset, {
     network = "Private"
     class   = "sdminfra"
     Name    = "sdm-${var.name}-domain-controller"
     }
-  )  
+  )
 }
 
 variable "rdpca" {
   description = "RDP CA to import into the domain controller"
-  type = string
+  type        = string
 }

dc/windowsrdpca.ps1

@@ -1,3 +1,21 @@
+#--------------------------------------------------------------
+# Windows RDP Certificate Authority PowerShell Script
+#--------------------------------------------------------------
+# This PowerShell script extracts the StrongDM RDP Certificate Authority
+# certificate for Windows environments and formats it as JSON.
+# 
+# Key Functions:
+# - Validates that SDM CLI is available and accessible
+# - Retrieves RDP CA certificate from StrongDM admin CLI
+# - Formats certificate data as JSON for Terraform consumption
+# - Provides error handling for missing dependencies
+#
+# Dependencies:
+# - sdm CLI tool must be installed and authenticated
+# - PowerShell execution policy must allow script execution
+# - Proper StrongDM admin permissions for certificate access
+#--------------------------------------------------------------
+
 try {
     $sdmCommand = Get-Command sdm -ErrorAction Stop
 } catch {

dc/windowsrdpca.sh

@@ -1,2 +1,19 @@
+#--------------------------------------------------------------
+# Windows RDP Certificate Authority Extraction Script
+#--------------------------------------------------------------
+# This shell script extracts the StrongDM RDP Certificate Authority
+# certificate and formats it as JSON for use in Terraform templates.
+# 
+# Key Functions:
+# - Retrieves RDP CA certificate from StrongDM admin CLI
+# - Formats certificate data as JSON string for Terraform consumption
+# - Enables secure RDP connections through StrongDM infrastructure
+#
+# Dependencies:
+# - sdm CLI tool must be installed and authenticated
+# - jq utility for JSON processing
+# - Proper StrongDM admin permissions for certificate access
+#--------------------------------------------------------------
+
 #!/bin/bash
 echo "{\"certificate\": $(sdm admin rdp view-ca | jq -Rsa) }"