I'm working on a project with a network that has four AWS accounts (dev, technical test, customer test, prod). My task is to automate the implementation of STIG requirements, which involves updating the Group Policy Objects (GPOs) or registries based on security guidelines. While I can manually access an EC2 instance, open gpmc.msc, and edit group policies, I need to find a way to automate this process. I plan to incorporate it into our infrastructure as code to propagate changes across all domains. However, I'm struggling with executing this via AWS Run Command or AWS Automation, mainly because the system account doesn't have sufficient permissions. What's the proper way to handle this situation? I can't be the only team looking to automate GPO updates with tools like Terraform.
1 Answer
We usually manage everything outside the VMs with Terraform, but for inside, we lean towards using Ansible. While Terraform could potentially handle this, it’s not really designed for GPO management, which doesn’t have an accessible API over the network. If you’re aiming for IaC and GitOps, consider keeping your GPO configurations in Git and triggering CI jobs using Ansible for updates. If you decide to utilize the AD provider in Terraform, be aware of its limitations—check the documentation for available options. Generally, GPOs aren't the easiest to automate due to their outdated design and sometimes janky implementation.

Got it. So right now, our Terraform setup involves pushing a PowerShell script from our Git repository to S3, then downloading it onto the server to import GPOs and add machines to the domain. This worked initially, but it seems the AWS account can no longer modify the GPOs. I might need to manually import the policy in each account and update my IaC with the new GPO exports to ensure everything is up to date. We used to use Ansible more often, but it seems like our decisions have shifted away from that, and now we're slowly eliminating it from our infrastructure code.
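As an added example, not code from the question, the answer, or the asker's project: the "GPO backups in Git, CI pushes them out, a script imports them" flow described above, written so it can be driven by AWS SSM Run Command. It also handles the permissions problem the question raises: Run Command executes as NT AUTHORITY\SYSTEM, which reaches the domain only as the computer account, so the script stages the files as SYSTEM and then re-launches the import step under a delegated domain account whose credential is read from Secrets Manager. Every name in it (bucket, key prefix, secret name, OU, GPO names, the `stig-gpos.json` manifest format) is an assumption for illustration.

```powershell
<#
  Added example, not code from the question, the answer, or the asker's project.
  Pattern: Backup-GPO output plus a small manifest live in Git, CI copies them to S3,
  and an SSM Run Command (AWS-RunPowerShellScript) invokes this file on a domain-joined
  management instance in each account.

  Phase 1 runs as SYSTEM under SSM (no rights to create or edit GPOs), stages the files,
  fetches a delegated domain credential and re-launches Phase 2 under that account.

  Assumptions (all hypothetical): bucket example-gpo-bucket, key prefix gpo-backups,
  Secrets Manager secret gpo/svc-account holding {"username":"CORP\\svc-gpo","password":"..."},
  target OU OU=Servers,DC=corp,DC=example, RSAT GroupPolicy and AWSPowerShell modules installed.
#>
param(
    [string]$Bucket     = 'example-gpo-bucket',
    [string]$Prefix     = 'gpo-backups',
    [string]$SecretName = 'gpo/svc-account',
    [string]$TargetOU   = 'OU=Servers,DC=corp,DC=example',
    [switch]$AsDelegatedUser
)
$ErrorActionPreference = 'Stop'
$stage = Join-Path $env:ProgramData 'gpo-staging'

if (-not $AsDelegatedUser) {
    # ---- Phase 1: runs as SYSTEM under SSM ----
    if (-not $PSCommandPath) { throw 'Run this as a script file so it can re-launch itself.' }
    Import-Module AWSPowerShell
    New-Item -ItemType Directory -Force -Path $stage | Out-Null
    Read-S3Object -BucketName $Bucket -KeyPrefix $Prefix -Folder $stage | Out-Null
    # Copy ourselves out of the SSM orchestration folder, which the delegated user cannot read.
    $self = Join-Path $stage 'apply-stig-gpo.ps1'
    Copy-Item $PSCommandPath $self -Force

    $secret = (Get-SECSecretValue -SecretId $SecretName).SecretString | ConvertFrom-Json
    $cred   = [pscredential]::new($secret.username,
                                  (ConvertTo-SecureString $secret.password -AsPlainText -Force))

    # Start-Process -Credential performs a full logon (not a WinRM network logon), so the child
    # can reach SYSVOL on the DC without the double-hop problem. SSM only captures this process's
    # stdout, so the child's output is redirected to files and echoed back afterwards.
    $out = Join-Path $stage 'import.log'; $err = Join-Path $stage 'import.err'
    $p = Start-Process -FilePath 'powershell.exe' -Credential $cred -WorkingDirectory $stage `
        -ArgumentList @('-NoProfile','-ExecutionPolicy','Bypass','-File',$self,'-AsDelegatedUser','-TargetOU',$TargetOU) `
        -RedirectStandardOutput $out -RedirectStandardError $err -WindowStyle Hidden -Wait -PassThru
    Get-Content $out, $err -ErrorAction SilentlyContinue
    if ($p.ExitCode -ne 0) { throw "GPO import failed with exit code $($p.ExitCode)" }
    return
}

# ---- Phase 2: runs as the delegated domain account ----
Import-Module GroupPolicy

# stig-gpos.json is a constructed manifest kept in Git next to the Backup-GPO output, e.g.
# [ { "name": "STIG-WinServer2019-MS", "link": true,
#     "overrides": [ { "key": "HKLM\\SOFTWARE\\Policies\\Example", "valueName": "Setting",
#                      "type": "DWord", "value": 1 } ] } ]
$manifest = Get-Content (Join-Path $stage 'stig-gpos.json') -Raw | ConvertFrom-Json

foreach ($g in $manifest) {
    $before = Get-GPO -Name $g.name -ErrorAction SilentlyContinue

    # -CreateIfNeeded makes the first run in a fresh account behave like every later run.
    # Add -MigrationTable if the backup carries SIDs or UNC paths from the source domain.
    $gpo = Import-GPO -BackupGpoName $g.name -TargetName $g.name -Path $stage -CreateIfNeeded

    # Import-GPO restores settings only; links are per domain, so (re)create them explicitly.
    if ($g.link) {
        $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $g.name
        if (-not $linked) { New-GPLink -Name $g.name -Target $TargetOU -LinkEnabled Yes | Out-Null }
    }

    # Per-account differences (dev vs prod values) are patched after import instead of keeping
    # four copies of the backup; only registry-backed policies can be set this way.
    foreach ($o in @($g.overrides)) {
        if ($null -eq $o) { continue }
        $val = if ($o.type -match 'DWord') { [int]$o.value } else { $o.value }
        Set-GPRegistryValue -Name $g.name -Key $o.key -ValueName $o.valueName `
            -Type $o.type -Value $val | Out-Null
    }

    $verb = if ($before) { 'updated' } else { 'created' }
    Write-Output ("{0} {1}, modified {2}" -f $verb, $g.name, $gpo.ModificationTime)
}
```

Two things to check before relying on this: `Start-Process -Credential` does an interactive-style logon through the Secondary Logon service, so the delegated account needs the "Allow log on locally" right on the management instance, and it should be an account delegated "Create GPOs" plus edit rights on the specific policies in GPMC rather than a Domain Admin. The instance role should be allowed `secretsmanager:GetSecretValue` on that one secret only. For the drift check the asker mentions, committing `Get-GPOReport -Name <gpo> -ReportType Xml` output after each run gives a diffable record of what each account actually has.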