aws-linux: add RDP support and instructions

bpmct · bpmct · commit 4c96f089dc20 · 2022-09-05T19:05:05.000Z
diff --git a/examples/templates/aws-windows/README.md b/examples/templates/aws-windows/README.md
@@ -6,6 +6,22 @@ tags: [cloud, aws]
 
 # aws-windows
 
+## Connecting via RDP
+
+You can connect to your workspace over a RDP tunnel. First, ensure
+you have the [Coder](https://coder.com/docs/coder-oss/latest/install) CLI installed on your local machine.
+
+In a terminal session, open a tunnel with the RDP port:
+
+```sh
+coder tunnel <workspace-name> --tcp 3301:3389
+```
+
+With a RDP client on your local machine, connect to `127.0.0.1:3301`.
+
+Username: Administrator
+Password: `see value on workspace page`
+
 ## Getting started
 
 To get started, run `coder templates init`. When prompted, select this template.
@@ -15,7 +31,7 @@ Follow the on-screen instructions to proceed.
 
 This template assumes that coderd is run in an environment that is authenticated
 with AWS. For example, run `aws configure import` to import credentials on the
-system and user running coderd.  For other ways to authenticate [consult the
+system and user running coderd. For other ways to authenticate [consult the
 Terraform docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration).
 
 ## Required permissions / policy
@@ -25,48 +41,48 @@ instances provisioned by Coder:
 
 ```json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": [
-                "ec2:GetDefaultCreditSpecification",
-                "ec2:DescribeIamInstanceProfileAssociations",
-                "ec2:DescribeTags",
-                "ec2:CreateTags",
-                "ec2:RunInstances",
-                "ec2:DescribeInstanceCreditSpecifications",
-                "ec2:DescribeImages",
-                "ec2:ModifyDefaultCreditSpecification",
-                "ec2:DescribeVolumes"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "CoderResources",
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances",
-                "ec2:DescribeInstanceAttribute",
-                "ec2:UnmonitorInstances",
-                "ec2:TerminateInstances",
-                "ec2:StartInstances",
-                "ec2:StopInstances",
-                "ec2:DeleteTags",
-                "ec2:MonitorInstances",
-                "ec2:CreateTags",
-                "ec2:RunInstances",
-                "ec2:ModifyInstanceAttribute",
-                "ec2:ModifyInstanceCreditSpecification"
-            ],
-            "Resource": "arn:aws:ec2:*:*:instance/*",
-            "Condition": {
-                "StringEquals": {
-                    "aws:ResourceTag/Coder_Provisioned": "true"
-                }
-            }
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VisualEditor0",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:GetDefaultCreditSpecification",
+        "ec2:DescribeIamInstanceProfileAssociations",
+        "ec2:DescribeTags",
+        "ec2:CreateTags",
+        "ec2:RunInstances",
+        "ec2:DescribeInstanceCreditSpecifications",
+        "ec2:DescribeImages",
+        "ec2:ModifyDefaultCreditSpecification",
+        "ec2:DescribeVolumes"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CoderResources",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceAttribute",
+        "ec2:UnmonitorInstances",
+        "ec2:TerminateInstances",
+        "ec2:StartInstances",
+        "ec2:StopInstances",
+        "ec2:DeleteTags",
+        "ec2:MonitorInstances",
+        "ec2:CreateTags",
+        "ec2:RunInstances",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifyInstanceCreditSpecification"
+      ],
+      "Resource": "arn:aws:ec2:*:*:instance/*",
+      "Condition": {
+        "StringEquals": {
+          "aws:ResourceTag/Coder_Provisioned": "true"
         }
-    ]
+      }
+    }
+  ]
 }
 ```
diff --git a/examples/templates/aws-windows/main.tf b/examples/templates/aws-windows/main.tf
@@ -70,16 +70,38 @@ data "aws_ami" "windows" {
 }
 
 resource "coder_agent" "main" {
-  arch = "amd64"
-  auth = "aws-instance-identity"
-  os   = "windows"
+  arch           = "amd64"
+  auth           = "aws-instance-identity"
+  os             = "windows"
+  startup_script = <<EOF
+# Set admin password
+Get-LocalUser -Name "Administrator" | Set-LocalUser -Password (ConvertTo-SecureString -AsPlainText "${local.admin_password}" -Force)
+# To disable password entirely, see https://serverfault.com/a/968240
+
+# Enable RDP
+Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
+
+# Enable RDP through Windows Firewall
+Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+
+# Disable Network Level Authentication (NLA)
+# Clients will connect via Coder's tunnel
+(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $env:COMPUTERNAME -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
+
+# Install Chocolatey package manager
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+EOF
 }
 
 locals {
+  # Password to log in via RDP
+  #
+  # Must meet Windows password complexity requirements:
+  # https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
+  admin_password = "coderRDP!"
 
   # User data is used to stop/start AWS instances. See:
   # https://github.com/hashicorp/terraform-provider-aws/issues/22
-
   user_data_start = <<EOT
 <powershell>
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -100,7 +122,6 @@ resource "aws_instance" "dev" {
   ami               = data.aws_ami.windows.id
   availability_zone = "${var.region}a"
   instance_type     = var.instance_type
-  count             = 1
 
   user_data = data.coder_workspace.me.transition == "start" ? local.user_data_start : local.user_data_end
   tags = {
@@ -114,15 +135,20 @@ resource "aws_instance" "dev" {
 resource "coder_metadata" "workspace_info" {
   resource_id = aws_instance.dev.id
   item {
-    key   = "region"
+    key       = "Administrator password"
+    value     = local.admin_password
+    sensitive = true
+  }
+  item {
+    key   = "Region"
     value = var.region
   }
   item {
-    key   = "instance type"
+    key   = "Instance type"
     value = aws_instance.dev.instance_type
   }
   item {
-    key   = "disk"
+    key   = "Disk"
     value = "${aws_instance.dev.root_block_device[0].volume_size} GiB"
   }
 }
