SimpleAD is Samba 4 — you can create users with ldapadd instead of ClickOps
If you’ve tried to fully automate Amazon WorkSpaces provisioning with Terraform, you’ve hit the wall: SimpleAD has no AWS API for creating directory users.
What every guide tells you
- Enable WorkDocs in the console, then use the WorkDocs API to create users
- Launch a domain-joined EC2 instance with RSAT tools and create users manually
- RDP into a Windows management machine and use the AD admin console
All of these break the Terraform workflow. Everything is automated except the one step that creates the user your WorkSpace actually needs.
The key insight
SimpleAD is Samba 4 Active Directory. It speaks LDAP. If you can reach it over the network, you can create user objects with standard ldapadd commands.
The problem: SimpleAD lives inside your VPC with no public endpoint.
Solving the network problem
Depending on your setup:
- VPN/Direct Connect — docker run an Alpine container with openldap-clients right from your Terraform host. Zero infrastructure.
- No VPC access — Lambda function deployed in the VPC with Python ldap3, invoked from Terraform via aws_lambda_invocation.
- EKS/Fargate in the same VPC — ephemeral container with VPC network access. This is what I use.
My approach
kubectl run from a Terraform local-exec provisioner launches a temporary Alpine pod on an EKS cluster that already has VPC network access to the SimpleAD DNS IPs:
# AD_DNS_IP and AD_ADMIN_PASSWORD come from the Terraform host's environment;
# the sh -c script is single-quoted, so they only reach the pod through --env.
kubectl run ldap-create-user --rm -i --restart=Never \
  --image=alpine:3.19 \
  --env="AD_DNS_IP=$AD_DNS_IP" --env="AD_ADMIN_PASSWORD=$AD_ADMIN_PASSWORD" \
  -- sh -c '
apk add --no-cache openldap-clients &&
ldapadd -x -H "ldap://$AD_DNS_IP" -D "CN=Administrator,CN=Users,DC=corp,DC=example,DC=com" \
  -w "$AD_ADMIN_PASSWORD" <<LDIF
dn: CN=newuser,CN=Users,DC=corp,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: newuser
sAMAccountName: newuser
userAccountControl: 512
LDIF
'
The pod installs openldap-clients, runs ldapadd, and is deleted as soon as the command exits. Total lifetime: under 30 seconds.
The password split
ldapadd cannot set AD passwords over unencrypted LDAP — AD requires LDAPS for password modifications. But the AWS Directory Service API has reset-user-password, which works from anywhere — no VPC access needed.
So we split it:
- LDAP creates the user object (requires VPC access)
- DS API sets the password (works from anywhere)
aws ds reset-user-password \
--directory-id d-1234567890 \
--user-name newuser \
--new-password "$USER_PASSWORD"
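The two steps above (LDAP create inside the VPC, password via the DS API) and the "already exists" handling mentioned further down, put together as one script. This is an added example, not code from the original post: the function names (valid_sam, build_ldif, provision_user), the environment variables AD_DNS_IP, AD_ADMIN_PASSWORD, BASE_DN, DIRECTORY_ID and USER_PASSWORD, and the choice to feed the admin password through the pod's stdin rather than --env (so it does not land in the pod spec) are all assumptions. It relies on kubectl run propagating the container's exit code and on ldapadd exiting with the LDAP result code, where 68 is entryAlreadyExists.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed environment:
#   AD_DNS_IP          one of the SimpleAD DNS IPs
#   AD_ADMIN_PASSWORD  SimpleAD Administrator password
#   BASE_DN            e.g. DC=corp,DC=example,DC=com
#   DIRECTORY_ID       e.g. d-1234567890 (placeholder)
#   USER_PASSWORD      password to set for the new user
set -eu

# sAMAccountName guard: 1..20 characters from a conservative, constructed
# allow-list (AD itself forbids "/\[]:;|=,+*?<>@ and control characters).
valid_sam() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 20 ]
}

# Emit the same LDIF the post uses, for an arbitrary user and base DN.
build_ldif() {  # $1 = sAMAccountName, $2 = base DN
  printf 'dn: CN=%s,CN=Users,%s\n' "$1" "$2"
  printf 'objectClass: top\nobjectClass: person\n'
  printf 'objectClass: organizationalPerson\nobjectClass: user\n'
  printf 'cn: %s\nsAMAccountName: %s\nuserAccountControl: 512\n' "$1" "$1"
}

# Create the object from an ephemeral pod, then set the password via the DS API.
# stdin to the pod is: line 1 = admin password, remainder = LDIF. The container
# script reads the first line into a file for ldapadd -y and lets ldapadd consume
# the rest, so no secret appears in the pod spec or in argv inside the pod.
provision_user() {  # $1 = username
  user=$1
  valid_sam "$user" || { echo "invalid sAMAccountName: $user" >&2; return 2; }

  { printf '%s\n' "$AD_ADMIN_PASSWORD"; build_ldif "$user" "$BASE_DN"; } |
  kubectl run ldap-create-user --rm -i --restart=Never \
    --image=alpine:3.19 \
    --env="AD_DNS_IP=$AD_DNS_IP" \
    --env="BIND_DN=CN=Administrator,CN=Users,$BASE_DN" \
    -- sh -c '
      apk add --no-cache openldap-clients >/dev/null &&
      IFS= read -r pw && umask 077 && printf "%s" "$pw" > /tmp/pw &&
      ldapadd -x -H "ldap://$AD_DNS_IP" -D "$BIND_DN" -y /tmp/pw ||
        { rc=$?; [ "$rc" -eq 68 ] && echo "user already exists, continuing" && exit 0; exit "$rc"; }
    '

  # Password step needs no VPC access; it goes through the Directory Service API.
  aws ds reset-user-password \
    --directory-id "$DIRECTORY_ID" \
    --user-name "$user" \
    --new-password "$USER_PASSWORD"
}

# Only provision when explicitly asked, so sourcing the file is side-effect free.
if [ "${LDAP_PROVISION_RUN:-0}" = "1" ]; then
  provision_user "$1"
fi
```

Run it from the Terraform local-exec as LDAP_PROVISION_RUN=1 ./provision.sh newuser with the variables exported from your secrets source. Exit code 68 from ldapadd is the one failure treated as success; every other LDAP error still fails the apply, which is the behaviour you want when a bind password or DN is wrong.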
What this gets you
- Full terraform apply from zero to a running WorkSpace with a real user — no console clicks
- The container is ephemeral — no standing EC2 instance, no RSAT licensing, no Windows AMI to maintain
- Idempotent — ldapadd failures (user already exists) are caught and don’t fail the run
This is not a proof of concept. It’s running in production, provisioning encrypted WorkSpaces on terraform apply with no human in the loop.