Introduction
This process creates a simple Workspot pilot deployment for Workspot on Amazon Workspaces Core. The majority of the process is automated via PowerShell and Terraform scripts.
After completing the procedures in this document, administrators will be able to:
Create fully functional Workspot Cloud Desktops and Cloud Application servers from the Amazon Workspaces Core Cloud.
Manage all resources through Workspot Control.
End-users will be able to access their Workspot Desktops and Applications securely via the Workspot Client.
The difference between the pilot deployment described here and a production deployment is primarily as follows:
The AD Domain Controller created here is a standalone instance that doesn’t communicate with your production Domain Controller.
The virtual networks declared here are chosen arbitrarily rather than being chosen to work with your WAN/LAN routing.
Advanced configuration such as multi-factor authentication, posture checking, and so on are not configured.
Prerequisites
A Windows PC with Administrative access on which to run:
PowerShell
Amazon AWS Command-Line Interface
Terraform
An AWS account with permissions to create a Terraform service account with the permissions required by Terraform.
A Workspot account and access to Workspot Control with full Administrator permissions.
Create Your Workspot Account
In a browser, go to https://service.us.workspot.com/#signupaws.
Fill in the form. Critical fields:
The “Corporate Email” address will be used as the administrative account for your Workspot Deployment. Domains such as “gmail.com” are not allowed.
Set “Company Headquarters” to your actual corporate headquarters location, not your personal location.
Set the “Control Deployment Location” to “European Union” if your HQ is in the EU, and “United States” otherwise.
Press “Sign Up.”
Wait for the email sent to the address you provided. This may take a few minutes.
Click the link. You will see a second form:
Fill in the form. Notable fields:
The “Company Identifier” field:
Is used by all your end-users when they use the Workspot Client for the first time.
Is part of the URLs you use to access Workspot Control, Watch and Trends.
Should be a version of your organization’s name.
Cannot contain punctuation or special characters except for a hyphen.
The password will be used along with the email address you provided in the previous form when you sign into Workspot Control.
Press Register.
You will be signed in automatically to the “Add Public Cloud” page of Workspot Control, with “Workspot on Amazon Workspaces Core” already selected.
Leave this browser tab open. We will return to it soon.
Create an IAM user in AWS
Amazon AWS must be configured to allow the scripting operations that will be performed by the AWS Windows Command-Line Interface (CLI) and Terraform.
We will ensure that the user account used for the AWS CLI operations and Terraform has programmatic access (Access Key and Secret) and the permissions below. (These are different from the Workspot Control service account user and permissions.)
Permissions Summary
The permissions in the table below will be set during the procedure.
| Category | Required Actions |
| --- | --- |
| Create EC2 Infra (Terraform) | ec2:*, VPC, subnet, NAT, SG, DHCP actions |
| Create IAM users/roles via CLI | iam:*, iam:PassRole |
| Create AMI from S3 VHD | ec2:ImportImage, s3:GetObject, etc. |
| Create a Key pair via AWS CLI, import via Terraform | ec2:CreateKeyPair, ec2:ImportKeyPair, etc. |
Create the Policy on the AWS IAM Console
Go to “IAM Console > Policies.”
Click “Create policy.”
Choose the “JSON” tab.
Paste the JSON code from Terraform_iam_permissions_v2.json below into your new policy.
Click “Next,” review, and give your policy a name (Terraform_AWSCLI_permissions).
Click “Create policy.”
Create IAM User
Go to IAM Console.
Click “Create user”.
Provide an appropriate Username: e.g., terraform-deployer, automation-user, etc.
Leave the checkbox for “Provide user access to the AWS Management Console - optional” unchecked. This denies console sign-in to the new user account, which only needs programmatic access.
Click Next.
Click “Set permissions > Attach policies directly.”
Search for the policy name you created (Terraform_AWSCLI_permissions).
Select it and click “Next > Add permissions.”
Optionally, you can add tags like: “Terraform”
Review user details and permissions and click “Create user.”
Download Access Credentials
Go to “IAM > Users > Search” and select the user account you created in the previous step.
Click on the “Security Credentials > Access Keys.” Click on “Create Access Key.”
On the next screen, select “CLI” and click “Next.”
Optionally, you can provide a tag for your identification, then click on Create Access Key.
Make sure you download and securely save the following credentials (created above):
Access Key ID
Secret Access Key
We will use these to set the AWS CLI and provide them during the Terraform Deployment.
Set up the environment to run AWS
Download the latest AWS CLI Setup Installer from https://awscli.amazonaws.com/AWSCLIV2.msi.
Install the downloaded CLI executable.
Open powershell.exe in Admin mode (this procedure does not work in ISE).
Type the following command:
AWS --version
This should return aws-cli/2.27.25 or higher.
To configure the CLI with the account, type:
AWS configure
This will prompt for:
AWS Access Key ID: The Access Key ID saved in a previous step.
AWS Secret Access Key: The Secret Access Key saved in a previous step.
Default region name: The AWS code of your preferred region, such as us-east-1.
Default output format: JSON.
Once these values are provided, proceed to the next step.
Create Workspot Role
This step creates a Workspot Role on the AWS Console with the necessary permissions.
Workspot Role Permissions
The following permissions are for reference: they will be set by the script below.
| Category | Permissions |
| --- | --- |
| EC2 - Instance Lifecycle | ec2:RunInstances, ec2:StartInstances, ec2:StopInstances, ec2:RebootInstances, ec2:TerminateInstances |
| EC2 - Instance Info | ec2:DescribeInstances, ec2:DescribeInstanceStatus, ec2:DescribeInstanceTypes, ec2:DescribeTags |
| EC2 - Images/Snapshots | ec2:CreateImage, ec2:DescribeImages, ec2:DeregisterImage, ec2:DescribeSnapshots, ec2:DeleteSnapshot |
| EC2 - Networking | ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeSecurityGroups, ec2:DescribeNetworkInterfaces, ec2:GetSecurityGroupsForVpc |
| EC2 - Tags | ec2:CreateTags, ec2:DeleteTags |
| EC2 - Regions & Placement | ec2:DescribeRegions, ec2:DescribePlacementGroups, ec2:CreatePlacementGroup, ec2:DeletePlacementGroup |
| EC2 - Volumes | ec2:DescribeVolumes |
| EC2 - Elastic IP (EIP) | ec2:AllocateAddress, ec2:AssociateAddress, ec2:DisassociateAddress, ec2:ReleaseAddress, ec2:DescribeAddresses |
| Workspaces - Instances | workspaces-instances:* |
| KMS - Encryption | kms:Encrypt, kms:Decrypt, kms:GenerateDataKey* |
| SSM - Parameters | ssm:GetParameter, ssm:GetParameters |
Create Workspot Role and Account via PowerShell
The PowerShell Script below will create the necessary role and permissions needed to configure the Workspot on Amazon WorkSpaces Core account on Workspot Control. This script also generates a Key-Pair on the console, which will be used during the Terraform Deployment.
Preparing the PowerShell Script
Download the setup-workspot-role_keypair_slr.ps1 script.
Open the script in a text editor such as Notepad++ and update the variables at the top of the file as needed.
Most of these values can be left at their defaults, but make sure the $Region variable matches the region you specified earlier.
Running the PowerShell Script and Adding the Amazon Cloud in Workspot Control
This step uses both the PowerShell Script and Workspot Control. It is best to run both on the same device.
In your browser, return to the Workspot Control “Add Public Cloud” tab we left open.
If your session has timed out:
Sign into Control again using the email and password you set earlier.
Go to “Setup > Cloud > Add Public Cloud.”
Choose the name Control will use when referring to this Cloud and type it into the “Name” field.
Select “Workspot on Amazon WorkSpaces Core” as the “Configuration Type.”
Click “Get ARN” if the “Workspot Control ARN” field is empty.
Enter your AWS Account ID in the “Account Number” field.
Leave “Assumed Role ARN” blank for the moment. We will fill it in soon with information from the PowerShell script.
Enter the “Region” you have specified before in the “Region” field.
Select “Use AWS-Workspot license.”
DO NOT click “Save” yet.
Run the script in powershell.exe in Administrative mode (do not run it in ISE).
Copy the line below the one that says “Please provide the following Role ARN to Workspot.”
Paste this line into the “Assumed Role ARN” field in Workspot Control.
Still in Workspot Control, copy the “Workspot Control ARN” field by clicking the “Copy” icon.
If the “Get ARN” button isn’t grayed out, the ARN has expired. Click “Get ARN” to generate a new one, then copy it.
DO NOT hit “Save” yet.
Back in PowerShell, paste the ARN at the “Enter the Control User ARN provided by Workspot” prompt.
Hit Enter in PowerShell.
Wait for the PowerShell script to complete.
This sets the permissions on the account and generates the key pair that will be used in our Terraform deployments.
After the script completes, return to Workspot Control and click “Save.”
If Save returns an error, click the Save button again. Repeat as necessary at roughly one-minute intervals until the Save operation succeeds.
Script Notes
This PowerShell script performs the following actions using the AWS CLI:
Retrieves the AWS account ID.
Creates a trust policy JSON document and uses it to create an IAM role.
Generates a permissions policy JSON document and uses it to create a custom IAM policy.
Attaches the policy to the IAM role.
Prompts the user to input the Workspot Control User ARN and updates the role trust policy accordingly.
Creates an EC2 RSA key pair (PEM format) and saves it to the user's Downloads folder.
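The sequence of AWS CLI calls listed above, written out as an added illustration; this is not Workspot's setup-workspot-role_keypair_slr.ps1. The role, policy and key-pair names are assumptions, the action list is the Workspot Role Permissions table, and the trust policy is tightened to the Workspot Control ARN after it is entered, so that no other principal can assume the role.

```powershell
# Added illustration of the steps listed above; it is not Workspot's setup-workspot-role_keypair_slr.ps1.
# Role, policy and key-pair names are assumed; the action list is the Workspot Role Permissions table.
$ErrorActionPreference = 'Stop'
$Region     = 'us-east-1'               # must match the region given to "aws configure"
$RoleName   = 'WorkspotControlRole'     # assumed name
$PolicyName = 'WorkspotControlPolicy'   # assumed name
$KeyName    = 'workspot-terraform-key'  # assumed name, later referenced from terraform.tfvars

function New-JsonFile($Path, $Object) {   # IAM documents need Depth > 2 or nested blocks are flattened
  ConvertTo-Json -InputObject $Object -Depth 6 | Set-Content -Path $Path -Encoding ascii
}

# 1. Account id behind the configured CLI credentials
$AccountId = aws sts get-caller-identity --query Account --output text

# 2. Create the role with a placeholder trust policy (only this account) until Control's ARN is known
New-JsonFile 'trust.json' @{ Version='2012-10-17'; Statement=@(@{ Effect='Allow'
  Principal=@{ AWS="arn:aws:iam::${AccountId}:root" }; Action='sts:AssumeRole' }) }
aws iam create-role --role-name $RoleName --assume-role-policy-document file://trust.json | Out-Null

# 3. Customer-managed policy with exactly the actions from the table, attached to the role
$Actions = @(
  'ec2:RunInstances','ec2:StartInstances','ec2:StopInstances','ec2:RebootInstances','ec2:TerminateInstances',
  'ec2:DescribeInstances','ec2:DescribeInstanceStatus','ec2:DescribeInstanceTypes','ec2:DescribeTags',
  'ec2:CreateImage','ec2:DescribeImages','ec2:DeregisterImage','ec2:DescribeSnapshots','ec2:DeleteSnapshot',
  'ec2:DescribeVpcs','ec2:DescribeSubnets','ec2:DescribeSecurityGroups','ec2:DescribeNetworkInterfaces',
  'ec2:GetSecurityGroupsForVpc','ec2:CreateTags','ec2:DeleteTags','ec2:DescribeRegions',
  'ec2:DescribePlacementGroups','ec2:CreatePlacementGroup','ec2:DeletePlacementGroup','ec2:DescribeVolumes',
  'ec2:AllocateAddress','ec2:AssociateAddress','ec2:DisassociateAddress','ec2:ReleaseAddress','ec2:DescribeAddresses',
  'workspaces-instances:*','kms:Encrypt','kms:Decrypt','kms:GenerateDataKey*','ssm:GetParameter','ssm:GetParameters')
New-JsonFile 'policy.json' @{ Version='2012-10-17'; Statement=@(@{ Effect='Allow'; Action=$Actions; Resource='*' }) }
$PolicyArn = aws iam create-policy --policy-name $PolicyName --policy-document file://policy.json `
               --query Policy.Arn --output text
aws iam attach-role-policy --role-name $RoleName --policy-arn $PolicyArn

# 4. Replace the trust policy so that only the Workspot Control principal may assume the role
$ControlArn = Read-Host 'Enter the Control User ARN provided by Workspot'
if ($ControlArn -notmatch '^arn:aws:iam::\d{12}:(user|role)/\S+$') { throw "Not an IAM principal ARN: $ControlArn" }
New-JsonFile 'trust.json' @{ Version='2012-10-17'; Statement=@(@{ Effect='Allow'
  Principal=@{ AWS=$ControlArn }; Action='sts:AssumeRole' }) }
aws iam update-assume-role-policy --role-name $RoleName --policy-document file://trust.json

# 5. Key pair for the Terraform-built servers; AWS returns the private key exactly once, so save it now
$PemPath = Join-Path $HOME "Downloads\$KeyName.pem"
aws ec2 create-key-pair --key-name $KeyName --region $Region --query KeyMaterial --output text |
  Set-Content -Path $PemPath -Encoding ascii
Write-Host "Private key saved to $PemPath"
Write-Host 'Please provide the following Role ARN to Workspot:'
Write-Host "arn:aws:iam::${AccountId}:role/$RoleName"
```

The .pem file is the only copy of the private key, so restrict its file permissions to your own account and never commit it alongside the Terraform files.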
Create a Windows Desktop Image
Amazon WorkSpaces Core will allow us to create Windows Server VMs directly, but not Windows Desktop VMs. This currently makes the creation of Desktop Windows templates more complex.
In the following sections, we will:
Select (or create) a Windows 11 Generation 2 Disk Image in Hyper-V
First, we need to create a Windows 10 or Windows 11 Generation 2 Disk Image on Hyper-V.
Follow the procedure in this article.
The article was written for GCP, but the image-creation procedure is identical for Amazon WorkSpaces Core.
Follow the procedure through its initial steps:
Enabling Hyper-V
Creating a VM on Hyper-V
Enabling Remote Connection and disabling NLA
Convert the disk into a VHD
Then stop. Do not follow the later steps starting with “Uploading and importing the image on GCP.”
Continue with the procedures below.
Upload the VHD Image to an Amazon S3 bucket
The next step is to upload the image to Amazon, using an Amazon S3 bucket:
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the left navigation pane, choose Buckets.
In the Buckets list, choose the name of the bucket that you want to upload your VHD to.
Choose Upload.
In the Upload window, do one of the following:
Drag and drop files and folders into the Upload window.
Choose Add file, choose the VHD file to upload, and choose Open.
Choose “Upload” (at the bottom of the page), to upload the listed files and folders without configuring additional upload options.
Wait for the upload to complete, until you see a success message on the “Upload: status” page.
Import VHD on AWS and Create an AMI
The next step is to import the VHD image and convert it into an AMI image. The script S3_image_import.ps1 performs all the steps of this process.
Download S3_image_import.ps1.
In a text editor such as Notepad++, update the following variables in the USER INPUT section at the top of the file:
$BucketName = "your-s3-bucket-name"
$ObjectKey = "folder/subfolder/your-image.vhd" # (Do not give the Bucket name)
$DiskFormat = "vhd" # Use "vhdx" or "vmdk" as applicable
$Description = "Windows 11 Custom Image" # User selected string
$UEFIBoot = $true # Set to $true or $false as applicable (must be $true for Windows 11)
Run the script in powershell.exe.
The script will do the following:
Create the IAM role.
Create the JSON policy files.
Create the AWS import command.
Wait for the script to complete. It will take longer with larger disk sizes.
Copy the ImportTaskID from the above output and paste it into the command below to track the import process:
aws ec2 describe-import-image-tasks --import-task-ids [import-ami-taskID]
Once the AMI creation is complete, the command output shows the task status as completed.
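The three script steps and the tracking command above, written out as an added illustration; this is not Workspot's S3_image_import.ps1. It uses the USER INPUT values from the text and assumes the role name vmimport, which is the name the AWS VM Import service expects; the trust policy is limited to that service with the vmimport external id, and the bucket policy to the one bucket holding the VHD.

```powershell
# Added illustration of the import flow described above; it is not Workspot's S3_image_import.ps1.
# Uses the five USER INPUT values from the text; "vmimport" is the role name the AWS VM Import service requires.
$ErrorActionPreference = 'Stop'
$BucketName  = 'your-s3-bucket-name'
$ObjectKey   = 'folder/subfolder/your-image.vhd'   # key only, no bucket name
$DiskFormat  = 'vhd'
$Description = 'Windows 11 Custom Image'
$UEFIBoot    = $true                               # must be $true for Windows 11

function New-JsonFile($Path, $Object) {
  ConvertTo-Json -InputObject $Object -Depth 6 | Set-Content -Path $Path -Encoding ascii
}

# 1. Service role: only vmie.amazonaws.com may assume it, and only with the "vmimport" external id
New-JsonFile 'trust-policy.json' @{ Version='2012-10-17'; Statement=@(@{ Effect='Allow'
  Principal=@{ Service='vmie.amazonaws.com' }; Action='sts:AssumeRole'
  Condition=@{ StringEquals=@{ 'sts:Externalid'='vmimport' } } }) }
aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json | Out-Null

# 2. Inline policy: read access to this one bucket plus the EC2 calls that register the AMI
New-JsonFile 'role-policy.json' @{ Version='2012-10-17'; Statement=@(
  @{ Effect='Allow'; Action=@('s3:GetBucketLocation','s3:GetObject','s3:ListBucket')
     Resource=@("arn:aws:s3:::$BucketName", "arn:aws:s3:::$BucketName/*") },
  @{ Effect='Allow'; Action=@('ec2:ModifySnapshotAttribute','ec2:CopySnapshot','ec2:RegisterImage','ec2:Describe*')
     Resource='*' }) }
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

# 3. Disk container pointing at the uploaded object, then the import itself
New-JsonFile 'containers.json' @(@{ Description=$Description; Format=$DiskFormat
  UserBucket=@{ S3Bucket=$BucketName; S3Key=$ObjectKey } })
$BootMode = if ($UEFIBoot) { 'uefi' } else { 'legacy-bios' }
$TaskId = aws ec2 import-image --description $Description --platform Windows --license-type BYOL `
            --boot-mode $BootMode --disk-containers file://containers.json --query ImportTaskId --output text
Write-Host "ImportTaskId: $TaskId"

# 4. Poll the task; Status stays "active" while StatusMessage moves through the conversion stages
do {
  Start-Sleep -Seconds 60
  $Task = (aws ec2 describe-import-image-tasks --import-task-ids $TaskId --output json | ConvertFrom-Json).ImportImageTasks[0]
  Write-Host ('{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm:ss'), $Task.Status, $Task.StatusMessage)
} while ($Task.Status -eq 'active')
if ($Task.Status -ne 'completed') { throw "Import ended with status '$($Task.Status)'" }
Write-Host "AMI created: $($Task.ImageId)"
```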
Manual AMI Creation (Alternate Method)
For the manual AMI creation steps, refer to the document Creating Workspot Template for AWS EC2.
Installing and configuring Terraform
To create the Workspot on AWS WorkSpaces Core deployment, including subnets, servers, an Active Directory Domain Controller, and a Workspot Enterprise Connector, you must first install Terraform on your local Windows device.
Download Terraform for Windows from https://developer.hashicorp.com/terraform/install.
Do this on the same system and user as the AWS CLI above.
Extract the file into c:\Terraform.
The next step is to set up the environment variable. Under System Properties (View Advanced System Settings) > Advanced > Environment Variables, under User Variables for <UserName>, select Path and click Edit, then New, and enter the path where you copied terraform.exe (c:\Terraform).
Once it is applied, open a PowerShell window and type:
terraform version
It should display the Terraform version if the environment variable is set correctly.
Download AWS_Terraform.zip.
Extract the files in AWS_Terraform.zip to the folder where you want the project files to be located. Go to the folder with the files you just extracted.
Populate the variables in the Terraform.tfvars file. Open it in Notepad++, edit the values as suggested in the comments, then save and close the file.
Deploying the Workspot for Amazon WorkSpaces Core Landing Zone
Open a PowerShell window if you haven’t done this already.
Go to the directory where you extracted AWS_Terraform.zip.
To initialize Terraform, enter:
terraform init
Once the initialization is completed, type:
terraform plan
You will see all the resources that would be deployed. Review them and proceed with the next step.
Type:
terraform apply
Answer yes to the “Enter a value” prompt if you are ready to make the changes. This applies all the changes.
The Terraform script deploys the following resources:
A VPC and subnets for DMZ, management, and virtual machines.
Internet and NAT gateways for controlled internet access.
Custom route tables for traffic management.
DHCP options for DNS and domain configuration.
Security groups for resource-level access control.
Windows Server VMs:
Utility Server
Workspot Enterprise Connector Server
Active Directory Domain Controller
Workspot Cloud Application Server
The Windows Template you uploaded earlier.
Steps to log in to Windows Server VMs
The Windows Server VMs created above need to have a key pair applied before we can sign in. In this document, we initially created a key pair using a PowerShell script. This generated a private key (.pem file) and saved it in the PowerShell session directory. We then provided the key name in the Terraform variable file to use for our server deployments.
For each Windows Server VM created by Terraform, follow the steps below to retrieve and decrypt the Administrator password:
On the AWS Console, navigate to “EC2 > Instances.” Select the instance you want to log into.
On the Instance details page, click on the "Connect" button at the top.
In the connection options, choose the "RDP Client" tab.
Click on "Get Password". (If this option is greyed out, wait a few minutes after instance launch and try again.)
You will see a prompt to upload your private key file (the .pem file you downloaded using the PowerShell script).
Click "Browse" and select your private key file to upload the private key contents.
Next, click on Decrypt password.
This will provide the username and password you can login with.
Completing the Configuration
Configure the AD Domain Controller. Do this first.
Install Workspot Enterprise Connector on the VM created for the purpose by Terraform. See Workspot Enterprise Connector.
Create a Workspot Managed Gateway via Workspot Control. See Managed Gateways (Gateway Clusters).
Create a Desktop Pool. See Control: Desktop Pools.
Download and use the Workspot Client. See Workspot Client Downloads and User Self-Registration and Resource Entitlements.
(Optional) Create an Application Server Pool. See Workspot Application Server Pools (Cloud App Pools).
(Optional) Create Web Applications. See The Workspot Browser and Web Applications.
Next Steps
You have created a complete, working Workspot for Amazon WorkSpaces Core deployment, one that is isolated from your production environment through its use of subnets that are not connected to your corporate network and an isolated Active Directory Domain Controller.
Your next steps are:
To test this deployment thoroughly.
To plan your production deployment that dovetails with your corporate networking, authentication, and other requirements.
Deleting the Infrastructure
Using the Terraform command, we can also remove the resources we have built earlier if we are done with the deployment.
Note: The Terraform destroy command will only delete what was created by Terraform. Resources created outside Terraform, such as IAM accounts, AMIs, key pairs, Gateways, Templates, Pool VDIs, or any others, must be deleted manually before running the Terraform destroy command.
To destroy the previously created resources, follow the instructions:
Open the command prompt and change to the directory where the project-related Terraform files are placed.
To initialize Terraform, enter:
terraform init
Once Terraform is initialized, enter:
terraform destroy
This will list the infrastructure that will be destroyed. Type yes to give the final confirmation to delete the resources.
Any components built in the AWS Account using anything except Terraform must be deleted manually.