Error creating workspace deployed via. `aws_workspaces_directory`: There was an issue joining the WorkSpace to your domain

Hi there,

I’m trying to setup AWS Workspaces VDI via. Terraform. I’ve created a module largely based off the example code – it creates a standalone SimpleAD in my existing VPC on two subnets. It then sets up the directory connection. This all seems to go well and I can go into the AWS console and see things appears to be setup correctly.

In the AWS console, I then attempt to create a workspace using the console. After taking 10 - 20 minutes I get an error under the workspace:

Status:          ERROR
Failure Message: There was an issue joining the WorkSpace to your domain. 
                 Verify that your service account is allowed to complete domain join 
                 operations. If you continue to see an issue, contact AWS Support.

I’ve tried Linux vs. Windows, encrypted vs. not, etc. All to no avail…

So my question is where do I start? It all looks completely cryptic with zero logs showing me where to look. I’ve trawled the docs and from what I can tell I have everything setup correctly.

I’ve tried changing the config to omit the default_ou and custom_security_group_id and that doesn’t work either.

I’d appreciate any pointers or redirect to a more appropriate forum.

Thank you,

resource "aws_workspaces_directory" "this" {
  directory_id =
  subnet_ids   = var.directory_subnet_ids

  tags = {

  self_service_permissions {
    change_compute_type  = true
    increase_volume_size = true
    rebuild_workspace    = true
    restart_workspace    = true
    switch_running_mode  = true

  workspace_creation_properties {
    custom_security_group_id            = var.workspaces_security_group_id
    default_ou                          = "OU=ABCXYX,DC=workspaces,DC=abcxyz,DC=io"
    enable_internet_access              = true
    enable_maintenance_mode             = true
    user_enabled_as_local_administrator = true

  depends_on = [

resource "aws_directory_service_directory" "this" {
  name     = ""
  password = var.workspaces_directory_service_password
  size     = "Small"

  vpc_settings {
    vpc_id     = var.subnet_vpc_id
    subnet_ids = var.directory_subnet_ids

data "aws_iam_policy_document" "workspaces" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = [""]

resource "aws_iam_role" "workspaces_default" {
  name               = "workspaces_DefaultRole"
  assume_role_policy = data.aws_iam_policy_document.workspaces.json

resource "aws_iam_role_policy_attachment" "workspaces_default_service_access" {
  role       =
  policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess"

resource "aws_iam_role_policy_attachment" "workspaces_default_self_service_access" {
  role       =
  policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess"

Hi @nigelellis, Did you fix this problem? I’m too facing the same issue.

Looks like the problem is with the default_ou, I manually removed the default_ou from the AWS console and it worked.

Yes, that was indeed the issue - figured it out yesterday. Looks like you need to manually create the target OU in the AD before you can use it.