Provision Vault passwords;Reorder group membership

2021-03-10 10:02:55 +01:00 · 2021-03-10 10:02:55 +01:00 · 03f800c623
commit 03f800c623
parent b6c7475673
4 changed files with 95 additions and 24 deletions
--- a/scripts/ADDS/payload/Provision-VaultPassword.ps1
+++ b/scripts/ADDS/payload/Provision-VaultPassword.ps1
@ -0,0 +1,33 @@
+[CmdletBinding()]
+Param(
+    [Parameter()]
+    [string]$VaultAPIAddress,
+    [Parameter()]
+    [string]$VaultToken,
+    [Parameter()]
+    [string]$VaultPwPolicy,
+    [Parameter(Mandatory)]
+    [string]$Container,
+    [Parameter(Mandatory)]
+    [string]$Username
+)
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
+    Headers = @{'X-Vault-Token'="$VaultToken"} 
+}
+$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/secret/data/$($Container)"
+    Method  = 'POST'
+    Headers = @{'X-Vault-Token'="$VaultToken"}
+    Body    = @{
+        data = @{
+            "password.$($Username)" = $NewPassword
+        }
+    } | ConvertTo-Json
+}
+Invoke-WebRequest @InvokeWebRequestSplat
+
+Return $NewPassword
--- a/scripts/ADDS/payload/scripts/02.Groups.yml
+++ b/scripts/ADDS/payload/scripts/02.Groups.yml
@ -1,28 +1,28 @@
 SecurityGroups:
-  # Role groups
- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
-
 # Resource groups
 - DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
  Description: ''
  Scope: 'DomainLocal'
-  MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
-  - CN=Firewall administrators,OU=Roles,OU=Groups
+  MemberOf: []
 - DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
  Description: ''
  Scope: 'DomainLocal'
-  MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
+  MemberOf: []
 - DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
  Description: ''
  Scope: 'DomainLocal'
+  MemberOf: []
+
+# Role groups
+- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
  MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
+  - CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
+  - CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
+- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
+  MemberOf:
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
--- a/scripts/ADDS/payload/scripts/03.Users.yml
+++ b/scripts/ADDS/payload/scripts/03.Users.yml
@ -1,7 +1,7 @@
 Users:
 - DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
-  Password: Complex42!
-  # Password: "{{ password.janedoe }}"
+  # Password: Complex42!
+  Password: "{{ password.janedoe }}"
  MemberOf: []
 - DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
  Password: Complex42!
@ -13,8 +13,8 @@ Users:
  Password: Complex42!
  MemberOf: []
  
-# ---
-# Variables:
-# - Name: password.janedoe
-#   Expression: |
-#     (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password
+---
+Variables:
+- Name: password.janedoe
+  Expression: |
+    & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
--- a/scripts/Update-OvfConfiguration.yml
+++ b/scripts/Update-OvfConfiguration.yml
@ -97,7 +97,45 @@ PropertyCategories:
    - primary
    - standalone
    UserConfigurable: true
- Name: 4) DHCP default scope
+- Name: 4) Credential Management
+  ProductProperties:
+  - Key: vault.api
+    Type: string
+    Label: Vault API address
+    Description: The uri on which a HashiCorp Vault REST API can be reached
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.token
+    Type: string
+    Label: Vault API token
+    Description: An access token which has permissions to read/write to the Vault secrets engine
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.pwpolicy
+    Type: string
+    Label: Vault password policy
+    Description: A Vault password policy which determines complexity rules for generated passwords
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.secret
+    Type: string
+    Label: Vault secret name
+    Description: The name of the secret that all generated passwords will be stored in (as key/value pairs)
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+- Name: 5) DHCP default scope
  ProductProperties:
  - Key: dhcpconfig.startip
    Type: ip