From 03f800c6237b9c8f85068d3e89712ed2c99b5204 Mon Sep 17 00:00:00 2001
From: djpbessems
Date: Wed, 10 Mar 2021 10:02:55 +0100
Subject: [PATCH] Provision Vault passwords;Reorder group membership
---
.../ADDS/payload/Provision-VaultPassword.ps1 | 33 +++++++++++++++
scripts/ADDS/payload/scripts/02.Groups.yml | 32 +++++++--------
scripts/ADDS/payload/scripts/03.Users.yml | 14 +++----
scripts/Update-OvfConfiguration.yml | 40 ++++++++++++++++++-
4 files changed, 95 insertions(+), 24 deletions(-)
create mode 100644 scripts/ADDS/payload/Provision-VaultPassword.ps1
diff --git a/scripts/ADDS/payload/Provision-VaultPassword.ps1 b/scripts/ADDS/payload/Provision-VaultPassword.ps1
new file mode 100644
index 0000000..5f4f4c0
--- /dev/null
+++ b/scripts/ADDS/payload/Provision-VaultPassword.ps1
@@ -0,0 +1,33 @@
+[CmdletBinding()]
+Param(
+ [Parameter()]
+ [string]$VaultAPIAddress,
+ [Parameter()]
+ [string]$VaultToken,
+ [Parameter()]
+ [string]$VaultPwPolicy,
+ [Parameter(Mandatory)]
+ [string]$Container,
+ [Parameter(Mandatory)]
+ [string]$Username
+)
+
+$InvokeWebRequestSplat = @{
+ Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
+ Headers = @{'X-Vault-Token'="$VaultToken"}
+}
+$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
+
+$InvokeWebRequestSplat = @{
+ Uri = "$($VaultAPIAddress)/secret/data/$($Container)"
+ Method = 'POST'
+ Headers = @{'X-Vault-Token'="$VaultToken"}
+ Body = @{
+ data = @{
+ "password.$($Username)" = $NewPassword
+ }
+ } | ConvertTo-Json
+}
+Invoke-WebRequest @InvokeWebRequestSplat
+
+Return $NewPassword
\ No newline at end of file
diff --git a/scripts/ADDS/payload/scripts/02.Groups.yml b/scripts/ADDS/payload/scripts/02.Groups.yml
index b12ae65..66af161 100644
--- a/scripts/ADDS/payload/scripts/02.Groups.yml
+++ b/scripts/ADDS/payload/scripts/02.Groups.yml
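Review bot: The password-policy request on the first `Uri =` line interpolates `$VaultPasswordPolicy`, but the declared parameter is `$VaultPwPolicy`, so the policy segment is always empty and the call goes to `/sys/policies/password//generate`; it should read `Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPwPolicy)/generate"`. The bare `Invoke-WebRequest @InvokeWebRequestSplat` near the end also writes its response object to the pipeline, so a caller of this script receives that object before the value on the `Return $NewPassword` line; discard it with `$null = Invoke-WebRequest @InvokeWebRequestSplat`. Note as well that a POST to `secret/data/<path>` on a KV v2 engine writes a new version containing exactly the supplied `data` map rather than merging, so if several users' passwords are meant to share one secret (as the `vault.secret` description in Update-OvfConfiguration.yml says), each run would drop the keys stored by earlier runs unless the existing data is read and merged first — worth confirming against the secrets engine in use.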
@@ -1,28 +1,28 @@
 SecurityGroups:
- # Role groups
-- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
- Description: ''
- Scope: 'Global'
- MemberOf: []
-- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
- Description: ''
- Scope: 'Global'
- MemberOf: []
- # Resource groups
 - DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
 Description: ''
 Scope: 'DomainLocal'
- MemberOf:
- - CN=Hypervisor administrators,OU=Roles,OU=Groups
- - CN=Firewall administrators,OU=Roles,OU=Groups
+ MemberOf: []
 - DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
 Description: ''
 Scope: 'DomainLocal'
- MemberOf:
- - CN=Hypervisor administrators,OU=Roles,OU=Groups
+ MemberOf: []
 - DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
 Description: ''
 Scope: 'DomainLocal'
+ MemberOf: []
+
+# Role groups
+- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
+ Description: ''
+ Scope: 'Global'
 MemberOf:
- - CN=Hypervisor administrators,OU=Roles,OU=Groups
+ - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
+ - CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
+ - CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
+- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
+ Description: ''
+ Scope: 'Global'
+ MemberOf:
+ - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
diff --git a/scripts/ADDS/payload/scripts/03.Users.yml b/scripts/ADDS/payload/scripts/03.Users.yml
index 5b1227b..d276bbb 100644
--- a/scripts/ADDS/payload/scripts/03.Users.yml
+++ b/scripts/ADDS/payload/scripts/03.Users.yml
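Review bot: The `# Resource groups` header is removed together with the old role-group block but never re-added above the `CN=RemoteDesktop - Management servers` entry, while `# Role groups` is re-added at the bottom, so the three resource entries that now open the list are unlabelled; re-add `# Resource groups` directly under `SecurityGroups:`. Because the role groups now name the resource groups by DN in `MemberOf`, the order of entries in this file presumably matters to whatever applies it sequentially, and that constraint deserves a line of its own, e.g. `# Resource groups come first so they exist before the role groups that list them in MemberOf`. If the consumer resolves memberships in a second pass instead, the comment should say so rather than leave the reordering unexplained.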
@@ -1,7 +1,7 @@
 Users:
 - DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
- Password: Complex42!
- # Password: "{{ password.janedoe }}"
+ # Password: Complex42!
+ Password: "{{ password.janedoe }}"
 MemberOf: []
 - DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
 Password: Complex42!
@@ -13,8 +13,8 @@ Users:
 Password: Complex42!
 MemberOf: []
-# ---
-# Variables:
-# - Name: password.janedoe
-# Expression: |
-# (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password
\ No newline at end of file
+---
+Variables:
+- Name: password.janedoe
+ Expression: |
+ & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
diff --git a/scripts/Update-OvfConfiguration.yml b/scripts/Update-OvfConfiguration.yml
index b0752b4..7ab202f 100644
--- a/scripts/Update-OvfConfiguration.yml
+++ b/scripts/Update-OvfConfiguration.yml
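Review bot: The added `# Password: Complex42!` line keeps a commented-out literal credential next to the live `Password: "{{ password.janedoe }}"` value for Jane Doe; now that the vault template is the active setting, the commented line should be deleted rather than left in a file that is likely to be committed and copied around. The other accounts in the surrounding context still carry the same literal `Password: Complex42!`, which this commit does not touch; if they are meant to move to vault-provisioned values too, a short `# TODO: migrate remaining accounts to password.<name> variables` above `Users:` would record that.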
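Review bot: The `Expression:` block hard-codes `-Username 'janedoe'` separately from `Name: password.janedoe`, and Provision-VaultPassword.ps1 stores the value under the key `password.<Username>`, so the variable name and the secret key are kept consistent only by hand; a comment on the entry such as `# Username must match the suffix of Name: the script stores the value under password.<Username>` makes the coupling explicit. `$PSScriptRoot` inside an expression evaluated from YAML resolves to the directory of whichever script evaluates it, not of this file, so the `..\Provision-VaultPassword.ps1` path presumably assumes the evaluator lives in `scripts/ADDS/payload/scripts`; that assumption is worth confirming and noting. The token is passed as a plain argument via `-VaultToken $Parameter['vault.token']`, so if the evaluator echoes or logs expressions it will log the token; confirm it does not.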
@@ -97,7 +97,45 @@ PropertyCategories:
 - primary
 - standalone
 UserConfigurable: true
-- Name: 4) DHCP default scope
+- Name: 4) Credential Management
+ ProductProperties:
+ - Key: vault.api
+ Type: string
+ Label: Vault API address
+ Description: The uri on which a HashiCorp Vault REST API can be reached
+ DefaultValue: ''
+ Configurations:
+ - primary
+ - standalone
+ UserConfigurable: true
+ - Key: vault.token
+ Type: string
+ Label: Vault API token
+ Description: An access token which has permissions to read/write to the Vault secrets engine
+ DefaultValue: ''
+ Configurations:
+ - primary
+ - standalone
+ UserConfigurable: true
+ - Key: vault.pwpolicy
+ Type: string
+ Label: Vault password policy
+ Description: A Vault password policy which determines complexity rules for generated passwords
+ DefaultValue: ''
+ Configurations:
+ - primary
+ - standalone
+ UserConfigurable: true
+ - Key: vault.secret
+ Type: string
+ Label: Vault secret name
+ Description: The name of the secret that all generated passwords will be stored in (as key/value pairs)
+ DefaultValue: ''
+ Configurations:
+ - primary
+ - standalone
+ UserConfigurable: true
+- Name: 5) DHCP default scope
 ProductProperties:
 - Key: dhcpconfig.startip
 Type: ip
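Review bot: `vault.token` is declared `Type: string` like the three non-secret properties, yet it is the bearer credential for the Vault API; the OVF property model can flag a property as a password (the `ovf:password` attribute on a `Property` element) so deployment tooling masks it in the UI and in displays of the OVF environment, and if the converter behind this YAML supports that flag (e.g. a password type or an equivalent key), the token should use it. The `vault.api` description should also say what the value must look like: Provision-VaultPassword.ps1 appends `/sys/policies/password/...` and `/secret/data/...` straight onto the address, so the address must already include the API version prefix (`/v1`), and `The uri on which a HashiCorp Vault REST API can be reached` would be clearer as `The base URI of the HashiCorp Vault REST API, including the /v1 prefix`. The `vault.secret` description promises that all generated passwords land in one secret as key/value pairs, which the script can only honour if each write merges with the existing data; see the note on Provision-VaultPassword.ps1.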