Provision Vault passwords;Reorder group membership

scripts/ADDS/payload/Provision-VaultPassword.ps1

@@ -0,0 +1,33 @@
+[CmdletBinding()]
+Param(
+    [Parameter()]
+    [string]$VaultAPIAddress,
+    [Parameter()]
+    [string]$VaultToken,
+    [Parameter()]
+    [string]$VaultPwPolicy,
+    [Parameter(Mandatory)]
+    [string]$Container,
+    [Parameter(Mandatory)]
+    [string]$Username
+)
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
+    Headers = @{'X-Vault-Token'="$VaultToken"} 
+}
+$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/secret/data/$($Container)"
+    Method  = 'POST'
+    Headers = @{'X-Vault-Token'="$VaultToken"}
+    Body    = @{
+        data = @{
+            "password.$($Username)" = $NewPassword
+        }
+    } | ConvertTo-Json
+}
+Invoke-WebRequest @InvokeWebRequestSplat
+
+Return $NewPassword

scripts/ADDS/payload/scripts/02.Groups.yml

@@ -1,28 +1,28 @@
 SecurityGroups:
-  # Role groups
-- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
-- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
-
 # Resource groups
 - DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
-  MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
-  - CN=Firewall administrators,OU=Roles,OU=Groups
+  MemberOf: []
 - DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
-  MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
+  MemberOf: []
 - DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
+  MemberOf: []
+
+# Role groups
+- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
   MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
+  - CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
+  - CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
+- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
+  MemberOf:
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups

scripts/ADDS/payload/scripts/03.Users.yml

@@ -1,7 +1,7 @@
 Users:
 - DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
-  Password: Complex42!
-  # Password: "{{ password.janedoe }}"
+  # Password: Complex42!
+  Password: "{{ password.janedoe }}"
   MemberOf: []
 - DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
   Password: Complex42!
@@ -13,8 +13,8 @@ Users:
   Password: Complex42!
   MemberOf: []
   
-# ---
-# Variables:
-# - Name: password.janedoe
-#   Expression: |
-#     (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password
+---
+Variables:
+- Name: password.janedoe
+  Expression: |
+    & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']