Provision Vault passwords;Reorder group membership

scripts/ADDS/payload/Provision-VaultPassword.ps1

@@ -0,0 +1,33 @@
+[CmdletBinding()]
+Param(
+    [Parameter()]
+    [string]$VaultAPIAddress,
+    [Parameter()]
+    [string]$VaultToken,
+    [Parameter()]
+    [string]$VaultPwPolicy,
+    [Parameter(Mandatory)]
+    [string]$Container,
+    [Parameter(Mandatory)]
+    [string]$Username
+)
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
+    Headers = @{'X-Vault-Token'="$VaultToken"} 
+}
+$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
+
+$InvokeWebRequestSplat = @{
+    Uri     = "$($VaultAPIAddress)/secret/data/$($Container)"
+    Method  = 'POST'
+    Headers = @{'X-Vault-Token'="$VaultToken"}
+    Body    = @{
+        data = @{
+            "password.$($Username)" = $NewPassword
+        }
+    } | ConvertTo-Json
+}
+Invoke-WebRequest @InvokeWebRequestSplat
+
+Return $NewPassword

scripts/ADDS/payload/scripts/02.Groups.yml

@@ -1,28 +1,28 @@
 SecurityGroups:
-  # Role groups
-- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
-- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
-  Description: ''
-  Scope: 'Global'
-  MemberOf: []
-
 # Resource groups
 - DistinguishedName: CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
-  MemberOf:
+  MemberOf: []
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
-  - CN=Firewall administrators,OU=Roles,OU=Groups
 - DistinguishedName: CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
-  MemberOf:
+  MemberOf: []
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
 - DistinguishedName: CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
   Description: ''
   Scope: 'DomainLocal'
+  MemberOf: []
+
+# Role groups
+- DistinguishedName: CN=Hypervisor administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
   MemberOf:
-  - CN=Hypervisor administrators,OU=Roles,OU=Groups
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups
+  - CN=DatastoreAdmin - vSphere servers,OU=Resources,OU=Groups
+  - CN=ContentLibraryAdmin - vSphere servers,OU=Resources,OU=Groups
+- DistinguishedName: CN=Firewall administrators,OU=Roles,OU=Groups
+  Description: ''
+  Scope: 'Global'
+  MemberOf:
+  - CN=RemoteDesktop - Management servers,OU=Resources,OU=Groups

scripts/ADDS/payload/scripts/03.Users.yml

@@ -1,7 +1,7 @@
 Users:
 - DistinguishedName: CN=Jane Doe,OU=Employees,OU=Non-privileged,OU=User accounts
-  Password: Complex42!
+  # Password: Complex42!
-  # Password: "{{ password.janedoe }}"
+  Password: "{{ password.janedoe }}"
   MemberOf: []
 - DistinguishedName: CN=John Doe,OU=Contractors,OU=Non-privileged,OU=User accounts
   Password: Complex42!
@@ -13,8 +13,8 @@ Users:
   Password: Complex42!
   MemberOf: []
   
-# ---
+---
-# Variables:
+Variables:
-# - Name: password.janedoe
+- Name: password.janedoe
-#   Expression: |
+  Expression: |
-#     (Invoke-WebRequest -Uri 'vault' -Body '' | ConvertFrom-Json).Password
+    & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']

scripts/Update-OvfConfiguration.yml

@@ -97,7 +97,45 @@ PropertyCategories:
     - primary
     - standalone
     UserConfigurable: true
-- Name: 4) DHCP default scope
+- Name: 4) Credential Management
+  ProductProperties:
+  - Key: vault.api
+    Type: string
+    Label: Vault API address
+    Description: The uri on which a HashiCorp Vault REST API can be reached
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.token
+    Type: string
+    Label: Vault API token
+    Description: An access token which has permissions to read/write to the Vault secrets engine
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.pwpolicy
+    Type: string
+    Label: Vault password policy
+    Description: A Vault password policy which determines complexity rules for generated passwords
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+  - Key: vault.secret
+    Type: string
+    Label: Vault secret name
+    Description: The name of the secret that all generated passwords will be stored in (as key/value pairs)
+    DefaultValue: ''
+    Configurations:
+    - primary
+    - standalone
+    UserConfigurable: true
+- Name: 5) DHCP default scope
   ProductProperties:
   - Key: dhcpconfig.startip
     Type: ip