djpbessems/Packer.Images
djpbessems/Packer.Images
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge key/value pairs in vault secret
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Danny Bessems 2021-03-10 11:32:53 +01:00
parent 03f800c623
commit 1a39e9df3a
3 changed files with 67 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -72,6 +72,11 @@ When **provisioning** the appliance through the vCenter 'Deploy OVF template...'
"addsconfig.safemodepw" = var.adds_safemodepassword "addsconfig.safemodepw" = var.adds_safemodepassword
# "addsconfig.ntpserver" = "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org" # "addsconfig.ntpserver" = "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org"
"vault.api" = "https://vault.example.org/v1"
"vault.token" = "s.R2E1anlOcTZrTmZSTVZRazJM"
"vault.pwpolicy" = "complex"
"vault.secret" = "contoso-project42"
# "dhcpconfig.startip" = "10.0.0.50" # "dhcpconfig.startip" = "10.0.0.50"
# "dhcpconfig.endip" = "10.0.0.250" # "dhcpconfig.endip" = "10.0.0.250"
# "dhcpconfig.subnetmask" = "255.255.255.0" # "dhcpconfig.subnetmask" = "255.255.255.0"

72
scripts/ADDS/payload/Provision-VaultPassword.ps1
View File

@ -7,27 +7,77 @@ Param(
[Parameter()] [Parameter()]
[string]$VaultPwPolicy, [string]$VaultPwPolicy,
[Parameter(Mandatory)] [Parameter(Mandatory)]
[string]$Container, [string]$VaulSecret,
[Parameter(Mandatory)] [Parameter(Mandatory)]
[string]$Username [string]$Username
) )
# Generate new password
$InvokeWebRequestSplat = @{ $InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate" Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
Headers = @{'X-Vault-Token'="$VaultToken"} Headers = @{'X-Vault-Token'="$VaultToken"}
} }
$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password $NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
$InvokeWebRequestSplat = @{ # Check for existense of secret
Uri = "$($VaultAPIAddress)/secret/data/$($Container)" $Response, $ErrResponse = $Null, $Null
Method = 'POST' Try {
Headers = @{'X-Vault-Token'="$VaultToken"} $InvokeWebRequestSplat = @{
Body = @{ Uri = "$(VaultAPIAddress)/secret/metadata/$($VaultSecret)"
data = @{ Headers = @{'X-Vault-Token' = "$VaultToken"}
"password.$($Username)" = $NewPassword UseBasicParsing = $True
} }
} | ConvertTo-Json $Response = Invoke-WebRequest @InvokeWebRequestSplat
}
Catch {
$StreamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
$StreamReader.BaseStream.Position = 0
$ErrResponse = $StreamReader.ReadToEnd()
$StreamReader.Close()
}
If ([boolean]$Response) {
# Secret already exists; retrieve existing key/value pairs
$InvokeWebRequestSplat = @{
Uri = "$(VaultAPIAddress)/secret/data/$($VaultSecret)"
Headers = @{'X-Vault-Token' = "$VaultToken"}
UseBasicParsing = $True
}
$Secret = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data
# Merge new password into dictionary
$AddMemberSplat = @{
MemberType = 'NoteProperty'
Name = "password.$($Username)"
Value = $NewPassword
Force = $True
}
$Secret.data | Add-Member @AddMemberSplat
# Store as new version
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
Method = 'POST'
Headers = @{'X-Vault-Token'="$VaultToken"}
Body = @{
data = $Secret.data
} | ConvertTo-Json
}
Invoke-WebRequest @InvokeWebRequestSplat
}
ElseIf ([boolean]$ErrResponse) {
# Secret did not exist yet, store as new secret
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
Method = 'POST'
Headers = @{'X-Vault-Token'="$VaultToken"}
Body = @{
data = @{
"password.$($Username)" = $NewPassword
}
} | ConvertTo-Json
}
Invoke-WebRequest @InvokeWebRequestSplat
} }
Invoke-WebRequest @InvokeWebRequestSplat
Return $NewPassword Return $NewPassword

2
scripts/ADDS/payload/scripts/03.Users.yml
View File

@ -17,4 +17,4 @@ Users:
Variables: Variables:
- Name: password.janedoe - Name: password.janedoe
Expression: | Expression: |
& "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy'] & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']