Merge key/value pairs in vault secret
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Danny Bessems 2021-03-10 11:32:53 +01:00
parent 03f800c623
commit 1a39e9df3a
3 changed files with 67 additions and 12 deletions

View File

@ -72,6 +72,11 @@ When **provisioning** the appliance through the vCenter 'Deploy OVF template...'
"addsconfig.safemodepw" = var.adds_safemodepassword
# "addsconfig.ntpserver" = "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org"
"vault.api" = "https://vault.example.org/v1"
"vault.token" = "s.R2E1anlOcTZrTmZSTVZRazJM"
"vault.pwpolicy" = "complex"
"vault.secret" = "contoso-project42"
# "dhcpconfig.startip" = "10.0.0.50"
# "dhcpconfig.endip" = "10.0.0.250"
# "dhcpconfig.subnetmask" = "255.255.255.0"

View File

@ -7,19 +7,68 @@ Param(
[Parameter()]
[string]$VaultPwPolicy,
[Parameter(Mandatory)]
[string]$Container,
[string]$VaulSecret,
[Parameter(Mandatory)]
[string]$Username
)
# Generate new password
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
Headers = @{'X-Vault-Token'="$VaultToken"}
}
$NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
# Check for existense of secret
$Response, $ErrResponse = $Null, $Null
Try {
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/secret/data/$($Container)"
Uri = "$(VaultAPIAddress)/secret/metadata/$($VaultSecret)"
Headers = @{'X-Vault-Token' = "$VaultToken"}
UseBasicParsing = $True
}
$Response = Invoke-WebRequest @InvokeWebRequestSplat
}
Catch {
$StreamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
$StreamReader.BaseStream.Position = 0
$ErrResponse = $StreamReader.ReadToEnd()
$StreamReader.Close()
}
If ([boolean]$Response) {
# Secret already exists; retrieve existing key/value pairs
$InvokeWebRequestSplat = @{
Uri = "$(VaultAPIAddress)/secret/data/$($VaultSecret)"
Headers = @{'X-Vault-Token' = "$VaultToken"}
UseBasicParsing = $True
}
$Secret = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data
# Merge new password into dictionary
$AddMemberSplat = @{
MemberType = 'NoteProperty'
Name = "password.$($Username)"
Value = $NewPassword
Force = $True
}
$Secret.data | Add-Member @AddMemberSplat
# Store as new version
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
Method = 'POST'
Headers = @{'X-Vault-Token'="$VaultToken"}
Body = @{
data = $Secret.data
} | ConvertTo-Json
}
Invoke-WebRequest @InvokeWebRequestSplat
}
ElseIf ([boolean]$ErrResponse) {
# Secret did not exist yet, store as new secret
$InvokeWebRequestSplat = @{
Uri = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
Method = 'POST'
Headers = @{'X-Vault-Token'="$VaultToken"}
Body = @{
@ -29,5 +78,6 @@ $InvokeWebRequestSplat = @{
} | ConvertTo-Json
}
Invoke-WebRequest @InvokeWebRequestSplat
}
Return $NewPassword

View File

@ -17,4 +17,4 @@ Users:
Variables:
- Name: password.janedoe
Expression: |
& "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
& "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']