Merge key/value pairs in vault secret

README.md

@@ -72,6 +72,11 @@ When **provisioning** the appliance through the vCenter 'Deploy OVF template...'
       "addsconfig.safemodepw"      = var.adds_safemodepassword
       # "addsconfig.ntpserver"       = "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org"
 
+      "vault.api"                   = "https://vault.example.org/v1"
+      "vault.token"                 = "s.R2E1anlOcTZrTmZSTVZRazJM"
+      "vault.pwpolicy"              = "complex"
+      "vault.secret"                = "contoso-project42"
+
       # "dhcpconfig.startip"         = "10.0.0.50"
       # "dhcpconfig.endip"           = "10.0.0.250"
       # "dhcpconfig.subnetmask"      = "255.255.255.0"

scripts/ADDS/payload/Provision-VaultPassword.ps1

@@ -7,19 +7,68 @@ Param(
     [Parameter()]
     [string]$VaultPwPolicy,
     [Parameter(Mandatory)]
-    [string]$Container,
+    [string]$VaulSecret,
     [Parameter(Mandatory)]
     [string]$Username
 )
 
+# Generate new password
 $InvokeWebRequestSplat = @{
     Uri     = "$($VaultAPIAddress)/sys/policies/password/$($VaultPasswordPolicy)/generate"
     Headers = @{'X-Vault-Token'="$VaultToken"} 
 }
 $NewPassword = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data.password
 
-$InvokeWebRequestSplat = @{
-    Uri     = "$($VaultAPIAddress)/secret/data/$($Container)"
+# Check for existense of secret
+$Response, $ErrResponse = $Null, $Null
+Try {
+    $InvokeWebRequestSplat = @{
+        Uri             = "$(VaultAPIAddress)/secret/metadata/$($VaultSecret)"
+        Headers         = @{'X-Vault-Token' = "$VaultToken"}
+        UseBasicParsing = $True
+    }
+    $Response = Invoke-WebRequest @InvokeWebRequestSplat
+}
+Catch {
+    $StreamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
+    $StreamReader.BaseStream.Position = 0
+    $ErrResponse = $StreamReader.ReadToEnd()
+    $StreamReader.Close()
+}
+
+If ([boolean]$Response) {
+    # Secret already exists; retrieve existing key/value pairs
+    $InvokeWebRequestSplat = @{
+        Uri             = "$(VaultAPIAddress)/secret/data/$($VaultSecret)"
+        Headers         = @{'X-Vault-Token' = "$VaultToken"}
+        UseBasicParsing = $True
+    }
+    $Secret = (Invoke-WebRequest @InvokeWebRequestSplat | ConvertFrom-Json).data
+
+    # Merge new password into dictionary
+    $AddMemberSplat = @{
+        MemberType = 'NoteProperty'
+        Name       = "password.$($Username)"
+        Value      = $NewPassword
+        Force      = $True
+    }
+    $Secret.data | Add-Member @AddMemberSplat
+
+    # Store as new version
+    $InvokeWebRequestSplat = @{
+        Uri     = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
+        Method  = 'POST'
+        Headers = @{'X-Vault-Token'="$VaultToken"}
+        Body    = @{
+            data = $Secret.data
+        } | ConvertTo-Json
+    }
+    Invoke-WebRequest @InvokeWebRequestSplat
+}
+ElseIf ([boolean]$ErrResponse) {
+    # Secret did not exist yet, store as new secret
+    $InvokeWebRequestSplat = @{
+        Uri     = "$($VaultAPIAddress)/secret/data/$($VaulSecret)"
         Method  = 'POST'
         Headers = @{'X-Vault-Token'="$VaultToken"}
         Body    = @{
@@ -27,7 +76,8 @@ $InvokeWebRequestSplat = @{
                 "password.$($Username)" = $NewPassword
             }
         } | ConvertTo-Json
+    }
+    Invoke-WebRequest @InvokeWebRequestSplat
 }
-Invoke-WebRequest @InvokeWebRequestSplat
 
 Return $NewPassword

scripts/ADDS/payload/scripts/03.Users.yml

@@ -17,4 +17,4 @@ Users:
 Variables:
 - Name: password.janedoe
   Expression: |
-    & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -Container $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']
+    & "$($PSScriptRoot)\..\Provision-VaultPassword.ps1" -VaulSecret $Parameter['vault.secret'] -Username 'janedoe' -VaultAPIAddress $Parameter['vault.api'] -VaultToken $Parameter['vault.token'] -VaultPwPolicy $Parameter['vault.pwpolicy']