Pretty much every DSC module is designed to store credentials in the MOF, and if configured to do so it can encrypt those credentials. For my current environment, however, we don't want any credentials stored in the DSC configuration MOFs at all.
To achieve this we use a combination of HashiCorp's Terraform and Vault products to provision infrastructure. Each piece of infrastructure that requires access to secrets is provisioned with a unique Vault AppRole, policy and wrapped token.
Since the majority of the Microsoft DSC modules are about 90% fit for purpose, with the credential handling being the exception, all I am doing is taking those modules and rewriting them to fetch the secret from the Vault API and create the credential object during processing, instead of expecting the credentials to be present in the MOF.
- xDSCVault_Download
  - Downloads a copy of the Vault binary, for cases where, for some reason, the API cannot be used to access the Vault endpoint
- xDSCVault_Unwrap
  - Checks whether a wrapped token is still wrapped; if it is, unwraps it and stores the RoleID and the unwrapped AppRole secret in the local Windows Credential Manager
  - All the subsequent modules are designed to obtain their credentials from the location where this module saves them
- xDSCVault_Write
  - Writes secrets to the Vault endpoint
- xDSCVault_LocalUser
  - Based on the local user module from PSDSCResources
- xDSCVault_ADDomain
  - Based on the ADDomain module from xActiveDirectory
- xDSCVault_WaitForADDomain
  - Based on the WaitForADDomain module from xActiveDirectory
- xDSCVault_ADDomainController
  - Based on the ADDomainController module from xActiveDirectory
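As an added example (not code from the xDSCVault module), here is the Vault API sequence that the Unwrap resource and the credential-fetching resources perform, written with Invoke-RestMethod against Vault's documented endpoints: look up and unwrap the wrapped token, log in with the AppRole, read the secret and build the PSCredential in memory. The function names, the placeholder address/RoleID/token values and the KV v1 response layout (password under the `value` key) are assumptions.

```powershell
function Get-UnwrappedSecretId {
    param([string]$VaultAddress, [string]$WrappedToken)
    # The wrapping token authenticates the call itself, so no token goes in the body
    $headers = @{ 'X-Vault-Token' = $WrappedToken }
    # A wrapping token is single-use: look it up first so an already-consumed or expired
    # token fails with a clear message instead of a generic 403 from the unwrap call
    try {
        $null = Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/wrapping/lookup" -Headers $headers
    } catch {
        throw "Wrapped token is no longer wrapped: it was already unwrapped or has expired"
    }
    $resp = Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/sys/wrapping/unwrap" -Headers $headers
    return $resp.data.secret_id   # the AppRole SecretID that was wrapped for this host
}

function Get-VaultClientToken {
    param([string]$VaultAddress, [string]$RoleId, [string]$SecretId, [string]$AuthBackend = 'approle')
    # AppRole login; $AuthBackend mirrors the resources' AuthBackend parameter
    $body = @{ role_id = $RoleId; secret_id = $SecretId } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/auth/$AuthBackend/login" `
        -Body $body -ContentType 'application/json'
    return $resp.auth.client_token
}

function Get-VaultCredential {
    param([string]$VaultAddress, [string]$ClientToken, [string]$VaultPath, [string]$UserName)
    $resp = Invoke-RestMethod -Method Get -Uri "$VaultAddress/v1/$VaultPath" `
        -Headers @{ 'X-Vault-Token' = $ClientToken }
    # Assumption: KV v1 returns the key/value pairs under .data; KV v2 nests them under .data.data
    $password = $resp.data.value
    if (-not $password) { throw "Secret at '$VaultPath' has no 'value' key" }
    # The password only ever lives in this process: nothing is written to the MOF
    $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Constructed usage with the README's placeholder values
$vault    = 'https://pathtovaultserver.com'
$secretId = Get-UnwrappedSecretId -VaultAddress $vault -WrappedToken 'dee09a64-429b-619c-0466-9c108320105e'
$token    = Get-VaultClientToken -VaultAddress $vault -RoleId 'randomroleID' -SecretId $secretId
$cred     = Get-VaultCredential -VaultAddress $vault -ClientToken $token `
    -VaultPath 'secret/path/somevalue-administrator' -UserName 'Administrator'
```

The real Unwrap resource persists the RoleID and SecretID in Windows Credential Manager between DSC runs; this example keeps them in variables only.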
List of processes that I want to get working:
- AD users
- Service accounts
- SQL clusters
- Octopus Deploy step template
- [String] VaultAddress (Required): URL to the Vault
- [String] RoleID (Key): RoleID for the AppRole
- [String] WrappedToken (Required): Wrapped token for the AppRole
```powershell
VaultUnwrap Unwrap
{
    RoleId       = 'randomroleID'
    WrappedToken = 'dee09a64-429b-619c-0466-9c108320105e'
    VaultAddress = 'https://pathtovaultserver.com'
}
```
- [String] VaultAddress (Key): URL to the Vault
- [String] VaultPath (Required): Path in the Vault where the credential will be written
- [String] VaultValue (Write): Specify the value to be written
  - Either a value must be specified or RandomSecret must be $true
- [Boolean] RandomSecret (Required): Generate a random secret
  - Either a value must be specified or RandomSecret must be $true
- [Boolean] ForceUpdate (Required): Every time the module runs it will write the value to Vault
- [String] AuthBackend (Write): Specify an alternate AppRole authentication backend. If nothing is specified it defaults to the default approle backend
```powershell
VaultWrite LocalAdministratorPassword
{
    VaultAddress = 'https://pathtovaultserver.com'
    VaultPath    = 'secret/path/somevalue-administrator'
    RandomSecret = $true
    ForceUpdate  = $false
}
```
- [String] VaultAddress (Required): URL to the Vault
- [String] UserName (Key): Indicates the account name for which you want to ensure a specific state.
- [String] VaultPath (Required): Path to where the secret will be read from the Vault
- [String] Description (Write): Indicates the description you want to use for the user account.
- [Boolean] Disabled (Write): Indicates if the account is disabled. Set this property to true to ensure that this account is disabled, and set it to false to ensure that it is enabled. The default value is false.
- [String] Ensure (Write): Ensures that the user account is present or absent { Present | Absent }.
- [String] FullName (Write): Represents a string with the full name you want to use for the user account.
- [PSCredential] Password (Write): Indicates the password you want to use for this account.
- [Boolean] PasswordChangeNotAllowed (Write): Indicates if the user can change the password. Set this property to true to ensure that the user cannot change the password, and set it to false to allow the user to change the password. The default value is false.
- [Boolean] PasswordChangeRequired (Write): Indicates if the user must change the password at the next sign in. Set this property to true if the user must change their password. The default value is true.
- [Boolean] PasswordNeverExpires (Write): Indicates if the password will expire. To ensure that the password for this account will never expire, set this property to true. The default value is false.
- [String] AuthBackend (Write): Specify an alternate AppRole authentication backend. If nothing is specified it defaults to the default approle backend
```powershell
VaultLocalUser LocalAdministratorPassword
{
    VaultAddress         = 'https://pathtovaultserver.com'
    VaultPath            = 'secret/path/somevalue-administrator'
    UserName             = 'Administrator'
    PasswordNeverExpires = $true
    Ensure               = 'Present'
}
```
- [String] VaultAddress (Required): URL to the Vault
- [String] DomainName (Key): Name of the domain.
  - If no parent name is specified, this is the fully qualified domain name for the first domain in the forest.
- [String] ParentDomainName (Write): Fully qualified name of the parent domain
- [String] DomainAdministratorUsername (Required): Specifies the username for an account that has Domain Administrator privileges
  - Note: These are NOT used during domain creation.
- [String] DomainAdministratorVaultPath (Required): Path in the Vault from which the secret for the Domain Administrator account will be read
  - Note: These are NOT used during domain creation.
- [String] SafemodeAdministratorPasswordVaultPath (Required): Path in the Vault from which the Safe Mode Administrator password will be read
- [String] DnsDelegationUserName (Write): Username used for creating DNS delegation.
- [String] DnsDelegationVaultPath (Write): Path to the secret in the Vault to be used for DNS delegation
- [String] DomainNetBIOSName (Write): Specifies the NetBIOS name for the new domain.
  - If not specified, the default is automatically computed from the value of the DomainName parameter.
- [String] DatabasePath (Write): Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database.
- [String] LogPath (Write): Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer where the log file for this operation will be written.
- [String] SysvolPath (Write): Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer where the Sysvol file will be written.
- [String] AuthBackend (Write): Specify an alternate AppRole authentication backend. If nothing is specified it defaults to the default approle backend
```powershell
VaultADDomain FirstDS
{
    VaultAddress                           = 'https://pathtovaultserver.com'
    DomainName                             = 'contoso.local'
    SafemodeAdministratorPasswordVaultPath = 'secret/path/somevalue-domainsafemode'
    DomainAdministratorUsername            = 'Administrator'
    DomainAdministratorVaultPath           = 'secret/path/somevalue-administrator'
}
```
- [String] VaultAddress (Required): URL to the Vault
- [String] DomainName (Key): Name of the domain.
- [String] DomainUserUsername (Write): Username of the account used to query for domain existence.
- [String] DomainUserVaultPath (Write): Path to where the secret will be read from the Vault
- [Int] RetryIntervalSec (Write): Interval to check for the domain's existence.
- [Int] RetryCount (Write): Maximum number of retries to check for the domain's existence.
- [String] AuthBackend (Write): Specify an alternate AppRole authentication backend. If nothing is specified it defaults to the default approle backend
```powershell
VaultWaitForADDomain DscForestWait
{
    VaultAddress        = 'https://pathtovaultserver.com'
    DomainName          = 'contoso.local'
    DomainUserUsername  = 'Administrator'
    DomainUserVaultPath = 'secret/path/somevalue-administrator'
    RetryCount          = 50
    RetryIntervalSec    = 30
}
```
- [String] VaultAddress (Required): URL to the Vault
- [String] DomainName (Key): The fully qualified domain name for the domain where the domain controller will be present.
- [String] DomainAdministratorUsername (Required): Specifies the username for the account used to install the domain controller.
- [String] DomainAdministratorVaultPath (Required): Path to where the secret will be read from the Vault for the Domain Administrator password
- [String] SafemodeAdministratorPasswordVaultPath (Required): Path to where the secret will be read from the Vault for the Safe Mode Administrator password
- [String] DatabasePath (Write): Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database.
- [String] LogPath (Write): Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer where the log file for this operation will be written.
- [String] SysvolPath (Write): Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer where the Sysvol file will be written.
- [String] SiteName (Write): Specify the name of an existing site where the new domain controller will be placed.
- [String] AuthBackend (Write): Specify an alternate AppRole authentication backend. If nothing is specified it defaults to the default approle backend
```powershell
VaultADDomainController SecondDC
{
    VaultAddress                           = 'https://pathtovaultserver.com'
    DomainName                             = 'contoso.local'
    DomainAdministratorUsername            = 'Administrator'
    DomainAdministratorVaultPath           = 'secret/path/somevalue-administrator'
    SafemodeAdministratorPasswordVaultPath = 'secret/path/somevalue-domainsafemode'
}
```