From 88097ff3d1e578a27e15f18eaab32a9f0769dbc8 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Tue, 10 Mar 2020 10:56:25 +0000 Subject: [PATCH 1/6] Updated administration scripts to start or restart as appropriate --- .../SHM_Shutdown_Deployment_VMs.ps1 | 17 +++++++---- .../administration/SHM_Shutdown_IAAM_VMs.ps1 | 17 +++++++---- .../SHM_Shutdown_Mirror_VMs.ps1 | 18 ++++++----- .../SHM_Start_Deployment_VMs.ps1 | 22 +++++++++----- .../administration/SHM_Start_IAAM_VMs.ps1 | 30 +++++++++++-------- .../administration/SHM_Start_Mirror_VMs.ps1 | 20 ++++++++----- .../SRE_DSVM_Remote_Diagnostics.ps1 | 18 ++++++----- .../administration/SRE_DSVM_Reset_Ldap.ps1 | 20 +++++++++---- deployment/administration/SRE_Start_VMs.ps1 | 17 ++++++----- deployment/common/Deployments.psm1 | 28 +++++++++++++++++ .../setup/Create_Package_Mirrors.ps1 | 2 +- 11 files changed, 142 insertions(+), 67 deletions(-) diff --git a/deployment/administration/SHM_Shutdown_Deployment_VMs.ps1 b/deployment/administration/SHM_Shutdown_Deployment_VMs.ps1 index 95012c2512..d4e55fe0f5 100644 --- a/deployment/administration/SHM_Shutdown_Deployment_VMs.ps1 +++ b/deployment/administration/SHM_Shutdown_Deployment_VMs.ps1 
@@ -7,15 +7,20 @@ Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName + +# Stopping the deployment servers +# ------------------------------- Add-LogMessage -Level Info "Stopping all Deployment Servers" Get-AzVM -ResourceGroupName "RG_SHM_DEPLOYMENT_POOL" | Stop-AzVM -Force -NoWait + # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SHM_Shutdown_IAAM_VMs.ps1 b/deployment/administration/SHM_Shutdown_IAAM_VMs.ps1 index 5c0420c7d7..bf58a46845 100644 --- a/deployment/administration/SHM_Shutdown_IAAM_VMs.ps1 +++ b/deployment/administration/SHM_Shutdown_IAAM_VMs.ps1 
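Review bot: The new `$_ = Set-AzContext -SubscriptionId $config.subscriptionName` line is not checked, so if the subscription switch fails (misspelt name, no access) and the cmdlet only emits a non-terminating error, the forced `Get-AzVM ... | Stop-AzVM -Force -NoWait` on the next line runs against whatever subscription was active when the script started. Because this script's only action is destructive and unattended, the switch should be terminating: `$_ = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop`. The hard-coded `RG_SHM_DEPLOYMENT_POOL` name rather than a value from `$config` predates this commit, but it compounds the risk, since a resource group of the same name in the wrong subscription would be shut down silently.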
@@ -7,18 +7,23 @@ Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName + +# Stop all IAAM VMs +# ----------------- Add-LogMessage -Level Info "Stopping NPS Server" Stop-AzVM -ResourceGroupName $config.nps.rg -Name $config.nps.vmName -Force -NoWait Add-LogMessage -Level Info "Stopping AD DCs" Stop-AzVM -ResourceGroupName $config.dc.rg -Name $config.dc.vmName -Force -NoWait Stop-AzVM -ResourceGroupName $config.dc.rg -Name $config.dcb.vmName -Force -NoWait + # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SHM_Shutdown_Mirror_VMs.ps1 b/deployment/administration/SHM_Shutdown_Mirror_VMs.ps1 index ebed14755e..71af2f5f6f 100644 --- a/deployment/administration/SHM_Shutdown_Mirror_VMs.ps1 +++ b/deployment/administration/SHM_Shutdown_Mirror_VMs.ps1 
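Review bot: The context restore `$_ = Set-AzContext -Context $originalContext` at the bottom of the hunk is only reached if none of the three `Stop-AzVM` calls raises a terminating error; any exception between the subscription switch and the restore leaves the operator's session pointed at the SHM subscription for whatever they run next. Wrapping the stop calls in `try { ... } finally { $_ = Set-AzContext -Context $originalContext }` restores the original context on every exit path. The same shape would suit the sibling administration scripts touched in this commit, which all follow the switch/act/restore pattern.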
@@ -7,15 +7,19 @@ Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; -Add-LogMessage -Level Info "Stopping all Mirror Servers" +# Stopping the package mirrors +# ---------------------------- +Add-LogMessage -Level Info "Stopping all package mirror servers" Get-AzVM -ResourceGroupName "RG_SHM_PKG_MIRRORS" | Stop-AzVM -Force -NoWait + # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SHM_Start_Deployment_VMs.ps1 b/deployment/administration/SHM_Start_Deployment_VMs.ps1 index e03de0bdb3..aac41b89b1 100644 --- a/deployment/administration/SHM_Start_Deployment_VMs.ps1 +++ b/deployment/administration/SHM_Start_Deployment_VMs.ps1 
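Review bot: The added lines discard cmdlet output by assigning to `$_` (`$_ = Set-AzContext ...` twice in this hunk); `$_` is the automatic pipeline variable, so this reads as a pipeline reference rather than a discard. Since the commit is already renaming `$prevContext` to `$originalContext` for clarity, it is a good moment to switch to the conventional idiom as well: `$null = Set-AzContext -SubscriptionId $config.subscriptionName` and `$null = Set-AzContext -Context $originalContext`. This is a readability point only; as far as I can tell the assignment has no functional effect at script scope.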
@@ -5,17 +5,23 @@ param( Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force +Import-Module $PSScriptRoot/../common/Deployments.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName + + +# Start/restart the deployment servers +# ------------------------------------ +Add-LogMessage -Level Info "Starting all Deployment Servers" +Get-AzVM -ResourceGroupName "RG_SHM_DEPLOYMENT_POOL" | ForEach-Object { Enable-AzVM -Name $_.Name -ResourceGroupName $_.ResourceGroupName } -Add-LogMessage -Level Info "Stopping all Deployment Servers" -Get-AzVM -ResourceGroupName "RG_SHM_DEPLOYMENT_POOL" | Restart-AzVM -NoWait # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SHM_Start_IAAM_VMs.ps1 b/deployment/administration/SHM_Start_IAAM_VMs.ps1 index d29aad8f65..06f6cd8e6b 100644 --- a/deployment/administration/SHM_Start_IAAM_VMs.ps1 +++ b/deployment/administration/SHM_Start_IAAM_VMs.ps1 
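Review bot: Replacing `Restart-AzVM -NoWait` over the resource group with `ForEach-Object { Enable-AzVM ... }` makes the start sequential and blocking, because `Enable-AzVM` (added to Deployments.psm1 in this commit) has no `-NoWait` and waits for each `Start-AzVM`/`Restart-AzVM` to finish, so with several deployment VMs the script now runs for minutes rather than returning immediately. It also means a single failing VM, which `Enable-AzVM` reports with `Add-LogMessage -Level Fatal`, would (if `Fatal` terminates as its name suggests) stop the loop, skip the remaining VMs and skip the context restore below. If blocking is intended, say so in a comment such as `# Enable-AzVM waits for each VM; a failure aborts the loop`; otherwise catch per-VM errors inside the `ForEach-Object` body and continue.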
@@ -5,22 +5,28 @@ param( Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force +Import-Module $PSScriptRoot/../common/Deployments.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName + +# Start/restart all IAAM VMs +# -------------------------- Add-LogMessage -Level Info "Starting AD DCs..." -Add-LogMessage -Level Info " - Waiting for Primary AD to start before starting other VMs." -Restart-AzVM -ResourceGroupName $config.dc.rg -Name $config.dc.vmName -Add-LogMessage -Level Info " - Waiting for Backup AD to start before starting other VMs." -Restart-AzVM -ResourceGroupName $config.dc.rg -Name $config.dcb.vmName -Add-LogMessage -Level Info "Starting NPS Server" -Restart-AzVM -ResourceGroupName $config.nps.rg -Name $config.nps.vmName +Add-LogMessage -Level Info "Starting Primary AD before other VMs..." +Enable-AzVM -Name $config.dc.vmName -ResourceGroupName $config.dc.rg +Add-LogMessage -Level Info "Starting Backup AD before other VMs..." +Enable-AzVM -Name $config.dcb.vmName -ResourceGroupName $config.dc.rg +Add-LogMessage -Level Info "Starting NPS Server..." +Enable-AzVM -Name $config.nps.vmName -ResourceGroupName $config.nps.rg + # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SHM_Start_Mirror_VMs.ps1 b/deployment/administration/SHM_Start_Mirror_VMs.ps1 index 6bd787e2be..0c459d7606 100644 
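Review bot: With `Enable-AzVM` as defined in this commit, running this "start" script against an environment that is already up reboots both domain controllers and then the NPS server, because `Enable-AzVM` calls `Restart-AzVM` whenever the power state is `PowerState/running`; the log lines here say only "Starting", which hides that outage. Either add a header comment stating the behaviour, e.g. `# NOTE: VMs that are already running are restarted, so this causes a brief AD/NPS outage`, or give `Enable-AzVM` a switch that leaves running VMs alone and use it here. The messages `"Starting Primary AD before other VMs..."` and `"Starting Backup AD before other VMs..."` could also read "Starting/restarting" to match what happens.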
--- a/deployment/administration/SHM_Start_Mirror_VMs.ps1 +++ b/deployment/administration/SHM_Start_Mirror_VMs.ps1 @@ -5,17 +5,23 @@ param( Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force +Import-Module $PSScriptRoot/../common/Deployments.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SHM config -$config = Get-ShmFullConfig($shmId) -# Temporarily switch to SHM subscription -$prevContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.subscriptionName; +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-ShmFullConfig $shmId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.subscriptionName + +# Start/restart the package mirrors +# --------------------------------- Add-LogMessage -Level Info "Starting all Mirror Servers" -Get-AzVM -ResourceGroupName "RG_SHM_PKG_MIRRORS" | Restart-AzVM -NoWait +Get-AzVM -ResourceGroupName "RG_SHM_PKG_MIRRORS" | ForEach-Object { Enable-AzVM -Name $_.Name -ResourceGroupName $_.ResourceGroupName } + # Switch back to original subscription -$_ = Set-AzContext -Context $prevContext; +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 b/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 index d5ab5707a3..1d79069d27 100644 --- a/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 +++ b/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 
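Review bot: The loop `Get-AzVM ... | ForEach-Object { Enable-AzVM ... }` lets a failure on one mirror VM, reported inside `Enable-AzVM` via `Add-LogMessage -Level Fatal`, prevent the remaining mirrors from being started and skip the context restore at the bottom of the hunk, whereas the previous `Restart-AzVM -NoWait` fan-out was best-effort per VM. Wrapping the call as `try { Enable-AzVM -Name $_.Name -ResourceGroupName $_.ResourceGroupName } catch { Add-LogMessage -Level Failure "Failed to start '$($_.Name)'" }` keeps the start best-effort across mirrors. Note also that the mirrors are now started one after another rather than in parallel, which is worth a comment if it is deliberate.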
@@ -9,11 +9,12 @@ Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SRE config -# -------------- -$config = Get-SreConfig ($sreId); + +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-SreConfig $sreId $originalContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName; +$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName # Find VM with private IP address matching the provided last octect @@ -45,12 +46,15 @@ $params = @{ Add-LogMessage -Level Info "Running diagnostic scripts on VM ${computeVmName}..." foreach ($diagnostic_script in $diagnostic_scripts) { - $scriptPath = Join-Path $PSScriptRoot "remote_scripts" $diagnostic_script + #$scriptPath = Join-Path $PSScriptRoot "remote_scripts" $diagnostic_script + $scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" $diagnostic_script $result = Invoke-AzVMRunCommand -ResourceGroupName $config.sre.dsvm.rg -Name "$computeVmName" ` -CommandId 'RunShellScript' -ScriptPath $scriptPath ` -Parameter $params Write-Output $result.Value; } -# Switch back to previous subscription -$_ = Set-AzContext -Context $originalContext; + +# Switch back to original subscription +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SRE_DSVM_Reset_Ldap.ps1 b/deployment/administration/SRE_DSVM_Reset_Ldap.ps1 index 95725b4b55..80de381f67 100644 --- a/deployment/administration/SRE_DSVM_Reset_Ldap.ps1 +++ b/deployment/administration/SRE_DSVM_Reset_Ldap.ps1 
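Review bot: In the second hunk the old `$scriptPath = Join-Path $PSScriptRoot "remote_scripts" $diagnostic_script` line is kept as a comment directly above its replacement; commented-out code should be deleted, since git history preserves it. The new relative path `".." "secure_research_environment" "remote" "compute_vm" "scripts"` is assembled by hand in several scripts in this commit, so a guard before `Invoke-AzVMRunCommand` such as `if (-not (Test-Path $scriptPath)) { Add-LogMessage -Level Fatal "Script not found: $scriptPath" }` would fail fast the next time the layout moves instead of sending an empty script to the VM. The `foreach` loop and the `$params` hashtable it uses start before this hunk.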
@@ -9,9 +9,12 @@ Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force -# Get SRE config -$config = Get-SreConfig ($sreId); -$prevContext = Get-AzContext + +# Get config and original context before changing subscription +# ------------------------------------------------------------ +$config = Get-SreConfig $sreId +$originalContext = Get-AzContext +$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName # Find VM with private IP address matching the provided last octet @@ -42,7 +45,8 @@ if ($kvLdapPassword -ne $null) { # Set LDAP secret in local Active Directory on the SHM DC # ------------------------------------------------------- $_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName; -$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "ResetLdapPasswordOnAD.ps1" +#$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "ResetLdapPasswordOnAD.ps1" +$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "ResetLdapPasswordOnAD.ps1" $params = @{ samAccountName = "`"$($config.sre.users.ldap.dsvm.samAccountName)`"" ldapPassword = "`"$kvLdapPassword`"" @@ -62,7 +66,8 @@ if ($success) { # ------------------------- Add-LogMessage -Level Info "Setting LDAP secret on compute VM: $($vm.Name)" $_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName; -$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "reset_ldap_password.sh" +#$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "reset_ldap_password.sh" +$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "reset_ldap_password.sh" $params = @{ ldapPassword = "`"$kvLdapPassword`"" } 
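Review bot: Both hunks that move `$scriptPath` leave the old `Join-Path $PSScriptRoot "remote_scripts" ...` line behind as a comment; delete them rather than commenting them out. Patch 5/6 of this series removes the whole file, so for the final tree this is moot, but the same commented-out lines were introduced in SRE_DSVM_Remote_Diagnostics.ps1 as well. Separately, and pre-existing rather than introduced here, `ldapPassword = "`"$kvLdapPassword`""` interpolates the secret into a quoted string with no escaping, so a password containing a double quote would break the remote command line; worth keeping in mind when this logic is consolidated.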
@@ -73,3 +78,8 @@ Write-Output $result.Value if ($success) { Add-LogMessage -Level Success "Setting LDAP secret on compute VM was successful" } + + +# Switch back to original subscription +# ------------------------------------ +$_ = Set-AzContext -Context $originalContext diff --git a/deployment/administration/SRE_Start_VMs.ps1 b/deployment/administration/SRE_Start_VMs.ps1 index cd07dab3b7..86e631c3bb 100644 --- a/deployment/administration/SRE_Start_VMs.ps1 +++ b/deployment/administration/SRE_Start_VMs.ps1 @@ -5,6 +5,7 @@ param( Import-Module Az Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force +Import-Module $PSScriptRoot/../common/Deployments.psm1 -Force Import-Module $PSScriptRoot/../common/Logging.psm1 -Force 
@@ -19,19 +20,19 @@ $_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName # ------------- Add-LogMessage -Level Info "Starting AD DC..." Add-LogMessage -Level Info "Waiting for AD to start before starting other VMs to ensure domain joining works..." -Restart-AzVM -ResourceGroupName $config.sre.dc.rg -Name $config.sre.dc.vmName +Enable-AzVM -ResourceGroupName $config.sre.dc.rg -Name $config.sre.dc.vmName Add-LogMessage -Level Info "Starting RDS gateway..." -Restart-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.gateway.vmName -NoWait +Enable-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.gateway.vmName Add-LogMessage -Level Info "Starting RDS session hosts..." -Restart-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.sessionHost1.vmName -NoWait -Restart-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.sessionHost2.vmName -NoWait +Enable-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.sessionHost1.vmName +Enable-AzVM -ResourceGroupName $config.sre.rds.rg -Name $config.sre.rds.sessionHost2.vmName Add-LogMessage -Level Info "Starting dataserver..." -Restart-AzVM -ResourceGroupName $config.sre.dataserver.rg -Name $config.sre.dataserver.vmName -NoWait +Enable-AzVM -ResourceGroupName $config.sre.dataserver.rg -Name $config.sre.dataserver.vmName Add-LogMessage -Level Info "Starting web app servers..." -Restart-AzVM -ResourceGroupName $config.sre.webapps.rg -Name $config.sre.webapps.gitlab.vmName -NoWait -Restart-AzVM -ResourceGroupName $config.sre.webapps.rg -Name $config.sre.webapps.hackmd.vmName -NoWait +Enable-AzVM -ResourceGroupName $config.sre.webapps.rg -Name $config.sre.webapps.gitlab.vmName +Enable-AzVM -ResourceGroupName $config.sre.webapps.rg -Name $config.sre.webapps.hackmd.vmName Add-LogMessage -Level Info "Starting all compute VMs..." 
-Get-AzVM -ResourceGroupName $config.sre.dsvm.rg | Restart-AzVM -NoWait +Get-AzVM -ResourceGroupName $config.sre.dsvm.rg | ForEach-Object { Enable-AzVM -Name $_.Name -ResourceGroupName $_.ResourceGroupName } # Switch back to original subscription diff --git a/deployment/common/Deployments.psm1 b/deployment/common/Deployments.psm1 index 9465fa2016..e674ed636a 100644 --- a/deployment/common/Deployments.psm1 +++ b/deployment/common/Deployments.psm1 @@ -450,6 +450,34 @@ function Deploy-VirtualNetwork { Export-ModuleMember -Function Deploy-VirtualNetwork +# Ensure that an Azure VM is turned on +# ------------------------------------ +function Enable-AzVM { + param( + [Parameter(Position = 0, Mandatory = $true, HelpMessage = "Name of VM to enable")] + $Name, + [Parameter(Position = 1, Mandatory = $true, HelpMessage = "Name of resource group that the VM belongs to")] + $ResourceGroupName + ) + Add-LogMessage -Level Info "[ ] Ensuring that '$Name' is running" + $powerState = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses.Code[1] + if ($powerState -eq "PowerState/running") { + $_ = Restart-AzVM -Name $Name -ResourceGroupName $ResourceGroupName + $success = $? + } else { + $_ = Start-AzVM -Name $Name -ResourceGroupName $ResourceGroupName + $success = $? + } + $powerState = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses.Code[1] + if ($success) { + Add-LogMessage -Level Success "Successfully (re)started '$Name' [$powerstate]" + } else { + Add-LogMessage -Level Fatal "Failed to (re)start '$Name' [$powerstate]!" + } +} +Export-ModuleMember -Function Enable-AzVM + + # Create subnet if it does not exist # ---------------------------------- function Get-AzSubnet { diff --git a/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 b/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 index de2e7a753c..5e9c4f21bd 100644 
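Review bot: Every `-NoWait` is dropped in this hunk, so the RDS gateway, both session hosts, the data server, the two web app VMs and then each compute VM are started strictly one after another, each waiting for `Enable-AzVM` to complete, and for any VM already in `PowerState/running` that wait is a full `Restart-AzVM`; an SRE with many compute VMs turns into a long blocking run, and a healthy SRE gets every VM rebooted. Only the DC needs to be awaited (the comment above it says why), so the other calls could stay fire-and-forget, e.g. `Start-AzVM -Name $config.sre.rds.gateway.vmName -ResourceGroupName $config.sre.rds.rg -NoWait`, or `Enable-AzVM` could accept a `-NoWait` switch it passes through. The "Switch back to original subscription" block continues past the end of the hunk.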
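Review bot: `(Get-AzVM ... -Status).Statuses.Code[1]` picks the power state by position; the first entry is usually the provisioning state, but nothing guarantees the order or that there are exactly two entries, so the `PowerState/*` entry should be selected by code. Transitional states (`PowerState/starting`, `PowerState/stopping`, `PowerState/deallocating`) all fall into the `Start-AzVM` branch, and the second `Get-AzVM -Status` read is only logged, never used to decide success, so a VM that ends in any state other than running is still reported with `-Level Success`. The sketch below selects the status by code and makes the final power state part of the success test; a one-line comment on the function should also state that an already-running VM is restarted, since every caller in this series relies on that.
```powershell
function Enable-AzVM {
    # ... unchanged: param block ...
    Add-LogMessage -Level Info "[ ] Ensuring that '$Name' is running"
    # Select the PowerState entry by code; its position in Statuses is not guaranteed
    $powerState = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses | Where-Object { $_.Code -like "PowerState/*" } | Select-Object -First 1 -ExpandProperty Code
    if ($powerState -eq "PowerState/running") {
        $null = Restart-AzVM -Name $Name -ResourceGroupName $ResourceGroupName
    } else {
        $null = Start-AzVM -Name $Name -ResourceGroupName $ResourceGroupName
    }
    $success = $?
    $powerState = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses | Where-Object { $_.Code -like "PowerState/*" } | Select-Object -First 1 -ExpandProperty Code
    # Anything other than a running VM is a failure, whatever the cmdlet returned
    $success = $success -and ($powerState -eq "PowerState/running")
    # ... unchanged: success / fatal logging ...
}
```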
--- a/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 +++ b/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 @@ -17,7 +17,7 @@ Import-Module $PSScriptRoot/../../common/Security.psm1 -Force # Get config and original context before changing subscription # ------------------------------------------------------------ -$config = Get-ShmFullConfig($shmId) +$config = Get-ShmFullConfig $shmId $originalContext = Get-AzContext $_ = Set-AzContext -SubscriptionId $config.subscriptionName From 1cb626c5617cb4b6c47695cb43174f572e54ec3a Mon Sep 17 00:00:00 2001 From: James Robinson Date: Tue, 10 Mar 2020 11:04:54 +0000 Subject: [PATCH 2/6] Moved context call inside retry loop --- .../create_dc/scripts/Configure_Domain_Trust.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 b/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 index dfb5806100..808feb76fb 100644 --- a/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 +++ b/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 
@@ -45,25 +45,25 @@ if ($relationshipExists) { $sreDcAdminPasswordSecureString = ConvertTo-SecureString -String $sreDcAdminPasswordEncrypted -Key (1..16) $sreDcAdminPassword = [System.Runtime.InteropServices.marshal]::PtrToStringAuto([System.Runtime.InteropServices.marshal]::SecureStringToBSTR($sreDcAdminPasswordSecureString)) - # Access remote domain - Write-Host " [ ] Accessing remote domain '$sreFqdn'..." - $remoteSreDirectoryContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $sreFqdn, $sreDcAdminUsername, $sreDcAdminPassword) - + # Keep retrying access until a cap is reached $retryElapsedSec = 0 $maxRetrySec = 200 $retryIntervalSec = 10 $success = $false + # Access remote domain + Write-Host " [ ] Accessing remote domain '$sreFqdn'..." while ($success -eq $false ) { + $remoteSreDirectoryContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $sreFqdn, $sreDcAdminUsername, $sreDcAdminPassword) $remoteSreDomainConnection = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($remoteSreDirectoryContext) if ($?) { $success = $true Write-Host " [o] Accessing remote (SRE) domain succeeded" } else { - $retryElapsedSec = $retryElapsedSec + $retryIntervalSec + $retryElapsedSec += $retryIntervalSec if ($retryElapsedSec -gt $maxRetrySec) { Write-Host " [x] Accessing remote (SRE) domain failed after '$retryElapsedSec' seconds!" - throw "Failed to access remote domain!" + throw "Failed to access remote domain!" } else { Write-Host " [ ] Accessing remote (SRE) domain failed after '$retryElapsedSec' seconds - sleeping and retrying" Start-Sleep -Seconds $retryIntervalSec From 2b73fe8f3c86d5c693f3357f84438c39f307e40a Mon Sep 17 00:00:00 2001 
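Review bot: Moving `New-Object ... DirectoryContext("Domain", $sreFqdn, $sreDcAdminUsername, $sreDcAdminPassword)` inside the loop means the plaintext admin password is handed over on every retry, but nothing clears it afterwards: `$sreDcAdminPassword`, recovered just above the hunk from the `-Key (1..16)` secure string, stays in scope for the rest of the script. After the loop, `Remove-Variable sreDcAdminPassword, sreDcAdminPasswordSecureString` would limit its lifetime to the retry block. Be aware too that a fixed, well-known `-Key (1..16)` makes the "encrypted" form recoverable by anyone who can read the Run Command parameters, so it is obfuscation rather than protection; that predates this commit. The `@@` context suggests this block sits inside `if ($relationshipExists) { ... }`, which opens before the hunk.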
From: James Robinson Date: Tue, 10 Mar 2020 11:36:10 +0000 Subject: [PATCH 3/6] Switched to Enable-AzVM throughout --- deployment/common/Deployments.psm1 | 19 ++++++++++--------- .../setup/Create_Package_Mirrors.ps1 | 2 +- .../setup/Setup_SHM_DC.ps1 | 2 +- .../setup/Setup_SHM_NPS.ps1 | 2 +- .../setup/Create_Compute_VM.ps1 | 2 +- .../setup/Create_Web_App_Servers.ps1 | 2 +- .../setup/Setup_SRE_DC.ps1 | 2 +- .../setup/Setup_SRE_RDS_Servers.ps1 | 2 +- 8 files changed, 17 insertions(+), 16 deletions(-) diff --git a/deployment/common/Deployments.psm1 b/deployment/common/Deployments.psm1 index e674ed636a..aa87041572 100644 --- a/deployment/common/Deployments.psm1 +++ b/deployment/common/Deployments.psm1 @@ -578,15 +578,16 @@ function Invoke-WindowsConfigureAndUpdate { Write-Output $result.Value # Reboot the VM Add-LogMessage -Level Info "[ ] Rebooting VM '$VMName'" - $_ = Restart-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName - # The following syntax is preferred in future, but does not yet work - # $vmID = (Get-AzVM -ResourceGroupName $config.sre.rds.gateway.vmName -Name $config.sre.rds.rg).Id - # Restart-AzVM -Id $vmID - if ($?) { - Add-LogMessage -Level Success "Rebooting VM '$VMName' succeeded" - } else { - Add-LogMessage -Level Fatal "Rebooting VM '$VMName' failed!" - } + # $_ = Restart-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName + # # The following syntax is preferred in future, but does not yet work + # # $vmID = (Get-AzVM -ResourceGroupName $config.sre.rds.gateway.vmName -Name $config.sre.rds.rg).Id + # # Restart-AzVM -Id $vmID + # if ($?) { + # Add-LogMessage -Level Success "Rebooting VM '$VMName' succeeded" + # } else { + # Add-LogMessage -Level Fatal "Rebooting VM '$VMName' failed!" + # } + Enable-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName } Export-ModuleMember -Function Invoke-WindowsConfigureAndUpdate 
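Review bot: The nine lines of the previous reboot logic, including the `$vmID`/`Restart-AzVM -Id` experiment, are left in place as comments above the new `Enable-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName` call; delete them, since git history keeps them and a commented-out experiment with no owner only decays. The replacement is not quite a reboot: `Enable-AzVM` restarts only when the VM reports `PowerState/running` and otherwise starts it, which should be equivalent here because the VM has just served an `Invoke-AzVMRunCommand`, but the `# Reboot the VM` comment could say so, e.g. `# Reboot the VM (Enable-AzVM restarts it, since it is running after the run-command)`. The function `Invoke-WindowsConfigureAndUpdate` starts before this hunk.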
diff --git a/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 b/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 index 5e9c4f21bd..345961d6e8 100644 --- a/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 +++ b/deployment/safe_haven_management_environment/setup/Create_Package_Mirrors.ps1 @@ -299,7 +299,7 @@ function Deploy-PackageMirror { } } # Restart the VM - $_ = Restart-AzVM -Name $vmName -ResourceGroupName $config.mirrors.rg + Enable-AzVM -Name $vmName -ResourceGroupName $config.mirrors.rg # If we have deployed an internal mirror we need to let the external connect to it # -------------------------------------------------------------------------------- diff --git a/deployment/safe_haven_management_environment/setup/Setup_SHM_DC.ps1 b/deployment/safe_haven_management_environment/setup/Setup_SHM_DC.ps1 index 929f941cdc..a3958e710b 100644 --- a/deployment/safe_haven_management_environment/setup/Setup_SHM_DC.ps1 +++ b/deployment/safe_haven_management_environment/setup/Setup_SHM_DC.ps1 @@ -440,7 +440,7 @@ Write-Output $result.Value # --------------- foreach ($vmName in ($config.dc.vmName, $config.dcb.vmName)) { Add-LogMessage -Level Info "Restarting $vmName..." - Restart-AzVM -Name $vmName -ResourceGroupName $config.dc.rg + Enable-AzVM -Name $vmName -ResourceGroupName $config.dc.rg if ($?) { Add-LogMessage -Level Success "Restarting DC $vmName succeeded" } else { diff --git a/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1 b/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1 index 3aee40ce6c..1b3915d609 100644 --- a/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1 +++ b/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1 
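Review bot: In the Setup_SHM_DC.ps1 hunk the `if ($?)` that follows the new `Enable-AzVM -Name $vmName -ResourceGroupName $config.dc.rg` call no longer tests the restart: as far as I can tell `$?` after a function call reflects the last statement the function ran, which in `Enable-AzVM` is its own `Add-LogMessage`, so the `else` branch below the hunk becomes effectively unreachable while the `Success` line here duplicates the "Successfully (re)started" message `Enable-AzVM` already emits. Either drop the local `if ($?) { ... } else { ... }` and rely on `Enable-AzVM`'s logging, or have `Enable-AzVM` `return $success` and test that directly, e.g. `if (Enable-AzVM -Name $vmName -ResourceGroupName $config.dc.rg) { ... }`. The same pattern appears at every call site converted in this commit; the `foreach` over both DCs opens inside the hunk and closes past its end.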
@@ -80,7 +80,7 @@ Write-Output $result.Value # Restart the NPS server # ---------------------- Add-LogMessage -Level Info "Restarting $($config.nps.vmName)..." -$_ = Restart-AzVM -Name $config.nps.vmName -ResourceGroupName $config.nps.rg +Enable-AzVM -Name $config.nps.vmName -ResourceGroupName $config.nps.rg if ($?) { Add-LogMessage -Level Success "Restarting NPS $($config.nps.vmName) succeeded" } else { diff --git a/deployment/secure_research_environment/setup/Create_Compute_VM.ps1 b/deployment/secure_research_environment/setup/Create_Compute_VM.ps1 index e92ecdc1f4..feb1ce62b7 100644 --- a/deployment/secure_research_environment/setup/Create_Compute_VM.ps1 +++ b/deployment/secure_research_environment/setup/Create_Compute_VM.ps1 @@ -237,7 +237,7 @@ Add-VmToNSG -VMName $vmName -NSGName $secureNsg.Name # Restart after the NSG switch # ---------------------------- Add-LogMessage -Level Info "Rebooting $vmName..." -$_ = Restart-AzVM -Name $vmName -ResourceGroupName $config.sre.dsvm.rg +Enable-AzVM -Name $vmName -ResourceGroupName $config.sre.dsvm.rg if ($?) { Add-LogMessage -Level Success "Rebooting '${vmName}' succeeded" } else { diff --git a/deployment/secure_research_environment/setup/Create_Web_App_Servers.ps1 b/deployment/secure_research_environment/setup/Create_Web_App_Servers.ps1 index 808d12f028..bb3cccf4c0 100644 --- a/deployment/secure_research_environment/setup/Create_Web_App_Servers.ps1 +++ b/deployment/secure_research_environment/setup/Create_Web_App_Servers.ps1 
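Review bot: In the Create_Compute_VM.ps1 hunk the comment `# Restart after the NSG switch` and the log line `Rebooting $vmName...` promise a reboot, but `Enable-AzVM` only restarts a VM that reports `PowerState/running` and otherwise starts it, so if the VM is in any other state when `Add-VmToNSG` returns it is started, not power-cycled, and the log is misleading. If the reboot is the requirement, keep `Restart-AzVM` here or add a switch to `Enable-AzVM` that forces a restart; otherwise reword the comment to `# Ensure the VM is running (restarted if already up) after the NSG switch`. The `if ($?)` that follows tests `Enable-AzVM`'s last internal statement rather than the restart, as at the other converted call sites.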
@@ -141,7 +141,7 @@ Add-LogMessage -Level Info "Summary: NICs associated with '$($nsg.Name)' NSG" foreach ($nameVMNameParamsPair in (("HackMD", $config.sre.webapps.hackmd.vmName), ("GitLab", $config.sre.webapps.gitlab.vmName))) { $name, $vmName = $nameVMNameParamsPair Add-LogMessage -Level Info "Rebooting the $name VM: '$vmName'" - $_ = Restart-AzVM -Name $vmName -ResourceGroupName $config.sre.webapps.rg + Enable-AzVM -Name $vmName -ResourceGroupName $config.sre.webapps.rg if ($?) { Add-LogMessage -Level Success "Rebooting the $name VM ($vmName) succeeded" } else { diff --git a/deployment/secure_research_environment/setup/Setup_SRE_DC.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_DC.ps1 index 27419567a3..899d406ff2 100644 --- a/deployment/secure_research_environment/setup/Setup_SRE_DC.ps1 +++ b/deployment/secure_research_environment/setup/Setup_SRE_DC.ps1 @@ -215,7 +215,7 @@ Write-Output $result.Value # Restart the DC # -------------- Add-LogMessage -Level Info "Restarting $($config.sre.dc.vmName)..." -Restart-AzVM -Name $config.sre.dc.vmName -ResourceGroupName $config.sre.dc.rg +Enable-AzVM -Name $config.sre.dc.vmName -ResourceGroupName $config.sre.dc.rg if ($?) { Add-LogMessage -Level Success "Restarting DC succeeded" } else { diff --git a/deployment/secure_research_environment/setup/Setup_SRE_RDS_Servers.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_RDS_Servers.ps1 index d76527e502..fc3c5a5f68 100644 --- a/deployment/secure_research_environment/setup/Setup_SRE_RDS_Servers.ps1 +++ b/deployment/secure_research_environment/setup/Setup_SRE_RDS_Servers.ps1 
@@ -380,7 +380,7 @@ Write-Output $result.Value foreach ($nameVMNameParamsPair in $vmNamePairs) { $name, $vmName = $nameVMNameParamsPair Add-LogMessage -Level Info "Rebooting the ${name} VM: '$vmName'" - $_ = Restart-AzVM -Name $vmName -ResourceGroupName $config.sre.rds.rg + Enable-AzVM -Name $vmName -ResourceGroupName $config.sre.rds.rg if ($?) { Add-LogMessage -Level Success "Rebooting the ${name} succeeded" } else { From dfdb8fa3d509e0ebe8c2c7bf5b4f5b02c2f40b8e Mon Sep 17 00:00:00 2001 From: James Robinson Date: Tue, 10 Mar 2020 11:40:01 +0000 Subject: [PATCH 4/6] Added explanatory comment --- .../remote/create_dc/scripts/Configure_Domain_Trust.ps1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 b/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 index 808feb76fb..7cd6f22ef5 100644 --- a/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 +++ b/deployment/secure_research_environment/remote/create_dc/scripts/Configure_Domain_Trust.ps1 @@ -51,7 +51,10 @@ if ($relationshipExists) { $retryIntervalSec = 10 $success = $false - # Access remote domain + # Attempt to access remote domain. Failure here can indicate a DNS problem. + # In particular if the conditional forwarders on the SHM DC and/or the SRE DC + # have been configured incorrectly then attempting to resolve the FQDN into + # an IP address will fail Write-Host " [ ] Accessing remote domain '$sreFqdn'..." while ($success -eq $false ) { $remoteSreDirectoryContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $sreFqdn, $sreDcAdminUsername, $sreDcAdminPassword) From 55d0f2f2ad97797d09687aba975e5f7f894be295 Mon Sep 17 00:00:00 2001 
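Review bot: The new comment in Configure_Domain_Trust.ps1 names conditional-forwarder misconfiguration as the likely cause of failure, but the retry branch of the loop (below the hunk) only prints the elapsed time, so the operator never sees the exception that would confirm the diagnosis. Including the most recent error on the retry path, e.g. `Write-Host " [ ] Accessing remote (SRE) domain failed after '$retryElapsedSec' seconds ($($Error[0].Exception.Message)) - sleeping and retrying"`, makes the comment's claim checkable from the log. A `Resolve-DnsName $sreFqdn` attempt before the loop is another cheap way to separate DNS failures from credential failures. The `while` loop opens inside the hunk and its body continues past the end.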
From: James Robinson Date: Fri, 20 Mar 2020 15:31:16 +0000 Subject: [PATCH 5/6] Consolidated diagnostic scripts --- .../SRE_DSVM_Remote_Diagnostics.ps1 | 101 +++++++++++++----- .../administration/SRE_DSVM_Reset_Ldap.ps1 | 85 --------------- 2 files changed, 74 insertions(+), 112 deletions(-) delete mode 100644 deployment/administration/SRE_DSVM_Reset_Ldap.ps1 diff --git a/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 b/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 index 1d79069d27..b5f9467d9f 100644 --- a/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 +++ b/deployment/administration/SRE_DSVM_Remote_Diagnostics.ps1 
@@ -17,41 +17,88 @@ $originalContext = Get-AzContext
 $_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName
-# Find VM with private IP address matching the provided last octect
-## Turn provided last octect into full IP address in the data subnet
-$vmIpAddress = ($config.sre.network.subnets.data.prefix + "." + $ipLastOctet)
-Add-LogMessage -Level Info "Finding VM with IP ${vmIpAddress}..."
-## Get all compute VMs
-$computeVms = Get-AzVM -ResourceGroupName $config.sre.dsvm.rg
-## Get the NICs attached to all the compute VMs
-$computeVmNicIds = ($computeVms | ForEach-Object { (Get-AzVM -ResourceGroupName $config.sre.dsvm.rg -Name $_.Name).NetworkProfile.NetworkInterfaces.Id })
-$computeVmNics = ($computeVmNicIds | ForEach-Object { Get-AzNetworkInterface -ResourceGroupName $config.sre.dsvm.rg -Name $_.Split("/")[-1] })
-## Filter the NICs to the one matching the desired IP address and get the name of the VM it is attached to
-$computeVmName = ($computeVmNics | Where-Object { $_.IpConfigurations.PrivateIpAddress -match $vmIpAddress })[0].VirtualMachine.Id.Split("/")[-1]
-
-# Run remote scripts
-$diagnostic_scripts = @("check_ldap_connection.sh", "restart_name_resolution_service.sh", "rerun_realm_join.sh", "restart_sssd_service.sh")
-$testHost = $config.shm.dc.fqdn
-$ldapUser = $config.sre.users.ldap.dsvm.samAccountName
-$domainLower = $config.shm.domain.fqdn
-$servicePath = $config.shm.domain.serviceOuPath
+# Find VM with private IP address matching the provided last octet
+# ----------------------------------------------------------------
+Add-LogMessage -Level Info "Finding compute VM with last IP octet: $ipLastOctet"
+$vmId = Get-AzNetworkInterface -ResourceGroupName $config.sre.dsvm.rg | Where-Object { ($_.IpConfigurations.PrivateIpAddress).Split(".") -eq $ipLastOctet } | ForEach-Object { $_.VirtualMachine.Id }
+$vm = Get-AzVM -ResourceGroupName $config.sre.dsvm.rg | Where-Object { $_.Id -eq $vmId }
+if ($?) {
+ Add-LogMessage -Level Success "Found compute VM '$($vm.Name)'"
+} else {
+ Add-LogMessage -Level Fatal "Could not find VM with last IP octet '$ipLastOctet'"
+}
+# Run remote diagnostic scripts
+# -----------------------------
+Add-LogMessage -Level Info "Running diagnostic scripts on VM $($vm.Name)..."
 $params = @{
 TEST_HOST = $config.shm.dc.fqdn
 LDAP_USER = $config.sre.users.ldap.dsvm.samAccountName
 DOMAIN_LOWER = $config.shm.domain.fqdn
- SERVICE_PATH = "'" + $config.shm.domain.serviceOuPath + "'"
+ SERVICE_PATH = "'$($config.shm.domain.serviceOuPath)'"
+}
+foreach ($scriptNamePair in (("LDAP connection", "check_ldap_connection.sh"),
+ ("name resolution", "restart_name_resolution_service.sh"),
+ ("realm join", "rerun_realm_join.sh"),
+ ("SSSD service", "restart_sssd_service.sh"))) {
+ $name, $diagnostic_script = $scriptNamePair
+ $scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" $diagnostic_script
+ Add-LogMessage -Level Info "[ ] Configuring $name ($diagnostic_script) on compute VM '$($vm.Name)'"
+ $result = Invoke-RemoteScript -Shell "UnixShell" -ScriptPath $scriptPath -VMName $vm.Name -ResourceGroupName $config.sre.dsvm.rg -Parameter $params
+ $success = $?
+ Write-Output $result.Value
+ if ($success) {
+ Add-LogMessage -Level Success "Configuring $name on $($vm.Name) was successful"
+ } else {
+ Add-LogMessage -Level Failure "Configuring $name on $($vm.Name) failed!"
+ }
 }
-Add-LogMessage -Level Info "Running diagnostic scripts on VM ${computeVmName}..."
-foreach ($diagnostic_script in $diagnostic_scripts) {
- #$scriptPath = Join-Path $PSScriptRoot "remote_scripts" $diagnostic_script
- $scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" $diagnostic_script
- $result = Invoke-AzVMRunCommand -ResourceGroupName $config.sre.dsvm.rg -Name "$computeVmName" `
- -CommandId 'RunShellScript' -ScriptPath $scriptPath `
- -Parameter $params
- Write-Output $result.Value;
+# Get LDAP secret from the KeyVault
+# ---------------------------------
+Add-LogMessage -Level Info "[ ] Loading LDAP secret from key vault '$($config.sre.keyVault.name)'"
+$kvLdapPassword = (Get-AzKeyVaultSecret -VaultName $config.sre.keyVault.Name -Name $config.sre.keyVault.secretNames.dsvmLdapPassword).SecretValueText;
+if ($kvLdapPassword) {
+ Add-LogMessage -Level Success "Found LDAP secret in the key vault"
+} else {
+ Add-LogMessage -Level Fatal "Could not load LDAP secret from key vault '$($config.sre.keyVault.name)'"
+}
+
+
+# Set LDAP secret on the compute VM
+# ---------------------------------
+Add-LogMessage -Level Info "[ ] Setting LDAP secret on compute VM '$($vm.Name)'"
+$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "reset_ldap_password.sh"
+$params = @{
+ ldapPassword = "`"$kvLdapPassword`""
+}
+$result = Invoke-RemoteScript -Shell "UnixShell" -ScriptPath $scriptPath -VMName $vm.Name -ResourceGroupName $config.sre.dsvm.rg -Parameter $params
+$success = $?
+Write-Output $result.Value
+if ($success) {
+ Add-LogMessage -Level Success "Setting LDAP secret on compute VM $($vm.Name) was successful"
+} else {
+ Add-LogMessage -Level Fatal "Setting LDAP secret on compute VM $($vm.Name) failed!"
+}
+
+
+# Set LDAP secret in local Active Directory on the SHM DC
+# -------------------------------------------------------
+$_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName
+$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "ResetLdapPasswordOnAD.ps1"
+$params = @{
+ samAccountName = "`"$($config.sre.users.ldap.dsvm.samAccountName)`""
+ ldapPassword = "`"$kvLdapPassword`""
+}
+Add-LogMessage -Level Info "[ ] Setting LDAP secret in local AD on '$($config.shm.dc.vmName)'"
+$result = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $config.shm.dc.vmName -ResourceGroupName $config.shm.dc.rg -Parameter $params
+$success = $?
+Write-Output $result.Value
+if ($success) {
+ Add-LogMessage -Level Success "Setting LDAP secret on SHM DC was successful"
+} else {
+ Add-LogMessage -Level Fatal "Setting LDAP secret on SHM DC failed!"
 }
diff --git a/deployment/administration/SRE_DSVM_Reset_Ldap.ps1 b/deployment/administration/SRE_DSVM_Reset_Ldap.ps1
deleted file mode 100644
index 80de381f67..0000000000
--- a/deployment/administration/SRE_DSVM_Reset_Ldap.ps1
+++ /dev/null
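Review bot: The VM lookup near the top of the hunk matches any octet rather than the last one: `.Split(".") -eq $ipLastOctet` returns every element equal to the value, so a NIC at an address like 10.160.x.y is selected when 160 is requested and `$vmId` can then hold several IDs; compare only the last element, `Where-Object { ($_.IpConfigurations.PrivateIpAddress).Split(".")[-1] -eq $ipLastOctet }`. The `if ($?)` following `$vm = Get-AzVM ... | Where-Object { ... }` is true whenever the pipeline itself ran without error, including when nothing matched, so the Fatal branch never fires and a null `$vm` flows into every later `$vm.Name`; test the result instead, `if ($vm) {`. The three `$success = $?` assignments after `Invoke-RemoteScript` likewise report the status of whatever that helper executed last rather than of the remote script, so unless the helper is known to surface the script's exit status, `$result` should be inspected instead. The LDAP password is handed to both VMs as a run-command parameter wrapped in a double-quoted string (`"`"$kvLdapPassword`""`), which breaks or alters the remote scripts if the secret contains `"`, `$` or a backtick, and the run-command invocation record then carries the secret; constraining the secret's character set where it is generated and treating those invocation logs as sensitive would address both.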
@@ -1,85 +0,0 @@ -param( - [Parameter(Position = 0,Mandatory = $true,HelpMessage = "Enter SRE ID (a short string) e.g 'sandbox' for the sandbox environment")] - [string]$sreId, - [Parameter(Position = 1,Mandatory = $true,HelpMessage = "Enter last octet of compute VM IP address (e.g. 160)")] - [string]$ipLastOctet -) - -Import-Module Az -Import-Module $PSScriptRoot/../common/Configuration.psm1 -Force -Import-Module $PSScriptRoot/../common/Logging.psm1 -Force - - -# Get config and original context before changing subscription -# ------------------------------------------------------------ -$config = Get-SreConfig $sreId -$originalContext = Get-AzContext -$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName - - -# Find VM with private IP address matching the provided last octet -# ---------------------------------------------------------------- -$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName; -Add-LogMessage -Level Info "Finding VM with last IP octet: $ipLastOctet" -$vmId = Get-AzNetworkInterface -ResourceGroupName $config.sre.dsvm.rg | Where-Object { ($_.IpConfigurations.PrivateIpAddress).Split(".") -eq $ipLastOctet } | ForEach-Object { $_.VirtualMachine.Id } -$vm = Get-AzVM -ResourceGroupName $config.sre.dsvm.rg | Where-Object { $_.Id -eq $vmId } -if ($?) 
{ - Add-LogMessage -Level Success "Found VM: $($vm.Name)" -} else { - Add-LogMessage -Level Fatal "Could not find VM with last IP octet '$ipLastOctet'" -} - - -# Get LDAP secret from the KeyVault -# --------------------------------- -$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName; -Add-LogMessage -Level Info "Checking LDAP secret in KeyVault: $($config.sre.keyVault.name)" -$kvLdapPassword = (Get-AzKeyVaultSecret -VaultName $config.sre.keyVault.Name -Name $config.sre.keyVault.secretNames.dsvmLdapPassword).SecretValueText; -if ($kvLdapPassword -ne $null) { - Add-LogMessage -Level Success "Found LDAP secret in the KeyVault" -} else { - Add-LogMessage -Level Fatal "Could not load LDAP secret from KeyVault '$($config.sre.keyVault.name)'" -} - - -# Set LDAP secret in local Active Directory on the SHM DC -# ------------------------------------------------------- -$_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName; -#$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "ResetLdapPasswordOnAD.ps1" -$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "ResetLdapPasswordOnAD.ps1" -$params = @{ - samAccountName = "`"$($config.sre.users.ldap.dsvm.samAccountName)`"" - ldapPassword = "`"$kvLdapPassword`"" -} -Add-LogMessage -Level Info "Setting LDAP secret in local AD on: $($config.shm.dc.vmName)" -$result = Invoke-AzVMRunCommand -ResourceGroupName $config.shm.dc.rg -Name $config.shm.dc.vmName ` - -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath ` - -Parameter $params -$success = $? 
-Write-Output $result.Value -if ($success) { - Add-LogMessage -Level Success "Setting LDAP secret on SHM DC was successful" -} - - -# Set LDAP secret on the VM -# ------------------------- -Add-LogMessage -Level Info "Setting LDAP secret on compute VM: $($vm.Name)" -$_ = Set-AzContext -SubscriptionId $config.sre.subscriptionName; -#$scriptPath = Join-Path $PSScriptRoot "remote_scripts" "reset_ldap_password.sh" -$scriptPath = Join-Path $PSScriptRoot ".." "secure_research_environment" "remote" "compute_vm" "scripts" "reset_ldap_password.sh" -$params = @{ - ldapPassword = "`"$kvLdapPassword`"" -} -$result = Invoke-AzVMRunCommand -ResourceGroupName $config.sre.dsvm.rg -Name $vm.Name ` - -CommandId 'RunShellScript' -ScriptPath $scriptPath -Parameter $params -$success = $? -Write-Output $result.Value -if ($success) { - Add-LogMessage -Level Success "Setting LDAP secret on compute VM was successful" -} - - -# Switch back to original subscription -# ------------------------------------ -$_ = Set-AzContext -Context $originalContext From 3ea8d4b3208e598400e224c36be7a4f2599cddd6 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Fri, 20 Mar 2020 16:25:01 +0000 Subject: [PATCH 6/6] Fixed incorrect paths in Remove_SRE_Data_From_SHM --- .../administration/SRE_Minimise_VM_Sizes.ps1 | 2 +- .../administration/SRE_Shutdown_VMs.ps1 | 2 +- .../scripts/Add_New_SRE_To_DNS_Remote.ps1 | 170 ++++++++--------- ...e_New_SRE_User_Service_Accounts_Remote.ps1 | 180 +++++++++--------- .../scripts/Remove_AD_Trust_Remote.ps1 | 6 +- .../scripts/Remove_DNS_Entries_Remote.ps1 | 8 +- ...emove_RDS_Gateway_RADIUS_Client_Remote.ps1 | 6 +- .../Remove_Users_And_Groups_Remote.ps1 | 43 ++--- .../setup/Remove_SRE_Data_From_SHM.ps1 | 11 +- 9 files changed, 213 insertions(+), 215 deletions(-) diff --git a/deployment/administration/SRE_Minimise_VM_Sizes.ps1 b/deployment/administration/SRE_Minimise_VM_Sizes.ps1 index b0585c751a..6b03751597 100644 --- a/deployment/administration/SRE_Minimise_VM_Sizes.ps1 
+++ b/deployment/administration/SRE_Minimise_VM_Sizes.ps1
@@ -51,4 +51,4 @@ Update-AzVM -VM $vm -ResourceGroupName $config.sre.dc.rg -NoWait
 # Switch back to original subscription
 # ------------------------------------
-$_ = Set-AzContext -Context $originalContext
\ No newline at end of file
+$_ = Set-AzContext -Context $originalContext
diff --git a/deployment/administration/SRE_Shutdown_VMs.ps1 b/deployment/administration/SRE_Shutdown_VMs.ps1
index f3f93eeb1b..74510908a7 100644
--- a/deployment/administration/SRE_Shutdown_VMs.ps1
+++ b/deployment/administration/SRE_Shutdown_VMs.ps1
@@ -35,4 +35,4 @@ Stop-AzVM -ResourceGroupName $config.sre.dc.rg -Name $config.sre.dc.vmName -Forc
 # Switch back to original subscription
 # ------------------------------------
-$_ = Set-AzContext -Context $originalContext
\ No newline at end of file
+$_ = Set-AzContext -Context $originalContext
diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Add_New_SRE_To_DNS_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Add_New_SRE_To_DNS_Remote.ps1
index 54b5200fe0..a5965bc568 100644
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Add_New_SRE_To_DNS_Remote.ps1
+++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Add_New_SRE_To_DNS_Remote.ps1
@@ -1,85 +1,85 @@ -# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them -# and remote execution will stall waiting for the non-present user to enter the missing parameter on the -# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in -# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled -# job, but this does not seem to have an immediate effect -# Fror details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command -param( - $shmFqdn, - $sreFqdn, - $sreDcIp, - $sreDcName, - $identitySubnetCidr, - $rdsSubnetCidr, - $dataSubnetCidr -) - -# NB. This function also exists in the SHM configuration (Active_Directory_Configuration.ps1) -# but cannot easily be split out into a common function as it is a remote script and cannot import other scripts -function DNSZoneExists($cidr) { - $oct1, $oct2, $oct3, $oct4 = $cidr.split(".") - $zoneName = "$oct3.$oct2.$oct1.in-addr.arpa" - # Check for a match in existing zone - $zoneExists = $false - ForEach ($zone in Get-DnsServerZone) { - if (($zone.ZoneName -eq $zoneName) -and $zone.IsReverseLookupZone) { - $zoneExists = $true - } - } - return $zoneExists -} - -# Create Reverse Lookup Zones -# --------------------------- -if (DNSZoneExists $identitySubnetCidr) { - Write-Host "Reverse lookup record for SRE Identity subnet already exists" -} else { - Write-Host " [ ] Adding reverse lookup record for SRE Identity subnet (CIDR: $identitySubnetCidr)" - Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $identitySubnetCidr -ReplicationScope Domain - if ($?) 
{ - Write-Host " [o] Successfully created reverse lookup record for SRE Identity subnet" - } else { - Write-Host " [x] Failed to create reverse lookup record for SRE Identity subnet" - } -} - -if (DNSZoneExists $rdsSubnetCidr) { - Write-Host "Reverse lookup record for SRE RDS subnet already exists" -} else { - Write-Host " [ ] Adding reverse lookup record for SRE RDS subnet (CIDR: $rdsSubnetCidr)" - Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $rdsSubnetCidr -ReplicationScope Domain - if ($?) { - Write-Host " [o] Successfully created reverse lookup record for SRE RDS subnet" - } else { - Write-Host " [x] Failed to create reverse lookup record for SRE RDS subnet" - } -} - -if (DNSZoneExists $dataSubnetCidr) { - Write-Host "Reverse lookup record for SRE Data subnet already exists" -} else { - Write-Host " [ ] Adding reverse lookup record for SRE Data subnet (CIDR: $dataSubnetCidr)" - Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $dataSubnetCidr -ReplicationScope Domain - if ($?) { - Write-Host " [o] Successfully created reverse lookup record for SRE Data subnet" - } else { - Write-Host " [x] Failed to create reverse lookup record for SRE Data subnet" - } -} - -# Create conditional forwarder / zone delegation -# ---------------------------------------------- -# Check whether the SRE fqdn ends with the SHM fqdn -if ($sreFqdn -match "$($shmFqdn)$") { - $childzone = $sreFqdn -replace ".$($shmFqdn)$" - Write-Host " [ ] Adding zone delegation record for SRE subdomain (domain: $sreFqdn; SRE DC IP: $sreDcIp)" - Add-DnsServerZoneDelegation -Name $shmFqdn -ChildZoneName $childzone -NameServer $sreDcName -IPAddress $sreDcIp -} else { - Write-Host " [ ] Adding conditional forwarder record for SRE domain (domain: $sreFqdn; SRE DC IP: $sreDcIp)" - Add-DnsServerConditionalForwarderZone -name $sreFqdn -MasterServers $sreDcIp -ReplicationScope "Forest" -} -if ($?) 
{ - Write-Host " [o] Successfully created/updated record for SRE domain" -} else { - Write-Host " [x] Failed to create/update record for SRE domain" -} +# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them +# and remote execution will stall waiting for the non-present user to enter the missing parameter on the +# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in +# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled +# job, but this does not seem to have an immediate effect +# Fror details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command +param( + [String]$shmFqdn, + [String]$sreFqdn, + [String]$sreDcIp, + [String]$sreDcName, + [String]$identitySubnetCidr, + [String]$rdsSubnetCidr, + [String]$dataSubnetCidr +) + +# NB. This function also exists in the SHM configuration (Active_Directory_Configuration.ps1) +# but cannot easily be split out into a common function as it is a remote script and cannot import other scripts +function DNSZoneExists($cidr) { + $oct1, $oct2, $oct3, $oct4 = $cidr.split(".") + $zoneName = "$oct3.$oct2.$oct1.in-addr.arpa" + # Check for a match in existing zone + $zoneExists = $false + ForEach ($zone in Get-DnsServerZone) { + if (($zone.ZoneName -eq $zoneName) -and $zone.IsReverseLookupZone) { + $zoneExists = $true + } + } + return $zoneExists +} + +# Create Reverse Lookup Zones +# --------------------------- +if (DNSZoneExists $identitySubnetCidr) { + Write-Host "Reverse lookup record for SRE Identity subnet already exists" +} else { + Write-Host " [ ] Adding reverse lookup record for SRE Identity subnet (CIDR: $identitySubnetCidr)" + Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $identitySubnetCidr -ReplicationScope Domain + if ($?) 
{ + Write-Host " [o] Successfully created reverse lookup record for SRE Identity subnet" + } else { + Write-Host " [x] Failed to create reverse lookup record for SRE Identity subnet" + } +} + +if (DNSZoneExists $rdsSubnetCidr) { + Write-Host "Reverse lookup record for SRE RDS subnet already exists" +} else { + Write-Host " [ ] Adding reverse lookup record for SRE RDS subnet (CIDR: $rdsSubnetCidr)" + Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $rdsSubnetCidr -ReplicationScope Domain + if ($?) { + Write-Host " [o] Successfully created reverse lookup record for SRE RDS subnet" + } else { + Write-Host " [x] Failed to create reverse lookup record for SRE RDS subnet" + } +} + +if (DNSZoneExists $dataSubnetCidr) { + Write-Host "Reverse lookup record for SRE Data subnet already exists" +} else { + Write-Host " [ ] Adding reverse lookup record for SRE Data subnet (CIDR: $dataSubnetCidr)" + Add-DnsServerPrimaryZone -DynamicUpdate Secure -NetworkId $dataSubnetCidr -ReplicationScope Domain + if ($?) { + Write-Host " [o] Successfully created reverse lookup record for SRE Data subnet" + } else { + Write-Host " [x] Failed to create reverse lookup record for SRE Data subnet" + } +} + +# Create conditional forwarder / zone delegation +# ---------------------------------------------- +# Check whether the SRE fqdn ends with the SHM fqdn +if ($sreFqdn -match "$($shmFqdn)$") { + $childzone = $sreFqdn -replace ".$($shmFqdn)$" + Write-Host " [ ] Adding zone delegation record for SRE subdomain (domain: $sreFqdn; SRE DC IP: $sreDcIp)" + Add-DnsServerZoneDelegation -Name $shmFqdn -ChildZoneName $childzone -NameServer $sreDcName -IPAddress $sreDcIp +} else { + Write-Host " [ ] Adding conditional forwarder record for SRE domain (domain: $sreFqdn; SRE DC IP: $sreDcIp)" + Add-DnsServerConditionalForwarderZone -name $sreFqdn -MasterServers $sreDcIp -ReplicationScope "Forest" +} +if ($?) 
{ + Write-Host " [o] Successfully created/updated record for SRE domain" +} else { + Write-Host " [x] Failed to create/update record for SRE domain" +} diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Create_New_SRE_User_Service_Accounts_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Create_New_SRE_User_Service_Accounts_Remote.ps1 index 168e7b4aa7..04b4cebe58 100644 --- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Create_New_SRE_User_Service_Accounts_Remote.ps1 +++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Create_New_SRE_User_Service_Accounts_Remote.ps1 
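Review bot: In the "Create conditional forwarder / zone delegation" block near the end of the new side, `$shmFqdn` is interpolated unescaped into a regular expression, so its dots match any character: `$sreFqdn -match "$($shmFqdn)$"` accepts names that merely resemble the SHM domain, and `-replace ".$($shmFqdn)$"` strips an arbitrary character before the domain rather than the separating dot. `[regex]::Escape` fixes both: `if ($sreFqdn -match "$([regex]::Escape($shmFqdn))$") {` and `$childzone = $sreFqdn -replace "\.$([regex]::Escape($shmFqdn))$"`. Now that the parameters are typed, a `[ValidatePattern('^[A-Za-z0-9.-]+$')]` on the FQDN and CIDR parameters would also keep unexpected characters out of the DNS cmdlet arguments. Separately, the whole file shows as replaced, presumably a line-ending change, which hides the real change (typing the parameters); the same applies to Create_New_SRE_User_Service_Accounts_Remote.ps1 below, and both still carry the `Fror details` typo in the header comment.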
@@ -1,90 +1,90 @@ -# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them -# and remote execution will stall waiting for the non-present user to enter the missing parameter on the -# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in -# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled -# job, but this does not seem to have an immediate effect -# Fror details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command -param( - [String]$sreFqdn, - [String]$shmFqdn, - [String]$researchUserSgName, - [String]$researchUserSgDescription, - [String]$ldapUserSgName, - [String]$securityOuPath, - [String]$serviceOuPath, - [String]$researchUserOuPath, - [String]$hackmdSamAccountName, - [String]$hackmdName, - [String]$hackmdPasswordEncrypted, - [String]$gitlabSamAccountName, - [String]$gitlabName, - [String]$gitlabPasswordEncrypted, - [String]$dsvmSamAccountName, - [String]$dsvmName, - [String]$dsvmPasswordEncrypted, - [String]$testResearcherSamAccountName, - [String]$testResearcherName, - [String]$testResearcherPasswordEncrypted -) - -function New-SreGroup($name, $description, $path, $groupCategory, $groupScope) { - if(Get-ADGroup -Filter "Name -eq '$name'"){ - Write-Output " [o] Group '$name' already exists" - } else { - Write-Output " [ ] Creating group '$name' in OU '$serviceOuPath'..." - $group = (New-ADGroup -Name "$name" -Description $description -Path $path -GroupScope $groupScope -GroupCategory Security) - if ($?) { - Write-Output " [o] Group '$name' created" - } else { - Write-Output " [x] Failed to create group '$name'!" 
- } - return $group - } -} - -function New-SreUser($samAccountName, $name, $path, $passwordSecureString) { - if(Get-ADUser -Filter "SamAccountName -eq '$samAccountName'"){ - Write-Output " [o] User '$samAccountName' already exists" - } else { - $principalName = $samAccountName + "@" + $shmFqdn; - Write-Output " [ ] Creating user '$name' ($samAccountName)..." - $user = (New-ADUser -Name "$name" ` - -UserPrincipalName $principalName ` - -Path $path ` - -SamAccountName $samAccountName ` - -DisplayName "$name" ` - -Description "$name" ` - -AccountPassword $passwordSecureString ` - -Enabled $true ` - -PasswordNeverExpires $true) - if ($?) { - Write-Output " [o] User '$name' ($samAccountName) created" - } else { - Write-Output " [x] Failed to create user '$name' ($samAccountName)!" - } - return $user - } -} - -# Convert encrypted string to secure string -$hackmdPasswordSecureString = ConvertTo-SecureString -String $hackmdPasswordEncrypted -Key (1..16) -$gitlabPasswordSecureString = ConvertTo-SecureString -String $gitlabPasswordEncrypted -Key (1..16) -$dsvmPasswordSecureString = ConvertTo-SecureString -String $dsvmPasswordEncrypted -Key (1..16) -$testResearcherPasswordSecureString = ConvertTo-SecureString -String $testResearcherPasswordEncrypted -Key (1..16) - -# Create SRE Security Group -New-SreGroup -name $researchUserSgName -description $researchUserSgDescription -Path $securityOuPath -GroupScope Global -GroupCategory Security - -# Create Service Accounts for SRE -New-SreUser -samAccountName $hackmdSamAccountName -name $hackmdName -path $serviceOuPath -passwordSecureString $hackmdPasswordSecureString -New-SreUser -samAccountName $gitlabSamAccountName -name $gitlabName -path $serviceOuPath -passwordSecureString $gitlabPasswordSecureString -New-SreUser -samAccountName $dsvmSamAccountName -name $dsvmName -path $serviceOuPath -passwordSecureString $dsvmPasswordSecureString -New-SreUser -samAccountName $testResearcherSamAccountName -name $testResearcherName -path 
$researchUserOuPath -passwordSecureString $testResearcherPasswordSecureString - -# Add Data Science LDAP users to SG Data Science LDAP Users security group -Write-Output " [ ] Adding '$dsvmSamAccountName' user to group '$ldapUserSgName'" -Add-ADGroupMember "$ldapUserSgName" "$dsvmSamAccountName" - -# Add SRE test users to the relative Security Groups -Write-Output " [ ] Adding '$testResearcherSamAccountName' user to group '$researchUserSgName'" -Add-ADGroupMember "$researchUserSgName" "$testResearcherSamAccountName" +# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them +# and remote execution will stall waiting for the non-present user to enter the missing parameter on the +# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in +# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled +# job, but this does not seem to have an immediate effect +# Fror details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command +param( + [String]$sreFqdn, + [String]$shmFqdn, + [String]$researchUserSgName, + [String]$researchUserSgDescription, + [String]$ldapUserSgName, + [String]$securityOuPath, + [String]$serviceOuPath, + [String]$researchUserOuPath, + [String]$hackmdSamAccountName, + [String]$hackmdName, + [String]$hackmdPasswordEncrypted, + [String]$gitlabSamAccountName, + [String]$gitlabName, + [String]$gitlabPasswordEncrypted, + [String]$dsvmSamAccountName, + [String]$dsvmName, + [String]$dsvmPasswordEncrypted, + [String]$testResearcherSamAccountName, + [String]$testResearcherName, + [String]$testResearcherPasswordEncrypted +) + +function New-SreGroup($name, $description, $path, $groupCategory, $groupScope) { + if(Get-ADGroup -Filter "Name -eq '$name'"){ + Write-Output " [o] Group '$name' already exists" + } else { + Write-Output " [ ] Creating group '$name' in OU '$serviceOuPath'..." 
+ $group = (New-ADGroup -Name "$name" -Description $description -Path $path -GroupScope $groupScope -GroupCategory Security) + if ($?) { + Write-Output " [o] Group '$name' created" + } else { + Write-Output " [x] Failed to create group '$name'!" + } + return $group + } +} + +function New-SreUser($samAccountName, $name, $path, $passwordSecureString) { + if(Get-ADUser -Filter "SamAccountName -eq '$samAccountName'"){ + Write-Output " [o] User '$samAccountName' already exists" + } else { + $principalName = $samAccountName + "@" + $shmFqdn; + Write-Output " [ ] Creating user '$name' ($samAccountName)..." + $user = (New-ADUser -Name "$name" ` + -UserPrincipalName $principalName ` + -Path $path ` + -SamAccountName $samAccountName ` + -DisplayName "$name" ` + -Description "$name" ` + -AccountPassword $passwordSecureString ` + -Enabled $true ` + -PasswordNeverExpires $true) + if ($?) { + Write-Output " [o] User '$name' ($samAccountName) created" + } else { + Write-Output " [x] Failed to create user '$name' ($samAccountName)!" 
+ } + return $user + } +} + +# Convert encrypted string to secure string +$hackmdPasswordSecureString = ConvertTo-SecureString -String $hackmdPasswordEncrypted -Key (1..16) +$gitlabPasswordSecureString = ConvertTo-SecureString -String $gitlabPasswordEncrypted -Key (1..16) +$dsvmPasswordSecureString = ConvertTo-SecureString -String $dsvmPasswordEncrypted -Key (1..16) +$testResearcherPasswordSecureString = ConvertTo-SecureString -String $testResearcherPasswordEncrypted -Key (1..16) + +# Create SRE Security Group +New-SreGroup -name $researchUserSgName -description $researchUserSgDescription -Path $securityOuPath -GroupScope Global -GroupCategory Security + +# Create Service Accounts for SRE +New-SreUser -samAccountName $hackmdSamAccountName -name $hackmdName -path $serviceOuPath -passwordSecureString $hackmdPasswordSecureString +New-SreUser -samAccountName $gitlabSamAccountName -name $gitlabName -path $serviceOuPath -passwordSecureString $gitlabPasswordSecureString +New-SreUser -samAccountName $dsvmSamAccountName -name $dsvmName -path $serviceOuPath -passwordSecureString $dsvmPasswordSecureString +New-SreUser -samAccountName $testResearcherSamAccountName -name $testResearcherName -path $researchUserOuPath -passwordSecureString $testResearcherPasswordSecureString + +# Add Data Science LDAP users to SG Data Science LDAP Users security group +Write-Output " [ ] Adding '$dsvmSamAccountName' user to group '$ldapUserSgName'" +Add-ADGroupMember "$ldapUserSgName" "$dsvmSamAccountName" + +# Add SRE test users to the relative Security Groups +Write-Output " [ ] Adding '$testResearcherSamAccountName' user to group '$researchUserSgName'" +Add-ADGroupMember "$researchUserSgName" "$testResearcherSamAccountName" diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_AD_Trust_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_AD_Trust_Remote.ps1 index 41a402a100..05bcd65448 100644 
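Review bot: The `ConvertTo-SecureString -String ... -Key (1..16)` lines decrypt the four passwords with a fixed, publicly readable key, so the `*PasswordEncrypted` parameters are obfuscated rather than protected: anyone who can read the run-command parameters on the calling side recovers them exactly as if they were plain text. That may be acceptable for transport through Run Command, but a comment on those lines saying so (and that the key must match the encoding side) would stop a future reader from treating it as encryption. In `New-SreGroup`, the `$groupCategory` parameter is accepted but ignored — `New-ADGroup` is called with the literal `-GroupCategory Security` — and the progress message names `$serviceOuPath` where the group is actually created at `$path`; `-GroupCategory $groupCategory` and `'$path'` would make both truthful. `$name` and `$samAccountName` are interpolated into the `-Filter` strings, so a value containing a single quote breaks the filter; doubling single quotes before interpolation, or restricting the parameters with `[ValidatePattern]`, keeps the lookup sound.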
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_AD_Trust_Remote.ps1
+++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_AD_Trust_Remote.ps1
@@ -5,8 +5,8 @@
 # job, but this does not seem to have an immediate effect
 # For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
 param(
- $shmFqdn,
- $sreFqdn
+ [String]$shmFqdn,
+ [String]$sreFqdn
 )
 $cmd = "netdom trust $shmFqdn /d:$sreFqdn /remove /force"
@@ -21,4 +21,4 @@ if(Get-ADTrust -Filter {Target -eq $sreFqdn}) {
 }
 } else {
 Write-Output "No AD Trust from '$shmFqdn' for domain '$sreFqdn' exists"
-}
\ No newline at end of file
+}
diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_DNS_Entries_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_DNS_Entries_Remote.ps1
index bcd351100c..fc52683ab0 100644
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_DNS_Entries_Remote.ps1
+++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_DNS_Entries_Remote.ps1
@@ -5,10 +5,10 @@
 # job, but this does not seem to have an immediate effect
 # For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
 param(
- $sreFqdn,
- $identitySubnetPrefix,
- $rdsSubnetPrefix,
- $dataSubnetPrefix
+ [String]$sreFqdn,
+ [String]$identitySubnetPrefix,
+ [String]$rdsSubnetPrefix,
+ [String]$dataSubnetPrefix
 )
 function IpPrefixToInAddrArpa($ipPrefix)
diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1
index 92b7994f27..301c2d44b9 100644
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1
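Review bot: Typing `$shmFqdn` and `$sreFqdn` as [String] does not constrain what they contain, and the context line below the param block builds `$cmd = "netdom trust $shmFqdn /d:$sreFqdn /remove /force"` from them; if that string is later run through Invoke-Expression or cmd (not visible in the hunk), a value with spaces or shell metacharacters changes the command. A validation attribute such as `[ValidatePattern('^[A-Za-z0-9.-]+$')][String]$shmFqdn` should reject such a value at binding time with an error rather than the interactive prompt the header comment warns about for missing mandatory parameters. The same applies to the FQDN and prefix parameters in Remove_DNS_Entries_Remote.ps1 and Remove_RDS_Gateway_RADIUS_Client_Remote.ps1 in this commit.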
+++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1
@@ -5,9 +5,9 @@
 # job, but this does not seem to have an immediate effect
 # For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
 param(
- $rdsGatewayFqdn
+ [String]$rdsGatewayFqdn
 )
-if(Get-NpsRadiusClient | Where-Object {$_.Name -eq "$rdsGatewayFqdn"}){
+if (Get-NpsRadiusClient | Where-Object {$_.Name -eq "$rdsGatewayFqdn"}) {
 Write-Output " [ ] Removing RADIUS Client '$rdsGatewayFqdn'"
 Remove-NpsRadiusClient -Name "$rdsGatewayFqdn"
 if ($?) {
@@ -18,4 +18,4 @@ if(Get-NpsRadiusClient | Where-Object {$_.Name -eq "$rdsGatewayFqdn"}){
 }
 } else {
 Write-Output "No RADIUS Client '$rdsGatewayFqdn' exists"
-}
\ No newline at end of file
+}
diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_Users_And_Groups_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_Users_And_Groups_Remote.ps1
index 6f63a7a202..179f1c1995 100644
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_Users_And_Groups_Remote.ps1
+++ b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_Users_And_Groups_Remote.ps1
@@ -5,53 +5,50 @@
 # job, but this does not seem to have an immediate effect
 # For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
 param(
- $testResearcherSamAccountName,
- $dsvmLdapSamAccountName,
- $gitlabLdapSamAccountName,
- $hackmdLdapSamAccountName,
- $sreResearchUserSG
+ [String]$testResearcherSamAccountName,
+ [String]$dsvmLdapSamAccountName,
+ [String]$gitlabLdapSamAccountName,
+ [String]$hackmdLdapSamAccountName,
+ [String]$sreResearchUserSG
 )
 function Remove-SreUser($samAccountName) {
- $user = Get-ADUser -Filter "SamAccountName -eq '$samAccountName'"
- if ($user) {
- Write-Output " [ ] Removing user '$samAccountName'"
+ if (Get-ADUser -Filter "SamAccountName -eq '$samAccountName'") {
+ Write-Host " [ ] Removing user '$samAccountName'"
 Remove-ADUser (Get-AdUser $samAccountName) -Confirm:$False
 if ($?) {
- Write-Output " [o] Succeeded"
+ Write-Host " [o] Succeeded"
 } else {
- Write-Output " [x] Failed"
+ Write-Host " [x] Failed"
 exit 1
 }
 } else {
- Write-Output "No user named '$samAccountName' exists"
+ Write-Host "No user named '$samAccountName' exists"
 }
 }
-
 function Remove-SreGroup($groupName) {
- $group = Get-ADGroup -Filter "Name -eq '$groupName'"
- if ($group) {
- Write-Output " [ ] Removing group '$groupName'"
+ if (Get-ADGroup -Filter "Name -eq '$groupName'") {
+ Write-Host " [ ] Removing group '$groupName'"
 Remove-ADGroup (Get-ADGroup $groupName) -Confirm:$False
 if ($?) {
- Write-Output " [o] Succeeded"
+ Write-Host " [o] Succeeded"
 } else {
- Write-Output " [x] Failed"
+ Write-Host " [x] Failed"
 exit 1
 }
 } else {
- Write-Output "No group named '$groupName' exists"
+ Write-Host "No group named '$groupName' exists"
 }
 }
 # Remove users
-Remove-SreUser($testResearcherSamAccountName)
-Remove-SreUser($dsvmLdapSamAccountName)
-Remove-SreUser($gitlabLdapSamAccountName)
-Remove-SreUser($hackmdLdapSamAccountName)
+Remove-SreUser $testResearcherSamAccountName
+Remove-SreUser $dsvmLdapSamAccountName
+Remove-SreUser $gitlabLdapSamAccountName
+Remove-SreUser $hackmdLdapSamAccountName
 # Remove groups
-Remove-SreGroup($sreResearchUserSG)
\ No newline at end of file
+Remove-SreGroup $sreResearchUserSG
diff --git a/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1 b/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
index e94b1ce38f..c6c5c18e87 100644
--- a/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
+++ b/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
@@ -39,10 +39,11 @@ if ($sreResources -or $sreResourceGroups) {
 # ... otherwise continuing removing artifacts in the SHM subscription
 } else {
+ $_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName
+
 # Remove SHM side of peerings involving this SRE
 # ----------------------------------------------
 Add-LogMessage -Level Info "Removing peerings for SRE VNet from SHM VNets..."
- $_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName
 # Remove main SRE <-> SHM VNet peering
 $peeringName = "PEER_$($config.sre.network.vnet.name)"
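Review bot: In the new `if (Get-ADUser -Filter "SamAccountName -eq '$samAccountName'")` (and the matching `Get-ADGroup -Filter "Name -eq '$groupName'"` in Remove-SreGroup) the name is still spliced into the filter string, so a value containing a single quote yields a malformed or broadened filter; the `[String]` type added to the parameter block does not prevent that, and the object is then looked up a second time for `Remove-ADUser (Get-AdUser $samAccountName)`. A script-block filter avoids the string building and lets one lookup serve both the check and the deletion, e.g. `$user = Get-ADUser -Filter { SamAccountName -eq $samAccountName }` followed by `if ($user) {` and `Remove-ADUser $user -Confirm:$False`, with the same shape for the group. Since the caller supplies these names from configuration and the removal is irreversible, logging the resolved object's DistinguishedName alongside the supplied name would also make the audit trail unambiguous.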
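Review bot: The relocated `$_ = Set-AzContext -SubscriptionId $config.shm.subscriptionName` discards the result and performs no success check, yet every removal that follows in this `else` branch targets whichever subscription is active if the switch fails without a terminating error; `$_` is also PowerShell's pipeline variable, so assigning to it is a fragile way to silence output. Prefer `$null = Set-AzContext -SubscriptionId $config.shm.subscriptionName -ErrorAction Stop` so a failed switch aborts before any peering is removed. The enclosing `if ($sreResources -or $sreResourceGroups)` block starts and ends outside the hunk.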
@@ -71,7 +72,7 @@ if ($sreResources -or $sreResourceGroups) {
 # Remove SRE users and groups from SHM DC
 # ---------------------------------------
 Add-LogMessage -Level Info "Removing SRE users and groups from SHM DC..."
- $scriptPath = Join-Path $PSScriptRoot ".." "scripts" "configure_shm_dc" "remote_scripts" "Remove_Users_And_Groups_Remote.ps1" -Resolve
+ $scriptPath = Join-Path $PSScriptRoot ".." "remote" "configure_shm_dc" "scripts" "Remove_Users_And_Groups_Remote.ps1" -Resolve
 $params = @{
 testResearcherSamAccountName = "`"$($config.sre.users.researchers.test.samAccountName)`""
 dsvmLdapSamAccountName = "`"$($config.sre.users.ldap.dsvm.samAccountName)`""
@@ -86,7 +87,7 @@ if ($sreResources -or $sreResourceGroups) {
 # Remove SRE DNS records from SHM DC
 # ----------------------------------
 Add-LogMessage -Level Info "Removing SRE DNS records from SHM DC..."
- $scriptPath = Join-Path $PSScriptRoot ".." "scripts" "configure_shm_dc" "remote_scripts" "Remove_DNS_Entries_Remote.ps1" -Resolve
+ $scriptPath = Join-Path $PSScriptRoot ".." "remote" "configure_shm_dc" "scripts" "Remove_DNS_Entries_Remote.ps1" -Resolve
 $params = @{
 sreFqdn = "`"$($config.sre.domain.fqdn)`""
 identitySubnetPrefix = "`"$($config.sre.network.subnets.identity.prefix)`""
@@ -100,7 +101,7 @@ if ($sreResources -or $sreResourceGroups) {
 # Remove SRE AD Trust from SHM DC
 # -------------------------------
 Add-LogMessage -Level Info "Removing SRE AD Trust from SHM DC..."
- $scriptPath = Join-Path $PSScriptRoot ".." "scripts" "configure_shm_dc" "remote_scripts" "Remove_AD_Trust_Remote.ps1" -Resolve
+ $scriptPath = Join-Path $PSScriptRoot ".." "remote" "configure_shm_dc" "scripts" "Remove_AD_Trust_Remote.ps1" -Resolve
 $params = @{
 shmFqdn = "`"$($config.shm.domain.fqdn)`""
 sreFqdn = "`"$($config.sre.domain.fqdn)`""
@@ -112,7 +113,7 @@ if ($sreResources -or $sreResourceGroups) {
 # Remove RDS Gateway RADIUS Client from SHM NPS
 # ---------------------------------------------
 Add-LogMessage -Level Info "Removing RDS Gateway RADIUS Client from SHM NPS..."
- $scriptPath = Join-Path $PSScriptRoot ".." "scripts" "configure_shm_dc" "remote_scripts" "Remove_RDS_Gateway_RADIUS_Client_Remote.ps1" -Resolve
+ $scriptPath = Join-Path $PSScriptRoot ".." "remote" "configure_shm_dc" "scripts" "Remove_RDS_Gateway_RADIUS_Client_Remote.ps1" -Resolve
 $params = @{
 rdsGatewayFqdn = "`"$($config.sre.rds.gateway.fqdn)`""
 }