Azure/Ansible: improve idempotency (2)
This commit is contained in:
juju4
@@ -1,7 +1,12 @@
|
||||
---
|
||||
|
||||
- name: Set DNS Address
|
||||
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 127.0.0.1,8.8.8.8"
|
||||
win_dns_client:
|
||||
adapter_names: '*'
|
||||
ipv4_addresses:
|
||||
- 127.0.0.1
|
||||
- 8.8.8.8
|
||||
log_path: C:\dns_log.txt
|
||||
|
||||
- name: Install git
|
||||
win_chocolatey:
|
||||
@@ -33,6 +38,8 @@
|
||||
- Users
|
||||
- Administrators
|
||||
password_never_expires: yes
|
||||
# Fail after domain creation: Failed to remove Domain Users: Exception calling \"Remove\" with \"1\" argument(s): \"This operation is not allowed on this special group.
|
||||
ignore_errors: true
|
||||
|
||||
- name: Create the Domain
|
||||
win_shell: .\\provision.ps1
|
||||
@@ -47,6 +54,7 @@
|
||||
pre_reboot_delay: 15
|
||||
reboot_timeout: 600
|
||||
post_reboot_delay: 60
|
||||
when: domain_creation.changed
|
||||
|
||||
- name: Configure OU
|
||||
win_shell: .\\configure-ou.ps1
|
||||
@@ -60,6 +68,7 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in ou_creation.stderr"
|
||||
changed_when: "'already exists. Moving On.' not in ou_creation.stdout"
|
||||
|
||||
- debug: msg="{{ ou_creation.stdout_lines }}"
|
||||
|
||||
@@ -75,8 +84,10 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in wef_gpo.stderr"
|
||||
changed_when: "' already linked on ' not in wef_gpo.stdout"
|
||||
|
||||
- debug: msg="{{ wef_gpo.stdout_lines }}"
|
||||
when: wef_gpo.stdout_lines is defined
|
||||
|
||||
- name: Configure Powershell Logging GPO
|
||||
win_shell: .\\configure-powershelllogging.ps1
|
||||
@@ -90,8 +101,10 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in powershell_gpo.stderr"
|
||||
changed_when: "' already linked on ' not in wef_gpo.stdout"
|
||||
|
||||
- debug: msg="{{ powershell_gpo.stdout_lines }}"
|
||||
when: powershell_gpo.stdout_lines is defined
|
||||
|
||||
- name: Configure Auditing Policy GPO
|
||||
win_shell: .\\configure-AuditingPolicyGPOs.ps1
|
||||
@@ -105,8 +118,10 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in audit_policy.stderr"
|
||||
changed_when: "' already linked on ' not in audit_policy.stdout"
|
||||
|
||||
- debug: msg="{{ audit_policy.stdout_lines }}"
|
||||
when: audit_policy.stdout_lines is defined
|
||||
|
||||
- name: Disable Windows Defender GPO
|
||||
win_shell: .\\configure-disable-windows-defender-gpo.ps1
|
||||
@@ -120,6 +135,7 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in disable_win_def.stderr"
|
||||
changed_when: "' already linked at ' not in disable_win_def.stdout"
|
||||
|
||||
- debug: msg="{{ disable_win_def.stdout_lines }}"
|
||||
|
||||
@@ -135,8 +151,10 @@
|
||||
ansible_become_password: vagrant
|
||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||
failed_when: "'Exception' in rdp_gpo.stderr"
|
||||
changed_when: "' already linked at ' not in rdp_gpo.stdout"
|
||||
|
||||
- debug: msg="{{ rdp_gpo.stdout_lines }}"
|
||||
when: rdp_gpo.stdout_lines is defined
|
||||
|
||||
- name: Configure DC with raw Commands
|
||||
win_shell: "{{ item }}"
|
||||
|
||||
@@ -1,7 +1,12 @@
|
||||
---
|
||||
# This needs to be made idempodent
|
||||
|
||||
- name: Set HostOnly DNS Address
|
||||
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8"
|
||||
win_dns_client:
|
||||
adapter_names: '*'
|
||||
ipv4_addresses:
|
||||
- 192.168.38.102
|
||||
- 8.8.8.8
|
||||
log_path: C:\dns_log.txt
|
||||
|
||||
- name: Install git
|
||||
win_chocolatey:
|
||||
@@ -48,9 +53,21 @@
|
||||
dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso"
|
||||
timeout: 3600
|
||||
|
||||
- name: Check if DetectionLab Clear Event Logs has been done
|
||||
win_stat:
|
||||
path: 'c:\Windows\.detectionlab_clear_done'
|
||||
register: clearevt
|
||||
|
||||
- block:
|
||||
- name: Clear Event Logs
|
||||
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
|
||||
|
||||
- name: Add marker for DetectionLab Clear Event
|
||||
win_file:
|
||||
path: 'c:\Windows\.detectionlab_clear_done'
|
||||
state: touch
|
||||
when: not clearevt.stat.exists
|
||||
|
||||
- name: Downloading the Palantir WEF Configuration
|
||||
win_shell: ".\\download_palantir_wef.ps1"
|
||||
args:
|
||||
@@ -95,10 +112,12 @@
|
||||
win_shell: ".\\configure-pslogstranscriptsshare.ps1"
|
||||
args:
|
||||
chdir: 'c:\vagrant\scripts'
|
||||
creates: c:\pslogs
|
||||
register: pstranscriptshare
|
||||
failed_when: "'Exception' in pstranscriptshare.stdout"
|
||||
|
||||
- debug: msg="{{ pstranscriptshare.stdout_lines }}"
|
||||
when: pstranscriptshare.stdout_lines is defined
|
||||
|
||||
- name: Installing the EVTX Event Samples
|
||||
win_shell: ".\\install-evtx-attack-samples.ps1"
|
||||
|
||||
@@ -1,6 +1,11 @@
|
||||
---
|
||||
- name: Set HostOnly DNS Address
|
||||
win_shell: "Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.38.102,8.8.8.8"
|
||||
win_dns_client:
|
||||
adapter_names: '*'
|
||||
ipv4_addresses:
|
||||
- 192.168.38.102
|
||||
- 8.8.8.8
|
||||
log_path: C:\dns_log.txt
|
||||
|
||||
- name: Install git
|
||||
win_chocolatey:
|
||||
@@ -50,9 +55,21 @@
|
||||
post_reboot_delay: 60
|
||||
when: win10_join_domain.changed
|
||||
|
||||
- name: Check if DetectionLab Clear Event Logs has been done
|
||||
win_stat:
|
||||
path: 'c:\Windows\.detectionlab_clear_done'
|
||||
register: clearevt
|
||||
|
||||
- block:
|
||||
- name: Clear Event Logs
|
||||
win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
|
||||
|
||||
- name: Add marker for DetectionLab Clear Event
|
||||
win_file:
|
||||
path: 'c:\Windows\.detectionlab_clear_done'
|
||||
state: touch
|
||||
when: not clearevt.stat.exists
|
||||
|
||||
- name: Install Classic Shell with Chocolatey
|
||||
win_chocolatey:
|
||||
name:
|
||||
@@ -60,12 +77,19 @@
|
||||
state: present
|
||||
install_args: "ADDLOCAL=ClassicStartMenu"
|
||||
|
||||
- name: Check if DetectionLab Menu Install has been done
|
||||
win_stat:
|
||||
path: 'c:\Program Files\Classic Shell\.menu_install_done'
|
||||
register: menu_install
|
||||
|
||||
- block:
|
||||
- name: Import ClassicShell config
|
||||
win_shell: |
|
||||
"C:\Program Files\Classic Shell\ClassicStartMenu.exe -xml c:\vagrant\resources\windows\MenuSettings.xml"
|
||||
regedit /s c:\vagrant\resources\windows\MenuStyle_Default_Win7.reg
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- name: Add marker for DetectionLab Menu install
|
||||
win_file:
|
||||
path: 'c:\Program Files\Classic Shell\.menu_install_done'
|
||||
state: touch
|
||||
when: not menu_install.stat.exists
|
||||
|
||||
Reference in New Issue
Block a user