Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add resource gmsa #92

Closed
wants to merge 6 commits into from
Closed

add resource gmsa #92

wants to merge 6 commits into from

Conversation

jpatigny
Copy link
Contributor

Description

Allow provider to manage gmsa (aka Group Managed Services Account(s)).

References

#54

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

@ghost ghost added the size/XXL label Mar 26, 2021
Copy link
Contributor

@koikonom koikonom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this!

Great work, I have some comments in parts of the code.

Please take a look while I look into adding some acceptance tests.

ad/internal/winrmhelper/winrm_gmsa.go Outdated Show resolved Hide resolved
if len(sp) > 0 {
spnlist := strings.Join(sp, ",")
log.Printf("[DEBUG] SPN list: %s", spnlist)
cmds = append(cmds, fmt.Sprintf("; Set-ADServiceAccount -Identity %q -ServicePrincipalNames @{Add=%q}", g.GUID, spnlist))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely a simpler way to handle additions and deletetions without having to compare lists
etc. My only concern here is that if this command fails for any reasons then the ServicePrincipalNames
attribute will be left empty, which could potentially cause operational issues.

What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed it would be better to update only what is needed for all parameters that have a list (SPN, principals etc) but the thing is that I'm not super comfortable (yet) to do this part.
I would need to look at what you did in the membership resource.
I'm afraid it's gonna take me a bit of time to achieve it but I fully agree it's the smoothest approach to avoid problems.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this example I call diffGroupMemberLists.

In that function I am passing two lists as arguments, the first one is the list of members as expressed in the configuration and the second is a list of members as retrieved from AD. It then compares one to the other and returns two new lists, a list of members to add and a list of members to remove.

It's not exactly performant, but given that the lists are relatively small it will do what we need.

ad/internal/winrmhelper/winrm_gmsa.go Show resolved Hide resolved
simplify-double-quoted-comma-separated-lists
@koikonom
Copy link
Contributor

It would also be nice if you could add some acceptance tests, I've pushed a PR yesterday that removes all the hardcoded bits from the tests and moves them to env vars so anyone can run tests against their own test AD controller.

@mr-miles
Copy link

mr-miles commented Jun 9, 2021

Thanks for doing this - it would be really useful for me! Is it just the acceptance tests that are left to get it working? If I have time, I'd be happy to pitch in to get it over the line

@jpatigny
Copy link
Contributor Author

@mr-miles ,

The way to handle the update of certain parameters (SPN,PrincipalsAllowedToDelegateToAccount,PrincipalsAllowedToRetrieveManagedPassword) isn't optimal.

I updated the code to perform the update in one command (SPN parameters allows to use "replace" argument and both other parameters are natively replacing the value by the new input).
I know it's still not the best implementation (refer to @koikonom comment above) but it should be enough to start.

To be honest I haven't digged into how manage/update arrays/list in golang yet.

I still need to :

  • add acceptance tests (feel free to help)
  • adapt code to fit changes that @koikonom made for version 0.4.3

@hashicorp-cla
Copy link

hashicorp-cla commented Mar 12, 2022

CLA assistant check
All committers have signed the CLA.

@jpatigny
Copy link
Contributor Author

Closing this PR as preparing a fresh new one

@jpatigny jpatigny closed this Apr 13, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants