-
Notifications
You must be signed in to change notification settings - Fork 11
/
gcp_hardened_windows_server.json
98 lines (97 loc) · 4.26 KB
/
gcp_hardened_windows_server.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
{
"variables": {
"alt_admin_user": "{{env `ALT_ADMIN_USER`}}",
"admin_password": "{{env `ADMIN_PASSWORD`}}",
"alt_admin_pwd": "{{.WinRMPassword}}",
"source_image": "{{env `SOURCE_IMAGE`}}",
"image_family": "{{env `IMAGE_FAMILY`}}",
"project_id": "{{env `PROJECT_ID`}}",
"network_id": "{{env `NETWORK_ID`}}",
"subnetwork_id": "{{env `GCP_SUBNETWORK`}}",
"secrets_key": "{{env `SECRETS_KEY`}}",
"secrets_keyring": "{{env `SECRETS_KEYRING`}}"
},
"_comment": "Packs a security hardened Image of Windows Server 2019 for GCP",
"builders": [
{
"type": "googlecompute",
"project_id": "{{user `project_id`}}",
"network": "{{user `network_id`}}",
"subnetwork": "{{user `subnetwork_id`}}",
"source_image": "{{user `source_image`}}",
"disk_size": "120",
"machine_type": "n1-standard-4",
"communicator": "winrm",
"winrm_username": "{{user `alt_admin_user`}}",
"winrm_insecure": true,
"winrm_use_ssl": true,
"state_timeout" : "15m",
"metadata": {
"windows-startup-script-cmd": "winrm quickconfig -quiet & net user /add {{user `alt_admin_user`}} & net localgroup administrators {{user `alt_admin_user`}} /add & winrm set winrm/config/service/auth @{Basic=\"true\"}"
},
"zone": "us-west1-a",
"image_name": "acme-{{user `source_image`}}-{{timestamp}}",
"image_family": "acme-{{user `image_family`}}",
"image_description":"acme Custom {{user `source_image`}} Image {{timestamp}}"
}
],
"provisioners": [
{
"type": "shell-local",
"environment_vars": "WINRMPASS={{.WinRMPassword}}",
"inline": ["secret=$(echo -n ${WINRMPASS} | gcloud kms encrypt --location global --keyring {{user `secrets_keyring`}} --key {{user `secrets_key`}} --plaintext-file - --ciphertext-file - | base64) && echo $secret > /tmp/$DRONE_COMMIT_SHA.txt"]
},
{
"type": "file",
"source": "./windows-packer/builder",
"destination": "C:\\Windows",
"direction": "upload"
},
{
"type": "windows-shell",
"inline": [
"echo \"Installing logging and monitoring agents:\"",
"C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -sta -ExecutionPolicy Unrestricted -file C:/Windows/builder/setup-scripts/logging-and-monitoring-agents.ps1"
]
},
{
"type": "powershell",
"valid_exit_codes": [ 0, 259 ],
"elevated_user": "SYSTEM",
"elevated_password": "",
"inline": [
"Write-Host \"Set default Administrator password:\"",
"Set-LocalUser -Name \"Administrator\" -Password (ConvertTo-SecureString -AsPlainText \"{{user `admin_password`}}\" -Force)",
"Write-Host \"Installing Windows Updates:\"",
"Start-Process C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ArgumentList \"-ExecutionPolicy Unrestricted -File C:/Windows/builder/setup-scripts/win-updates.ps1\" -Wait -NoNewWindow -PassThru"
]
},
{
"type": "powershell",
"valid_exit_codes": [ 0, 259 ],
"elevated_user": "SYSTEM",
"elevated_password": "",
"inline": [
"Write-Host \"Installing Python:\"",
"Start-Process C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ArgumentList \"-ExecutionPolicy Unrestricted -File C:/Windows/builder/setup-scripts/install-python.ps1\" -Wait -NoNewWindow -PassThru"
]
},
{
"type": "powershell",
"valid_exit_codes": [ 0, 259 ],
"inline": [
"echo \"Applying security baseline::\"",
"Start-Process C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ArgumentList \"-ExecutionPolicy Unrestricted -file C:/Windows/builder/benchmark-gpos/Local_Script/BaselineLocalInstall.ps1 -WS2019DomainController\"-Wait -NoNewWindow -PassThru" ]
},
{
"type": "powershell",
"valid_exit_codes": [ 0, 259 ],
"elevated_user": "{{user `alt_admin_user`}}",
"elevated_password": "{{.WinRMPassword}}",
"inline": [
"Write-Host \"Running Sysprep:\"",
"Start-Process C:\\PROGRA~1\\Google\\COMPUT~1\\sysprep\\gcesysprep.bat -Wait -NoNewWindow"
]
}
]
}