feat: add Windows Server 2025 and SQL 2022 AMI templates, improve provisioning and documentation#85
Merged
Conversation
… cases

**Added:**
- Added fallback logic in PowerShell to resolve gMSA and computer accounts by SamAccountName, Get-ADServiceAccount, and Get-ADComputer if $ was stripped
- Introduced WaitForInstanceStopped method to EC2 client for polling stopped state (cli/internal/aws/ec2.go)

**Changed:**
- Enhanced AD object lookup in acl role to robustly handle gMSA/computer accounts whose trailing $ may be stripped, improving idempotency and error handling
- Improved ACL permission check logic in validator to support DN paths and handle gMSA/computer accounts by stripping trailing $ and using Get-Acl or Get-ADObject as appropriate
- Updated lab command to use DiscoverInstances with "stopped" state for start actions and wait for stopped state before starting instances, improving state synchronization
- Modified SSM connect command to ignore SIGINT in parent process so Ctrl+C is forwarded to the SSM session, preventing premature teardown
- Clarified project root resolution and fallback logic in lab_config.py for more reliable path handling in plugin environments

**Removed:**
- Removed unconditional skip of ACLs with DN targets in validator to support more generic ACL verification
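The gMSA/computer-account lookup and the DN-based ACL check described in the commit above, as an added example that is not the project's own role or validator code. It assumes the RSAT ActiveDirectory module (for the cmdlets and the `AD:` drive) and read access to the target object; the function names, the `gmsa_svc` principal and the DN in the usage comment are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Added example (not DreadGOAD code). Resolves a principal whose trailing '$'
# (gMSA / computer accounts) may have been stripped by shell quoting, then checks
# whether that principal holds a given right on a DN. Function names are assumed.
function Resolve-LabPrincipal {
    param([Parameter(Mandatory)][string]$Name)

    # Candidate sAMAccountNames: as given, then with '$' appended.
    $candidates = @($Name)
    if (-not $Name.EndsWith('$')) { $candidates += ($Name + '$') }

    foreach ($cand in $candidates) {
        # Escape single quotes for the AD filter grammar.
        $safe = $cand.Replace("'", "''")
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$safe'" `
                            -Properties objectSid, objectClass -ErrorAction SilentlyContinue
        if ($obj) { return $obj }
    }

    # Class-specific fallbacks for the '$' form, useful when the generic lookup
    # is denied but the typed cmdlets still work.
    $withDollar = $candidates[-1]
    foreach ($cmd in 'Get-ADServiceAccount', 'Get-ADComputer') {
        try { return (& $cmd -Identity $withDollar -ErrorAction Stop) } catch { }
    }
    throw "Principal '$Name' not found (tried: $($candidates -join ', '))"
}

function Get-LabPrincipalSid {
    param([Parameter(Mandatory)]$AdObject)
    # Get-ADObject exposes objectSid (when requested); the typed cmdlets expose SID.
    $raw = if ($null -ne $AdObject.objectSid) { $AdObject.objectSid } else { $AdObject.SID }
    return [System.Security.Principal.SecurityIdentifier]$raw
}

function Test-LabAce {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $sid = Get-LabPrincipalSid (Resolve-LabPrincipal -Name $Principal)
    $acl = Get-Acl -Path ("AD:\" + $TargetDN)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare SIDs rather than display names, so 'LAB\gmsa_svc$' and
        # 'gmsa_svc' cannot fail to match because of formatting.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($aceSid.Value -ne $sid.Value) { continue }
        # Bitwise test: the ACE must carry every flag of the requested right.
        if (($ace.ActiveDirectoryRights -band $Right) -eq $Right) { return $true }
    }
    return $false
}

# Usage (hypothetical DN and principal):
# Test-LabAce -TargetDN 'CN=SRV01,OU=Servers,DC=lab,DC=local' -Principal 'gmsa_svc' -Right GenericAll
```

The check only inspects Allow ACEs granted directly to the resolved SID; it does not expand group membership, evaluate Deny ACEs, or compare the object-type GUID of extended rights, all of which a full effective-permission calculation would need.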
**Added:**
- Extended lab map config to support MSSQL impersonation, linked servers, gMSA and LAPS readers
- Added new facts and helper methods for gMSA, LAPS, and MSSQL in lab mapping
- Implemented validation checks for scheduled tasks, LLMNR/NBT-NS, GPO abuse, gMSA, LAPS, SID filtering, SMB shares, firewall status, and password policy
- Expanded MSSQL validator to check sysadmins, impersonation rights, linked servers, and xp_cmdshell status

**Changed:**
- Updated MSSQL installation to grant sysadmin to NETWORK SERVICE in both Ansible and PowerShell scripts for consistency
- Enhanced gMSA role to update existing accounts with new configuration
- Improved documentation and defaults for MSSQL connection types in role README and defaults
- Improved error handling in AMI purge command to filter resources correctly
- Added search for project root config in CLI config initialization
- Clarified and expanded CLI help text and validation descriptions
- Updated Terragrunt runner logic to use --no-auto-approve only when needed

**Removed:**
- Pruned verbose cleanup comments and Write-Host statements from MSSQL base Ansible playbook to streamline AMI creation steps
…mber to mssql

**Added:**
- Introduced `goad-dc-base-2025` template for Windows Server 2025 domain controllers, including documentation and provisioning for the DRACARYS lab
- Added `goad-mssql-base-2025` template for Windows Server 2025 with MSSQL Express 2022 for member servers, including all setup scripts and documentation
- Created `goad-mssql-base-2016` template by refactoring the old member server base, adding MSSQL Express 2019 installation and configuration scripts
- Updated SQL Server detection and configuration in `mssql_base.yml` playbook to support dynamic selection of SQL version/installer based on Windows version

**Changed:**
- Refactored all references from `goad-member-base-2016` to `goad-mssql-base-2016` across documentation, Terragrunt configs, and warpgate templates to clarify purpose and ensure MSSQL is always pre-installed
- Updated `host-registry.yaml` to include a "test" environment for deployments
- Modified `terragrunt.hcl` for both staging and test to use `goad-mssql-base-2016` instead of the deprecated member-only base
- Improved documentation in `warpgate-templates/README.md` and related files to cover new 2025 templates and clarify template usage for both GOAD and DRACARYS labs
- Enhanced Ansible MSSQL configuration to use `SYSTEM` for privilege escalation, ensuring reliable sysadmin configuration regardless of SSM session user
- Updated registry and SQL Server configuration paths in `mssql_base.yml` to support dynamic SQL versioning
- Corrected example build commands and documentation to match new template names and structure

**Removed:**
- Deleted the `goad-member-base-2016` template and all related documentation and scripts, as all member servers are now built from MSSQL-enabled bases
…ify CLI docs

**Added:**
- New `mssql_base_setup.yml` playbook to handle system setup for MSSQL base images, including DSC modules, IIS, WebDAV, and RDP enablement (Ansible)
- CLI reference documentation (`docs/mkdocs/docs/cli-reference.md`) with detailed command and flag listing for the dreadgoad CLI
- Blog post announcing DreadGOAD open-source release (`docs/blog-open-source-release.md`)

**Changed:**
- Split MSSQL provisioning into two playbooks (`mssql_base_setup.yml` for system setup, `mssql_base_sql.yml` for SQL Server install and config) to stay under AWS Image Builder 16K limit; updated documentation and warpgate templates to reflect this split
- `mssql_base_sql.yml` refactored to remove system setup tasks and add explicit ssm-user SQL sysadmin grant for SSM access; SQL sysadmin for ssm-user is now bracketed during role config for least privilege
- Role `mssql` config tasks updated to bracket ssm-user SQL sysadmin (grant at start, revoke at end) for idempotency and privilege minimization
- Documentation (`docs/mkdocs/docs/installation`, `docs/cli.md`, `infra/README.md`, provider docs, usage docs) updated to reflect new CLI workflows, VPC CIDR config, and removal of legacy interactive console in favor of CLI commands
- DreadGOAD configuration and CLI (`cli/internal/config/`, `cli/cmd/`, `dreadgoad.yaml`) updated to support per-environment `vpc_cidr` with deterministic fallback and explicit documentation/examples
- Terragrunt/infra documentation now references CLI-based environment scaffolding and region creation, superseding manual directory duplication
- Removed legacy PowerShell install scripts from warpgate MSSQL/DC templates; all provisioning now occurs via Ansible playbooks
- Updated references and migration guides to clarify DreadGOAD workflows and migration from GOAD interactive shell

**Removed:**
- Legacy monolithic `mssql_base.yml` playbook (replaced by split setup/sql playbooks)
- All PowerShell provisioning scripts from warpgate-templates for MSSQL/DC (now handled by Ansible only)
- Obsolete interactive console documentation and references; replaced with CLI migration and reference guides
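The bracketed sysadmin grant from the commit above (grant at start, revoke at end) and the MSSQL privilege checks the earlier validator commit lists (sysadmins, impersonation rights, linked servers, xp_cmdshell), as one added example that is not the project's Ansible role or validator. It assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`) and a Windows-authenticated connection that already holds sysadmin, which is what the commits achieve by running as `SYSTEM`; the `SRV01\SQLEXPRESS` instance and `SRV01\ssm-user` login in the usage comment are placeholders.

```powershell
Import-Module SqlServer

# Added example (not DreadGOAD code). Temporarily grants a login sysadmin around a
# configuration step and revokes it afterwards, then collects the privilege facts a
# validator would assert on. The calling connection must already be sysadmin.
function ConvertTo-SqlIdentifier {
    param([Parameter(Mandatory)][string]$Name)
    # Bracket-quote an identifier; a literal ']' is escaped by doubling it.
    return '[' + $Name.Replace(']', ']]') + ']'
}

function ConvertTo-SqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Unicode string literal with single quotes doubled.
    return "N'" + $Value.Replace("'", "''") + "'"
}

function Invoke-WithTemporarySysadmin {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Login,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $sql = @{ ServerInstance = $ServerInstance; ErrorAction = 'Stop' }
    $id  = ConvertTo-SqlIdentifier $Login
    $lit = ConvertTo-SqlLiteral $Login

    # Record the starting state so a login that was already sysadmin is left alone
    # (IS_SRVROLEMEMBER returns NULL for an unknown login; treat that as 0).
    $before  = Invoke-Sqlcmd @sql -Query "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', $lit), 0) AS m"
    $granted = $false
    if ([int]$before.m -ne 1) {
        Invoke-Sqlcmd @sql -Query "ALTER SERVER ROLE sysadmin ADD MEMBER $id;"
        $granted = $true
    }
    try { & $Action }
    finally {
        # Revoke in finally so a failing step cannot leave the grant behind.
        if ($granted) { Invoke-Sqlcmd @sql -Query "ALTER SERVER ROLE sysadmin DROP MEMBER $id;" }
    }
}

function Get-MssqlPrivilegeFacts {
    param([Parameter(Mandatory)][string]$ServerInstance)
    $sql = @{ ServerInstance = $ServerInstance; ErrorAction = 'Stop' }

    $sysadmins = Invoke-Sqlcmd @sql -Query @'
SELECT m.name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
'@

    # IMPERSONATE on a server principal: class 101, major_id = impersonated login.
    $impersonation = Invoke-Sqlcmd @sql -Query @'
SELECT g.name AS grantee, t.name AS target
FROM sys.server_permissions p
JOIN sys.server_principals g ON g.principal_id = p.grantee_principal_id
JOIN sys.server_principals t ON t.principal_id = p.major_id
WHERE p.class = 101 AND p.permission_name = N'IMPERSONATE' AND p.state IN ('G', 'W');
'@

    $linked = Invoke-Sqlcmd @sql -Query "SELECT name, data_source, provider FROM sys.servers WHERE is_linked = 1;"
    $xp     = Invoke-Sqlcmd @sql -Query "SELECT CAST(value_in_use AS int) AS enabled FROM sys.configurations WHERE name = N'xp_cmdshell';"

    [pscustomobject]@{
        Sysadmins         = @($sysadmins     | ForEach-Object { $_.name })
        Impersonation     = @($impersonation | ForEach-Object { "$($_.grantee) -> $($_.target)" })
        LinkedServers     = @($linked        | ForEach-Object { $_.name })
        XpCmdshellEnabled = ([int]$xp.enabled -eq 1)
    }
}

# Usage (placeholders): bracket a config step for the SSM login, then audit.
# Invoke-WithTemporarySysadmin -ServerInstance 'SRV01\SQLEXPRESS' -Login 'SRV01\ssm-user' -Action {
#     Invoke-Sqlcmd -ServerInstance 'SRV01\SQLEXPRESS' -Query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"
# }
# Get-MssqlPrivilegeFacts -ServerInstance 'SRV01\SQLEXPRESS'
```

Two practical notes: the login must already exist (the commit creates the ssm-user login during the SQL install step, so only role membership is toggled here), and SqlServer module 22 and later default to encrypted connections, so on a lab instance with a self-signed certificate `Invoke-Sqlcmd` needs `-TrustServerCertificate` or `-Encrypt Optional` added to the splat.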
Key Changes:

Added:
- goad-dc-base-2025: Windows Server 2025 AMI for DRACARYS DC01
- goad-mssql-base-2016: Windows Server 2016 + SQL Server 2019 AMI for SRV03
- goad-mssql-base-2025: Windows Server 2025 + SQL Server 2022 AMI for DRACARYS SRV01
- mssql_base_setup.yml to provision system and IIS for MSSQL hosts

Changed:
- mssql_base_setup.yml handles DSC modules, IIS, RDP, firewall
- mssql_base_sql.yml handles SQL Server installation and configuration
- goad-mssql-base-2016 instead of removed member-base AMI

Removed:
- goad-member-base-2016 AMI template and related scripts, replaced with MSSQL base AMIs