diff --git a/CHANGELOG.md b/CHANGELOG.md index 53e4ad0b..2a974157 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Release History +## v2.10.1 + +> Release Date: 2024-06-14 + +- Fixed `Invoke-IamDeployment` cmdlet where reduced privileges are applied to the incorrect service account. + ## v2.10.0 > Release Date: 2024-05-28 diff --git a/PowerValidatedSolutions.psd1 b/PowerValidatedSolutions.psd1 index ea0ad48e..2e2a6d42 100644 --- a/PowerValidatedSolutions.psd1 +++ b/PowerValidatedSolutions.psd1 @@ -3,7 +3,7 @@ # Module manifest for module 'PowerValidatedSolutions' # Generated by: Broadcom -# Generated on: 2024-05-28 +# Generated on: 2024-06-14 @{ @@ -11,7 +11,7 @@ RootModule = 'PowerValidatedSolutions.psm1' # Version number of this module. - ModuleVersion = '2.10.0.1056' + ModuleVersion = '2.10.1.1000' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/PowerValidatedSolutions.psm1 b/PowerValidatedSolutions.psm1 index b589c918..d263ebb8 100644 --- a/PowerValidatedSolutions.psm1 +++ b/PowerValidatedSolutions.psm1 
@@ -381,17 +381,17 @@ Function Invoke-IamDeployment { if (!$failureDetected) { Show-PowerValidatedSolutionsOutput -message "Reconfiguring the vSphere Role and Permissions Scope for NSX Service Accounts" - Show-PowerValidatedSolutionsOutput -TYPE ADVISORY -message "Going to Sleep for 5 Minutes to Allow vCenter Server Single Sign-On to Finishing Replicating" - Start-Sleep 360 + Show-PowerValidatedSolutionsOutput -TYPE ADVISORY -message "Going to Sleep for 2 Minutes to Allow vCenter Server Single Sign-On to Finishing Replicating" + Start-Sleep 120 foreach ($sddcDomain in $allWorkloadDomains) { - $serviceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $sddcDomain.name -and $_.resource.resourceType -eq "VCENTER" }).username.Split("@")[-0] + $serviceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $sddcDomain.name -and $_.resource.resourceType -eq "VCENTER" -and $_.username -match (($sddcDomain.nsxtCluster.vipFqdn).Split('.',2)[-0]) }).username.Split("@")[-0] $StatusMsg = Add-vCenterGlobalPermission -server $jsonInput.sddcManagerFqdn -user $jsonInput.sddcManagerUser -pass $jsonInput.sddcManagerPass -sddcDomain $sddcDomain.name -domain $sddcDomain.ssoName -principal $serviceAccount -role $jsonInput.vsphereRoleName -propagate true -type user -localdomain -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg if ($StatusMsg -or $WarnMsg) { $null = $ErrorMsg } elseif ($ErrorMsg) { $failureDetected = $true } messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg if ($sddcDomain.type -eq "MANAGEMENT") { $viWorkloadDomains = Get-VCFWorkloadDomain | Where-Object { $_.type -eq "VI" } foreach ($viDomain in $viWorkloadDomains) { - $viServiceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $viDomain.name -and 
$_.resource.resourceType -eq "VCENTER" }).username.Split("@")[-0] + $viServiceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $viDomain.name -and $_.resource.resourceType -eq "VCENTER" -and $_.username -match (($viDomain.nsxtCluster.vipFqdn).Split('.',2)[-0]) }).username.Split("@")[-0] $StatusMsg = Set-vCenterPermission -server $jsonInput.sddcManagerFqdn -user $jsonInput.sddcManagerUser -pass $jsonInput.sddcManagerPass -domain $sddcDomain.ssoName -workloadDomain $sddcDomain.name -principal $viServiceAccount -role "NoAccess" -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg if ($StatusMsg -or $WarnMsg) { $null = $ErrorMsg } elseif ($ErrorMsg) { $failureDetected = $true } messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg 
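Review bot: The new `-and $_.username -match (($sddcDomain.nsxtCluster.vipFqdn).Split('.',2)[-0])` clause still selects by an unanchored regex substring, so an NSX hostname that is a prefix of another one in the same domain (constructed example: `nsx01` inside `nsx010`) can match several SERVICE credentials, and the trailing `.username.Split("@")[-0]` then silently takes the first — the same wrong-principal outcome this commit is fixing, except the `NoAccess` role now lands on a sibling account while the intended one keeps its global permission. The hostname comes from the inventory API and `-match` treats it as a pattern, so escape it with `[regex]::Escape` and fail when the filter does not return exactly one credential instead of indexing the first. The same lookup shape repeats for `$viServiceAccount` later in this hunk and for `$mgmtServiceAccount` in the hunk at line 399, and should get the same treatment. `Invoke-IamDeployment` starts and ends outside the hunk, so the `$failureDetected` handling below is inferred from the visible `elseif ($ErrorMsg) { $failureDetected = $true }`, and the `messageHandler` call with null status/warning is assumed to be accepted by that helper — confirm.
```powershell
foreach ($sddcDomain in $allWorkloadDomains) {
    $nsxHostname = [regex]::Escape(($sddcDomain.nsxtCluster.vipFqdn).Split('.', 2)[0])
    $matchedCredentials = @(Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $sddcDomain.name -and $_.resource.resourceType -eq "VCENTER" -and $_.username -match $nsxHostname })
    if ($matchedCredentials.Count -ne 1) {
        # Refuse to guess: a wrong principal here means the reduced role is applied to the wrong service account.
        messageHandler -statusMessage $null -warningMessage $null -errorMessage "Expected one vCenter SERVICE credential for '$($sddcDomain.nsxtCluster.vipFqdn)' in domain '$($sddcDomain.name)', found $($matchedCredentials.Count)"
        $failureDetected = $true
        continue
    }
    $serviceAccount = $matchedCredentials[0].username.Split("@")[0]
    # … unchanged: Add-vCenterGlobalPermission call and messageHandler …
    # … unchanged: MANAGEMENT branch; apply the same single-match lookup to $viServiceAccount …
}
```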
@@ -399,7 +399,7 @@ Function Invoke-IamDeployment { } if ($sddcDomain.type -eq "VI" -and $sddcDomain.ssoName -eq "vsphere.local") { $mgmtWorkloadDomain = Get-VCFWorkloadDomain | Where-Object { $_.type -eq "MANAGEMENT" } - $mgmtServiceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $mgmtWorkloadDomain.name -and $_.resource.resourceType -eq "VCENTER" }).username.Split("@")[-0] + $mgmtServiceAccount = (Get-VCFCredential | Where-Object { $_.accountType -eq "SERVICE" -and $_.resource.domainName -eq $mgmtWorkloadDomain.name -and $_.resource.resourceType -eq "VCENTER" -and $_.username -match (($mgmtWorkloadDomain.nsxtCluster.vipFqdn).Split('.',2)[-0]) }).username.Split("@")[-0] $StatusMsg = Set-vCenterPermission -server $jsonInput.sddcManagerFqdn -user $jsonInput.sddcManagerUser -pass $jsonInput.sddcManagerPass -domain $sddcDomain.ssoName -workloadDomain $sddcDomain.name -principal $mgmtServiceAccount -role "NoAccess" -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -WarningVariable WarnMsg -ErrorVariable ErrorMsg if ($StatusMsg -or $WarnMsg) { $null = $ErrorMsg } elseif ($ErrorMsg) { $failureDetected = $true } messageHandler -statusMessage $StatusMsg -warningMessage $WarnMsg -errorMessage $ErrorMsg