diff --git a/setup/main.ps1 b/setup/main.ps1 index c2745ce5..d2ec330d 100644 --- a/setup/main.ps1 +++ b/setup/main.ps1 @@ -93,8 +93,16 @@ If ($Locale -eq $null) { } try { - $encryptedSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText - $RuntimeConfig = ConvertFrom-SecureString $encryptedSecret | ConvertFrom-Json | Select-Object -Expand runtime +# Get and decrypt the config from Key Vault + $encryptedConfig = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop + $encryptedBytes = [Convert]::FromBase64String($encryptedConfig) + $decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect( + $encryptedBytes, + $null, + [System.Security.Cryptography.DataProtectionScope]::CurrentUser + ) + $configString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes) + $RuntimeConfig = $configString | ConvertFrom-Json Set-AzContext -SubscriptionId $RuntimeConfig.subscriptionId } catch { @@ -476,7 +484,3 @@ Add-LogEntry 'Information' "Completed execution of main runbook" -workspaceGuid # vduHbe/rUCbpQefqNRPCsYhO6dp/k6CH5XGin8lPPIDdRl+LaSY13QYD9rWEeAFo # A6om4dcNwSng2HswnGtUaDxiDTtAqPv1F5RTFD0ILoHWkDjD4NwHiodDPKn7pbFV # yOVynr1zu8cGneK2fBidzculEjzOfaASvM/aH/oDSpTrM8ZKKURcEsU+PqxeByn2 -# yMExxoMHREyWswmY3LtDgo36H0D1SGJ8OcVHhzGFFV5Q9/u8jodCy2JNH83BuKGh -# 1euy9uKef3TlcDqKCnG2Oaxd6OzqfCTWgWazjQ0M2OZOurZWbXBMVTJuD6GUxNSm -# z8oLhvJYXybSsUZJ6zHql7KukNVheG7WXTrb6Pe0 -# SIG # End signature block diff --git a/src/GuardrailsSolutionAcceleratorSetup/modules/Deploy-GuardrailsSolutionAccelerator/Deploy-GuardrailsSolutionAccelerator.psm1 b/src/GuardrailsSolutionAcceleratorSetup/modules/Deploy-GuardrailsSolutionAccelerator/Deploy-GuardrailsSolutionAccelerator.psm1 index 0aae9ec8..7cc6cacf 100644 --- a/src/GuardrailsSolutionAcceleratorSetup/modules/Deploy-GuardrailsSolutionAccelerator/Deploy-GuardrailsSolutionAccelerator.psm1 
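Review bot: The new `$RuntimeConfig = $configString | ConvertFrom-Json` drops the `Select-Object -Expand runtime` that the removed line applied, so `$RuntimeConfig` is now the whole exported config object and `$RuntimeConfig.subscriptionId` on the following context line resolves to `$null` (the old code read `subscriptionId` from the `runtime` sub-object, and the Deploy module hunk in this diff still writes the full `$config` with its `runtime` key); `$RuntimeConfig = ($configString | ConvertFrom-Json).runtime` restores the previous shape. Separately, `ProtectedData::Unprotect` with `DataProtectionScope.CurrentUser` only succeeds under the same Windows account, on the same machine, that ran `Protect`; this file appears to be an Automation runbook (the second hunk's context logs "Completed execution of main runbook"), which is unlikely to share that identity with the deployer's workstation, so the call would throw and fall into the catch — the same concern applies to the identical Unprotect in Get-GSAExportedConfig.psm1. The second hunk also deletes the last four lines of the Authenticode signature block including `# SIG # End signature block`; if the begin marker earlier in the file is left in place the file carries a truncated block, so either remove the whole block or re-sign after the edit. The enclosing try/catch continues outside this hunk.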
+++ b/src/GuardrailsSolutionAcceleratorSetup/modules/Deploy-GuardrailsSolutionAccelerator/Deploy-GuardrailsSolutionAccelerator.psm1 @@ -433,9 +433,17 @@ Function Deploy-GuardrailsSolutionAccelerator { 'deployerAzureID' = $config['runtime']['userId'] } - # $secureValue = - # $secretValue = ConvertFrom-SecureString $secureValue - Set-AzKeyVaultSecret -VaultName $config['runtime']['keyVaultName'] -Name $configSecretName -SecretValue (ConvertTo-SecureString -String (ConvertTo-Json $config -Depth 10) -AsPlainText -Force) -Tag $secretTags -ContentType 'application/json' -Verbose:$useVerbose | Out-Null + $jsonConfig = ConvertTo-Json $config -Depth 10 + $encryptedBytes = [System.Security.Cryptography.ProtectedData]::Protect( + [System.Text.Encoding]::UTF8.GetBytes($jsonConfig), + $null, + [System.Security.Cryptography.DataProtectionScope]::CurrentUser + ) + $encryptedBase64 = [Convert]::ToBase64String($encryptedBytes) + $secureString = ConvertTo-SecureString $encryptedBase64 -AsPlainText -Force + + Set-AzKeyVaultSecret -VaultName $config['runtime']['keyVaultName'] -Name $configSecretName ` + -SecretValue $secureString -Tag $secretTags -ContentType 'application/json' -Verbose:$useVerbose | Out-Null Write-Host "Completed deployment of the Guardrails Solution Accelerator!" -ForegroundColor Green } diff --git a/src/GuardrailsSolutionAcceleratorSetup/modules/Get-GSAExportedConfig/Get-GSAExportedConfig.psm1 b/src/GuardrailsSolutionAcceleratorSetup/modules/Get-GSAExportedConfig/Get-GSAExportedConfig.psm1 index 40cc35a9..c4504a39 100644 --- a/src/GuardrailsSolutionAcceleratorSetup/modules/Get-GSAExportedConfig/Get-GSAExportedConfig.psm1 +++ b/src/GuardrailsSolutionAcceleratorSetup/modules/Get-GSAExportedConfig/Get-GSAExportedConfig.psm1 @@ -1,3 +1,5 @@ +Add-Type -AssemblyName System.Security + Function Get-GSAExportedConfig { <# .SYNOPSIS 
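Review bot: The secret value is now a base64-encoded DPAPI blob, yet it is still written with `-ContentType 'application/json'`, which misdescribes the payload and gives the readers in this diff no way to tell a legacy plaintext export from an encrypted one; set the content type to match the encoding (e.g. `'text/plain'`) and record the scheme in `$secretTags` (a constructed example: `'encryption' = 'dpapi-currentuser'`) so consumers can branch on it. More importantly, `DataProtectionScope.CurrentUser` with `$null` entropy binds the blob to the deploying Windows account and machine while adding no protection against other code running as that user, and it makes the export unreadable from any other host or identity. Key Vault already encrypts at rest and gates reads through RBAC/access policies, so if the intent is an export that other operators or the runbook can consume, a Key Vault key (wrap/unwrap) or the plain secret is the appropriate primitive; if workstation binding is actually intended, say so in a comment next to the `Protect` call. Deploy-GuardrailsSolutionAccelerator begins and ends outside this hunk.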
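Review bot: `Add-Type -AssemblyName System.Security` is added only to this module, while the setup/main.ps1 and Deploy-GuardrailsSolutionAccelerator.psm1 hunks in this diff reference `[System.Security.Cryptography.ProtectedData]` without loading anything. Under Windows PowerShell 5.1 that type lives in System.Security.dll and may fail to resolve until the assembly is loaded, so the same line belongs at the top of those two files as well. Note also that DPAPI is Windows-only: on a non-Windows PowerShell 7 host `Protect`/`Unprotect` throw `PlatformNotSupportedException`, which none of the three call sites distinguish from other errors.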
@@ -45,11 +47,21 @@ Function Get-GSAExportedConfig { } try { - [string]$configValue = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop + $encryptedConfig = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop + $encryptedBytes = [Convert]::FromBase64String($encryptedConfig) + $decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect( + $encryptedBytes, + $null, + [System.Security.Cryptography.DataProtectionScope]::CurrentUser + ) + $configString = [System.Text.Encoding]::UTF8.GetString($decryptedBytes) + + # Return the decrypted config string + [PSCustomObject]@{ + configString = $configString + } } catch { - Write-Error -Message "Unable to retrieve the latest configuration from the Key Vault. Please ensure that the Key Vault exists and that the latest configuration has been exported. Message: $_" -ErrorAction Stop + Write-Error -Message "Unable to retrieve and decrypt the latest configuration from the Key Vault. Please ensure that the Key Vault exists and that the latest configuration has been exported. Message: $_" -ErrorAction Stop } - - return (New-Object -TypeName PSObject -Property @{configString = $configValue}) }
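Review bot: The single `catch` now reports every failure as a missing vault or export, but the two failure modes introduced in this hunk are different: `[Convert]::FromBase64String` throws `FormatException` when the secret is a plaintext JSON export written by the pre-change Deploy module (every existing deployment hits this on upgrade until the config is re-exported), and `ProtectedData::Unprotect` throws `CryptographicException` when the caller is not the Windows user/machine that ran the deployment. Each should surface its own guidance instead of the generic "ensure the Key Vault exists" message, and the legacy plaintext case can be handled transparently by checking whether the retrieved value already looks like JSON before decoding. The sketch below leaves the decode path as written and adds the fallback plus a typed catch ahead of the existing generic one.
```powershell
    $encryptedConfig = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name 'gsaConfigExportLatest' -AsPlainText -ErrorAction Stop
    if ($encryptedConfig.TrimStart().StartsWith('{')) {
        # Legacy export written before DPAPI protection was introduced: already plain JSON
        $configString = $encryptedConfig
    }
    else {
        # … unchanged: FromBase64String / ProtectedData::Unprotect / UTF8.GetString …
    }
    # … unchanged: [PSCustomObject]@{ configString = $configString } …
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Error -Message "The exported configuration could not be decrypted. It is DPAPI-protected (CurrentUser scope) and can only be read by the same Windows user on the same machine that ran the deployment. Message: $_" -ErrorAction Stop
}
# … unchanged: existing generic catch …
```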