Update pipeline templates

nyanhp · nyanhp · commit 4284d113dae4 · 2023-06-18T18:20:09.000+02:00
diff --git a/templates/AppLockerProject/.github/workflows/publish.yml b/templates/AppLockerProject/.github/workflows/publish.yml
@@ -12,23 +12,23 @@ jobs:
     steps:
     - uses: actions/checkout@v1
     - name: Install Prerequisites
-      run: .\build\vsts-prerequisites.ps1
+      run: .\build\prerequisites.ps1 -BuildWorker -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1)
       shell: powershell
     - name: Validate Configuration Data
-      run: .\build\vsts-validate.ps1 -TestType ConfigurationData
+      run: .\build\validate.ps1 -TestType ConfigurationData -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1) -ProjectRoot $env:GITHUB_WORKSPACE
       shell: powershell
     - name: Build
-      run: .\build\vsts-build.ps1 -IncludeRsop
+      run: .\build\build.ps1 -IncludeRsop -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1) -SourcePath (Join-Path $env:GITHUB_WORKSPACE configurationdata) -OutputPath (Join-Path $env:GITHUB_WORKSPACE output)
       shell: powershell
     - uses: actions/upload-artifact@v3
       with:
         name: build-artifacts
         path: |
           .\output\rsop
           .\output\policies
-    - name: Validate Integration Tests
-      run: .\build\vsts-validate.ps1 -TestType Integration
-      shell: powershell
     - name: Publish
-      run: .\build\vsts-publish.ps1
+      run: .\build\publish.ps1
+      shell: powershell
+    - name: Validate Integration Tests
+      run: .\build\validate.ps1 -TestType Integration -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1) -ProjectRoot $env:GITHUB_WORKSPACE
       shell: powershell
diff --git a/templates/AppLockerProject/.github/workflows/validate.yml b/templates/AppLockerProject/.github/workflows/validate.yml
@@ -8,17 +8,17 @@ jobs:
     steps:
     - uses: actions/checkout@v1
     - name: Install Prerequisites
-      run: .\build\vsts-prerequisites.ps1
+      run: .\build\prerequisites.ps1 -BuildWorker -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1)
       shell: powershell
-    - name: Validate
-      run: .\build\vsts-validate.ps1 -TestType ConfigurationData
+    - name: Validate Configuration Data
+      run: .\build\validate.ps1 -TestType ConfigurationData -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1) -ProjectRoot $env:GITHUB_WORKSPACE
       shell: powershell
     - name: Build
-      run: .\build\vsts-build.ps1 -IncludeRsop
+      run: .\build\build.ps1 -IncludeRsop -DependencyPath (Join-Path $env:GITHUB_WORKSPACE build\requiredModules.psd1) -SourcePath (Join-Path $env:GITHUB_WORKSPACE configurationdata) -OutputPath (Join-Path $env:GITHUB_WORKSPACE output)
       shell: powershell
     - uses: actions/upload-artifact@v3
       with:
         name: build-artifacts
         path: |
           .\output\rsop
-          .\output\policies
+          .\output\policies
diff --git a/templates/AppLockerProject/build/publish.ps1 b/templates/AppLockerProject/build/publish.ps1
@@ -12,6 +12,7 @@ $modPath = Resolve-Path -Path $psdependConfig.PSDependOptions.Target
 $modOld = $env:PSModulePath
 $pathSeparator = [System.IO.Path]::PathSeparator
 $env:PSModulePath = "$modPath$pathSeparator$modOld"
+$rsops = Get-DatumRsopCache
 
 foreach ($policy in (Get-ChildItem -Path (Join-Path -Path $OutputPath -ChildPath Policies) -Recurse -Filter *.xml))
 {
@@ -24,6 +25,12 @@ foreach ($policy in (Get-ChildItem -Path (Join-Path -Path $OutputPath -ChildPath
         $null = New-GPO -Name $policy.BaseName -Comment "Auto-updated applocker policy" -Domain $policy.Directory.Name
     }
 
+    $rsop = $rsops | Where-Object { $_.Name -eq $policy.BaseName }
+    foreach ($link in $rsop.Links)
+    {
+        Set-GPLink -Name $rsop.PolicyName -Target $link.OrgUnitDn -LinkEnabled $link.Enabled -Enforced $link.Enforced -Order $link.Order -Domain $policy.Directory.Name -Confirm:0
+    }
+
     $policyFound = $searcher.FindOne()
 
     Set-AppLockerPolicy -XmlPolicy $policy.FullName -Ldap $policyFound.Path
diff --git a/templates/AppLockerProject/configurationdata/Policies/þdomainfqdnþ/Pol1.yml b/templates/AppLockerProject/configurationdata/Policies/þdomainfqdnþ/Pol1.yml
@@ -1,5 +1,14 @@
-PolicyName: Pol1
-Domain: þdomainfqdnþ
+PolicyName: "[x={ $Node.Name }=]"
+Domain: "[x={ $File.Directory.BaseName } =]"
+Links:
+  - OrgUnitDn: "OU=Prod,DC=contoso,DC=com"
+    LinkOrder: 1
+    Enforced: yes # unspecified, no
+    Enabled: no # unspecified, yes
+  - OrgUnitDn: "OU=Test,DC=contoso,DC=com"
+    LinkOrder: 1
+    Enforced: yes # unspecified, no
+    Enabled: yes # unspecified, no
 Apps:
   - Git
-  - Obs
+  - Obs
diff --git a/templates/AppLockerProject/configurationdata/readme.md b/templates/AppLockerProject/configurationdata/readme.md
@@ -29,7 +29,22 @@ The idea is to describe content that is relevant for each domain.
 ## Policies
 
 Grouped by the domain, each policy should be a single yml file that contains
-the Name, Domain and subscribed Apps for that policy.
+the Name, Domain, optional GPLinks and subscribed Apps for that policy.
+
+Through the use of Datum.InvokeCommand, we can run scripts during the build
+process, or rather: When generating the RSOP for the build.
+
+```yaml
+PolicyName: "[x={ $Node.Name }=]"
+Domain: "[x={ $File.Directory.BaseName } =]"
+Links:
+  - OrgUnitDn: "OU=Prod,DC=contoso,DC=com"
+    LinkOrder: 1
+    Enforced: yes # unspecified, no
+    Enabled: no # unspecified, yes
+Apps:
+  - Git
+```
 
 ## Generics
 
