From 3caf1f23d737ee7b776f3809762ae6c2e96a6b59 Mon Sep 17 00:00:00 2001
From: IjazMoJ <134407207+IjazMoJ@users.noreply.github.com>
Date: Tue, 2 Jan 2024 16:57:54 +0000
Subject: [PATCH] csr/dsos-2434/leave_domain_doc (#4418)
* Initial script write
* working script
* Tf resource for ssm doc added
* name adjusted
---
 .../corporate-staff-rostering/ec2_common.tf | 16 ++++-
 .../ssm-documents/leave-windows-domain.yaml | 72 +++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 terraform/environments/corporate-staff-rostering/ssm-documents/leave-windows-domain.yaml
diff --git a/terraform/environments/corporate-staff-rostering/ec2_common.tf b/terraform/environments/corporate-staff-rostering/ec2_common.tf
index 1a9057f153b..8825b4fdda7 100644
--- a/terraform/environments/corporate-staff-rostering/ec2_common.tf
+++ b/terraform/environments/corporate-staff-rostering/ec2_common.tf
@@ -54,6 +54,20 @@ resource "aws_ssm_document" "ami_build_automation" {
 )
 }
 
+resource "aws_ssm_document" "leave_windows_domain" {
+ name = "leave-windows-domain"
+ document_type = "Command"
+ document_format = "YAML"
+ content = file("./ssm-documents/leave-windows-domain.yaml")
+
+ tags = merge(
+ local.tags,
+ {
+ Name = "leave-windows-domain"
+ },
+ )
+}
+
 # resource "aws_ssm_document" "network-testing-tools" {
 # name = "network-testing-tools"
 # document_type = "Command"
@@ -66,4 +80,4 @@ resource "aws_ssm_document" "ami_build_automation" {
 # Name = "network-testing-tools"
 # },
 # )
-# }
\ No newline at end of file
+# }
diff --git a/terraform/environments/corporate-staff-rostering/ssm-documents/leave-windows-domain.yaml b/terraform/environments/corporate-staff-rostering/ssm-documents/leave-windows-domain.yaml
new file mode 100644
index 00000000000..bd0cbac0f43
--- /dev/null
+++ b/terraform/environments/corporate-staff-rostering/ssm-documents/leave-windows-domain.yaml
@@ -0,0 +1,72 @@
+---
+schemaVersion: "2.2"
+description: "SSM Document for removing Windows EC2 instances from the Active Directory domain."
+parameters:
+ domain:
+ type: "String"
+ default: "dev"
+ description: "Domain to join, either Dev (default) or Prod"
+ allowedValues:
+ - dev
+ - prod
+ domainLeaveUsername:
+ type: "String"
+ description: "Username with domain leave permissions"
+ domainLeavePassword:
+ type: "String"
+ description: "Password for domain leave user (NOTE: Do not use a password containing quotes)"
+ restart:
+ type: "String"
+ description: "If set to true, the instance will be restarted after leaving the domain. If set to false, the instance will not be restarted. Default is true."
+ default: "true"
+ allowedValues:
+ - "true"
+ - "false"
+mainSteps:
+ - name: WindowsDomainLeave
+ action: aws:runPowerShellScript
+ precondition:
+ StringEquals:
+ - platformType
+ - Windows
+ inputs:
+ runCommand:
+ - |
+ $ErrorActionPreference = "Stop" # all errors will terminate the script
+ $domain = "{{domain}}"
+ $domainLeaveUsername = "{{domainLeaveUsername}}"
+ $domainLeavePassword = "{{domainLeavePassword}}"
+ $restart = "{{restart}}"
+
+ # Define environment settings
+ $environments = @{
+ "dev" = @{
+ "domain" = "azure.noms.root";
+ "primarydns" = "10.102.0.196";
+ "serveraddresses" = @("10.102.0.196","10.102.0.200");
+ "suffixsearchlist" = @("azure.noms.root", "noms.root");
+ "domaincontroller" = "MGMCW0002.azure.noms.root";
+ "usernameprefix" = "azure";
+ };
+ "prod" = @{
+ "domain" = "azure.hmpp.root";
+ "primarydns" = "10.40.128.196";
+ "serveraddresses" = @("10.40.128.196","10.40.0.133");
+ "suffixsearchlist" = @("azure.hmpp.root", "hmpp.root");
+ "domaincontroller" = "PCMCW0011.azure.hmpp.root";
+ "usernameprefix" = "hmpp";
+ };
+ }
+
+ $secpasswd = ConvertTo-SecureString $domainLeavePassword -AsPlainText -Force
+ $credentials = New-Object System.Management.Automation.PSCredential (($environments[$domain]["usernameprefix"] + "\" + $domainLeaveUsername), $secpasswd)
+
+ # splatting Remove-Computer parameters to make it easier to read
+ $args = @{
+ UnjoinDomainCredential = $credentials
+ Verbose = $true
+ Force = $true
+ }
+
+ # Run the command to remove the computer from the domain
+ Remove-Computer @args
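Review bot: The `restart` parameter is read into `$restart` but never used, so `Remove-Computer @args` runs without `-Restart` and the documented default of `true` never restarts the instance; add `Restart = ($restart -eq "true")` to the splat (the document parameter is a string, so compare rather than cast). The password is interpolated into a double-quoted PowerShell literal, `$domainLeavePassword = "{{domainLeavePassword}}"`, which expands `$` and backtick sequences in addition to breaking on quotes; a single-quoted literal `'{{domainLeavePassword}}'` narrows the failure mode to single quotes only. Because the value arrives as a plain `String` document parameter it is also recorded with the Run Command invocation; a `{{ssm-secure:...}}` reference to a SecureString parameter, resolved on the instance at run time, keeps it out of that record and removes the need for callers to type it. `$args` is a PowerShell automatic variable, so the splat is better named, e.g. `$removeParams`. The `domain` parameter description still reads `Domain to join, either Dev (default) or Prod`; for this document it should say `Domain to leave`.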