feat: add lab reset and ghost-account purge commands#152
Merged
Conversation
…nt purge
**Added:**
- Introduced `lab reset` command to reset lab Active Directory state to a
known-clean baseline, including playbook re-provisioning and ghost account
cleanup
- Implemented ghost machine account purge logic to remove orphaned
WIN-[A-Z0-9]{11}$ computer accounts from each DC via SSM
- Added `lab purge-ghosts` subcommand for dedicated ghost account removal
- Added flags to control reset stages (`--skip-purge`, `--skip-provision`,
`--plays`, etc.) for flexible operation
**Changed:**
- Refactored playbook provisioning logic into new `provisionPlaybooks` function
for reuse between `provision` and `lab reset` commands in `provision.go`
l50
changed the title
l50
changed the title
l50
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Key Changes:
dreadgoad lab resetanddreadgoad lab purge-ghostssubcommands to restore the lab to a known-clean AD baseline without leaving the Go CLIRemove-ADComputeron each DC via SSM under the agent's identity, targetingWIN-[A-Z0-9]{11}$accounts left behind by NoPAC / MachineAccountQuota attemptsprovisionPlaybookshelper soprovisionandlab resetshare the same retry-aware playbook execution pathAdded:
lab purge-ghostssubcommand - discovers DCs from the inventory's[dc]group, resolves their instance IDs, and runs an idempotent PowerShell purge via SSM (cli/cmd/lab_reset.go)lab resetsubcommand - two-stage reset that purges ghost accounts then re-runs the AD-state playbooks (ad-data,ad-acl,ad-relations,ad-trusts,vulnerabilities); supports--skip-purge,--skip-provision,--plays,--limit,--max-retries,--retry-delay(cli/cmd/lab_reset.go)collectDCTargets,runGhostPurgeOnDC, andparseRemovedCountto skip hosts without instance IDs, surface SSM stdout/stderr per host, and tally removed accounts (cli/cmd/lab_reset.go)Changed:
runProvisionto delegate to a newprovisionPlaybooks(ctx, cfg, playbooks, limit, maxRetries, retryDelay)helper, allowinglab resetto reuse the same preflight, logging, retry, and SSM-cleanup logic (cli/cmd/provision.go)