Diffstat (limited to 'ansible/scripts/setup-websql.ps1')
-rw-r--r-- | ansible/scripts/setup-websql.ps1 | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/ansible/scripts/setup-websql.ps1 b/ansible/scripts/setup-websql.ps1
index 7881291..77377c3 100644
--- a/ansible/scripts/setup-websql.ps1
+++ b/ansible/scripts/setup-websql.ps1
@@ -1,6 +1,7 @@
 param (
 [string]$DomainName = "contoso.com",
- [string]$SvcUsername = "svc_websql01",
+ [string]$IISSvcUsername = "svc_iis01",
+ [string]$SQLSvcUsername = "svc_mssql01",
 [string]$SvcPassword = "Svc1234!"
 )
@@ -65,12 +66,12 @@ FTSVCACCOUNT="NT Service\MSSQLFDLauncher"
 New-NetFirewallRule -DisplayName "SQLServer default instance" -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow
 $env:Path += ";C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn"
- SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS"
- SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'"
+ SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SQLSvcUsername] FROM WINDOWS"
+ SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SQLSvcUsername', 'SYSADMIN'"
 SqlCmd -E -Q "ALTER LOGIN sa ENABLE"
- SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF"
- Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin"
+ SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SQLSvcPassword', CHECK_POLICY=OFF"
+ Write-Host "[inf] Added $NetBiosName\$SQLSvcUsername as MSSQL login and sysadmin"
 Write-Host "[inf] Enabled SA login"
 } catch {
 Write-Host "[err] SQL Server setup failed"
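Review bot: `$SQLSvcPassword` on the new `ALTER LOGIN sa WITH PASSWORD` line (second hunk, `@@ -65,12 +66,12 @@`) is not declared in the `param` block shown in the first hunk, which still has only `$SvcPassword`. Unless it is assigned in lines not shown here, PowerShell expands the undefined variable to an empty string, so `sa` is enabled with a blank password and `CHECK_POLICY=OFF` while the rule two lines above opens TCP 1433 inbound. Either keep `'$SvcPassword'` on that line or add `[string]$SQLSvcPassword` to `param` and have the caller pass it. The `try` block around these lines starts outside the hunk.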
@@ -146,7 +147,7 @@ public partial class UploadPage : Page
 try {
 New-WebSite -Name "MyASPXSite" -Port 80 -PhysicalPath $wwwroot1 -ApplicationPool "DefaultAppPool"
- Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3}
+ Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$IISSvcUsername";password="$SvcPassword";identityType=3}
 New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
 Restart-WebAppPool -Name "DefaultAppPool"
 Write-Host "[inf] Site 1 created on port 80"
@@ -155,9 +156,9 @@ try {
 }
 try {
- $svcRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$SvcUsername", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $svcAcl = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$IISSvcUsername", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
 $acl = Get-Acl $wwwroot1
- $acl.SetAccessRule($svcRule)
+ $acl.SetAccessRule($svcAcl)
 Set-Acl -Path $wwwroot1 -AclObject $acl
 Write-Host "[inf] ACL set for $wwwroot1"
 } catch {
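Review bot: The app pool identity on the new `Set-ItemProperty` line is the bare `$IISSvcUsername`, while the ACL in the next hunk names `$DomainName\$IISSvcUsername` and the SQL login in the earlier hunk uses `$NetBiosName\$SQLSvcUsername`. With three spellings of a domain account in one script, the pool may end up running as a different principal than the one the ACL names, for example if a local account with the same name exists. Consider qualifying it the same way everywhere, e.g. `userName="$NetBiosName\$IISSvcUsername"`, assuming `$NetBiosName` is in scope here (it is set outside the visible hunks). The same line appears in the `SqlQueryAppPool` hunk (`@@ -184,7 +185,7 @@`).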
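Review bot: `$svcAcl` holds a `FileSystemAccessRule`, not an ACL, so the rename from `$svcRule` makes the following lines harder to read, since `$acl` is the actual ACL. The same four-line grant now appears three times (this hunk, `@@ -170,9 +171,9 @@` and `@@ -248,7 +249,13 @@`), differing only in path and identity. A small helper would keep the permission level in one place where it can be reviewed and tightened, and each call site becomes one line, e.g. `Grant-WebRootAccess -Path $wwwroot1 -Identity "$DomainName\$IISSvcUsername"`. The `try` block this hunk edits ends outside the hunk.

```powershell
# Grants $Identity the given rights on $Path, inherited by child folders and files.
function Grant-WebRootAccess {
    param (
        [string]$Path,
        [string]$Identity,
        [string]$Rights = "Modify"
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl = Get-Acl $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
```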
@@ -170,9 +171,9 @@ try {
 New-WebSite -Name "MyASPXSite2" -Port 8080 -PhysicalPath $wwwroot2 -ApplicationPool "DefaultAppPool2"
 Set-ItemProperty "IIS:\AppPools\DefaultAppPool2" -Name processModel -Value @{identityType=2}
 New-NetFirewallRule -DisplayName "HTTP (8080)" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
+ $svcAcl = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
 $acl = Get-Acl $wwwroot2
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
+ $acl.SetAccessRule($svcAcl)
 Set-Acl -Path $wwwroot2 -AclObject $acl
 Restart-WebAppPool -Name "DefaultAppPool2"
 Write-Host "[inf] Site 2 created on port 8080"
@@ -184,7 +185,7 @@ try {
 Copy-Item $wwwroot1 -Destination $wwwroot3 -Recurse -Force
 New-WebAppPool -Name "SqlQueryAppPool"
 New-WebSite -Name "SqlQuerySite" -Port 9090 -PhysicalPath $wwwroot3 -ApplicationPool "SqlQueryAppPool"
- Set-ItemProperty "IIS:\AppPools\SqlQueryAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3}
+ Set-ItemProperty "IIS:\AppPools\SqlQueryAppPool" -Name processModel -Value @{userName="$IISSvcUsername";password="$SvcPassword";identityType=3}
 New-NetFirewallRule -DisplayName "HTTP (9090)" -Direction Inbound -Protocol TCP -LocalPort 9090 -Action Allow
 @"
@@ -248,7 +249,13 @@ try {
 </html>
 "@ | Out-File "$wwwroot3\sqlquery.aspx" -Force
+
+ $svcAcl = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$IISSvcUsername", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl = Get-Acl $wwwroot3
+ $acl.SetAccessRule($svcAcl)
+ Set-Acl -Path $wwwroot3 -AclObject $acl
 Restart-WebAppPool -Name "SqlQueryAppPool"
+
 Write-Host "[inf] Site 3 created on port 9090 with SQL query page"
 } catch {
 Write-Host "[err] Failed to create SQL query site" |
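Review bot: The grant added in the last hunk (`@@ -248,7 +249,13 @@`) gives the app pool account `Modify` on all of `$wwwroot3`, the directory IIS serves `sqlquery.aspx` from, and `$wwwroot3` is a copy of `$wwwroot1`, so it carries the same pages. A worker identity that can write where it executes turns any file-write flaw in those pages into code execution as `$IISSvcUsername`. If that is not intended for this environment, grant `ReadAndExecute` on the root (`FileSystemAccessRule("$DomainName\$IISSvcUsername", "ReadAndExecute", ...)`) and `Modify` only on the folder that needs writes. If it is intended, a one-line comment above the grant saying so would keep it from being copied elsewhere. The `try` block starts outside the hunk.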