SqlSpnManager

1.4.0

SqlSpnManager.psd1

@{
    ModuleVersion        = '1.4.0'
    GUID                 = 'b9e38d01-6c8a-4d2e-8a9a-3f9c5d8a2f1b'
    Author               = 'Keith Ramsey'
    CompanyName          = 'Keith Ramsey'
    Copyright            = '(c) Keith Ramsey. All rights reserved.'
    Description          = 'Enterprise SPN governance for SQL Server. Manages Service Principal Name registration across Standalone, AlwaysOn, and FCI scenarios with forest-wide duplicate detection, cross-forest -T flag handling, FCI cluster Virtual Computer Object auto-resolution, AD ACL preflight, per-invocation audit logging, and Windows Event Log SIEM-readiness. v1 public surface is the lab-proven Engine core: Role in {Engine, Agent} x Scenario in {Standalone, AlwaysOn, FCI}. Export-SqlSpnRegistrationScript renders a plan into a clean setspn command bundle for AD-segregated organisations where a sysadmin executes the registration. SSAS, SSRS, PBIRS, Browser, and the MSDTC scenario are deferred as named, demand-sequenced, prove-before-expose post-v1 expansions (DR-309). See Docs\\DECISIONS_PHASE3.md (DR-309, DR-311).'
    PowerShellVersion    = '5.1'
    RootModule           = 'SqlSpnManager.psm1'
    RequiredModules      = @('ActiveDirectory')
    FunctionsToExport    = @(
        'Add-SqlSpn',
        'Assert-SqlAccountStandard',
        'Export-SqlSpnRegistrationScript',
        'Get-SqlSpnAccount',
        'Get-SqlSpnDiscoveryEngine',
        'Get-SqlSpnInfrastructure',
        'Invoke-SqlSpnExecutionEngine',
        'New-SqlSpnPlan',
        'Remove-SqlSpn',
        'Show-SqlSpnDiagnostic',
        'Start-SqlSpnConfiguration',
        'Start-SqlSpnManager',
        'Test-SqlSpnPlan'
    )
    CmdletsToExport      = @()
    VariablesToExport    = @()
    AliasesToExport      = @()
    HelpInfoURI          = ''  # TODO: set when module ships to a help-info host

    # Declarative file inventory of the module's runtime surface (informational
    # per Microsoft docs; the actual .nupkg filtering happens via
    # Tools\Publish-SqlSpnModule.ps1's staging directory).
    FileList             = @(
        'SqlSpnManager.psm1',
        'SqlSpnManager.psd1',
        'readme.md',
        'Public\Add-SqlSpn.ps1',
        'Public\Assert-SqlAccountStandard.ps1',
        'Public\Export-SqlSpnRegistrationScript.ps1',
        'Public\Get-SqlSpnAccount.ps1',
        'Public\Get-SqlSpnDiscoveryEngine.ps1',
        'Public\Get-SqlSpnInfrastructure.ps1',
        'Public\Invoke-SqlSpnExecutionEngine.ps1',
        'Public\New-SqlSpnPlan.ps1',
        'Public\Remove-SqlSpn.ps1',
        'Public\Show-SqlSpnDiagnostic.ps1',
        'Public\Start-SqlSpnConfiguration.ps1',
        'Public\Start-SqlSpnManager.ps1',
        'Public\Test-SqlSpnPlan.ps1',
        'Private\Get-SqlAccountPolicy.ps1',
        'Private\Get-SqlActualPort.ps1',
        'Private\Get-SqlRoleMetadata.ps1',
        'Private\Get-SqlSpnExecutionConfirmation.ps1',
        'Private\Get-SqlSpnScenarioChoice.ps1',
        'Private\Get-SqlSpnSourceChoice.ps1',
        'Private\Get-SqlSpnTargetName.ps1',
        'Private\Get-SqlSpnVisualAccountSelection.ps1',
        'Private\Invoke-SqlSpnNativeCall.ps1',
        'Private\Invoke-SqlSpnSetspnAction.ps1',
        'Private\Resolve-SqlPolicyFromContext.ps1',
        'Private\Resolve-SqlSpnFciCno.ps1',
        'Private\Resolve-SqlSpnLogPath.ps1',
        'Private\Resolve-SqlSpnStandardPool.ps1',
        'Private\Resolve-SqlSpnVirtualAccount.ps1',
        'Private\Test-SqlAdPermission.ps1',
        'Private\Write-SqlSpnEventLog.ps1',
        'Private\Write-SqlSpnLog.ps1'
    )

    PrivateData          = @{
        PSData = @{
            Tags         = @(
                'SQL', 'SPN', 'Kerberos', 'ActiveDirectory', 'AD',
                'FCI', 'AlwaysOn', 'AG',
                'Authentication', 'Audit', 'EventLog', 'SIEM',
                'DBA', 'Governance', 'ServicePrincipalName',
                'CrossForest', 'gMSA', 'ManagedServiceAccount',
                'Windows', 'PSEdition_Desktop', 'PSEdition_Core'
            )
            # ===== GR-003 / PSGallery publish TODO for Keith =====
            # License DECIDED 2026-05-21: MPL-2.0 (LICENSE file at repo root).
            # ProjectUri + LicenseUri SET. IconUri still needs a real asset URL.
            # See Docs/Goals/GR-003-publish-v1-to-psgallery.md for the full publish gate.
            ProjectUri   = 'https://sql-spn-manager.com'
            LicenseUri   = 'https://opensource.org/licenses/MPL-2.0'
            ExternalModuleDependencies = @('ActiveDirectory')
            # IconUri = 'https://<asset-host>/SqlSpnManager-icon.png' # 64x64 or 128x128 PNG
            # =====================================================
            ReleaseNotes = @'
v1.4.0 (Phase 3 close - DR-309 + DR-311):
- Public surface narrowed to the lab-proven Engine core (DR-309):
  Role in {Engine, Agent} x Scenario in {Standalone, AlwaysOn, FCI}.
  SSAS, SSRS, PBIRS, Browser, MSDTC deferred as named, demand-sequenced,
  prove-before-expose post-v1 expansions (internal tables unchanged).
- Added Export-SqlSpnRegistrationScript (DR-311): renders a plan into a
  clean setspn command bundle for an AD admin to execute. Supports Cmd
  and PowerShell formats. Output carries provenance: module version,
  plan GUID, UTC stamp, target account sAMAccountName + DN. Closes the
  workflow for AD-segregated organisations (regulated environments,
  anywhere the DBA does not have AD write rights).
- DR-307 closed as documented v1 limitation (option c): English-locale
  assumption for setspn success detection; engineered fix deferred as a
  named post-v1 increment, reopens on real demand signal.
- DR-310 (Level 1 testing standard) implemented across the unit suite:
  tests run our own real functions and substitute ONLY the true external
  edge (setspn / AD cmdlets / OS APIs). Surfaced and removed a tautology
  test and a 30s remote-registry network hang.
- 213/213 Pester 5 tests; PSScriptAnalyzer gate clean; lab-validated
  Waves 1-3 on a real domain 2026-05-17.
'@
        }
    }
}