ARM template & DSC - providing credential to configuration file

  • Question

  • I am working on my first AzureRM/DSC template project by customizing the Azure deployment templates found here: https://github.com/Azure/azure-quickstart-templates/tree/master/201-vmss-automation-dsc

    As part of that, I modified WindowsIISServerConfig.ps1 to add some Windows features and the ability to download a certificate and install it. The problem is I don't know how to pass the credential for the certificate into this configuration.

    Here is my code...how can I pass in the $certPass parameter?

    configuration WindowsIISServerConfig
    {
    
        param
        (
            [Parameter(Mandatory = $true)]
            [ValidateNotNullorEmpty()]
            [System.Management.Automation.PSCredential]
            $certPass
        )
    
        Import-DscResource -ModuleName 'xWebAdministration'
        Import-DscResource -ModuleName 'xPSDesiredStateConfiguration'
        Import-DscResource -ModuleName 'CertificateDsc'
        Import-DscResource -ModuleName 'PSDesiredStateConfiguration'    
    
        WindowsFeature WebServer
        {
            Ensure  = 'Present'
            Name    = 'Web-Server'
        }
    
        WindowsFeature WebManagement
        {
            Ensure  = 'Present'
            Name    = 'Web-Mgmt-Console'
            DependsOn = '[WindowsFeature]WebServer'
        }
    
        WindowsFeature WebASPNet47
        {
            Ensure  = 'Present'
            Name    = 'Web-Asp-Net45'
            DependsOn = '[WindowsFeature]WebServer'
        }
    
        WindowsFeature WebNetExt
        {
            Ensure  = 'Present'
            Name    = 'Web-Net-Ext45'
            DependsOn = '[WindowsFeature]WebServer'
        }
    
        # IIS Site Default Settings
        xWebSiteDefaults SiteDefaults
        {
            ApplyTo                 = 'Machine'
            LogFormat               = 'IIS'
            LogDirectory            = 'C:\inetpub\logs\LogFiles'
            TraceLogDirectory       = 'C:\inetpub\logs\FailedReqLogFiles'
            DefaultApplicationPool  = 'DefaultAppPool'
            AllowSubDirConfig       = 'true'
            DependsOn               = '[WindowsFeature]WebServer'
        }
    
        # IIS App Pool Default Settings
        xWebAppPoolDefaults PoolDefaults
        {
           ApplyTo               = 'Machine'
           ManagedRuntimeVersion = 'v4.0'
           IdentityType          = 'ApplicationPoolIdentity'
           DependsOn             = '[WindowsFeature]WebServer'
        }
    
        # Get SSL cert file from Azure Storage using SAS URI
        xRemoteFile CertPfx
        {
            Uri = "https://example.blob.core.windows.net/resources/cert.pfx?sp=r&st=2019-06-02T22:00:11Z&se=2019-07-03T06:00:11Z&spr=https&sv=2018-03-28&sig=xxxxxx&sr=b"
            DestinationPath = "C:\temp\cert.pfx"
        }
    
        # Import the PFX file which was downloaded to local path
        PfxImport ImportCertPFX
        {
            Ensure     = "Present"
            DependsOn  = "[xRemoteFile]CertPfx"
            Thumbprint = "c124bf740b256316bd756g689140d6ff3dcdd65f"
            Path       = "c:\temp\cert.pfx"
            Location   = "LocalMachine"
            Store      = "WebHosting"
            Credential = $certPass
        }
    
    }

    Thursday, June 13, 2019 12:35 PM

All replies

  • Hi noamo48,

You may pass credentials into the configuration by setting up parameterized configurations.

    You may leverage the Get-AutomationPSCredential cmdlet, which uses an Azure Automation credential asset, in your configuration. For illustration, refer to this document.

    To understand the process to create an Azure Automation credential asset, refer to this document.

    Other related references:

    To specify user credentials for the configuration using PsDscRunAsCredential property

    To encrypt credentials in the configuration MOF file

    Credentials Options in Configuration Data



    Hope this helps!! Cheers!!

    Sunday, June 16, 2019 5:11 AM
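Both the question (how to hand a PSCredential parameter to the configuration) and the credential-encryption references in the reply above come down to what the DSC compiler finds in ConfigurationData for each node. The following is an added example, not code from this thread or from the Azure quickstart: it compiles a small configuration with a PSCredential parameter twice, once with the PSDscAllowPlainTextPassword flag (the password lands in the .mof in clear text) and once with the target node's DSC encryption certificate (CertificateFile plus Thumbprint), and then searches both MOFs for the secret. When a node entry has neither setting, the compiler refuses with exactly the "Converting and storing encrypted passwords as plain text is not recommended" error. The node name web01, the .cer path, the output directories and the demo password are assumptions; the built-in User resource stands in for PfxImport only so that nothing beyond PSDesiredStateConfiguration is needed.

```powershell
# Added example (not from the original thread): compiling a configuration that takes a
# PSCredential parameter, first the insecure way (plain-text password in the MOF), then with
# the credential encrypted to the target node's DSC encryption certificate.
# Assumptions: target node 'web01', its public certificate exported to C:\dsc\web01.cer,
# output folders under C:\dsc. Windows PowerShell 5.1 on the authoring machine.

configuration CredentialDemo
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $certPass
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $AllNodes.NodeName
    {
        # Any resource with a PSCredential property would do; User ships with DSC.
        User PfxServiceAccount
        {
            Ensure   = 'Present'
            UserName = $certPass.UserName
            Password = $certPass
        }
    }
}

# Constructed credential for the demo only; never hard-code a real password like this.
$demoPassword = ConvertTo-SecureString 'Demo-Only-P@ssw0rd' -AsPlainText -Force
$certPass = New-Object System.Management.Automation.PSCredential ('certificate', $demoPassword)

# 1. Weak setting: tells the compiler to write the password unencrypted into the .mof file.
$weakData = @{
    AllNodes = @(
        @{ NodeName = 'web01'; PSDscAllowPlainTextPassword = $true }
    )
}
CredentialDemo -certPass $certPass -ConfigurationData $weakData -OutputPath 'C:\dsc\weak' | Out-Null

# 2. Corrected: encrypt the credential with the node's public key. The node must hold the
#    matching private key in Cert:\LocalMachine\My and its LCM must be configured with the
#    same thumbprint (CertificateID) so it can decrypt the MOF when it is applied.
$nodeCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\dsc\web01.cer'
$secureData = @{
    AllNodes = @(
        @{
            NodeName        = 'web01'
            CertificateFile = 'C:\dsc\web01.cer'
            Thumbprint      = $nodeCert.Thumbprint
        }
    )
}
CredentialDemo -certPass $certPass -ConfigurationData $secureData -OutputPath 'C:\dsc\secure' | Out-Null

# Check: the plaintext secret must be present in the weak MOF only.
foreach ($dir in 'weak', 'secure') {
    $hit = Select-String -Path "C:\dsc\$dir\web01.mof" -Pattern 'Demo-Only-P@ssw0rd' -SimpleMatch -Quiet
    '{0,-6} MOF contains plaintext password: {1}' -f $dir, [bool]$hit
}
```

The check is the part worth keeping in a pipeline: a MOF that will be copied to a share or pull server should fail a grep for the secret, and a node whose LCM has no CertificateID will not be able to consume the encrypted one, which is a better failure than a clear-text password on disk.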
  • I actually started following the example here to pass the configurationData as part of the ARM template: 

    https://github.com/azureautomation/automation-packs/blob/master/201-Deploy-And-Compile-DSC-Configuration-Credentials/deployThroughARM.ps1

    https://github.com/azureautomation/automation-packs/blob/master/201-Deploy-And-Compile-DSC-Configuration-Credentials/azuredeploy.json

However, I get this error:

    Converting and storing encrypted passwords as plain text is not recommended.

    I have tried everything I can think of to fix this. Here is my config file and the relevant section of the ARM template:

configuration WindowsIISServerConfig
    {
        Import-DscResource -ModuleName 'xWebAdministration'
        Import-DscResource -ModuleName 'xPSDesiredStateConfiguration'
        Import-DscResource -ModuleName 'CertificateDsc'
        Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

        # PFX password is read from the Azure Automation credential asset 'PfxPassword'
        $certPass = Get-AutomationPSCredential 'PfxPassword'

        Node $AllNodes.NodeName
        {
            WindowsFeature WebServer
            {
                Ensure  = 'Present'
                Name    = 'Web-Server'
            }

            WindowsFeature WebManagement
            {
                Ensure    = 'Present'
                Name      = 'Web-Mgmt-Console'
                DependsOn = '[WindowsFeature]WebServer'
            }

            WindowsFeature WebASPNet47
            {
                Ensure    = 'Present'
                Name      = 'Web-Asp-Net45'
                DependsOn = '[WindowsFeature]WebServer'
            }

            WindowsFeature WebNetExt
            {
                Ensure    = 'Present'
                Name      = 'Web-Net-Ext45'
                DependsOn = '[WindowsFeature]WebServer'
            }

            # IIS Site Default Settings
            xWebSiteDefaults SiteDefaults
            {
                ApplyTo                 = 'Machine'
                LogFormat               = 'IIS'
                LogDirectory            = 'C:\inetpub\logs\LogFiles'
                TraceLogDirectory       = 'C:\inetpub\logs\FailedReqLogFiles'
                DefaultApplicationPool  = 'DefaultAppPool'
                AllowSubDirConfig       = 'true'
                DependsOn               = '[WindowsFeature]WebServer'
            }

            # IIS App Pool Default Settings
            xWebAppPoolDefaults PoolDefaults
            {
                ApplyTo               = 'Machine'
                ManagedRuntimeVersion = 'v4.0'
                IdentityType          = 'ApplicationPoolIdentity'
                DependsOn             = '[WindowsFeature]WebServer'
            }

            # Get SSL cert file from Azure Storage using SAS URI
            xRemoteFile CertPfx
            {
                Uri             = "https://example.blob.core.windows.net/resources/cert.pfx?sp=r&st=2019-06-02T22:00:11Z&se=2019-07-03T06:00:11Z&spr=https&sv=2018-03-28&sig=xxxxxx&sr=b"
                DestinationPath = "C:\temp\cert.pfx"
            }

            # Import the PFX file which was downloaded to local path
            PfxImport ImportCertPFX
            {
                Ensure     = "Present"
                DependsOn  = "[xRemoteFile]CertPfx"
                Thumbprint = "b124bf740b256316bd7439f89140d6ff6dccf658"
                Path       = "c:\temp\cert.pfx"
                Location   = "LocalMachine"
                Store      = "WebHosting"
                Credential = $certPass
            }
        }
    }

    In azuredeploy.json:

"variables": {
      "automationAccountName": "[concat('DSC-',take(guid(resourceGroup().id),5))]",
      "jobConfigurationData": "{\"AllNodes\":[{\"NodeName\":\"*\",\"PSDscAllowPlainTextPassword\":true}]}",

    ...

    {
          "name": "provisionConfiguration",
          "type": "Microsoft.Resources/deployments",
          "apiVersion": "2018-02-01",
          "properties": {
            "mode": "Incremental",
            "templateLink": {
              "uri": "[variables('provisionConfigurationURL')]",
              "contentVersion": "1.0.0.0"
            },
            "parameters": {
              "_artifactsLocation": {
                "value": "[parameters('_artifactsLocation')]"
              },
              "_artifactsLocationSasToken": {
                "value": "[parameters('_artifactsLocationSasToken')]"
              },
              "automationAccountName": {
                "value": "[variables('automationAccountName')]"
              },
              "certPassword": {
                "value": "[parameters('certPassword')]"
              },
              "location": {
                "value": "[parameters('location')]"
              },
              "compileName": {
                "value": "[parameters('compileName')]"
              },
              "jobConfigurationData": {
                "value": "[variables('jobConfigurationData')]"
              }
            }
          }
        }


    In provisionConfiguration.json:

    "resources": [
        {
          "name": "[parameters('automationAccountName')]",
          "type": "Microsoft.Automation/automationAccounts",
          "apiversion": "2018-06-30",
          "location": "[parameters('location')]",
          "properties": {
            "sku": {
              "name": "Basic"
            }
          },
          "resources": [
            {
              "name": "[variables('dscResources').xWebAdministration.name]",
              "type": "modules",
              "apiVersion": "2018-06-30",
              "location": "[parameters('location')]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]"
              ],
              "properties": {
                "contentLink": {
                  "uri": "[variables('dscResources').xWebAdministration.url]"
                }
              }
            },
            {
              "name": "[variables('dscResources').xPSDesiredStateConfiguration.name]",
              "type": "modules",
              "apiVersion": "2018-06-30",
              "location": "[parameters('location')]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]"
              ],
              "properties": {
                "contentLink": {
                  "uri": "[variables('dscResources').xPSDesiredStateConfiguration.url]"
                }
              }
            },
            {
              "name": "[variables('dscResources').CertificateDsc.name]",
              "type": "modules",
              "apiVersion": "2018-06-30",
              "location": "[parameters('location')]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]"
              ],
              "properties": {
                "contentLink": {
                  "uri": "[variables('dscResources').CertificateDsc.url]"
                }
              }
            },
            {
              "name": "PfxPassword",
              "type": "credentials",
              "apiVersion": "2018-06-30",
              "location": "[resourceGroup().location]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]"
              ],
              "tags": {},
              "properties": {
                "userName": "certificate",
                "password": "[parameters('certPassword')]"
              }
            },
            {
              "name": "[variables('dscConfigurations').WindowsIISServerConfig.name]",
              "type": "configurations",
              "apiVersion": "2018-06-30",
              "location": "[parameters('location')]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]",
                "[variables('dscResources').xWebAdministration.name]",
                "[variables('dscResources').xPSDesiredStateConfiguration.name]",
                "[variables('dscResources').CertificateDsc.name]"
              ],
              "properties": {
                "state": "Published",
                "overwrite": "true",
                "source": {
                  "type": "uri",
                  "value": "[concat(parameters('_artifactsLocation'), variables('dscConfigurations').WindowsIISServerConfig.script, parameters('_artifactsLocationSasToken'))]"
                }
              }
            },
            {
              "name": "[parameters('compileName')]",
              "type": "compilationjobs",
              "apiVersion": "2018-06-30",
              "tags": {},
              "dependsOn": [
                "[parameters('AutomationAccountName')]",
                "[concat('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'),'/Credentials/', 'PfxPassword')]",
                "[variables('dscConfigurations').WindowsIISServerConfig.name]"
              ],
              "properties": {
                "configuration": {
                  "name": "[variables('dscConfigurations').WindowsIISServerConfig.name]"
                },
                "parameters": {
                  "ConfigurationData": "[parameters('jobConfigurationData')]"
                }
              }
            },
            {
              "name": "[variables('runbook').Name]",
              "type": "runbooks",
              "apiversion": "2018-06-30",
              "location": "[parameters('location')]",
              "dependsOn": [
                "[parameters('AutomationAccountName')]"
              ],
              "properties": {
                "runbookType": "PowerShell",
                "logProgress": false,
                "logVerbose": false,
                "description": "[variables('runbook').Description]",
                "publishContentLink": {
                  "uri": "[concat(parameters('_artifactsLocation'), variables('runbook').Uri, parameters('_artifactsLocationSasToken'))]",
                  "version": "[variables('runbook').Version]"
                }
              }
            }
          ]
        }

    • Edited by noamo48 Monday, June 17, 2019 9:06 PM
    Monday, June 17, 2019 9:01 PM
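For the Azure Automation side of the post above, here is an added example (mine, not the thread's, and not the automation-packs template it references) that performs the same compile from a workstation with the Az.Automation cmdlets, so the compiler's output can be read directly instead of through a nested ARM deployment. It creates the PfxPassword credential asset that the posted configuration reads with Get-AutomationPSCredential, publishes the script, starts a compilation job with ConfigurationData passed as a hashtable, and polls the job for its output streams. The resource group, account name, script path and the localhost node entry are assumptions; Connect-AzAccount must have been run first.

```powershell
# Added example (not from the original thread): compile the posted WindowsIISServerConfig in
# Azure Automation State Configuration from a workstation with Az.Automation, so the compiler
# errors are visible in the job output. Assumptions: resource group, account name, script path,
# and a ConfigurationData node entry named localhost. Run Connect-AzAccount before this.
$rg      = 'rg-web'
$account = 'DSC-demo'
$script  = 'C:\dsc\WindowsIISServerConfig.ps1'   # file name must match the configuration name

# 1. Credential asset. Prompting keeps the PFX password out of scripts, ARM parameter files
#    and shell history; the configuration fetches it at compile time by asset name.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxCred     = New-Object System.Management.Automation.PSCredential ('certificate', $pfxPassword)
New-AzAutomationCredential -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'PfxPassword' -Value $pfxCred | Out-Null

# 2. Publish the configuration script (the CertificateDsc, xWebAdministration and
#    xPSDesiredStateConfiguration modules must already be imported into the account).
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -SourcePath $script -Published -Force | Out-Null

# 3. Compile. ConfigurationData is a hashtable here, not a JSON string. The node entry names
#    the node the "Node $AllNodes.NodeName" block is compiled for; PSDscAllowPlainTextPassword
#    is what the DSC compiler checks for before it will emit a MOF containing a credential.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true }
    )
}
$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account `
    -ConfigurationName 'WindowsIISServerConfig' -ConfigurationData $configData

# 4. Wait for a terminal state, then print every stream. A "Converting and storing encrypted
#    passwords as plain text is not recommended" failure shows up here with the exception text.
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account -Id $job.Id
} while ($job.Status -notin 'Completed', 'Failed', 'Suspended', 'Stopped')

"Compilation job $($job.Id): $($job.Status)"
Get-AzAutomationDscCompilationJobOutput -ResourceGroupName $rg -AutomationAccountName $account `
    -Id $job.Id -Stream Any |
    ForEach-Object { '[{0}] {1}' -f $_.Type, $_.Summary }

# 5. The resulting node configuration is named <ConfigurationName>.<NodeName>.
Get-AzAutomationDscNodeConfiguration -ResourceGroupName $rg -AutomationAccountName $account |
    Where-Object Name -like 'WindowsIISServerConfig.*' |
    Select-Object Name, CreationTime
```

The flag is tolerable in this setting, where Azure Automation State Configuration stores and delivers the compiled node configuration encrypted, in a way it is not for a MOF produced locally and copied around; the local, certificate-based alternative is the other example in this thread.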