The Puppet dsc module manages Windows PowerShell DSC (Desired State Configuration) resources.
This module generates Puppet types based on DSC Resources MOF (Managed Object Format) schema files.
In this version, the following DSC Resources are already built and ready for use:
puppet module install puppetlabs-dsc
See known issues for troubleshooting setup.
You can use a DSC Resource by prefixing each DSC Resource name and parameter with ‘dsc_’ and lowercasing the values.
So a DSC resource specified in PowerShell…
WindowsFeature IIS {
Ensure = 'present'
Name = 'Web-Server'
}
…would look like this in Puppet:
dsc_windowsfeature {'IIS':
dsc_ensure => 'present',
dsc_name => 'Web-Server',
}
All DSC Resource names and parameters have to be in lowercase, for example: dsc_windowsfeature or dsc_name.
You can use either ensure => (Puppet’s ensure) or dsc_ensure => (DSC’s Ensure) in your manifests for Puppet DSC resource types. If you use both in a Puppet DSC resource, dsc_ensure overrides the value in ensure, so the value for ensure is essentially ignored.
We recommend that you use dsc_ensure instead of ensure, as it is a closer match for converting the DSC properties to Puppet DSC resources. It also overrides ensure, so there is less confusion if both are accidentally included.
Note: While you can use either
ensure =>(Puppet’sensure) ordsc_ensure =>(DSC’sEnsure) in your manifests, there is currently a known issue whereensure => absentreports success but does nothing. See MODULES-2966 for details. Until this issue is resolved, we recommend usingdsc_ensureexclusively.
Add the following reboot resource to your manifest. It must have the name dsc_reboot for the dsc module to find and use it.
reboot { 'dsc_reboot' :
message => 'DSC has requested a reboot',
when => 'pending'
}
Install MSIs or EXEs with DSC using the Puppet type dsc_package, which maps to the Package DSC Resource.
dsc_package{'installpython'
dsc_ensure => 'Present',
dsc_name => 'Python 2.7.10',
dsc_productid => 'E2B51919-207A-43EB-AE78-733F9C6797C2'
dsc_path => 'C:\\python.msi',
}
The Package DSC Resource requires the following information to install an MSI:
Name of product being installed.ProductCode property of the MSI, which is a unique identifier for the particular product release, represented as a GUID string. For more information see the MSDN ProductCode property documentation page.You can obtain this information in a variety of ways.
Name and ProductCode.Name and ProductCode in the Windows Add/Remove Programs Control Panel.Name and ProductCode, as in the example PowerShell script below, which was adapted from Stack Overflow.function Get-MsiDatabaseInfo{
param ([IO.FileInfo]$FilePath)
$productName = Invoke-MSIQuery -FilePath $filePath.FullName -Query "SELECT Value FROM Property WHERE Property = 'ProductName'"
$productCode = Invoke-MSIQuery -FilePath $filePath.FullName -Query "SELECT Value FROM Property WHERE Property = 'ProductCode'"
return [PSCustomObject]@{
FullName = $FilePath.FullName
ProductName = ([string]$productName).TrimStart()
ProductCode = ([string]$productCode).Replace("{","").Replace("}","").TrimStart()
}
}
function Invoke-MSIQuery{
param($FilePath, $Query)
try{
$windowsInstaller = New-Object -com WindowsInstaller.Installer
$database = $windowsInstaller.GetType().InvokeMember("OpenDatabase", "InvokeMethod", $Null, $windowsInstaller, @($FilePath, 0))
}catch{
throw "Failed to open MSI file. The error was: {0}." -f $_
}
try{
$View = $database.GetType().InvokeMember("OpenView", "InvokeMethod", $Null, $database, ($query))
$View.GetType().InvokeMember("Execute", "InvokeMethod", $Null, $View, $Null)
$record = $View.GetType().InvokeMember("Fetch", "InvokeMethod", $Null, $View, $Null)
$property = $record.GetType().InvokeMember("StringData", "GetProperty", $Null, $record, 1)
$View.GetType().InvokeMember("Close", "InvokeMethod", $Null, $View, $Null)
return $property
}catch{
throw "Failed to read MSI file. The error was: {0}." -f $_
}
}
Supply a hash to any parameter that accepts PowerShell hashes, and Puppet handles creating the appropriate values for you.
dsc_example_resource { 'examplefoo':
dsc_ensure => present,
dsc_hash_parameter => {
'key1' => 'value1',
'key2' => 'value2'
},
}
DSC uses MSFT_Credential objects to pass credentials to DSC Resources. Supply a hash to any credential parameter, and Puppet handles creating the credential object for you.
Optionally use the Puppet Sensitive type to ensure logs and reports redact the password.
dsc_user { 'jane-doe':
dsc_username => 'jane-doe',
dsc_description => 'Jane Doe user',
dsc_ensure => present,
dsc_password => {
'user' => 'jane-doe',
'password' => Sensitive('jane-password')
},
dsc_passwordneverexpires => false,
dsc_disabled => true,
}
Creating and modifying Registry keys and values is done with the dsc_registry Puppet type which maps to the Registry DSC Resource.
Set simple values by specifying key-value pairs.
dsc_registry {'registry_test':
dsc_ensure => 'Present'
dsc_key => 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleKey'
dsc_valuename => 'TestValue'
dsc_valuedata => 'TestData'
}
The ‘Binary’ data type expects hexadecimal in a single string.
dsc_registry {'registry_test':
dsc_ensure => 'Present',
dsc_key => 'HKEY_LOCAL_MACHINE\SOFTWARE\TestKey',
dsc_valuename => 'TestBinaryValue',
dsc_valuedata => 'BEEF',
dsc_valuetype => 'Binary',
}
The ‘Dword’ and ‘Qword’ data types expect signed integer values, as opposed to hexadecimal or unsigned.
dsc_registry {'registry_test':
dsc_ensure => 'Present',
dsc_key => 'HKEY_LOCAL_MACHINE\SOFTWARE\TestKey',
dsc_valuename => 'TestDwordValue',
dsc_valuedata => '-2147483648',
dsc_valuetype => 'Dword',
}
Note: DSC Resources are executed under the SYSTEM context by default, which means you are unable to access any user level Registry key without providing alternate credentials.
You can add or remove Windows Features using Puppet type dsc_windowsfeature which maps to the WindowsFeature DSC Resource.
dsc_windowsfeature {'featureexample':
dsc_ensure = 'present'
dsc_name = 'Web-Server'
}
dsc_windowsfeature {'featureexample':
dsc_ensure = 'absent'
dsc_name = 'Web-Server'
}
You can find the name to use when adding or removing Windows Features by executing the Get-WindowsFeature cmdlet and using the Name property.
[PS]> Get-WindowsFeature
An end-to-end example installation of a test website.
class fourthcoffee(
$websitename = 'FourthCoffee',
$zipname = 'FourthCoffeeWebSiteContent.zip',
$sourcerepo = 'https://github.com/msutter/fourthcoffee/raw/master',
$destinationpath = 'C:\inetpub\FourthCoffee',
$defaultwebsitepath = 'C:\inetpub\wwwroot',
$zippath = 'C:\tmp'
){
$zipuri = "${sourcerepo}/${zipname}"
$zipfile = "${zippath}\\${zipname}"
# Install the IIS role
dsc_windowsfeature {'IIS':
dsc_ensure => 'present',
dsc_name => 'Web-Server',
} ->
# Install the ASP .NET 4.5 role
dsc_windowsfeature {'AspNet45':
dsc_ensure => 'present',
dsc_name => 'Web-Asp-Net45',
} ->
# Stop an existing website (set up in Sample_xWebsite_Default)
dsc_xwebsite {'Stop DefaultSite':
dsc_ensure => 'present',
dsc_name => 'Default Web Site',
dsc_state => 'Stopped',
dsc_physicalpath => $defaultwebsitepath,
} ->
# Create tmp folder
dsc_file {'tmp folder':
dsc_ensure => 'present',
dsc_type => 'Directory',
dsc_destinationpath => $zippath,
} ->
# Download the site content
dsc_xremotefile {'Download WebContent Zip':
dsc_destinationpath => $zipfile,
dsc_uri => $zipuri,
} ->
# Extract the website content
dsc_archive {'Unzip and Copy the WebContent':
dsc_ensure => 'present',
dsc_path => $zipfile,
dsc_destination => $destinationpath,
} ->
# Create a new website
dsc_xwebsite {'BackeryWebSite':
dsc_ensure => 'present',
dsc_name => $websitename,
dsc_state => 'Started',
dsc_physicalpath => $destinationpath,
}
}
As you can see, you can mix and match DSC resources with common Puppet resources. All Puppet metaparameters are also supported.
A comprehensive list of all types included in the dsc module is available in the types document. This list maps each Puppet resource (for example, dsc_xcertreq) to the corresponding DSC resource.
Because types are built from the source code of each DSC Resources MOF schema files, the name of the DSC resource in the types document links to a local copy of that resource code (in this case, xCertReq), so that you can see how the code is applied to your system.
Where available, a link to the external GitHub repo of each resource is also included. The DSC resources are third-party resources that may or may not be documented in their repositories. Available DSC resources and parameters are subject to change.
DSC Composite Resources are not supported.
DSC requires PowerShell Execution Policy for the LocalMachine scope to be set to a less restrictive setting than Restricted. If you see the error below, see MODULES-2500 for more information.
Error: /Stage[main]/Main/Dsc_xgroup[testgroup]: Could not evaluate: Importing module MSFT_xGroupResource failed with
error - File C:\Program
Files\WindowsPowerShell\Modules\PuppetVendoredModules\xPSDesiredStateConfiguration\DscResources\MSFT_xGroupR
esource\MSFT_xGroupResource.psm1 cannot be loaded because running scripts is disabled on this system. For more
information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Path property for the Package DSC Resource. The underlying implementation does not accept forward slashes instead of backward slashes in paths, and it throws a misleading error that it could not find a Package with the Name and ProductId provided. MODULES-2486 has more examples and information on this subject.dsc_ensure overrides and ignores the value in ensure if both are present in a Puppet DSC resource. See Using DSC Resources with Puppet.The DSC Local Configuration Manager (LCM) RefreshMode must be set to either Push or Disabled for the Puppet dsc module to function. The default value for RefreshMode in WMF 5.0 and WMF 5.1 is Push — there is no action needed on your part. Changing the value is only needed if the RefreshMode has been set to any value other than Push. The Puppet dsc module uses the Invoke-DscResource cmdlet to invoke DSC Resources of the target machine. If the RefreshMode is set to Pull, DSC Resources will only run from a DSC Pull Server — in this setting DSC does not allow any DSC Resources to be run interactively on the host.
The WaitFor* type of DSC Resources may not work with this module. These DSC Resources use sleeps, timers, or locking to ‘wait’ for other resources to be in a specified state. These waits would ‘pause’ a Puppet run for an amount of time that varies between DSC Resource implementations, which may cause unintended problems in the Puppet run. Puppet cannot test all possible interactions from these WaitFor* DSC Resources, and does not support them at this time.
The dsc_log resource might not appear to work. The “Log” resource writes events to the ‘Microsoft-Windows-Desired State Configuration/Analytic’ event log, which is disabled by default.
You might have issues if you attempt to use dsc_ensure => absent with dsc_service with services that are not running.
When setting resources to absent, you might normally specify a minimal statement such as:
dsc_service{'disable_foo':
dsc_ensure => absent,
dsc_name => 'foo'
}
However, due to the way the Service DSC Resource sets its defaults, if the service is not currently running, the above statement erroneously reports that the service is already absent. To work around this, specify that State => 'Stopped' as well as Ensure => absent'. The following example works:
dsc_service{'disable_foo':
dsc_ensure => absent,
dsc_name => 'foo',
dsc_state => 'stopped'
}
MODULES-2512 has more details.
You might have issues attempting to use dsc_ensure => absent with dsc_xservice with services that are already not present. To work around this problem, always specify the path to the executable for the service when specifying absent. MODULES-2512 has more details. The following example works:
dsc_xservice{'disable_foo':
dsc_ensure => absent,
dsc_name => 'foo',
dsc_path => 'c:\\Program Files\\Foo\\bin\\foo.exe'
}
Use ensure instead of dsc_ensure - ensure => absent will report success while doing nothing - see MODULES-2966 for details. Also see Using DSC Resources with Puppet.
When installing the module on Windows you might run into an issue regarding long file names (LFN) due to the long paths of the generated schema files. If you install your module on a Linux master, and then use plugin sync you will likely not see this issue. If you are attempting to install the module on a Windows machine using puppet module install puppetlabs-dsc you may run into an error that looks similar to the following:
Error: No such file or directory @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/cache/puppet-module/cache/tmp-unpacker20150713-...mof
Error: Try 'puppet help module install' for usage
For Puppet 4.2.2+ (and 3.8.2) we’ve decreased the possibility of the issue occurring based on the fixes in PUP-4854. A complete fix is plannd in a future version of Puppet that incorporates PUP-4866.
If you are affected by this issue:
--module_working_dir parameter to set a different temporary directory which has a smaller length, for example;
puppet module install puppetlabs-dsc --module_working_dir C:\Windows\Temp.tar.gz from the Forge and use puppet module install using the downloaded file, rather than directly installing from the Forge.Windows Server 2003 is not supported. If this module is present on the master, it breaks Windows 2003 agents.
When installed on a Puppet master to the default production environment, this module causes pluginsync to fail on Windows 2003 agents because of an issue with LFN (long file names). To work around this issue, host your Windows 2003 nodes on a Puppet environment that is separate from production and that does not have the DSC module installed.
--noop mode, puppet resource and property change notifications are currently not implemented - see MODULES-2270 for details.
Known WMF 5.0 Product Incompatibilites
Systems that are running the following server applications should not run Windows Management Framework 5.0 at this time:
The Registry DSC Resource continually changes state, even if the system state matches the desired state, when using a HEX value. See issue #237 for more information.
The Puppet DSC module hangs on systems with WMF 5.1 installed. This is being addressed in MODULES-3690.
If you create files with the dsc_file resource, the resulting file on disk will be UTF-8 with BOM. This can be a problem if you use tools that are not UTF-8 BOM aware. This is by design for Microsoft PowerShell DSC. More information can be found in MODULES-3178.
While there are avenues for using Puppet with a non-administrative account, DSC is limited to only accounts with administrative privileges. The underlying CIM implementation DSC uses for DSC Resource invocation requires administrative credentials to function.
The Puppet agent on a Windows node can run DSC with a normal default install. If the Puppet agent was configured to use an alternate user account, that account must have administrative privileges on the system in order to run DSC.
When Puppet runs, the dsc module takes the code supplied in your puppet manifest and converts that into PowerShell code that is sent to the DSC engine directly using Invoke-DscResource. You can see both the commands sent and the result of this by running puppet interactively, e.g. puppet apply --debug. It will output the PowerShell code that is sent to DSC to execute and the return data from DSC. For example:
Notice: Compiled catalog for win2012r2 in environment production in 0.82 seconds
Debug: Creating default schedules
Debug: Loaded state in 0.03 seconds
Debug: Loaded state in 0.05 seconds
Info: Applying configuration version '1475264065'
Debug: Reloading posix reboot provider
Debug: Facter: value for uses_win32console is still nil
Debug: PowerShell Version: 5.0.10586.117
$invokeParams = @{
Name = 'ExampleDSCResource'
Method = 'test'
Property = @{
property1 = 'value1'
property2 = 'value2'
}
ModuleName = @{
ModuleName = "C:/puppetlabs/modules/dsc/lib/puppet_x/dsc_resources/ExampleDSCResource/ExampleDSCResource.psd1"
RequiredVersion = "1.0"
}
}
############### SNIP ################
Debug: Waited 50 milliseconds...
############### SNIP ################
Debug: Waited 500 total milliseconds.
Debug: Dsc Resource returned: {"rebootrequired":false,"indesiredstate":false,"errormessage":""}
Debug: Dsc Resource Exists?: false
Debug: ensure: present
############### SNIP ################
$invokeParams = @{
Name = 'ExampleDSCResource'
Method = 'set'
Property = @{
property1 = 'value1'
property2 = 'value2'
}
ModuleName = @{
ModuleName = "C:/puppetlabs/modules/dsc/lib/puppet_x/dsc_resources/ExampleDSCResource/ExampleDSCResource.psd1"
RequiredVersion = "1.0"
}
}
############### SNIP ################\
Debug: Waited 100 total milliseconds.
Debug: Create Dsc Resource returned: {"rebootrequired":false,"indesiredstate":true,"errormessage":""}
Notice: /Stage[main]/Main/Dsc_exampledscresource[foober]/ensure: created
Debug: /Stage[main]/Main/Dsc_exampledscresource[foober]: The container Class[Main] will propagate my refresh event
Debug: Class[Main]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 56434520
Debug: Storing state
Debug: Stored state in 0.10 seconds
############### SNIP ################
This shows us that there wasn’t any problem parsing your manifest and turning it into a command to send to DSC. It also shows that there are two commands/operations for every DSC Resource executed, a SET and a test. DSC operates in two stages, it first tests if a system is in the desired state, then it sets the state of the system to the desired state. You can see the result of each operation in the debug log.
By using the debug logging of a puppet run, you can troubleshoot the application of DSC Resources during the development of your puppet manifests.
Puppet Inc modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
For more information, see our module contribution guide.
This module generally follows Semantic Versioning for choosing an appropriate release version number with the following exception:
A minor change may also include rebuilding the DSC resource types. Puppet wants to keep pace with the released DSC Resources from the PowerShell team repository, but this engenders risk as Puppet adopts third party code. Normally this would mean making major version bumps, but since this is anticipated to be frequent that would be too much churn.
To see who’s already involved, see the list of contributors.
You can learn more about PowerShell DSC from the following online resources:
There are several books available as well. Here are some selected books for reference: