Open
Description
Use Case
There are 2 things :
- When migrating from old dsc to pwshlib, many resources with dsc_credentials become unusable and it adds a huge burden on migration
- With our scenario using hiera and lookup has (apparently) no easy solution to handle Sensitive String
Hiera
sw_iis::iis_application_pools:
machin.fr:
# // stuff here//
dsc_managedruntimeversion: 'v4.0'
dsc_identitytype: 'SpecificUser'
dsc_credential:
user: 'toto'
password: 'tata'
init.pp
# // stuff//
$iis_application_pools = lookup('sw_iis::iis_application_pools',Hash,$_merge_strategy, {})
include sw_iis::gensite
# //Stuff//
gensite.pp
# //Stuff//
$sw_iis::iis_application_pools.each |String $name, Hash $config| {
ensure_resources(dsc_webapppool, { $name => $config },$defaults_dsc_webapppool)
}
# //Stuff//
Describe the Solution You Would Like
I opened this issue : puppetlabs/Puppet.Dsc#306
The solution would need both.
- Ensure dsc modules are generated with credentials like this
dsc_psdscrunascredential: {
type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
desc: ' ',
behaviour: :parameter,
mandatory_for_get: false,
mandatory_for_set: false,
mof_type: 'PSCredential',
mof_is_embedded: true,
},
Notice the change on type:
type: 'Optional[Struct[{ user => String[1], password => Sensitive[String[1]] }]]',
# to
type: 'Optional[Struct[{ user => String[1], password => Variant[String[1], Sensitive[String[1]]] }]]',
- Ensure the dsc_base_provider does not enforce Sensitive when dealing with PSCredential
Describe Alternatives You've Considered
An easy way maybe would be to catch PSCredential as you do in PSCredential and apply Sensitive at this level if a PSCredential['password'] is a string.
Metadata
Assignees
Labels
No labels