[DSC] Securing Mof Files with dsc_resource or other means? - Exchange Server


#1

Hell Chef Community,

Had a question for you and maybe you can help me to find the answer. I have finally started to use chef and I am trying to automate everything as much as possible. Currently, a task is to automate the installation of Exchange Server with dsc module xExchange.

Technology

  • Exchange
  • DSC - dsc_resource
  • Chef

Everything works with DSC but now I am trying to translate it into chef. One of the things that needs to be done is to have secure the mof file in DSC so it can detect the correct account with the correct permissions.

Example Script:

Configuration InstallExchange
{
    param
    (
        [PSCredential] $ShellCreds
    )


    Node $allnodes.Nodename
    {
     
        xExchInstall InstallExchange
        {
            Path       = "C:\Exch\Setup.exe"
            Arguments  = "/mode:Install /role:Mailbox /Iacceptexchangeserverlicenseterms"
            Credential = $ShellCreds
        }

    }
}
$ConfigData=@{
    AllNodes = @(
 
        @{
            NodeName = "*"
                  #Replace thumbprint with yours or use precreated cert
                  CertificateFile = "$env:temp\XXXXXX.cer"
                  Thumbprint = "XXXXXXXXXXXXXXXXXXX"
                  
        }
 
        @{
            NodeName = "localhost"
        }
    );
}

Question:

It seems this is one of the requirements for the install of exchange. Let me know or if there is any other better way to do it. Appreciate the help and thank you!


#2

Why about chef vault? That’s what I’ve used with DSC in the past.


#3

I would stay away from MOF if you’re using Chef and DSC. Instead, I would recommend using the dsc_resource resource as it is much cleaner and provides the dynamic abilities of runtime manipulation vs using static MOF files.

I’ve used Chef Vault in this instance in a dev/test scenario and found it useful. But there are some areas you need to consider around scale that may steer you away from it. Here is an article on such a subject if you’re interested: http://www.pburkholder.com/blog/2015/12/04/why-chef-vault-and-autoscaling-dont-mix/. There are some other considerations around how you manage vaults, but you can ascertain these on your own and make your own decisions as to whether you think it is worthy or not.