[DSC] Securing Mof Files with dsc_resource or other means? - Exchange Server

Hello Chef Community,

Had a question for you and maybe you can help me to find the answer. I have finally started to use chef and I am trying to automate everything as much as possible. Currently, a task is to automate the installation of Exchange Server with dsc module xExchange.

Technology

  • Exchange
  • DSC - dsc_resource
  • Chef

Everything works with DSC, but now I am trying to translate it into Chef. One of the things that needs to be done is to secure the MOF file in DSC so it can detect the correct account with the correct permissions.

Example Script:

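Configuration InstallExchange
{
    param
    (
        [PSCredential] $ShellCreds
    )

    # Make the xExchange resources (xExchInstall) available to this configuration
    Import-DscResource -Module xExchange

    Node $AllNodes.NodeName
    {
        xExchInstall InstallExchange
        {
            Path       = "C:\Exch\Setup.exe"
            Arguments  = "/mode:Install /role:Mailbox /Iacceptexchangeserverlicenseterms"
            Credential = $ShellCreds
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = "*"
            # Replace thumbprint with yours or use precreated cert
            # CertificateFile: public key used to encrypt credentials in the MOF
            CertificateFile = "$env:temp\XXXXXX.cer"
            # Thumbprint: certificate the target node uses to decrypt them
            Thumbprint      = "XXXXXXXXXXXXXXXXXXX"
        }

        @{
            NodeName = "localhost"
        }
    );
}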

Question:

It seems this is one of the requirements for the install of Exchange. Let me know if there is any other, better way to do it. Appreciate the help and thank you!

What about chef vault? That’s what I’ve used with DSC in the past.

I would stay away from MOF if you’re using Chef and DSC. Instead, I would recommend using the dsc_resource resource as it is much cleaner and provides the dynamic abilities of runtime manipulation vs using static MOF files.

I’ve used Chef Vault in this instance in a dev/test scenario and found it useful. But there are some areas you need to consider around scale that may steer you away from it. Here is an article on such a subject if you’re interested: http://www.pburkholder.com/blog/2015/12/04/why-chef-vault-and-autoscaling-dont-mix/. There are some other considerations around how you manage vaults, but you can ascertain these on your own and make your own decisions as to whether you think it is worthy or not.

Thank you for all the information. I wanted to let you know after some time that we started using chef-vault and it's working as expected. If anyone has questions on this, please let me know.

dsc_resource 'install_exchange' do
  resource :xExchInstall
  property :Path, 'C:\exchange_install\Setup.exe'
  property :Arguments, exchange_inst_args
  property :Credential, ps_credential(domain_user_full, domain_pass)
  timeout 7200
  not_if { exchange_installed }
end
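
For the certificate-based MOF encryption that the original question asks about, here is an added example that is not from any poster in this thread. It points the LCM at the decryption certificate through CertificateID and checks the compiled MOFs for the plaintext password before applying them. The certificate file name, thumbprint placeholder, output path and configuration name are assumptions.

```powershell
# Added example. Certificate path, thumbprint and output path are placeholders.
$certFile   = "$env:TEMP\DscPublicKey.cer"   # public key exported from the node's certificate
$thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
$outPath    = "$env:TEMP\InstallExchange"

Configuration InstallExchangeEncrypted
{
    param ([Parameter(Mandatory)] [PSCredential] $ShellCreds)

    Import-DscResource -Module xExchange

    Node $AllNodes.NodeName
    {
        # Tell the LCM which certificate's private key decrypts the credential
        LocalConfigurationManager
        {
            CertificateID = $Node.Thumbprint
        }

        xExchInstall InstallExchange
        {
            Path       = 'C:\Exch\Setup.exe'
            Arguments  = '/mode:Install /role:Mailbox /Iacceptexchangeserverlicenseterms'
            Credential = $ShellCreds
        }
    }
}

$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            CertificateFile             = $certFile
            Thumbprint                  = $thumbprint
            PSDscAllowPlainTextPassword = $false   # no usable cert: compile error, not plaintext
        }
    )
}

$cred = Get-Credential -Message 'Exchange setup account'
InstallExchangeEncrypted -ConfigurationData $ConfigData -ShellCreds $cred -OutputPath $outPath | Out-Null

# Check: the plaintext password must not appear in any generated MOF
$plain = $cred.GetNetworkCredential().Password
$leaks = Get-ChildItem $outPath -Filter *.mof | Select-String -SimpleMatch -Pattern $plain
if ($leaks) { throw "Plaintext credential found in: $(($leaks.Path | Select-Object -Unique) -join ', ')" }

Set-DscLocalConfigurationManager -Path $outPath -Verbose   # applies localhost.meta.mof
Start-DscConfiguration -Path $outPath -Wait -Verbose
```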