Idempotent IIS


#1

My initial testing demonstrates that the IIS Cookbook is not fully
idempotent (see below for an example).

Code

# webserver::iisbase, lines 176-178
iis_config "-section:system.webServer/httpCompression /+\"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']\" /commit:apphost" do
  action :config
end

Results from first run

[2014-02-20T17:28:57-05:00] INFO: IIS Config command run
[2014-02-20T17:28:57-05:00] INFO: Processing iis_config[-section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']" /commit:apphost] action config (webserver::iisbase line 176)
[2014-02-20T17:28:57-05:00] INFO: IIS Config command run

Results from second run


[2014-02-20T17:29:40-05:00] INFO: Processing iis_config[-section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']" /commit:apphost] action config (webserver::iisbase line 176)

================================================================================
Error executing action config on resource 'iis_config[-section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']" /commit:apphost]'

Question:
How are those of you who are working in Windows/IIS ensuring idempotent
recipes for configuring IIS?


#2

Hi,

On 21 February 2014 19:31, Kenneth Barry kbarry-x@tunein.com wrote:

> Question:
> How are (those of you who are working in Windows/IIS), ensuring Idempotent
> Recipes for configuring IIS?

On occasions where the community cookbook doesn’t provide idempotent
resources, I call out to powershell, and add a guard where needed.

S.


Stephen Nelson-Smith,
Founder, Principal Consultant,
Atalanta Systems Ltd,
Web: http://agilesysadmin.net
Twitter: @lordcope
Skype: atalanta.systems
Direct: +44 (0) 1329 550203
Mobile: +44 (0) 7917 101919

Atalanta Systems: The Agile Infrastructure Enablers
http://atalanta-systems.com


#3

I ran into the same issue when I started using the IIS cookbook. I had to write my own cookbook with a powershell script in it to do the job. I used guards to ensure idempotency.

Kapil


This email and any accompanying documents may contain privileged or otherwise confidential information of, and/or is the property of Education Management Solutions, Inc. If you are not the intended recipient, please immediately advise the sender by reply email & delete the message & any attachments without using, copying or disclosing the contents. Thank you.


#4

Can I use powershell to check the settings, but if the powershell indicates
they are different than what they should be, have the iis cookbook sections
run again?

Something like

powershell_script "checking setting #1"
(check if settings are the same)

iis_config
only do this if "checking setting #1" returned false.

This is more of a capability/syntax question.



#5

Chef resources do not return a value (as far as I know). You will have to use “powershell_out” to check for a certain condition, and based on what it returns you can trigger the iis_config resource.

-Kapil



#6

Seems like you can do this without powershell_out - you can coerce
powershell to return an exit code using the exit command in powershell -
here’s an example:

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'

The above guard will cause the resource to not execute if powershell’s
execution policy is set to remotesigned.

Somewhat related, here is a proposal to make it easier to use powershell
and other script resources in guard expressions:

https://github.com/opscode/chef-rfc/blob/adamed/resource-guard/rfc0001-resource-guard.md

-Adam



#7

That is a good idea! I was suggesting something like this:

# ---------- 1. Install IIS Role, if not already installed ----------

# Probe script: outputs 1 if the Web-Server feature exists but is not installed, otherwise 0
script = <<-EOF
  $x = Get-WindowsFeature -name "Web-Server"
  $status = 0
  if ($x -ne $null)
  {
    $installed = $x.Installed
    if ($installed -eq $false)
    {
      $status = 1
    }
    else
    {
      $status = 0
    }
  }
  return $status
EOF

# Run the probe and keep its output with the trailing line ending removed
cmd = powershell_out(script)
x = cmd.stdout.chop

powershell_script "Install_IIS" do
  code <<-EOH
    Install-WindowsFeature -name "Web-Server" -IncludeManagementTools -IncludeAllSubFeature
  EOH
  # Only install when the probe reported "not installed"
  only_if { x == '1' }
end

-Kapil



#8

Adam, re: the example:

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'

I’m new enough to chef to see how this works, but not see where I would
"place it".

I’ve never used nor seen a not_if. Do you have a link to an expanded
use-case example?



#9

Kenneth, I would start with Kapil’s example below (Kapil, did you verify
that it worked for you?). Here’s the full context of my example, which was
not about iis, but about setting execution policy:

# Sets x64 execution policy to remote signed, but only if it's not already set
powershell_script "set execution policy" do
  code "set-executionpolicy remotesigned"
  # The guard command exits 0 (resource skipped) when the policy is already
  # RemoteSigned, and exits 1 (resource runs) otherwise
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'
end

So the approach is to use the exit command in PowerShell to set a non-zero
(i.e. failed) process exit code when we identify a condition in which the
resource should run. The non-zero exit code is interpreted by not_if as
"false," and therefore the resource will be executed. See this part of the
docs for more on how “guard” expressions like not_if can be used to provide
idempotence where needed: http://docs.opscode.com/resource_common.html.

-Adam



#10

It would be something like this:
iis_config "Configure_IIS" do
  # The guard goes inside the resource block
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-WindowsFeature -Name Web-Server) -eq $null)"'
end

Thanks

-Kapil

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 12:58 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Adam, re: the example:

not_if 'powershell -noninteractive -noprofile -command “exit [int32]((Get-ExecutionPolicy) -eq ‘RemoteSigned’)”'
I’m new enough to chef to see how this works, but not see where i would “place it”.
I’ve never used nor seen a not_if. Do you have a link to an exanded use-case example?

On Fri, Feb 21, 2014 at 12:13 PM, Kapil Shardha <Kapil.Shardha@simulationiq.commailto:Kapil.Shardha@simulationiq.com> wrote:
That is a good idea! I was suggesting something like this:

---------- 1. Install IIS Role, if not already installed ----------

script =<<-EOF

            $x = Get-WindowsFeature -name "Web-Server"
            $status = 0
            if($x -ne $null)
            {
                            $installed = $x.Installed
                            if($installed -eq $false)
                            {
                                            $status = 1
                            }
                            else
                            {
                                            $status = 0
                            }

            }
            return $status

EOF

cmd = powershell_out(script)

x = cmd.stdout.chop

powershell_script “Install_IIS” do
code <<-EOH

            Install-WindowsFeature -name "Web-Server" -IncludeManagementTools -IncludeAllSubFeature

            EOH
            only_if { x == '1' }
            end

-Kapil

From: Adam Edwards [mailto:adamed@getchef.commailto:adamed@getchef.com]
Sent: Friday, February 21, 2014 3:09 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] RE: RE: Re: RE: Re: Idempotent IIS

Seems like you can do this without powershell_out - you can coerce powershell to return an exit code using the exit command in powershell - here’s an example:

not_if ‘powershell -noninteractive -noprofile -command “exit [int32]((Get-ExecutionPolicy) -eq ‘RemoteSigned’)”’

The above guard will cause the resource to not execute if powershell’s execution policy is set to remotesigned.

Somewhat related, here is a proposal to make it easier to use powershell and other script resources in guard expressions:

https://github.com/opscode/chef-rfc/blob/adamed/resource-guard/rfc0001-resource-guard.md

-Adam

From: Kapil Shardha [mailto:Kapil.Shardha@SimulationIQ.commailto:Kapil.Shardha@SimulationIQ.com]
Sent: Friday, February 21, 2014 12:02 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] RE: Re: RE: Re: Idempotent IIS

Chef resources do not return a value (as far as I know). You will have to use “powershell_out” to check for certain condition and based on what it returns you can trigger the iis_config resource.

-Kapil

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Friday, February 21, 2014 2:58 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Idempotent IIS

Can I use powershell to check the settings, but if the powershell indicates they are different than what they should be, have the iis cookbook sections run again?
Something like
powershell_script “checking setting #1
(check if settings are the same)
iis_config
only do this is “checking setting #1” returned false.
This is more of a capability/syntax question.

On Fri, Feb 21, 2014 at 11:54 AM, Kapil Shardha <Kapil.Shardha@simulationiq.commailto:Kapil.Shardha@simulationiq.com> wrote:
I ran into same issue when I started using IIS cookbook. I had to write my own cookbook with powershell script in it to do the job.I used guards to ensure idempotency.

Kapil

-------- Original message --------
From: Stephen Nelson-Smith
Date:02/21/2014 2:37 PM (GMT-05:00)
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: Idempotent IIS
Hi,

On 21 February 2014 19:31, Kenneth Barry <kbarry-x@tunein.commailto:kbarry-x@tunein.com> wrote:

Question:
How are (those of you who are working in Windows/IIS), ensuring Idempotent Recipes for configuring IIS?

On occasions where the community cookbook doesn’t provide idempotent resources, I call out to powershell, and add a guard where needed.
S.


Stephen Nelson-Smith,
Founder, Principal Consultant,
Atalanta Systems Ltd,
Web: http://agilesysadmin.net
Twitter: @lordcope
Skype: atalanta.systems
Direct: +44 (0) 1329 550203
Mobile: +44 (0) 7917 101919

Atalanta Systems: The Agile Infrastructure Enablers
http://atalanta-systems.com


This email and any accompanying documents may contain privileged or otherwise confidential information of, and/or is the property of Education Management Solutions, Inc. If you are not the intended recipient, please immediately advise the sender by reply email & delete the message & any attachments without using, copying or disclosing the contents. Thank you.




#11

Adam,

The example that I suggested (with powershell_out) worked for me.

-Kapil

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: Monday, February 24, 2014 1:09 PM
To: chef@lists.opscode.com
Subject: [chef] RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Kenneth, I would start with Kapil’s example below (Kapil, did you verify that it worked for you?). Here’s the full context of my example, which was not about iis, but about setting execution policy:

# Sets x64 execution policy to remote signed, but only if it’s not already set

powershell_script "set execution policy" do
  code "set-executionpolicy remotesigned"
  # String guard: exit code 0 counts as true, so the check exits 0 (skip) once the policy is already RemoteSigned
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'
end

So the approach is to use the exit command in PowerShell to set a non-zero (i.e. failed) process exit code when we identify a condition in which the resource should run. The non-zero exit code is interpreted by not_if as “false,” and therefore the resource will be executed. See this part of the docs for more on how “guard” expressions like not_if can be used to provide idempotence where needed: http://docs.opscode.com/resource_common.html.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 9:58 AM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Adam, re: the example:

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'
I’m new enough to chef to see how this works, but not see where I would “place it”.
I’ve never used nor seen a not_if. Do you have a link to an expanded use-case example?

On Fri, Feb 21, 2014 at 12:13 PM, Kapil Shardha <Kapil.Shardha@simulationiq.com> wrote:
That is a good idea! I was suggesting something like this:

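# ---------- 1. Install IIS Role, if not already installed ----------

# PowerShell check: prints 1 when the Web-Server feature exists but is not installed, otherwise 0
script = <<-EOF
    $x = Get-WindowsFeature -name "Web-Server"
    $status = 0
    if($x -ne $null)
    {
        $installed = $x.Installed
        if($installed -eq $false)
        {
            $status = 1
        }
        else
        {
            $status = 0
        }
    }
    return $status
EOF

# powershell_out runs while the recipe is compiled; x holds the script's output without the trailing newline
cmd = powershell_out(script)
x = cmd.stdout.chop

powershell_script "Install_IIS" do
  code <<-EOH
    Install-WindowsFeature -name "Web-Server" -IncludeManagementTools -IncludeAllSubFeature
  EOH
  # Ruby block guard: run the install only when the check printed 1
  only_if { x == '1' }
end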

-Kapil

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: Friday, February 21, 2014 3:09 PM
To: chef@lists.opscode.com
Subject: [chef] RE: RE: Re: RE: Re: Idempotent IIS

Seems like you can do this without powershell_out - you can coerce powershell to return an exit code using the exit command in powershell - here’s an example:

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -ne \'RemoteSigned\')"'

The above guard will cause the resource to not execute if powershell’s execution policy is set to remotesigned.

Somewhat related, here is a proposal to make it easier to use powershell and other script resources in guard expressions:

https://github.com/opscode/chef-rfc/blob/adamed/resource-guard/rfc0001-resource-guard.md

-Adam



#12

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-WindowsFeature -Name Web-Server) -ne $null)"'

As I read this it will not perform the code (configure iis) if there is no
windows feature named web-server…
I see the context.
Thanks for the feedback, I am going to give this a shot. not_if figures
out the context required to run the command? Do I need to have
powershell.exe’s location in my environment path? Sorry for the new
question, there may be a lot of “granted” knowledge from a little
experience that I still lack.



#13

Kenneth, currently guard expressions that use strings (i.e. not_if followed
by a string, not curly braces) are executed as batch scripts via cmd.exe
(this cmd.exe thing is something I am proposing we change, see pointers to
an RFC earlier in the thread if you are interested in that side
conversation). So you do need to have powershell.exe in the path - it
should already be there since Windows ships that way (and if you install
powershell it will add it to the path).

You could also look at Kapil’s solution since it is working for him - it
essentially does the same thing as my example, but runs the powershell
script code outside the context of the resource, assigns the value to a
Ruby variable, and then evaluates that variable in the not_if guard as a
Ruby expression rather than a script to be interpreted by cmd.exe.

-Adam
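
A block-style guard for the iis_config call from the start of this thread, as an added example (not code from the iis cookbook or from anyone posting here). It assumes `appcmd list config` prints the httpCompression section as XML; the sample output is constructed and the helper names `dynamic_type_state` and `skip_add?` are hypothetical.

```ruby
require 'rexml/document'

# Constructed sample (not captured from a real server) of the XML that
#   %windir%\system32\inetsrv\appcmd.exe list config -section:system.webServer/httpCompression
# is assumed to print. application/json appears under staticTypes only.
SAMPLE_APPCMD_OUTPUT = <<~'XML'
  <system.webServer>
    <httpCompression>
      <scheme name="gzip" />
      <staticTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="application/json; charset=utf-8" enabled="true" />
      </staticTypes>
      <dynamicTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="*/*" enabled="false" />
      </dynamicTypes>
    </httpCompression>
  </system.webServer>
XML

# Hypothetical helper: reports how mime_type is configured under dynamicTypes.
# Returns :absent, :enabled or :disabled. Raises ArgumentError when the text is
# not the expected XML (for example an appcmd error message), so a failed query
# stops the run instead of silently counting as "not configured".
def dynamic_type_state(appcmd_xml, mime_type)
  doc = REXML::Document.new(appcmd_xml)
  section = REXML::XPath.first(doc, '//httpCompression/dynamicTypes')
  raise ArgumentError, 'no httpCompression/dynamicTypes element in appcmd output' if section.nil?

  # Look only inside dynamicTypes; staticTypes can hold the same mimeType.
  entry = section.elements.to_a('add').find { |el| el.attributes['mimeType'] == mime_type }
  return :absent if entry.nil?

  entry.attributes['enabled'].to_s.casecmp?('true') ? :enabled : :disabled
rescue REXML::ParseException
  raise ArgumentError, 'appcmd output is not XML'
end

# Hypothetical helper: the value a not_if block should return for the
# /+"dynamicTypes.[...]" add. The add is only needed while no entry with that
# mimeType exists; an entry that exists but is disabled still means "skip the
# add" and has to be changed by a different appcmd call.
def skip_add?(appcmd_xml, mime_type)
  dynamic_type_state(appcmd_xml, mime_type) != :absent
end

# Recipe wiring (needs Chef, the iis cookbook and a Windows node, so it is
# shown as a comment). powershell_out is used the same way as earlier in the
# thread, but inside the block so the check runs at converge time:
#
#   mime = 'application/json; charset=utf-8'
#   list = '& "$env:windir\system32\inetsrv\appcmd.exe" list config -section:system.webServer/httpCompression'
#   args = %q(-section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']" /commit:apphost)
#
#   iis_config args do
#     action :config
#     # Ruby block guard: a truthy result skips the resource; cmd.exe is not involved.
#     not_if { skip_add?(powershell_out(list).stdout, mime) }
#   end
```
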



#14

I’m going to go with your method Adam, as I am still getting my head
wrapped around ruby enough to really understand what’s getting passed where
:)

Neither of these are how it might be in the future, but it’s pretty close :)

On Mon, Feb 24, 2014 at 11:52 AM, Adam Edwards adamed@getchef.com wrote:

Kenneth, currently guard expressions that use strings (i.e. not_if
followed by a string, not curly braces) are executed as batch scripts via
cmd.exe (this cmd.exe thing is something I am proposing we change, see
pointers to an RFC earlier in the thread if you are interested in that side
conversation). So you do need to have powershell.exe in the path - it
should already be there since Windows ships that way (and if you install
powershell it will add it to the path).

You could also look at Kapil’s solution since it is working for him - it
essentially does the same thing, as my example, but runs the powershell
script code outside the context of the resource, assigns the value to a
Ruby variable, and then evaluates that variable in the not_if guard as a
Ruby expression rather than a script to be interpreted by cmd.exe.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 10:31 AM
To: chef@lists.opscode.com
Cc: adamed@getchef.com
Subject: Re: [chef] RE: RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

not_if ‘powershell -noninteractive -noprofile -command “exit
[int32]((Get-WindowsFeature -Name Web-Server) -eq $null)”’

As i read this is will not perform the code ( configure iis) if there is
no windows feature names web-server…

I see the context.

Thanks for the feedback, I am going to give this a shot. not_if figures
out the context required to run the command? Do i need to have
powershell.exe’s location in my environment path? Sorry for the new
question, there may be a lot of “granted” knowledge from a little
experience that I still lack.

On Mon, Feb 24, 2014 at 10:13 AM, Kapil Shardha <
Kapil.Shardha@simulationiq.com> wrote:

Adam,

The example that I suggested (with powershell_out) worked for me.

-Kapil

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: Monday, February 24, 2014 1:09 PM
To: chef@lists.opscode.com
Subject: [chef] RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Kenneth, I would start with Kapil’s example below (Kapil, did you verify
that it worked for you?). Here’s the full context of my example, which was
not about iis, but about setting execution policy:

Sets x64 execution policy to remote signed, but only if it’s not already

set

powershell_script “set execution policy” do

code “set-executionpolicy remotesigned”

not_if ‘powershell -noninteractive -noprofile -command “exit
[int32]((Get-ExecutionPolicy) -eq ‘RemoteSigned’)”’

end

So the approach is to use the exit command in PowerShell to set a non-zero
(i.e. failed) process exit code when we identify a condition in which the
resource should run. The non-zero exit code is interpreted by not_if as
"false," and therefore the resource will be executed. See this part of the
docs for more on how “guard” expressions like not_if can be used to provide
idempotence where needed: http://docs.opscode.com/resource_common.html.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 9:58 AM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Adam, re: the example:

not_if ‘powershell -noninteractive -noprofile -command “exit
[int32]((Get-ExecutionPolicy) -eq ‘RemoteSigned’)”’

I’m new enough to chef to see how this works, but not see where i would
"place it".

I’ve never used nor seen a not_if. Do you have a link to an exanded
use-case example?

On Fri, Feb 21, 2014 at 12:13 PM, Kapil Shardha <
Kapil.Shardha@simulationiq.com> wrote:

That is a good idea! I was suggesting something like this:

---------- 1. Install IIS Role, if not already installed ----------

script =<<-EOF

            $x = Get-WindowsFeature -name "Web-Server"

            $status = 0

            if($x -ne $null)

            {

                            $installed = $x.Installed

                            if($installed -eq $false)

                            {

                                            $status = 1

                            }

                            else

                            {

                                            $status = 0

                            }



            }

            return $status

EOF

cmd = powershell_out(script)

x = cmd.stdout.chop

powershell_script “Install_IIS” do

            code <<-EOH





            Install-WindowsFeature -name "Web-Server"

-IncludeManagementTools -IncludeAllSubFeature

            EOH

            only_if { x == '1' }

            end

-Kapil

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: Friday, February 21, 2014 3:09 PM
To: chef@lists.opscode.com
Subject: [chef] RE: RE: Re: RE: Re: Idempotent IIS

Seems like you can do this without powershell_out - you can coerce
powershell to return an exit code using the exit command in powershell -
here’s an example:

not_if ‘powershell -noninteractive -noprofile -command “exit
[int32]((Get-ExecutionPolicy) -eq ‘RemoteSigned’)”’

The above guard will cause the resource to not execute if powershell’s
execution policy is set to remotesigned.

Somewhat related, here is a proposal to make it easier to use powershell
and other script resources in guard expressions:

https://github.com/opscode/chef-rfc/blob/adamed/resource-guard/rfc0001-resource-guard.md

-Adam

From: Kapil Shardha [mailto:Kapil.Shardha@SimulationIQ.com]
Sent: Friday, February 21, 2014 12:02 PM
To: chef@lists.opscode.com
Subject: [chef] RE: Re: RE: Re: Idempotent IIS

Chef resources do not return a value (as far as I know). You will have to
use “powershell_out” to check for certain condition and based on what it
returns you can trigger the iis_config resource.

-Kapil

From: Kenneth Barry [mailto:kbarry-x@tunein.com kbarry-x@tunein.com]
Sent: Friday, February 21, 2014 2:58 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Idempotent IIS

Can I use powershell to check the settings, but if the powershell
indicates they are different than what they should be, have the iis
cookbook sections run again?

Something like

powershell_script “checking setting #1

(check if settings are the same)

iis_config

only do this is “checking setting #1” returned false.

This is more of a capability/syntax question.

On Fri, Feb 21, 2014 at 11:54 AM, Kapil Shardha <
Kapil.Shardha@simulationiq.com> wrote:

I ran into the same issue when I started using IIS cookbook. I had to write my
own cookbook with powershell script in it to do the job. I used guards to
ensure idempotency.

Kapil

-------- Original message --------
From: Stephen Nelson-Smith
Date:02/21/2014 2:37 PM (GMT-05:00)
To: chef@lists.opscode.com
Subject: [chef] Re: Idempotent IIS

Hi,

On 21 February 2014 19:31, Kenneth Barry kbarry-x@tunein.com wrote:

Question:

How are (those of you who are working in Windows/IIS), ensuring Idempotent
Recipes for configuring IIS?

On occasions where the community cookbook doesn’t provide idempotent
resources, I call out to powershell, and add a guard where needed.

S.


Stephen Nelson-Smith,
Founder, Principal Consultant,
Atalanta Systems Ltd,
Web: http://agilesysadmin.net
Twitter: @lordcope
Skype: atalanta.systems
Direct: +44 (0) 1329 550203
Mobile: +44 (0) 7917 101919

Atalanta Systems: The Agile Infrastructure Enablers
http://atalanta-systems.com


This email and any accompanying documents may contain privileged or
otherwise confidential information of, and/or is the property of Education
Management Solutions, Inc. If you are not the intended recipient, please
immediately advise the sender by reply email & delete the message & any
attachments without using, copying or disclosing the contents. Thank you.




#15

powershell_script "write test file without clobber" do
  code <<-EOB
    get-process | select -first 5 | out-file c:\testexp.txt
  EOB
  not_if 'powershell -noninteractive -noprofile -command "exit [int32](test-path c:\testexp.txt)"'
end

I expect this to write a few lines to c:\testexp.txt IF there is no file
at that path already.

I’m not familiar with the use of the exit command as you have used it.

output of chef-client

[2014-02-24T15:51:44-05:00] INFO: *** Chef 11.8.2 ***
[2014-02-24T15:51:44-05:00] INFO: Chef-client pid: 3716
[2014-02-24T15:51:48-05:00] WARN: unable to detect ip6address
[2014-02-24T15:52:19-05:00] INFO: Run List is [recipe[poshMover::exetest]]
[2014-02-24T15:52:19-05:00] INFO: Run List expands to [poshMover::exetest]
[2014-02-24T15:52:19-05:00] INFO: Starting Chef Run for pa02devops01.tunein.corp
[2014-02-24T15:52:19-05:00] INFO: Running start handlers
[2014-02-24T15:52:19-05:00] INFO: Start handlers complete.
[2014-02-24T15:52:20-05:00] INFO: HTTP Request Returned 404 Object Not Found:
[2014-02-24T15:52:20-05:00] INFO: Loading cookbooks [poshMover]
[2014-02-24T15:52:20-05:00] INFO: Storing updated cookbooks/poshMover/recipes/exetest.rb in the cache.
[2014-02-24T15:52:20-05:00] INFO: Processing powershell_script[write test file without clobber] action run (poshMover::exetest line 12)
[2014-02-24T15:52:21-05:00] INFO: Chef Run complete in 1.156254 seconds
[2014-02-24T15:52:21-05:00] INFO: Running report handlers
[2014-02-24T15:52:21-05:00] INFO: Report handlers complete

Troubleshooting this is tricky because I can’t tell if it tried running the
code block or not, because it might be trying, but the codeblock isn’t janky,
and needs fixing. Is there something in the results that will indicate if
it tried the code or not?

On Mon, Feb 24, 2014 at 12:26 PM, Kenneth Barry kbarry-x@tunein.com wrote:

I’m going to go with your method Adam, as I am still getting my head
wrapped around ruby enough to really understand what’s getting passed where
:)

Neither of these are how it might be in the future, but it’s pretty close :)

On Mon, Feb 24, 2014 at 11:52 AM, Adam Edwards adamed@getchef.com wrote:

Kenneth, currently guard expressions that use strings (i.e. not_if
followed by a string, not curly braces) are executed as batch scripts via
cmd.exe (this cmd.exe thing is something I am proposing we change, see
pointers to an RFC earlier in the thread if you are interested in that side
conversation). So you do need to have powershell.exe in the path - it
should already be there since Windows ships that way (and if you install
powershell it will add it to the path).

You could also look at Kapil’s solution since it is working for him - it
essentially does the same thing as my example, but runs the powershell
script code outside the context of the resource, assigns the value to a
Ruby variable, and then evaluates that variable in the not_if guard as a
Ruby expression rather than a script to be interpreted by cmd.exe.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 10:31 AM
To: chef@lists.opscode.com
Cc: adamed@getchef.com
Subject: Re: [chef] RE: RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-WindowsFeature -Name Web-Server) -eq $null)"'

As I read this, it will not perform the code (configure iis) if there is
no windows feature named web-server…

I see the context.

Thanks for the feedback, I am going to give this a shot. not_if figures
out the context required to run the command? Do I need to have
powershell.exe’s location in my environment path? Sorry for the new
question, there may be a lot of “granted” knowledge from a little
experience that I still lack.

On Mon, Feb 24, 2014 at 10:13 AM, Kapil Shardha <
Kapil.Shardha@simulationiq.com> wrote:

Adam,

The example that I suggested (with powershell_out) worked for me.

-Kapil

From: Adam Edwards [mailto:adamed@getchef.com]
Sent: Monday, February 24, 2014 1:09 PM
To: chef@lists.opscode.com
Subject: [chef] RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Kenneth, I would start with Kapil’s example below (Kapil, did you verify
that it worked for you?). Here’s the full context of my example, which was
not about iis, but about setting execution policy:

# Sets x64 execution policy to remote signed, but only if it's not already set
powershell_script "set execution policy" do
  code "set-executionpolicy remotesigned"
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -eq \'RemoteSigned\')"'
end

So the approach is to use the exit command in PowerShell to set a
non-zero (i.e. failed) process exit code when we identify a condition in
which the resource should run. The non-zero exit code is interpreted by
not_if as “false,” and therefore the resource will be executed. See this
part of the docs for more on how “guard” expressions like not_if can be
used to provide idempotence where needed:
http://docs.opscode.com/resource_common.html.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 9:58 AM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

Adam, re: the example:

not_if 'powershell -noninteractive -noprofile -command "exit [int32]((Get-ExecutionPolicy) -eq \'RemoteSigned\')"'

I’m new enough to chef to see how this works, but not see where I would
"place it".

I’ve never used nor seen a not_if. Do you have a link to an expanded
use-case example?

On Fri, Feb 21, 2014 at 12:13 PM, Kapil Shardha <
Kapil.Shardha@simulationiq.com> wrote:

That is a good idea! I was suggesting something like this:

---------- 1. Install IIS Role, if not already installed ----------

script = <<-EOF
    $x = Get-WindowsFeature -name "Web-Server"
    $status = 0
    if($x -ne $null)
    {
        $installed = $x.Installed
        if($installed -eq $false)
        {
            $status = 1
        }
        else
        {
            $status = 0
        }
    }
    return $status
EOF

cmd = powershell_out(script)

x = cmd.stdout.chop

powershell_script "Install_IIS" do
  code <<-EOH
    Install-WindowsFeature -name "Web-Server" -IncludeManagementTools -IncludeAllSubFeature
  EOH
  only_if { x == '1' }
end

-Kapil



#16

The log shows that it did process the powershell_script resource. Did it create a file?

-Kapil

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Monday, February 24, 2014 3:59 PM
To: Adam Edwards
Cc: chef@lists.opscode.com
Subject: [chef] Re: RE: RE: Re: RE: RE: RE: Re: RE: Re: Idempotent IIS

powershell_script "write test file without clobber" do
  code <<-EOB
    get-process | select -first 5 | out-file c:\testexp.txt
  EOB
  not_if 'powershell -noninteractive -noprofile -command "exit [int32](test-path c:\testexp.txt)"'
end

I expect this to write a few lines to c:\testexp.txt IF there is no file at that path already.
I’m not familiar with the use of the exit command as you have used it.
output of chef-client

[2014-02-24T15:51:44-05:00] INFO: *** Chef 11.8.2 ***
[2014-02-24T15:51:44-05:00] INFO: Chef-client pid: 3716
[2014-02-24T15:51:48-05:00] WARN: unable to detect ip6address
[2014-02-24T15:52:19-05:00] INFO: Run List is [recipe[poshMover::exetest]]
[2014-02-24T15:52:19-05:00] INFO: Run List expands to [poshMover::exetest]
[2014-02-24T15:52:19-05:00] INFO: Starting Chef Run for pa02devops01.tunein.corp
[2014-02-24T15:52:19-05:00] INFO: Running start handlers
[2014-02-24T15:52:19-05:00] INFO: Start handlers complete.
[2014-02-24T15:52:20-05:00] INFO: HTTP Request Returned 404 Object Not Found:
[2014-02-24T15:52:20-05:00] INFO: Loading cookbooks [poshMover]
[2014-02-24T15:52:20-05:00] INFO: Storing updated cookbooks/poshMover/recipes/exetest.rb in the cache.
[2014-02-24T15:52:20-05:00] INFO: Processing powershell_script[write test file without clobber] action run (poshMover::exetest line 12)
[2014-02-24T15:52:21-05:00] INFO: Chef Run complete in 1.156254 seconds
[2014-02-24T15:52:21-05:00] INFO: Running report handlers
[2014-02-24T15:52:21-05:00] INFO: Report handlers complete
Troubleshooting this is tricky because I can’t tell if it tried running the code block or not, because it might be trying, but the codeblock isn’t janky, and needs fixing. Is there something in the results that will indicate if it tried the code or not?



#17

What am I doing wrong?

I expect the code block to “not [run] if” the value of the setting is
currently ‘4’.

When I run this code

powershell_script "testDynamicCompressionLevel" do
  code <<-EOB
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpCompression/scheme[@name='gzip']" -name "dynamicCompressionLevel" -value 4
  EOB
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/httpCompression/scheme[@name="gzip"]" -name "dynamicCompressionLevel").value -eq 4)"'
end

On machine 1 the powershell command in the not_if evaluated to false
(because it’s set to 0). I run this command from the prompt on the machine
locally.

Upon chef-client I get the following lines:

[2014-02-25T13:23:16-05:00] INFO: powershell_script[testDynamicCompressionLevel] ran successfully

- execute "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat None -File "C:/Users/kbarry-x/AppData/Local/Temp/chef-script20140225-2672-jjmxxc.ps1"

and now the setting is ‘4’, so the test evaluates as true

but when I chef-client again I get the same results, instead of a “skipped
due to not_if”


#18

Kenneth, I think there is a quoting issue in the argument for -filter - I
couldn’t execute that when I pasted your command into PowerShell. Using
single quotes instead of double quotes did the trick, i.e.

[int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter 'system.webServer/httpCompression/scheme[@name="gzip"]' -name "dynamicCompressionLevel").value -eq 4)

worked on my system. In general, quoting is something to be mindful of when
mixing languages in this way (i.e. Ruby and PowerShell). Using here
documents can help, though it is less concise.

-Adam

From: Kenneth Barry [mailto:kbarry-x@tunein.com]
Sent: Tuesday, February 25, 2014 10:26 AM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: RE: RE: Re: RE: RE: RE: Re: RE: Re:
Idempotent IIS

What am I doing wrong?

I expect the code block to “not [run] if” the value of the setting is
currently ‘4’.

When I run this code

powershell_script "testDynamicCompressionLevel" do
  code <<-EOB
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpCompression/scheme[@name='gzip']" -name "dynamicCompressionLevel" -value 4
  EOB
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/httpCompression/scheme[@name="gzip"]" -name "dynamicCompressionLevel").value -eq 4)"'
end

On machine 1 the powershell command in the not_if evaluated to false
(because it’s set to 0). I run this command from the prompt on the machine
locally.

Upon chef-client I get the following lines:

[2014-02-25T13:23:16-05:00] INFO: powershell_script[testDynamicCompressionLevel] ran successfully

- execute "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat None -File "C:/Users/kbarry-x/AppData/Local/Temp/chef-script20140225-2672-jjmxxc.ps1"

and now the setting is ‘4’, so the test evaluates as true

but when I chef-client again I get the same results, instead of a “skipped
due to not_if”


#19

powershell_script "DynamicCompressionLevel" do
  code <<-EOB
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpCompression/scheme[@name='gzip']" -name "dynamicCompressionLevel" -value 4
  EOB
  not_if 'powershell -noninteractive -noprofile -command "exit [int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter 'system.webServer/httpCompression/scheme[@name="gzip"]' -name "dynamicCompressionLevel").value -eq 4)"'
end

I get the following:

[2014-02-25T16:01:22-05:00] FATAL: SyntaxError: c:/chef/cache/cookbooks/poshMover/recipes/exetest.rb:16: syntax error, unexpected tIDENTIFIER, expecting keyword_end
…BROOT/APPHOST" -filter 'system.webServer/httpCompression/sc…
… ^
c:/chef/cache/cookbooks/poshMover/recipes/exetest.rb:16: syntax error, unexpected tSTRING_BEG, expecting keyword_end
…mpression/scheme[@name="gzip"]' -name "dynamicCompressionLev…
… ^

changed code to the following

powershell_script "DynamicCompressionLevel" do
  code <<-EOB
    Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/httpCompression/scheme[@name='gzip']" -name "dynamicCompressionLevel" -value 4
  EOB
  not_if <<-EOH
    'powershell -noninteractive -noprofile -command "exit [int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter "system.webServer/httpCompression/scheme[@name='gzip']"" -name "dynamicCompressionLevel").value -eq 4)"'
  EOH
end

Again it “Works” but the not_if appears to be not functioning (i.e., it
doesn’t skip the second time)

On Tue, Feb 25, 2014 at 11:13 AM, Adam Edwards adamed@getchef.com wrote:

Kenneth, I think there is a quoting issue in the argument for -filter - I
couldn’t execute that when I pasted your command into PowerShell. Using
single quotes instead of double quotes did the trick, i.e.

[int32]((get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST" -filter 'system.webServer/httpCompression/scheme[@name="gzip"]' -name "dynamicCompressionLevel").value -eq 4)

worked on my system. In general, quoting is something to be mindful of
when mixing languages in this way (i.e. Ruby and PowerShell). Using here
documents can help, though it is less concise.

-Adam

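
An added example, not code from any poster in this thread: a plain-Ruby sketch of the two points the discussion turns on, how a string guard's exit status decides whether the resource runs, and how to carry a PowerShell test through Ruby and cmd.exe without nested quoting by using powershell.exe's -EncodedCommand. The method names and the LEVEL_IS_4 constant are hypothetical, and the recipe usage shown in the comment is an assumption.

```ruby
# Added example, not code from the thread. Method names are hypothetical.

# Chef string guards judge the command by its exit status: 0 counts as "true".
# not_if skips the resource on true; only_if skips it on false.
def resource_runs?(guard, exit_status)
  truthy = exit_status.zero?
  case guard
  when :not_if  then !truthy
  when :only_if then truthy
  else raise ArgumentError, "unknown guard: #{guard.inspect}"
  end
end

# Exit status produced by `exit [int32](<test>)`: [int32]$true is 1.
def cast_exit_status(test_is_true)
  test_is_true ? 1 : 0
end

# Exit status produced by `if (<test>) { exit 0 } else { exit 1 }`.
def branch_exit_status(test_is_true)
  test_is_true ? 0 : 1
end

# Wrap a PowerShell boolean test so the process exits 0 only when the test is
# true. A check that throws exits 2, so a broken guard never reads as
# "already configured".
def desired_state_script(ps_test)
  <<~PS
    $ErrorActionPreference = 'Stop'
    try { if (#{ps_test}) { exit 0 } else { exit 1 } } catch { exit 2 }
  PS
end

# Build the guard command line. -EncodedCommand takes Base64 of the UTF-16LE
# script text, so no quote characters pass through Ruby or cmd.exe.
def encoded_guard(ps_test)
  payload = [desired_state_script(ps_test).encode('UTF-16LE')].pack('m0')
  "powershell.exe -NoLogo -NonInteractive -NoProfile -EncodedCommand #{payload}"
end

# Recover the script text from a guard command, for review or logging.
def decode_guard(command)
  command.split.last.unpack1('m0').force_encoding('UTF-16LE').encode('UTF-8')
end

# The test from the thread, written once in PowerShell's own quoting.
LEVEL_IS_4 = %q{(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' } +
             %q{-Filter "system.webServer/httpCompression/scheme[@name='gzip']" } +
             %q{-Name 'dynamicCompressionLevel').Value -eq 4}

# Assumed recipe usage (needs Chef, so shown as a comment):
#   powershell_script 'DynamicCompressionLevel' do
#     code '...'
#     not_if encoded_guard(LEVEL_IS_4)
#   end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |at_4|
    puts format('level is 4: %-5s  cast-style runs: %-5s  branch-style runs: %s',
                at_4,
                resource_runs?(:not_if, cast_exit_status(at_4)),
                resource_runs?(:not_if, branch_exit_status(at_4)))
  end
  puts encoded_guard(LEVEL_IS_4)
end
```

Encoded PowerShell command lines are a common detection trigger, so expect endpoint monitoring to flag them; decode_guard gives a reviewer the plain script behind any such guard.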