We should have guidance on using PSDscAllowPlainTextPassword=$true in examples about dscresources HOT 26 CLOSED

An example of an example where this is done is here;

https://github.com/PowerShell/SqlServerDsc/blob/dev/Examples/Resources/SqlServerDatabaseMail/1-EnableDatabaseMail.ps1

            <#
                NOTE! THIS IS NOT RECOMMENDED IN PRODUCTION.
                This is added so that AppVeyor automatic tests can pass, otherwise
                the tests will fail on passwords being in plain text and not being
                encrypted. Because it is not possible to have a certificate in
                AppVeyor to encrypt the passwords we need to add the parameter
                'PSDscAllowPlainTextPassword'.
                NOTE! THIS IS NOT RECOMMENDED IN PRODUCTION.
            #>
            PSDscAllowPlainTextPassword = $true

The test framework could create a self signed certificate to be able to compile examples and integration tests with a certificate. It would simplify the documentation, and my previous comment would then become obsolete. Instead a work item would be to create a new issue in DscResource.Tests. I personally would rather prefer having closer to real world examples, which would align with the first suggestion in the issue description.

from dscresources.

👍 Documentation on how to be secure I think is sorely needed with some better ideas put forward on how to manage the infra of SSL keys that are needed.

from dscresources.

I'm all for this 😄

And while we're at it, it would be great to get/include some guidance on the certificate EKU requirements for certificates to be used for DSC credential encryption. It seemed to change in 10586 WMF 5.0 build - the certificate now needs an EKU of Document Encryption (1.3.6.1.4.1.311.80.1). But I couldn't find this documented anywhere. Prior to 10586 the certificate did not require this EKU. Just adding my "nice to haves"!

from dscresources.

I'm torn on this one.

While on one hand I completely understand where one is coming from, on the other hand we are introducing a barrier to adoption for someone learning DSC as you are basically requiring them to have PKI certificates "on the ready" or somehow know ahead of time that the examples wont actually run unless they put extra effort in.

I see no problem with leaving examples as "lab worthy only" as that's what they basically are anyway.

As for managing SSL keys .... that's a totally different conversation that is not really specific to modules ... more like "should a pull server be more than an IIS site/SMB share and have some kind of ID management even with just self-signed cert assignment and GUID generation like puppet"? I ended up writing my own modules to handle SSL keys and track GUID <-> Thumbprint mappings in a csv file (shrug).

from dscresources.

@Justin-DynamicD, @tysonjhayes, @PlagueHO
I think option number 2 would handle justin's concern about not requiring people to have PKI on the ready, but also produce the documentation. We could add warnings to the examples that this example is not secure and point to the documentation on how to secure it. This might be easier to maintain as the secure example would be in one place.

from dscresources.

@TravisEz13 I think that's a great way to do it. Simply standardize the example folder a bit to include the documentation references.

from dscresources.

If we move forward with Option 2 (which I am OK with) I would like to see us generate documentaiton on best practices for securing the environment as well as this is something I've struggedled with in maintaining my environment.

from dscresources.

There is also this blog post on DSC credential encryption. Although I think @TravisEz13's one is better as it doesn't muddy the water with discussion of Pull Servers.

It sounds like the best practices and securing the environment as @tysonjhayes says would be a really useful resource for any DSC users (not just users creating/consuming resources).
So, perhaps it would be worth putting this sort of info into the PowerShell-Docs/Dsc documentation (e.g. https://github.com/PowerShell/PowerShell-Docs/blob/master/dsc/configDataCredentials.md) and then specifically linking to it from the examples? As opposed to creating the document in the PowerShell/DSCResources repo.

The documentation could also show how to use self-signed certificates (although not new-selfsignedcertificate) so that someone could get started with credential encryption easily and without a full PKI.

from dscresources.

@PlagueHO @tysonjhayes @Justin-DynamicD
Here are the work items I see. Some of these were settled in other issues.

• We should create a doc on best practices for securing the environment. The first version could be based on the blog and should be put in PowerShell-Docs/Dsc (this is the proper location because this is a general DSC best practice) documentation (e.g. https://github.com/PowerShell/PowerShell-Docs/blob/master/dsc/configDataCredentials.md)
• Create a standardize credential example which warns that is not secure and references the documentation.
• Update the Guidance to say that you should follow the pattern the standardized credential example
• We need to create documentation on how to properly use self-signed certificates. So that someone could get started with credential encryption easily and without a full PKI. (again this sounds like a general DSC best practice, so it should go in the DSC docs area repo.)

Anyone willing to help with any of these. FYI, I have the GitHub markup for my blog I can share.

from dscresources.

@TravisEz13 - thanks for formalizing the work items - that makes things really clear.

I'm not totally clear on what we'd do in regards item 2. So I'm happy to help out on items 1,3 & 4 (and 2 once I had a better idea of what was expected we'd do with it). I could start with item 1 based on your blog markdown - that should be fairly easy as it wouldn't really need to be changed too much from your blog post.

from dscresources.

I can take item 2. I'll probably start by updating and existing example. Then, we can decide what elements are generic and which are specific. So maybe it has some sub-tasks.

from dscresources.

@PlagueHO, I posted the GitHub MarkDown here: https://gist.github.com/TravisEz13/74ec024ae4cdac0ad165

from dscresources.

Awesome! Thanks @TravisEz13 - I'll get onto it this weekend.

from dscresources.

Doh! @TravisEz13 - the gist you posted contains the MarkDown for the DSC Single Instance blog post you created (I do need this for the other document I want to create though). But I need the md for this post.

from dscresources.

@TravisEz13 - any chance of getting the md for this post off you? 😄

from dscresources.

@PlagueHO It should be here: https://gist.githubusercontent.com/TravisEz13/74ec024ae4cdac0ad165/raw/ccdc47f6a6235a9d60fff30cc9aac068c8a48248/Want%2520to%2520write%2520a%2520DSC%2520resource%2520where%2520only%2520a%2520single%2520instance%2520can%2520be%2520configured%253F.md

from dscresources.

Thanks @TravisEz13, but that's the SingleInstance one 😄 I'm after the Secure Credentials post.

from dscresources.

@PlagueHO Sorry. I thought I wrote all my DSC blogs in markdown. Apparently not this one. I quickly converted it. The diagram isn't working, but I put the image url, and I'll leave that to you.
Here it is: https://gist.github.com/TravisEz13/dbaa0a915402360c5acc

from dscresources.

Awesome! Thanks @TravisEz13

from dscresources.

@TravisEz13 - I've submitted a PR containing the conversion of your DSC credential encryption blog post to the PowerShell-Docs repo. Thanks

from dscresources.

@TravisEz13 - @megamorf and I have done some work on the SecureMOF.md to clarify the Self-Signed certificate generation process, so I think that partially covers task number 4.

@megamorf has suggested we work on a document covering Securing DSC within a PKI environment (as a separate document) - which would complete coverage of task number 4.

Work this work for you?

from dscresources.

@megamorf @PlagueHO you should coordinate with @eslesar as we have been discussing this offline.

from dscresources.

@eslesar - what's the best way to chat with you about what should be done on this? Via a GitHub issue? Gitter?

from dscresources.

@eslesar - @megamorf has set up a gitter chatroom for us to discus what we think is required for this document. Would it suit you to jump into it and some point and outline what your requirements/thoughts on this is?
https://gitter.im/megamorf/psdsc-pki-encryption

from dscresources.

In this comments work item list I think the text in Securing the MOF File covers 1 and 4. That leaves 2 and 3 in the list, which doesn't seem to been worked on. I can't find anything at least.

2. Create a standardize credential example which warns that is not secure and references the documentation.

• We could create an Example template under Dsc Resource.Template folder.
• This example template should reference Securing the MOF File.

3. Update the Guidance to say that you should follow the pattern the standardized credential example

• The Quality Governance says that a resource module should follow the project structure so we could add a bullet point to the list pointing to the example template.

from dscresources.

PR PowerShell/DscResource.Tests#241 will resolve this, making it possible to have examples and integration test secure by default.

from dscresources.