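# Idempotent method for installing RSA key containers (IIS) by Matt Borja
#
# Flow: an empty, ACL-restricted staging file is enforced; the exported key
# XML is written into it; aspnet_regiis imports it into the named container;
# the staging file is emptied again. Every step after the first is
# refresh-driven, so a host whose MachineKeys already references the
# container name is left untouched.
#
# @param key_container            Name of the RSA key container (aspnet_regiis -pi/-pa).
# @param key_container_filename   Staging file the exported key XML is written to.
# @param key_container_content    Exported key XML (the output of aspnet_regiis -px).
# @param grantee                  Account granted access to the container
#                                 (aspnet_regiis -pa). undef skips the grant step.
# @param machine_keys_search_path Glob that is searched for the container name to
#                                 decide whether the import has already happened.
# @param aspnet_regiis_bin        Path of aspnet_regiis.exe; defaults to the
#                                 64-bit .NET 4 location.
#
# NOTE(review): the key XML travels as part of a PowerShell command line.
# Sensitive.new keeps it out of Puppet's own logs and reports, but host-side
# PowerShell script block / transcription logging may still record it --
# confirm the logging policy on the targets before use.
define iis::rsa_install (
  String           $key_container,
  String           $key_container_filename,
  String           $key_container_content,
  Optional[String] $grantee                  = undef,
  String           $machine_keys_search_path = "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*",
  String           $aspnet_regiis_bin        = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regiis.exe"
) {
  # Every value interpolated into PowerShell is placed in a single-quoted
  # literal, where '' is the only escape. A double-quoted literal would let
  # PowerShell expand "$", "$(...)" and backtick sequences appearing in the
  # key XML, the container name or the path.
  $key_container_ps            = regsubst($key_container, "'", "''", 'G')
  $key_container_filename_ps   = regsubst($key_container_filename, "'", "''", 'G')
  $key_container_content_ps    = regsubst($key_container_content, "'", "''", 'G')
  $machine_keys_search_path_ps = regsubst($machine_keys_search_path, "'", "''", 'G')

  $container_label            = basename($key_container_filename)
  $create_key_container_task  = "Create key container (${container_label})"
  $import_key_container_task  = "Import key container (${container_label})"
  $grant_key_container_task   = "Grant key container (${container_label})"
  $cleanup_key_container_task = "Cleanup key container (${container_label})"

  # Enforce empty file with explicit permissions before writing content.
  # If a previous run stopped between "create" and "cleanup" (e.g. the import
  # failed), this file still holds the key XML at the start of the next run and
  # is reset here. backup => false keeps that content out of the filebucket and
  # show_diff => false keeps it out of the agent log/report while it is reset.
  # TODO: Pair with file scrubbing?
  file { $key_container_filename:
    ensure    => file,
    owner     => "Administrator",
    group     => "Administrators",
    mode      => "0660", # 0660 enables manual Puppet runs
    content   => "",
    backup    => false,
    show_diff => false,
    # checksum => "sha256",
    # checksum_value => "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", # empty file
  }

  # The key XML is only written when the container name is not yet referenced
  # anywhere under the MachineKeys path. -SimpleMatch makes the container name
  # a literal rather than a regex, so names with ".", "+" etc. cannot match
  # unrelated containers; -Quiet turns the result into a plain boolean.
  exec { $create_key_container_task:
    provider => "powershell",
    command  => Sensitive.new("Set-Content -Force -Path '${key_container_filename_ps}' -Value '${key_container_content_ps}'"),
    unless   => "if (Select-String -Path '${machine_keys_search_path_ps}' -Pattern '${key_container_ps}' -SimpleMatch -Quiet) { exit 0 } else { exit 1 }",
    require  => File[$key_container_filename],
  }

  # Import runs only in the same run that (re)wrote the staging file.
  exec { $import_key_container_task:
    provider    => "powershell",
    command     => "${aspnet_regiis_bin} -pi '${key_container_ps}' '${key_container_filename_ps}'",
    refreshonly => true,
    subscribe   => Exec[$create_key_container_task],
  }

  # Empties the staging file once the import has succeeded. The file resource
  # above resets it on the following run if this step was never reached.
  # TODO: Refactor with secure file overwrite (https://gallery.technet.microsoft.com/scriptcenter/Secure-File-Remove-by-110adb68)
  exec { $cleanup_key_container_task:
    provider    => "powershell",
    command     => "Clear-Content -Force '${key_container_filename_ps}'",
    refreshonly => true,
    subscribe   => Exec[$import_key_container_task],
  }

  # regsubst() requires a String, so the grantee is only escaped when given;
  # escaping an undef grantee unconditionally fails catalog compilation.
  if $grantee != undef {
    $grantee_ps = regsubst($grantee, "'", "''", 'G')

    exec { $grant_key_container_task:
      provider    => "powershell",
      command     => "${aspnet_regiis_bin} -pa '${key_container_ps}' '${grantee_ps}'",
      refreshonly => true,
      subscribe   => Exec[$import_key_container_task],
    }
  }
}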