Instantly share code, notes, and snippets.

Embed
What would you like to do?
# Idempotent method for installing RSA key containers (IIS) by Matt Borja
define iis::rsa_install (
$key_container,
$key_container_filename,
$key_container_content,
$grantee = undef,
$machine_keys_search_path = "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*"
) {
$aspnet_regiis_bin = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_regiis.exe"
$key_container_filename_ps = regsubst($key_container_filename, '"', '""', 'G')
$container_label = basename($key_container_filename)
$create_key_container_task = "Create key container (${container_label})"
$import_key_container_task = "Import key container (${container_label})"
$grant_key_container_task = "Grant key container (${container_label})"
$cleanup_key_container_task = "Cleanup key container (${container_label})"
$key_container_ps = regsubst($key_container, '"', '""', 'G')
$key_container_content_ps = regsubst($key_container_content, '"', '""', 'G')
$grantee_ps = regsubst($grantee, '"', '""', 'G')
$machine_keys_search_path_ps = regsubst($machine_keys_search_path, '"', '""', 'G')
# Enforce empty file with explicit permissions before writing content
# TODO: Pair with file scrubbing?
file { $key_container_filename:
ensure => file,
owner => "Administrator",
group => "Administrators",
mode => "0660", # 0660 enables manual Puppet runs
content => "",
# checksum => "sha256",
# checksum_value => "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", # empty file
}
exec { $create_key_container_task:
provider => "powershell",
command => Sensitive.new("Set-Content -Force -Path \"${key_container_filename_ps}\" -Value \"${key_container_content_ps}\""),
unless => "if ((Select-String -Path \"${machine_keys_search_path_ps}\" -Pattern \"${key_container_ps}\") -ne \$null) { Exit 0 } else { Exit 1 }",
require => File[$key_container_filename],
}
exec { $import_key_container_task:
provider => "powershell",
command => "${aspnet_regiis_bin} -pi \"${key_container_ps}\" \"${key_container_filename_ps}\"",
refreshonly => true,
subscribe => Exec[$create_key_container_task],
}
# TODO: Refactor with secure file overwrite (https://gallery.technet.microsoft.com/scriptcenter/Secure-File-Remove-by-110adb68)
exec { $cleanup_key_container_task:
provider => "powershell",
command => "Clear-Content -Force \"${key_container_filename_ps}\"",
refreshonly => true,
subscribe => Exec[$import_key_container_task],
}
if $grantee != undef {
exec { $grant_key_container_task:
provider => "powershell",
command => "${aspnet_regiis_bin} -pa \"${key_container_ps}\" \"${grantee_ps}\"",
refreshonly => true,
subscribe => Exec[$import_key_container_task],
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment