1
votes

I'm trying to automate building Windows VMs in Azure, using a template and DSC. My colleagues are familiar with templates but not with PowerShell, and I want as little interaction with DSC or running cmdlets as possible. If I can't do everything with the template, I want to use the Azure Portal.

I'm struggling to find a non-PowerShell way to add users and groups to the local Administrators group. What I think will be the simplest process is:

  1. The template has a parameter called membersOfLocalAdmins. Its value will be a single string like mydomain\username,mydomain\groupname....

  2. The template creates a variable in the Automation Account, called membersOfLocalAdmins-*New VM Name*. Its value is the string of admins.

  3. The DSC configuration needs to read this variable. It currently has a parameter for the VM name. In the Azure portal we would go to the Automation account, select the configuration and click Compile. We see the prompt for the VM name and type it, click OK.

The DSC configuration will have to read the Automation Account variable called membersOfLocalAdmins-*New VM Name*, then split the variable's value into an array and get it to its Group resource. I've tried something like the code below, but it won't compile. I'm thinking that the only place in the configuration where I can use PowerShell is in the Script resource. Is there any way to do this, or any better way?

I've also run into the problem where the compile DSC configuration form in the Azure Portal can't accept arrays. It reads mydomain\username,mydomain\groupname... as a single string, which is OK if I can use PowerShell to split it before it gets to the Group resource. But where would I put this PowerShell in the configuration?

I think I'm going to have to use a Script resource, split the string into an array and add it to Administrators myself. Messy.

    $DomainUserName = Get-AutomationVariable -Name 'Internal_Domain_Username'
    $DomainUserPassword = Get-AutomationVariable -Name 'Internal_Domain_Password'
    $DomainCredential = New-Object -TypeName System.Management.Automation.PSCredential($DomainUserName, (ConvertTo-SecureString $DomainUserPassword -AsPlainText -Force))

    Configuration TestConfiguration1Win10 {
        param(
            [string[]]$ComputerName = "localhost"
            ,
            [string[]]$membersOfLocalAdmins
        )

        # This if statement here causes the compile to fail. Is there anywhere else in the configuration I could put it?
        if (!$membersOfLocalAdmins){
            $membersOfLocalAdmins = $(Get-AutomationVariable -Name "membersOfLocalAdmins-@($ComputerName)[0]").Split(',')
        }

        Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
        Import-DSCResource -Module xNetworking -Name xFirewallProfile
        Import-DSCResource -Module xSystemSecurity -Name xIEEsc
        Import-DscResource -ModuleName DeleteDscTmpFile

        Node $ComputerName {
            Group AddToLocalAdmins {
                GroupName ='Administrators'
                Ensure = 'Present'
                MembersToInclude = $membersOfLocalAdmins
                Credential = $DomainCredential
            }
        }
    }

1 Answer

1
votes

Removing the $membersOfLocalAdmins parameter and changing the group resource as below worked.

    Group AddToLocalAdmins {
        GroupName ='Administrators'
        Ensure = 'Present'
        MembersToInclude = $((Get-AutomationVariable -Name "membersOfLocalAdmins-$ComputerName").Split(',').Trim())
        Credential = $DomainCredential
    }
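
The split-and-trim that the answer performs inline, written as a standalone helper that also rejects empty or malformed entries before they reach `MembersToInclude` for the Administrators group. This is an added example, not code from the question or the answer; the function name `ConvertTo-AdminMemberList`, the `DOMAIN\name` pattern and the sample value are assumptions.

```powershell
# Added example: names, pattern and sample data are assumptions, not from the thread.
function ConvertTo-AdminMemberList {
    [CmdletBinding()]
    [OutputType([string[]])]
    param(
        # Raw comma-separated value, e.g. what Get-AutomationVariable returns.
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$RawValue
    )

    # Assumed format: DOMAIN\name. The name part excludes characters that are
    # not valid in a sAMAccountName; spaces (e.g. "Domain Admins") are allowed.
    $pattern = '^[A-Za-z0-9._-]+\\[^\\/\[\]:;|=,+*?<>"]+$'

    $members = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $RawValue.Split(',')) {
        $name = $entry.Trim()
        if ($name -eq '') { continue }   # tolerate trailing or doubled commas
        if ($name -notmatch $pattern) {
            # Stop compilation instead of handing an unexpected principal
            # to the Administrators group.
            throw "Invalid Administrators member entry: '$name'"
        }
        # -notcontains compares case-insensitively, so MYDOMAIN\user and
        # mydomain\user are treated as the same member.
        if ($members -notcontains $name) { $members.Add($name) }
    }

    if ($members.Count -eq 0) {
        throw 'No Administrators members were supplied.'
    }
    return ,$members.ToArray()   # leading comma keeps the result an array
}

# Constructed sample: stray spaces, a case-variant duplicate, a trailing comma.
$sample = 'mydomain\username, mydomain\groupname ,MYDOMAIN\username,'
ConvertTo-AdminMemberList -RawValue $sample

# Assumed usage inside the Group resource, with the helper defined in the same script:
#   MembersToInclude = ConvertTo-AdminMemberList -RawValue (
#       Get-AutomationVariable -Name "membersOfLocalAdmins-$ComputerName")
```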