Getting the corrective action for exec while using PowerShell to ADD users and groups to the local admin group. Please note I am not a scripting guy, so I am not sure what I am doing wrong.
Notice: /Stage[main]/Cc_hieratest::Policy::Securitypolicy/Exec[Add-LocalGroupMember Administrators built-in]/returns: executed successfully (corrective)
Below is the script I am trying. I have tried it in multiple ways and still can't see what's wrong with my script.
# Single-quoted Puppet strings are passed to PowerShell untouched, so $DN and
# $env:... are expanded by PowerShell, not by Puppet. $DN was not set anywhere
# in the original command, so it is derived from $env:USERDOMAIN here.
exec { 'Add-LocalGroupMember Administrators built-in':
  command  => '$DN = $env:USERDOMAIN; $(Add-LocalGroupMember -Group "Administrators" -Member "lcladmsystem", "$DN\Domain Admins", "$DN\Rg_Svr GBL Servers - Administrators", "$DN\Rg_Svr $env:envCode Servers - Administrators", "$DN\Rg_Svr $env:envCode $env:COMPUTERNAME - Administrators" -ErrorAction SilentlyContinue)',
  provider => powershell,
}
or
exec { 'Add-LocalGroupMember Administrators built-in':
  command  => '$DN = $env:USERDOMAIN; Add-LocalGroupMember -Group "Administrators" -Member "lcladmsystem", "$DN\Domain Admins", "$DN\Rg_Svr GBL Servers - Administrators", "$DN\Rg_Svr $env:envCode Servers - Administrators", "$DN\Rg_Svr $env:envCode $env:COMPUTERNAME - Administrators" -ErrorAction SilentlyContinue',
  provider => powershell,
}
or
exec { 'Add-LocalGroupMember Administrators built-in':
  command  => '$DN = $env:USERDOMAIN; Add-LocalGroupMember -Group "Administrators" -Member "lcladmsystem", "$DN\Domain Admins", "$DN\Rg_Svr GBL Servers - Administrators", "$DN\Rg_Svr $env:envCode Servers - Administrators", "$DN\Rg_Svr $env:envCode $env:COMPUTERNAME - Administrators"',
  provider => powershell,
}
Below is the last_run_summary.yaml report for the same.
Exec[Add-LocalGroupMember Administrators built-in]:
  title: Add-LocalGroupMember Administrators built-in
  file: "/etc/puppetlabs/code/environments/cc_master/modules/cc_hieratest/manifests/policy/securitypolicy.pp"
  line: 58
  resource: Exec[Add-LocalGroupMember Administrators built-in]
  resource_type: Exec
  provider_used: powershell
  containment_path:
  - Stage[main]
  - Cc_hieratest::Policy::Securitypolicy
  - Exec[Add-LocalGroupMember Administrators built-in]
  evaluation_time: 2.274372
  tags:
  - exec
  - class
  - cc_hieratest::policy::securitypolicy
  - cc_hieratest
  - policy
  - securitypolicy
  - node
  - default
  time: '2022-01-27T02:36:30.074270000 +11:00'
  failed: false
  failed_to_restart: false
  changed: true
  out_of_sync: true
  skipped: false
  change_count: 1
  out_of_sync_count: 1
  events:
  - audited: false
    property: returns
    previous_value: notrun
    desired_value:
    - '0'
    historical_value:
    message: executed successfully (corrective)
    name: executed_command
    status: success
    time: '2022-01-27T02:36:31.502105000 +11:00'
    redacted:
    corrective_change: true
  corrective_change: true
CodePudding user response:
By default, an Exec resource is applied on every run. That is mediated, where desired, by the resource's unless, onlyif, and / or creates parameters, as described in that resource type's documentation.
The creates parameter is probably not appropriate for this particular case, so choose one of unless or onlyif. Each one is expected to specify a command for Puppet to run, whose success or failure (as judged by its exit status) determines whether the Exec should be applied. These two parameters differ primarily in how they interpret the exit status:
- unless interprets exit status 0 (success) as indicating that the Exec's main command should not be run
- onlyif interprets exit statuses other than 0 (success) as indicating that the Exec's main command should not be run
I cannot advise you about the specific command to use here, but the general form of the resource declaration would be:
exec { 'Add-LocalGroupMember Administrators built-in':
  command  => '... PowerShell command to do the work ...',
  unless   => '... PowerShell command that exits with status 0 if the work is already done ...',
  provider => 'powershell',
}
(That assumes that the puppetlabs-powershell module is installed, which I take to be the case for you based on details presented in the question.)
I see your comment on the question claiming that you tried this approach without success, but this is the answer. If your attempts to implement this were unsuccessful then you'll need to look more deeply into what went wrong with those. You haven't presented any of those details, and I'm anyway not fluent in PowerShell, but my first guess would be that the exit status of your unless or onlyif script was computed wrongly.
Additionally, you probably should set the Exec's refresh property to a command that succeeds without doing anything. I'm not sure what that would be on Windows, but on most other systems that Puppet supports, /bin/true would be idiomatic. (That's not correct for Windows; I give it only as an example of the kind of thing I mean.) This will prevent running the main command twice in the same Puppet run in the event that the Exec receives an event.
CodePudding user response:
Got the issue fixed by removing the command part itself and just adding the onlyif part while using exec. Now the corrective part is not happening and it is making the changes as per our requirement. Thanks a lot to @John Bollinger for his kind guidance and input.
exec { 'Add-LocalGroupMember Administrators built-in':
  # All of the work happens inside onlyif. The script always exits 1, so the
  # main command (which defaults to the resource title when command is omitted)
  # is never run and Puppet does not report a corrective change.
  onlyif    => '$DN = $env:USERDOMAIN;
    $mem = Get-LocalGroupMember -Group "Administrators";
    $mem1 = "$env:COMPUTERNAME\lcladmsystem", "$DN\Domain Admins", "$DN\Rg_Svr GBL Servers - Administrators", "$DN\Rg_Svr $env:envCode Servers - Administrators", "$DN\Rg_Svr $env:envCode $env:COMPUTERNAME - Administrators";
    # "=>" = wanted but not present (add); "<=" = present but not wanted (remove)
    $rem = Compare-Object -ReferenceObject $mem.Name -DifferenceObject $mem1;
    foreach ($me in $rem) {
      if ($me.SideIndicator -eq "=>") { Add-LocalGroupMember -Group "Administrators" -Member $me.InputObject -ErrorAction SilentlyContinue }
      elseif ($me.SideIndicator -eq "<=") { Remove-LocalGroupMember -Group "Administrators" -Member $me.InputObject -ErrorAction SilentlyContinue }
    }
    Exit 1',
  provider  => powershell,
  logoutput => true,
}
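As an added example (not code from the question or from either answer), here is the first answer's general form filled in with a working check, using the same "compare desired members against current members" idea as the second answer but with the work in command and the test in unless, so that Puppet's changed/unchanged reporting stays truthful and a failed add actually fails the run. It assumes the puppetlabs-powershell module is installed, that $env:envCode is set on the node as in the question, and that the domain name can be taken from $env:USERDOMAIN as the second answer does; the variable names $ps_wanted, $ps_missing, $ps_check and $ps_add are this example's own.

```puppet
# Added example, not from the original post. Assumes puppetlabs-powershell is
# installed and that $env:envCode is set on the node (as in the question).
# Everything inside single quotes is handed to PowerShell untouched: Puppet does
# not interpolate $wanted, $env:... or backslashes in single-quoted strings.

# Desired members, written in the "DOMAIN\name" form that Get-LocalGroupMember
# reports (the local account therefore gets the $env:COMPUTERNAME prefix).
$ps_wanted = '$wanted = @("$env:COMPUTERNAME\lcladmsystem", "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Rg_Svr GBL Servers - Administrators", "$env:USERDOMAIN\Rg_Svr $env:envCode Servers - Administrators", "$env:USERDOMAIN\Rg_Svr $env:envCode $env:COMPUTERNAME - Administrators");'

# Which desired members are not yet in the group (-notcontains is case-insensitive).
$ps_missing = '$current = @((Get-LocalGroupMember -Group "Administrators").Name); $missing = @($wanted | Where-Object { $current -notcontains $_ });'

# unless: exit 0 ("already done", skip the command) only when nothing is missing.
$ps_check = 'if ($missing.Count -eq 0) { exit 0 } else { exit 1 }'

# command: add only the missing members. -ErrorAction Stop turns a failed add
# into a terminating error, so the exec exits 1 and Puppet reports a failure
# instead of "executed successfully" with the error silently swallowed.
$ps_add = 'try { if ($missing.Count -gt 0) { Add-LocalGroupMember -Group "Administrators" -Member $missing -ErrorAction Stop }; exit 0 } catch { Write-Error $_; exit 1 }'

exec { 'Add-LocalGroupMember Administrators built-in':
  # Double quotes here only splice the single-quoted pieces together; the
  # interpolated values are not parsed again, so the PowerShell $ signs survive.
  command   => "${ps_wanted} ${ps_missing} ${ps_add}",
  unless    => "${ps_wanted} ${ps_missing} ${ps_check}",
  # Do nothing on refresh, so a notify from another resource cannot run the
  # command a second time in the same run (the PowerShell stand-in for /bin/true).
  refresh   => 'exit 0',
  provider  => powershell,
  logoutput => true,
}
```

On a node that already has every listed member, unless exits 0 and the agent reports the resource as in sync, which is what the question's report was missing. When a member is missing, unless exits 1, command adds just that member and exits 0, and the next run is clean again. Two deliberate differences from the code on this page: -ErrorAction SilentlyContinue is not used, because it hides a failed add while the script still exits 0 and Puppet logs "executed successfully"; and this exec only adds, it never removes. The second answer's Compare-Object loop removes every current member that is not in its list, which on most servers includes the built-in local Administrator account, so anyone reusing that pattern should put every legitimate member in the list first.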