My Failed Attempt with PowerShell DSC + VMware!

The Idea: 

  1. Have a DSC configuration for vSphere that gets the status of the vSwitch security policies: Forged transmits, Promiscuous mode and MAC address changes.
  2. All 3 security settings must be set to Reject.
  3. The DSC configuration should set the above 3 settings to Reject if they are not.
  4. And finally apply this configuration to all ESXi hosts in vCenter.

These days I am learning PowerShell DSC. No doubt it is a great tool, but it needs more DSC resources for various technologies. I am sure that the PowerShell community will rise to the challenge and work toward making DSC more powerful.

My initial idea was to create a vSphere security configuration for vSwitch security policies using PowerShell DSC. However, it didn't work out for me as expected. Initially I struggled with the Script resource and variable scope in the GetScript, TestScript and SetScript blocks. Basically I was not able to pass a variable into a script block. This issue is documented here. Thankfully, with the help of my colleague Rohit Sharma, we were able to resolve the variable scope issue. The bottom line of that issue is that we have to use $using: to pass data into the script blocks (Get, Set and Test).

It was a great relief for me to resolve the above issue, but the problems didn't stop there. The GetScript block returns a hash table. So, if you try to return a PowerShell object, a variable or any other object, the script block will throw an error. Ultimately you have to return a hash table.

Well, that was sorted out. GetScript and TestScript looked to be working fine, but another problem occurred in the SetScript block. This time we figured out that the session connected with Connect-VIServer is no longer available in the SetScript block, which means it will not execute any PowerCLI commands and will throw an error:


“You are not currently connected to any servers. Please connect first using a Connect cmdlet.”

Why is it throwing this error? I figured out that the DSC Script resource has 3 script blocks: GetScript, TestScript and SetScript. These script blocks do not execute anything themselves but pass their contents to Get-TargetResource, Test-TargetResource and Set-TargetResource as parameters respectively. These functions use the Invoke-Command cmdlet on the remote computer or localhost. That was the reason for using $using: for local-scope variables, and also the reason the connected VMware session is not passed to the SetScript block.

Below is the code for reference. Feel free to test this in a POC/test environment.

# Run in a session that is already connected to vCenter with Connect-VIServer.
# These objects are captured at compile time and passed into the script blocks via $using:.
$Vmhost = Get-VMHost -Name 'TestESX01'
$vSwitch = $Vmhost | Get-VirtualSwitch -Name vSwitch0
$vSwitchSecPolicy = $vSwitch | Get-SecurityPolicy

Configuration vSwitchSecPolicy
{
    Script SecurityPolicy
    {
        GetScript = {
            # GetScript must return a hash table, not the policy object itself.
            $hash = @{ Result = [string]$using:vSwitchSecPolicy }
            return $hash
        }

        TestScript = {
            Write-Verbose $using:vSwitchSecPolicy
            # Non-compliant if any of the three policies is Accept ($true).
            if ($using:vSwitchSecPolicy.AllowPromiscuous -eq $true -or
                $using:vSwitchSecPolicy.ForgedTransmits -eq $true -or
                $using:vSwitchSecPolicy.MacChanges -eq $true)
            {
                Write-Verbose "Compliant: False"
                return $false
            }
            else
            {
                Write-Verbose "Compliant: True"
                return $true
            }
        }

        SetScript = {
            # Fails with "You are not currently connected to any servers":
            # the LCM runs this block in its own process, where the VI session does not exist.
            Write-Verbose "Started setting up security policies on $using:vSwitch"
            Get-SecurityPolicy -VirtualSwitch "$using:vSwitch" |
                Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false
        }
    }
}

# Compiles the MOF into .\vSwitchSecPolicy (here the current directory was C:\Windows\System32).
vSwitchSecPolicy
Start-DscConfiguration -Path C:\Windows\System32\vSwitchSecPolicy -Wait -Verbose -Force


As of now I am still struggling to fix these issues. It looks like the DSC Script resource has some limitations.
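One way around the missing-session problem, written here as an added example and not the author's code: make each script block self-contained. Instead of passing live PowerCLI objects through $using:, pass only the vCenter name, the ESXi host name and the vSwitch name, then import PowerCLI and call Connect-VIServer inside every block, because the LCM executes the blocks later in its own process where no session from the compiling session exists. A foreach inside the Configuration emits one Script resource per host, which covers point 4 of the idea list. The vCenter name, host names and output path are placeholders; the example assumes PowerCLI is installed as the VMware.VimAutomation.Core module and that the account the LCM runs as (SYSTEM, i.e. the computer account) has been granted a vCenter role so Connect-VIServer can use pass-through Windows authentication.

```powershell
# Added example (not from the original post). Assumptions: PowerCLI module
# VMware.VimAutomation.Core, pass-through authentication for the LCM account,
# placeholder names 'vcenter.example.local', 'TestESX01', 'TestESX02'.
Configuration vSwitchSecPolicyPerHost
{
    param
    (
        [Parameter(Mandatory)] [string]   $VIServer,
        [Parameter(Mandatory)] [string[]] $VMHostNames,
        [string] $SwitchName = 'vSwitch0'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        foreach ($hostName in $VMHostNames)
        {
            # $using: values are captured per loop iteration at compile time,
            # so each resource carries its own host name in the MOF.
            Script "SecPolicy_$hostName"
            {
                GetScript = {
                    Import-Module VMware.VimAutomation.Core
                    $vi = Connect-VIServer -Server $using:VIServer
                    try {
                        $p = Get-VMHost -Name $using:hostName -Server $vi |
                             Get-VirtualSwitch -Name $using:SwitchName |
                             Get-SecurityPolicy
                        # GetScript must return a hash table; flatten the policy to a string.
                        return @{
                            Result = "AllowPromiscuous=$($p.AllowPromiscuous);" +
                                     "ForgedTransmits=$($p.ForgedTransmits);" +
                                     "MacChanges=$($p.MacChanges)"
                        }
                    }
                    finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }

                TestScript = {
                    Import-Module VMware.VimAutomation.Core
                    $vi = Connect-VIServer -Server $using:VIServer
                    try {
                        $p = Get-VMHost -Name $using:hostName -Server $vi |
                             Get-VirtualSwitch -Name $using:SwitchName |
                             Get-SecurityPolicy
                        # Compliant only when all three policies are Reject ($false).
                        $compliant = (-not $p.AllowPromiscuous) -and
                                     (-not $p.ForgedTransmits) -and
                                     (-not $p.MacChanges)
                        Write-Verbose "$($using:hostName)/$($using:SwitchName) compliant: $compliant"
                        return $compliant
                    }
                    finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }

                SetScript = {
                    Import-Module VMware.VimAutomation.Core
                    $vi = Connect-VIServer -Server $using:VIServer
                    try {
                        Get-VMHost -Name $using:hostName -Server $vi |
                            Get-VirtualSwitch -Name $using:SwitchName |
                            Get-SecurityPolicy |
                            Set-SecurityPolicy -AllowPromiscuous $false `
                                               -ForgedTransmits $false `
                                               -MacChanges $false
                    }
                    finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }
            }
        }
    }
}

# Compile one resource per host into an explicit output path, then apply.
vSwitchSecPolicyPerHost -VIServer 'vcenter.example.local' `
    -VMHostNames @('TestESX01', 'TestESX02') `
    -OutputPath 'C:\DSC\vSwitchSecPolicy'
Start-DscConfiguration -Path 'C:\DSC\vSwitchSecPolicy' -Wait -Verbose -Force
```

Two cautions when adapting this: values passed through $using: are written into the MOF as text, so never pass a vCenter password that way (the MOF is readable on the node); and because the LCM runs as SYSTEM, any credential store or pass-through authentication has to work for that account, not for the administrator who compiled the configuration.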

What Next?

  1. Understand how to create custom DSC resources using PowerShell classes and objects.
  2. Try to build a custom resource on my own.

Hopefully I will be able to resolve this issue and will come out with a DSC Configuration for vSwitch Security policy.

Thanks
