[ServiceFabric]: Gallery item switched to pick up DSC nuget from Fabr… (

#219) * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. * [ServiceFabric]: Gallery item switched to pick up DSC nuget from FabricProvider repo needs to be published to public Azure. Co-authored-by: Larisa Borodina <[email protected]>
msazurestackworkloads · Aug 11, 2020 · b8b8ff7 · b8b8ff7
1 parent 13acea4
commit b8b8ff7
Show file tree

Hide file tree

Showing 39 changed files with 1,514 additions and 541 deletions.
diff --git a/servicefabric/DSC/DeploySFCluster.ps1 b/servicefabric/DSC/DeploySFCluster.ps1
diff --git a/servicefabric/DSC/xDisk/DSCResources/MSFT_xDisk/MSFT_xDisk.psm1 b/servicefabric/DSC/xDisk/DSCResources/MSFT_xDisk/MSFT_xDisk.psm1
@@ -21,6 +21,47 @@ function Get-TargetResource
     $returnValue
 }
 
+
+# This function is to set CD/DVD drive letter to a new one. The reason to use it in Disk DSC is that the CD/DVD drive letter and service fabric data drive letter will be 
+# swapped and changed after VMSS instance inplace upgrade or reimage. This function will be used before initializing the service fabric data disk, to keep the original drive 
+# letter order.
+function Set-DVDDriveLetter
+{
+    Param
+    (
+        [Parameter(Mandatory=$True,
+        Position=1)]
+        [string]
+        [ValidatePattern("^[A-Z]{1}:{1}`$")]$NewDrvLetter
+    )
+    # Get Available CD/DVD Drive - Drive Type 5
+    $DvdDrv = Get-WmiObject -Class Win32_Volume -Filter "DriveType=5"
+
+    # Check if CD/DVD Drive is Available
+    if ($DvdDrv -ne $null)
+    {
+        # Get Current Drive Letter for CD/DVD Drive
+        $DvdDrvLetter = $DvdDrv | Select-Object -ExpandProperty DriveLetter
+        Write-Verbose "Current CD/DVD Drive Letter is $DvdDrvLetter" -Verbose
+
+        # Confirm New Drive Letter is NOT used
+        if (-not (Test-Path -Path $NewDrvLetter))
+        {
+            # Change CD/DVD Drive Letter
+            $DvdDrv | Set-WmiInstance -Arguments @{DriveLetter="$NewDrvLetter"}
+            Write-Verbose "Updated CD/DVD Drive Letter as $NewDrvLetter" -Verbose
+        }
+        else
+        {
+           Write-Verbose "Drive Letter $NewDrvLetter Already In Use" -Verbose
+        }
+    }
+    else
+    {
+        Write-Verbose "No CD/DVD Drive Available !!" -Verbose
+    }
+}
+
 function Set-TargetResource
 {
     param
@@ -30,6 +71,8 @@ function Set-TargetResource
 
         [string] $DriveLetter
     )
+
+    Set-DVDDriveLetter -NewDrvLetter 'F:'
 
     $disk = Get-Disk -Number $DiskNumber
 
@@ -116,5 +159,4 @@ function Test-TargetResource
     return $false
 }
 
-
-Export-ModuleMember -Function *-TargetResource
+Export-ModuleMember -Function *-TargetResource
diff --git a/servicefabric/DSC/xDisk/DSCResources/MSFT_xWaitForDisk/MSFT_xWaitForDisk.psm1 b/servicefabric/DSC/xDisk/DSCResources/MSFT_xWaitForDisk/MSFT_xWaitForDisk.psm1
diff --git a/servicefabric/DSC/xFirewallConfigure/DSCResources/xFirewallConfigure/xFirewallConfigure.psm1 b/servicefabric/DSC/xFirewallConfigure/DSCResources/xFirewallConfigure/xFirewallConfigure.psm1
diff --git a/...bric/DSC/xFirewallConfigure/DSCResources/xFirewallConfigure/xFirewallConfigure.schema.mof b/...bric/DSC/xFirewallConfigure/DSCResources/xFirewallConfigure/xFirewallConfigure.schema.mof
diff --git a/...eCluster/xServiceFabricSecureCluster.psd1 → ...FirewallConfigure/xFirewallConfigure.psd1 b/...eCluster/xServiceFabricSecureCluster.psd1 → ...FirewallConfigure/xFirewallConfigure.psd1
diff --git a/servicefabric/DSC/xHKLMSettings/DSCResources/xHKLMSettings/xHKLMSettings.psm1 b/servicefabric/DSC/xHKLMSettings/DSCResources/xHKLMSettings/xHKLMSettings.psm1
diff --git a/servicefabric/DSC/xHKLMSettings/DSCResources/xHKLMSettings/xHKLMSettings.schema.mof b/servicefabric/DSC/xHKLMSettings/DSCResources/xHKLMSettings/xHKLMSettings.schema.mof
diff --git a/servicefabric/DSC/xHKLMSettings/xHKLMSettings.psd1 b/servicefabric/DSC/xHKLMSettings/xHKLMSettings.psd1
diff --git a/servicefabric/DSC/xInputParamsLog/DSCResources/xInputParamsLog/xInputParamsLog.psm1 b/servicefabric/DSC/xInputParamsLog/DSCResources/xInputParamsLog/xInputParamsLog.psm1
diff --git a/servicefabric/DSC/xInputParamsLog/DSCResources/xInputParamsLog/xInputParamsLog.schema.mof b/servicefabric/DSC/xInputParamsLog/DSCResources/xInputParamsLog/xInputParamsLog.schema.mof
diff --git a/servicefabric/DSC/xInputParamsLog/xInputParamsLog.psd1 b/servicefabric/DSC/xInputParamsLog/xInputParamsLog.psd1
diff --git a/...bric/DSC/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettings.psm1 b/...bric/DSC/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettings.psm1
@@ -0,0 +1,292 @@
+function Get-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Collections.Hashtable])]
+    param
+    (
+        [parameter(Mandatory = $true)]
+        [System.UInt32]
+        $DeploymentNodeIndex
+    )
+}
+
+function Set-TargetResource
+{
+    [CmdletBinding()]
+    param
+    (
+        [parameter(Mandatory = $true)]
+        [System.UInt32]
+        $DeploymentNodeIndex
+    )
+
+    $ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop
+    $VerbosePreference = [System.Management.Automation.ActionPreference]::Continue
+
+    # V2: Assume GPO and security policy inf is in place in the image
+
+    # Validate GPO is in place
+    $gpoDestinationPath = "$env:windir\System32\GroupPolicy"
+    $testGPOIniPath = Join-Path $gpoDestinationPath "gpt.ini"
+
+    $gpoInPlace = Test-Path $testGPOIniPath
+
+    if (-not $gpoInPlace)
+    {
+        Write-Warning "Pre-existing group policy is not in place on the image."
+    }
+
+    # Validate SPO file is in place
+    $spoRootFolder = Join-Path $env:SystemDrive "VMSPO"
+    $spoFilePath = Join-Path $spoRootFolder "securitypolicy.inf"
+
+    $spoInPlace = Test-Path $spoFilePath
+
+    if (-not $spoInPlace)
+    {
+        Write-Warning "Pre-existing security policy is not in place on the image."
+    }
+
+    # Fall back into the back compat way of applying security settings from the DSC zip file
+    if ((-not $gpoInPlace) -or (-not $spoInPlace))
+    {
+        # Unpack the zip
+        # Assumptions: 1. Policies zip file is located in the same path as the module. 2. The module will be dropped by the DSC extension at C:\Program Files\WindowsPowerShell\Modules
+
+        $PSModulePath = $Env:PSModulePath -split ";" | Select-Object -Index 1
+        $ModuleName = "xLocalPolicySettings"
+        $ZipFileName = "xLocalPolicySettingsPolicies.zip"
+        $ZipFilePath = "$PSModulePath\$ModuleName\DSCResources\$ModuleName\$ZipFileName"
+
+        $zipFileExists = Test-Path -Path $ZipFilePath
+        if (-not $zipFileExists)
+        {
+            Write-Warning "Policies zip file not found at expected path: '$ZipFilePath'" -ErrorAction Continue
+        }
+        else
+        {
+            # Extract the zip
+            Write-Verbose "Policies zip file found at expected path: '$ZipFilePath' begining processing." -Verbose
+            $driveLetter = (Get-Item $PSModulePath).PSDrive.Name
+            $workingDir = "$driveLetter`:\secdb"
+
+            # Create working directory if path does not exist
+            if (-not (Test-Path -Path $workingDir))
+            {
+                Write-Verbose "Creating working directory '$workingDir'" -Verbose
+                New-Item -Path $workingDir -ItemType Directory
+            }
+
+            # Extract the zip file to the working directory
+            Expand-Archive -Path $ZipFilePath -DestinationPath $workingDir -Force
+            Write-Verbose "Extracted policies zip file to '$workingDir'" -Verbose
+
+            # apply group policies from zip file
+            if (-not $gpoInPlace)
+            {
+                # Copy the group policy files
+                $gpoFilesPath = "$workingDir\GPO\GroupPolicy"
+                if (Test-Path -Path $gpoFilesPath)
+                {
+                    $gpoDestinationPath = "$env:windir\System32\GroupPolicy"
+                    Copy-Item -Path "$gpoFilesPath\*" -Destination $gpoDestinationPath -recurse -Force
+                    Write-Verbose "Applied group policy files"
+                }
+                else
+                {
+                    Write-Warning "Could not apply group policy on machine, source files not found at: '$gpoFilesPath'" -ErrorAction Continue
+                }
+            }
+
+            # apply security policies from zip file
+            if (-not $spoInPlace)
+            {
+                # Apply the security policy
+                $secPolicyFilePath = "$workingDir\SPO\securitypolicy.inf"
+                if (Test-Path -Path $secPolicyFilePath)
+                {
+                    $secDBPath = "$workingDir\secdb.sdb"
+                    $logFilePath = "$workingDir\secdb.log"
+                    & Secedit /configure /db $secDBPath /cfg $secPolicyFilePath /log $logFilePath /quiet
+                    Write-Verbose "Applied security policy file" -Verbose
+                }
+                else
+                {
+                    Write-Warning "Could not apply security policy on machine, source file not found at: '$secPolicyFilePath'" -ErrorAction Continue
+                }
+            }
+
+        }
+
+    }
+    else
+    {
+        # apply sec policy from the image
+        $imageSecDBPath = Join-Path $spoRootFolder "secdb.sdb"
+        $imageLogFilePath = Join-Path $spoRootFolder "secdb.log"
+        & Secedit /configure /db $imageSecDBPath /cfg $spoFilePath /log $imageLogFilePath /quiet
+        Write-Verbose "Applied security policy file from image" -Verbose
+    }
+
+    # Defender Updates
+    $defenderUpdatesRootFolder = Join-Path $env:SystemDrive "DefenderUpdates"
+    $defenderUpdatesRootFolderTest = Test-Path $defenderUpdatesRootFolder
+
+    if ($defenderUpdatesRootFolderTest)
+    {
+        $updatePlatformAppliedPath = Join-Path $defenderUpdatesRootFolder "PlatformUpdated.txt"
+        $platformUpdatedTest = Test-Path $updatePlatformAppliedPath
+
+        # Defender platform has not been updated, apply update
+        if (-not $platformUpdatedTest)
+        {
+            $platformUpdateFilePath = Join-Path $defenderUpdatesRootFolder "UpdatePlatform.exe"
+            $platfrormUpdateFilePathTest = Test-Path $platformUpdateFilePath
+
+            if ($platfrormUpdateFilePathTest)
+            {
+                # Platform update code based on Defender update code in Azure Stack Deploy repo
+                try
+                {
+                    $process = [System.Diagnostics.Process]::new()
+                    $process.StartInfo.FileName = $platformUpdateFilePath
+                    $timeout = New-TimeSpan -Minutes 10
+
+                    Write-Verbose "Updating Defender platform from file: '$platformUpdateFilePath'" -Verbose
+
+                    $process.Start() | Out-Null
+                    if (-not $process.WaitForExit($timeout.TotalMilliseconds))
+                    {
+                       Write-Warning "MoCAMP update process didn't finish within the time allocated ({0} seconds).`r`n" -f $timeout.TotalSeconds
+                    }
+                    else
+                    {
+                        Write-Verbose "Finished Updating Defender platform from file: '$platformUpdateFilePath'" -Verbose
+                        New-Item -Path $updatePlatformAppliedPath -ItemType File -Force
+                    }
+                }
+                catch
+                {
+                    Write-Warning "Failed to update Defender platform."
+                    Write-Warning $_.Exception
+                }
+                finally 
+                {
+                    $process.Close()
+                    $process = $null
+
+                    $service = Get-Service -Name "windefend" -ErrorAction SilentlyContinue
+                    if ($null -ne $service -and $service.Status -ine "Running")
+                    {
+                        $service | Start-Service -ErrorAction SilentlyContinue
+                    }
+                }
+            }
+            else
+            {
+                Write-Warning "Defender platform update file '$platformUpdateFilePath' not found, skipping Defender platform update."
+            }
+        }
+
+        $updateDefinitionsAppliedPath = Join-Path $defenderUpdatesRootFolder "DefinitionsUpdated.txt"
+        $definitionsUpdatedTest = Test-Path $updateDefinitionsAppliedPath
+
+        # Defender definitions have not been updated, apply update
+        if (-not $definitionsUpdatedTest)
+        {
+            # Defender definitions update 
+            $definitionsUpdatesPath = Join-Path $defenderUpdatesRootFolder "x64"
+            $definitionsUpdatesPathTest = Test-Path $definitionsUpdatesPath
+
+            if ($definitionsUpdatesPathTest)
+            {
+                try
+                {
+                    Write-Verbose "Updating Defender definitions from path: '$definitionsUpdatesPath'" -Verbose
+                    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate -UNC -Path $defenderUpdatesRootFolder 2>&1
+
+                    Write-Verbose "Finished Updating definitions from path: '$definitionsUpdatesPath'" -Verbose
+                    New-Item -Path $updateDefinitionsAppliedPath -ItemType File -Force
+                }
+                catch
+                {
+                    Write-Warning "Fail to apply Microsoft Defender update at: $defenderSignatureFilePath."
+                    Write-Warning $_.Exception
+                }
+            }
+            else
+            {
+                Write-Warning "Defender definitions updates '$definitionsUpdatesPath' not found, skipping Defender definitions update."
+            }
+        }
+    }
+    else 
+    {
+        Write-Warning "'$defenderUpdatesRootFolder' path not found, skipping updating Defender."
+    }
+
+    # Defender scan exclusions for SF data drive paths.
+    $regPath = 'HKLM\Software\Policies\Microsoft\Windows Defender'
+    Set-Registry -Path $regPath -Name Exclusions -Value 1
+    Set-Registry -Path $regPath -Name Scan -Value 1
+
+    $regPath = 'HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions'
+    Set-Registry -Path $regPath -Name Exclusions_Paths -Value 1
+
+    $regPath = 'HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions\Paths'
+    Set-Registry -Path $regPath -Name "E:\SF" -Value 0 -Type REG_SZ
+    Set-Registry -Path $regPath -Name "E:\SFDiagnosticsStore" -Value 0 -Type REG_SZ
+    Set-Registry -Path $regPath -Name "E:\SFSetup" -Value 0 -Type REG_SZ
+    Set-Registry -Path $regPath -Name "E:\SFStandaloneLogs" -Value 0 -Type REG_SZ
+
+    # Enable remote PS firewall rule
+    $remotePSFirewallRule = Get-NetFirewallRule -DisplayName "TCP 5985 Public" -ErrorAction Ignore
+    if ($null -eq $remotePSFirewallRule)
+    {
+        Write-Verbose "Creating firewall rule for port 5985 public profile" -Verbose
+        New-NetFirewallRule -DisplayName "TCP 5985 Public" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 -Profile Public
+    }
+    else
+    {
+        Write-Verbose "Firewall rule for port 5985 public profile already exists" -Verbose
+    }
+}
+
+function Test-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Boolean])]
+    param
+    (
+        [parameter(Mandatory = $true)]
+        [System.UInt32]
+        $DeploymentNodeIndex
+    )
+
+    # Creating the remote PS firewall rule is the last step, check if the rule exist. If it exists all policies have been applied
+    $remotePSFirewallRule = Get-NetFirewallRule -DisplayName "TCP 5985 Public" -ErrorAction Ignore
+    $result = $null -ne $remotePSFirewallRule
+
+    return $result
+}
+
+function Set-Registry([string] $Path, [string] $Name, [string] $Value, [string] $Type)
+{
+    if(-not $Type)
+    {
+        $Type = 'REG_DWORD'
+    }
+
+    reg add $Path /v $Name /d $Value /t $Type /f
+
+    if ($lastExitCode -ne 0)
+    {
+        throw  "Failed to update registry $Path/$Name"
+    }
+    else
+    {
+        Write-Output "Successfully updated registry $Path/$Name"
+    }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/...SC/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettings.schema.mof b/...SC/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettings.schema.mof
@@ -0,0 +1,7 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("xLocalPolicySettings")]
+class xLocalPolicySettings : OMI_BaseResource
+{
+    [Key] Uint32 DeploymentNodeIndex;
+};
+
diff --git a/...C/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettingsPolicies.zip b/...C/xLocalPolicySettings/DSCResources/xLocalPolicySettings/xLocalPolicySettingsPolicies.zip