I'm currently using the CertificateDSC CertReq resource to generate a certificate request within a DSC configuration. I'm pretty new to DSC; I'm checking it out using a push approach, and my workflow consists of generating the MOF and then running either Start-DscConfiguration or Update-DscConfiguration afterwards.
Whenever I run the DSC configuration or update it, a new certificate is requested from the CA. Obviously that's not really my intention. How would you add a PowerShell DSC block that's evaluated on the node and dynamically checks whether a resource block needs to be applied?
The idea is to have a block that checks for a suitable certificate and generates some kind of flag that's evaluated before the CertReq block.
In pseudo code it would be similar to the following. Doing that in a DSC configuration doesn't seem to work.

```powershell
Configuration X {
    Import-DscResource -ModuleName CertificateDSC

    # Intended: only emit the CertReq block when no suitable certificate is present
    # ($condition is a placeholder for the Where-Object filter that picks it out).
    if ((Get-ChildItem Cert:\LocalMachine\My | Where-Object $condition).Count -eq 0) {
        CertReq psCert {
            # Data
        }
    }
}
```
So first, the idea that you want to do a conditional check before executing the resource is counter to the idea of using DSC idempotently. That code executes at compilation time to generate the MOF, but it's frozen at that point (as you've found out).
I've looked at the code for this DSC module, and from that I can tell that it's already doing this check for whether or not it should be making a new request.
What you should be doing then is just use CertReq with the parameters needed, and the module should handle all of the conditionals. If it's still generating duplicate requests at that point, then edit your question to include those details, and/or debug the DSC execution yourself.
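As an added example (not part of either post above, and not the module's own code), this is what the answer recommends in practice: the CertReq resource used directly with no compile-time `if`, followed by the two checks a practitioner would run to confirm that a second apply is a no-op. The CA FQDN, CA common name, template name, subject and output path are placeholders; the Test-DscConfiguration and cert-store comparison at the end are the "debug it yourself" step the answer suggests, not something the resource does for you.

```powershell
# Added example: CertReq used directly. The resource's own Test-TargetResource
# runs on the node at apply time and decides whether a matching certificate
# already exists, so no compile-time conditional is needed.
# Placeholders (assumptions): CA FQDN, CA common name, template, subject, path.
Configuration WebServerCert {
    Import-DscResource -ModuleName CertificateDsc

    Node 'localhost' {
        CertReq WebCert {
            Subject             = 'CN=web01.contoso.local'
            CAServerFQDN        = 'ca01.contoso.local'
            CARootName          = 'contoso-CA01-CA'
            CertificateTemplate = 'WebServer'
            KeyLength           = '2048'
            Exportable          = $false
            FriendlyName        = 'web01 TLS'
            AutoRenew           = $true
        }
    }
}

# Compile the MOF and push it (run elevated on the node). -Verbose shows the
# resource's Test/Set calls, so a second run should log that the test passed
# and Set-TargetResource was skipped.
WebServerCert -OutputPath C:\DSC\WebServerCert | Out-Null
Start-DscConfiguration -Path C:\DSC\WebServerCert -Wait -Verbose -Force

# Check 1: does the LCM now consider the node compliant? Expect InDesiredState = True
# and WebCert listed under ResourcesInDesiredState.
Test-DscConfiguration -Detailed |
    Select-Object InDesiredState, ResourcesInDesiredState, ResourcesNotInDesiredState

# Check 2: does a certificate in the machine store carry exactly the Subject and
# issuer named in the configuration? If the CA issues the certificate with a
# subject or issuer string that differs from what the MOF says, the resource
# will never see a match and will enrol again on every apply (assumption about
# the most likely cause; confirm against the module's Test-TargetResource).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=web01.contoso.local' } |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Run the Start-DscConfiguration line twice: the first apply should enrol, the second should only test. If the second apply still enrols, the output of the two checks (compliance state and the exact Subject/Issuer strings on the certificate the CA actually issued) is what to include when editing the question.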