I'm having a little bit of a hard time trying to decipher what the best approach is when creating configurations based off PowerShell DSC.
It appears that partial configurations are meant to allow multiple people/teams to create configurations for their own policies/configurations. This makes sense, but I have seen people taking this approach to essentially create modules to structure their code so it's not so monolithic. Is this a valid approach?
As far as composite resources and roles, it seems like maybe you would use these two implementation methods together. You could build a composite resource to, say, build a web server and then assign a role to a node to apply the web server resource. Would this be the correct approach?
Is there some kind of scaffolding that is common to build out something like this?
I've looked at https://github.com/Microsoft/DscScaffolding and https://github.com/gaelcolas/DscInfraSample, but as far as I can tell, the DscScaffolding repo doesn't use roles, and the DscInfraSample seems like it uses roles, but I couldn't really get it to build, so I wasn't able to really see what it's actually doing.
My main question is: what is the best way to approach PowerShell DSC, and how do you best organize your configurations for the real world so that they are maintainable?
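For the composite-resource-plus-role pairing asked about above, here is an added PowerShell example. It is not code from the original post or from either linked repository; the module name DscTeamRoles, the resource name WebServerRole, the site name, and the node names are all assumptions made for the example.

```powershell
# --- File 1: DscTeamRoles\DscResources\WebServerRole\WebServerRole.schema.psm1 ---
# A composite resource is a Configuration saved as <Name>.schema.psm1 under
# DscResources\<Name>\ inside a module on $env:PSModulePath. Beside it, a
# manifest WebServerRole.psd1 with RootModule = 'WebServerRole.schema.psm1'
# is required, plus a manifest DscTeamRoles.psd1 for the parent module.
# (Module, resource, site and node names are assumptions for this example.)
Configuration WebServerRole {
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $SiteName,

        # Parameters become the properties a caller sets on the resource.
        [string] $PhysicalPath = "C:\inetpub\$SiteName"
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    WindowsFeature IIS {
        Name   = 'Web-Server'
        Ensure = 'Present'
    }

    # A web server role should not also expose FTP; keep it absent.
    WindowsFeature NoFtp {
        Name   = 'Web-Ftp-Server'
        Ensure = 'Absent'
    }

    File SiteRoot {
        DestinationPath = $PhysicalPath
        Type            = 'Directory'
        Ensure          = 'Present'
        DependsOn       = '[WindowsFeature]IIS'
    }
}

# --- File 2: SiteServers.ps1 (root configuration that assigns the role) ---
# Roles live in configuration data, not in the configuration itself, so the
# same root configuration can be reused as nodes are added or re-tagged.
$ConfigData = @{
    AllNodes = @(
        @{ NodeName = 'web01'; Role = @('WebServer'); SiteName = 'intranet' }
        @{ NodeName = 'web02'; Role = @('WebServer'); SiteName = 'intranet' }
        @{ NodeName = 'fs01';  Role = @('FileServer') }
    )
}

Configuration SiteServers {
    Import-DscResource -ModuleName DscTeamRoles   # brings in WebServerRole

    # Only nodes tagged with the WebServer role receive the composite resource;
    # fs01 gets no Node block here and therefore no MOF from this configuration.
    Node $AllNodes.Where({ $_.Role -contains 'WebServer' }).NodeName {
        WebServerRole Intranet {
            SiteName = $Node.SiteName
        }
    }
}

# Produces C:\DSC\SiteServers\web01.mof and web02.mof, ready to push.
SiteServers -ConfigurationData $ConfigData -OutputPath 'C:\DSC\SiteServers'
```

The split is deliberate: the team that owns the web platform maintains the composite resource in its module, while the root configuration only decides which nodes carry which role. Adding a second role (FileServerRole, for instance) is another composite resource and another filtered Node block, not another copy of the resource list.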
I use it in my job to apply configurations to Linux (CentOS) and Windows Servers. I use the push configuration method and the 'ApplyAndMonitor' mode.
Basically I build a module called DSCTools, and a separate configuration function that has the actual configurations in it.
DSCTools does the following:
- takes a Computer Name parameter
- checks against Active Directory, or manual typing, to get the attributes of that computer (i.e., is it a Linux SFTP server, is it a Windows File Server)
- checks if modules need to be installed on the remote computer before applying the configuration
- creates the MOF file
- pushes the configuration
The config is basically a giant function that, in my work, is a PS1 file that is about 3000 lines long. I use Visual Studio Code and code folding to collapse it (Ctrl+K and Ctrl+0), and then at a high level I can see all the different types of servers.
By keeping it all in the same config, I can have statements like 'All Nodes that are not AD servers get this' and 'All Nodes that are AD servers get this'.
In the future, I plan to separate the Linux and Windows Configurations into two separate files because they don't share much in common. Also keep in mind Linux does not support partial configurations yet.
For Windows, multiple configurations can be helpful. Like you could have a 'baseline' config that all servers receive, and then a separate 'Security' config that has your CIS/DISA-STIG compliance configurations.
Then I have a separate logging tool that checks PowerShell DSC Operational logs for failures. That will let me know exactly what setting I specified is not in compliance. For example, perhaps a developer went in and deleted a configuration file or a registry setting.
I also do versioning using a basic file share repository, and I'm able to see how the configuration has changed over time.
I spent the last 2-3 years learning PowerShell and DSC, and it's super helpful in my job to manage everything, and a lot faster.
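The push workflow described in the answer above (role lookup, LCM set to ApplyAndMonitor, MOF build, push, then a check of what drifted), as an added PowerShell example that is not the answerer's DSCTools module. The role table, node names, registry setting and output paths are constructed for this example; a real tool would read the role from Active Directory as the answer describes.

```powershell
# 1. Resolve a computer's role. In production this would come from AD, e.g.
#    (Get-ADComputer $ComputerName -Properties Description).Description.
#    A constructed table stands in here so the script runs without a domain.
$RoleTable = @{
    'web01' = @('WebServer')
    'fs01'  = @('FileServer')
    'dc01'  = @('ADServer')
}

function Get-NodeRole {
    param([Parameter(Mandatory)][string] $ComputerName)
    if (-not $RoleTable.ContainsKey($ComputerName)) {
        # Fail closed: never push a guessed profile to an unclassified host.
        throw "No role recorded for '$ComputerName'; refusing to push."
    }
    $RoleTable[$ComputerName]
}

$ConfigData = @{
    AllNodes = @(
        foreach ($name in $RoleTable.Keys) {
            @{ NodeName = $name; Role = Get-NodeRole -ComputerName $name }
        }
    )
}

# 2. LCM meta-configuration: push mode, ApplyAndMonitor. Drift is reported in
#    the DSC Operational log instead of being silently corrected, which is what
#    makes a deleted config file or registry value visible as non-compliance.
[DSCLocalConfigurationManager()]
Configuration LcmPushMonitor {
    Node $AllNodes.NodeName {
        Settings {
            RefreshMode        = 'Push'
            ConfigurationMode  = 'ApplyAndMonitor'
            RebootNodeIfNeeded = $false
        }
    }
}

# 3. One configuration, filtered by role, so statements like "all nodes that
#    are not AD servers get this" are a single Node block each.
Configuration ServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.Where({ $_.Role -notcontains 'ADServer' }).NodeName {
        Registry DisableSmb1Server {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }

    Node $AllNodes.Where({ $_.Role -contains 'ADServer' }).NodeName {
        WindowsFeature DnsServer {
            Name   = 'DNS'
            Ensure = 'Present'
        }
    }
}

# 4. Build MOFs (one per node) and push them over WinRM.
$null = LcmPushMonitor -ConfigurationData $ConfigData -OutputPath 'C:\DSC\Lcm'
$null = ServerBaseline -ConfigurationData $ConfigData -OutputPath 'C:\DSC\Baseline'

foreach ($node in $ConfigData.AllNodes.NodeName) {
    Set-DscLocalConfigurationManager -Path 'C:\DSC\Lcm' -ComputerName $node -Verbose
    Start-DscConfiguration -Path 'C:\DSC\Baseline' -ComputerName $node -Wait -Verbose -Force
}

# 5. Drift report: which declared resources are out of state on which node,
#    plus the most recent error events from the DSC Operational log.
function Get-DscDrift {
    param([Parameter(Mandatory)][string[]] $ComputerName)
    foreach ($node in $ComputerName) {
        $status = Test-DscConfiguration -ComputerName $node -Detailed
        foreach ($r in $status.ResourcesNotInDesiredState) {
            [pscustomobject]@{ Node = $node; Resource = $r.ResourceId }
        }
    }
}

Get-DscDrift -ComputerName $ConfigData.AllNodes.NodeName | Format-Table -AutoSize

Get-WinEvent -ComputerName 'web01' -MaxEvents 20 `
    -FilterHashtable @{ LogName = 'Microsoft-Windows-DSC/Operational'; Level = 2 } |
    Select-Object TimeCreated, Id, Message
```

Test-DscConfiguration -Detailed is the quickest way to turn "something is non-compliant" into the exact resource ID that drifted; the Operational log query then gives the error text behind it. Both are read-only, so they are safe to run from a scheduled job against every node without changing anything.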