Is it possible to encrypt password in manifest file Windows-dsc module - SOLVED

asked 2018-10-31 13:06:16 -0600

dragan979

updated 2018-11-05 03:08:45 -0600

I installed the dsc module and added an AD user to the domain controller using Puppet. The code below works fine when hard-coding the password as plain text. Is it possible somehow to encrypt those passwords?

I read that hiera-eyaml is the solution for this, so I encrypted the password:

[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string:
 ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]

Then I stored that encrypted pass in the /etc/common.eyaml file (specified in the hiera config file):

/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml

I can decrypt the file successfully:

 /opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml

Then I specified the encrypted pass in the manifest file

/etc/puppetlabs/code/environments/production/manifests/site.pp:

 dsc_xADUser {'FirstUser':

            dsc_ensure => 'present',
            dsc_domainname => 'ad.contoso.com',
            dsc_username   => 'tfl',
            dsc_userprincipalname => 'tfl@ad.contoso.com',
            dsc_password   => {
            'user' => 'Administrator@ad.contoso.com',
            'password' => Sensitive('pass')
            },
            dsc_passwordneverexpires => true,
            dsc_domainadministratorcredential => {
            'user'  => 'Administrator@ad.contoso.com',
            'password' => ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
            },
        }

On the Windows node I got this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not parse for environment production: Syntax error at '+' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 69, column: 123) on node windows.example.com

When putting quotes around the pass, I then get: Password doesn't meet complexity....

Hiera config file:

cat /etc/puppetlabs/puppet/hiera.yaml

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "/etc/common.yaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

How do I map this password from hiera to the site.pp file?

Comments

The encrypted value needs to go in an eyaml file in your hierarchy, not directly in your manifest.

DarylW ( 2018-11-01 08:44:14 -0600 )

Thanks it works!!

dragan979 ( 2018-11-05 03:08:26 -0600 )
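
What DarylW's comment describes, as an added example that is not part of the original thread: the ENC[...] strings live in the Hiera data file and the manifest only looks them up by key. The key names `ad_admin_password` and `ad_new_user_password` and the two variables are hypothetical; the resource attributes are the ones from the question.

```puppet
# Added example; key and variable names are assumptions, not from the thread.
#
# 1. In the data file listed under the eyaml level of hiera.yaml, store the
#    output of `eyaml encrypt -p` as the value of a key (YAML, shown as comments):
#
#      ---
#      ad_admin_password: ENC[PKCS7,<ciphertext from eyaml encrypt>]
#      ad_new_user_password: ENC[PKCS7,<ciphertext from eyaml encrypt>]
#
#    ENC[...] is not Puppet syntax, which is why pasting it into site.pp gives
#    "Syntax error at '+'". Quoting it there passes the literal ciphertext
#    text as the password instead of decrypting it.
#
# 2. In site.pp, look the values up. The eyaml backend decrypts them on the
#    Puppet server during catalog compilation, so the private key never has
#    to leave the server. Wrapping the result in Sensitive keeps the
#    plaintext out of logs and reports.
$admin_password = Sensitive(lookup('ad_admin_password', String))
$user_password  = Sensitive(lookup('ad_new_user_password', String))

dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => $user_password,
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => $admin_password,
  },
}
```

Running `puppet lookup ad_admin_password --environment production` on the server is a quick check that the key resolves and decrypts before the agent runs.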