Use Puppet for Windows ops automation with dsc_lite
With DSC and dsc_lite, as well as a native option, users operate in Puppet within the familiarity of PowerShell settings. Here's how each approach works.
Puppet configuration management users have several options to manage Windows boxes. The best one depends on the IT deployment and admin skills.
Configuration management tools largely started in the Linux space, but Windows admins also want consistent deployments, easy policy enforcement and agile IT infrastructure changes. Puppet is an established, mature tool with support for the Windows OS. Likewise, Microsoft offers PowerShell Desired State Configuration (DSC) to handle configuration management and automation tasks.
DevOps and IT admins who evaluate Puppet for Windows management have three choices:
- Admins can manage Windows systems without PowerShell DSC at all, relying on native resources written and built with Puppet.
- Users familiar with Puppet can deploy the Puppet DSC module for PowerShell, which has many built-in DSC resources that Puppet, the eponymous maker of the config tool, manages. Admins do not need to think about how DSC resources get onto nodes managed by Puppet; it does that automatically.
- Puppet's dsc_lite module enables users to run practically any DSC module on a node, even if they are class-based. The dsc_lite resources are completely independent of Puppet, unlike the Puppet DSC module, which is DSC resources translated into Ruby, to speak the same language as Puppet.
PowerShell DSC pros and cons
As an experienced systems engineer, I am of the opinion that Microsoft has not worked enough to make PowerShell DSC a legitimate stand-alone configuration management platform. Admins have a bevy of DSC resources available to configure Windows systems, but PowerShell DSC itself lacks tooling to make it a truly viable option for many enterprise IT organizations. For example, there is no native GUI monitoring built into DSC. Admins must turn to third-party tools or PowerShell itself for monitoring.
Puppet and Chef are more mature configuration management products. Windows administrators can use DSC resources with these tools to take advantage of more features while still creating Windows resources in the familiar confines of PowerShell.
When to use Puppet DSC vs. dsc_lite
Shops that mostly run Linux OSes with some Windows systems sprinkled in can try the ordinary Puppet DSC module to fit their needs. It has many modules, which users can write into Puppet in the same way as any Linux-based one. This setup doesn't require a deep understanding of PowerShell DSC to use Puppet for Windows automation. Puppet experts can also add custom DSC resources into the configuration management tool and use it with the Puppet DSC module as well, with some additional build steps.
The dsc_lite module suits IT organizations that mostly run Windows systems, use Puppet and want to manage systems via PowerShell DSC in a more direct way. The approach is similar to how you write a DSC configuration in Windows, and it's a bit easier for Puppet newcomers. Users can create DSC resources in PowerShell, just as they would if they were only using DSC for configuration management, and combine it with Puppet to glean benefits of a more mature platform.
If you are a PowerShell DSC user who wants to try Puppet for Windows configuration management, evaluate dsc_lite. The short tutorial below offers a look into how dsc_lite works, including its parameters.
Create a manifest with dsc_lite
The Puppet DSC module and dsc_lite disperse DSC resources to nodes differently. The Puppet DSC module contains all of the DSC resources, so Puppet nodes download the DSC modules in a similar way to how they download native Puppet module resources. With dsc_lite, the user needs to write into the Puppet manifest how resources should get to the node, such as via PowerShell in Puppet to install the module.
The dsc_lite module uses a small group of parameters: Name, Ensure, The DSC resource name, The DSC module and Properties. The Properties Puppet parameter is where you can make mappings of a DSC resource into Puppet, similar to how a DSC configuration gets set up.
In this example of Puppet for Windows, we use a DSC community module named DSCR_Autologon that enables the use of the automatic login feature in Windows. The resource cAutoLogon in this module sets the registry keys DefaultUserName and DefaultPassword so that Windows automatically logs into the node with these credentials.
In the Puppet manifest, state the DSC module name, version and resource name to configure.
Next, use the Puppet Properties parameter to map the DSC properties into Puppet. To use a PSCredential object in dsc_lite, the dsc_type and dsc_properties parameters go inside of the autologoncredential DSC property.
Puppet runs the manifest and DSC is invoked, as seen in the following output:
/Stage[main]/Main/Dsc[Autologon]/ensure: invoked {"name"=>"DSCR_AutoLogon", "version"=>"2.1.0"}\cAutologon
Use PowerShell to check the registry for this change as well.