Resource dependencies using the DependsOn key
When you write Configurations, you add Resource blocks to configure aspects of a target Node. As you continue to add Resource blocks, your Configurations can grow quite large and cumbersome to manage. One such challenge is the applied order of your resource blocks. Typically, resources are applied in the order in which they are defined in the Configuration. As your Configuration grows larger and more complex, you can use the DependsOn key to change the applied order of your resources by specifying that a resource depends on another resource.
The DependsOn key can be used in any Resource block. It is defined with the same key/value mechanism as other Resource keys. The DependsOn key expects an array of strings with the following syntax.
DependsOn = '[<Resource Type>]<Resource Name>', '[<Resource Type>]<Resource Name>'
The following example configures a firewall rule after enabling and configuring the public profile.
# Install the NetworkingDSC module to configure firewall rules and profiles.
Install-Module -Name NetworkingDSC

Configuration ConfigureFirewall
{
    Import-DSCResource -Name Firewall, FirewallProfile

    Node localhost
    {
        Firewall Firewall
        {
            Name      = 'IIS-WebServerRole-HTTP-In-TCP'
            Ensure    = 'Present'
            Enabled   = 'True'
            DependsOn = '[FirewallProfile]FirewallProfilePublic'
        }

        FirewallProfile FirewallProfilePublic
        {
            Name                    = 'Public'
            Enabled                 = 'True'
            DefaultInboundAction    = 'Block'
            DefaultOutboundAction   = 'Allow'
            AllowInboundRules       = 'True'
            AllowLocalFirewallRules = 'False'
            AllowLocalIPsecRules    = 'False'
            NotifyOnListen          = 'True'
            LogFileName             = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
            LogMaxSizeKilobytes     = 16384
            LogAllowed              = 'False'
            LogBlocked              = 'True'
            LogIgnored              = 'NotConfigured'
        }
    }
}

ConfigureFirewall -OutputPath C:\Temp\
When you apply the Configuration, the firewall profile is always configured first, regardless of the order in which the Resource blocks are defined. If you apply the Configuration, be sure to note the existing configuration of your target Nodes so that you can revert if desired.
PS> Start-DSCConfiguration -Verbose -Wait -Path C:\Temp\ -ComputerName localhost
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SERVER01 with user sid S-1-5-21-181338-0189125723-1543119021-1282804.
VERBOSE: [SERVER01]: LCM: [ Start Set ]
VERBOSE: [SERVER01]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\NetworkingDsc\6.1.0.0\DscResources\MSFT_Firewall\MSFT_Firewall.psm1 in force mode.
VERBOSE: [SERVER01]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\NetworkingDsc\6.1.0.0\DscResources\MSFT_FirewallProfile\MSFT_FirewallProfile.psm1 in force mode.
VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: LCM: [ Start Test ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Importing the module MSFT_FirewallProfile in force mode.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Testing Firewall Public Profile.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowInboundRules" is "NotConfigured" but should be "True". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowLocalFirewallRules" is "NotConfigured" but should be "False". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowLocalIPsecRules" is "NotConfigured" but should be "False". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "DefaultOutboundAction" is "NotConfigured" but should be "Allow". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "LogBlocked" is "False" but should be "True". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "LogMaxSizeKilobytes" is "4096" but should be "16384". Change required.
VERBOSE: [SERVER01]: LCM: [ End Test ] [[FirewallProfile]FirewallProfilePublic] in 1.6890 seconds.
VERBOSE: [SERVER01]: LCM: [ Start Set ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Importing the module MSFT_FirewallProfile in force mode.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowInboundRules to "AllowInboundRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowLocalFirewallRules to "AllowLocalFirewallRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowLocalIPsecRules to "AllowLocalIPsecRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter DefaultOutboundAction to "DefaultOutboundAction".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter LogBlocked to "LogBlocked".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter LogMaxSizeKilobytes to "LogMaxSizeKilobytes".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile updated.
VERBOSE: [SERVER01]: LCM: [ End Set ] [[FirewallProfile]FirewallProfilePublic] in 10.0360 seconds.
VERBOSE: [SERVER01]: LCM: [ End Resource ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: LCM: [ Start Test ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: [[Firewall]Firewall] Importing the module MSFT_Firewall in force mode.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Checking settings for firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Find firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Get-FirewallRule: No Firewall Rule found with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' does not exist.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Check Firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' returning False.
VERBOSE: [SERVER01]: LCM: [ End Test ] [[Firewall]Firewall] in 1.1780 seconds.
VERBOSE: [SERVER01]: LCM: [ Start Set ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: [[Firewall]Firewall] Importing the module MSFT_Firewall in force mode.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: Applying settings for firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: Find firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Get-FirewallRule: No Firewall Rule found with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: We want the firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' to exist since Ensure is set to Present.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: We want the firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' to exist, but it does not.
VERBOSE: [SERVER01]: [[Firewall]Firewall] New-NetFirewallRule DisplayName: IIS-WebServerRole-HTTP-In-TCP
VERBOSE: [SERVER01]: LCM: [ End Set ] [[Firewall]Firewall] in 1.0850 seconds.
VERBOSE: [SERVER01]: LCM: [ End Resource ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: LCM: [ End Set ]
VERBOSE: [SERVER01]: LCM: [ End Set ] in 15.2880 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 15.385 seconds
This also ensures that if the FirewallProfile resource fails for any reason, the Firewall block does not run, even though it was defined first. The DependsOn key allows more flexibility in grouping resource blocks and ensures that dependencies are resolved before a resource runs.
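To confirm on a given run that the LCM honoured the declared dependencies, the `Start Resource` lines of the verbose output can be checked against the DependsOn edges. The following is an added example, not part of the original page; the function names `Get-DscResourceOrder` and `Test-DscDependencyOrder` are hypothetical and the sample lines are constructed in the format of the output shown above.

```powershell
# Added example (not from the original page). Function names are hypothetical.
function Get-DscResourceOrder {
    param([string[]]$VerboseLine)
    foreach ($line in $VerboseLine) {
        # Matches "LCM: [ Start Resource ] [[Type]Name]" and emits "[Type]Name".
        if ($line -match 'LCM:\s+\[\s*Start\s+Resource\s*\]\s+\[(\[[^\]]+\][^\]]+)\]') {
            $Matches[1]
        }
    }
}

function Test-DscDependencyOrder {
    param(
        [string[]]$VerboseLine,
        [hashtable]$DependsOn   # dependent '[Type]Name' -> list of '[Type]Name' it depends on
    )
    $order = @(Get-DscResourceOrder -VerboseLine $VerboseLine)
    foreach ($dependent in $DependsOn.Keys) {
        $dependentIndex = [array]::IndexOf($order, $dependent)
        if ($dependentIndex -lt 0) { continue }   # dependent never started; nothing to order
        foreach ($dependency in @($DependsOn[$dependent])) {
            $dependencyIndex = [array]::IndexOf($order, $dependency)
            # Violation: the dependency never started, or started after its dependent.
            if ($dependencyIndex -lt 0 -or $dependencyIndex -gt $dependentIndex) {
                [pscustomobject]@{ Dependent = $dependent; Dependency = $dependency }
            }
        }
    }
}

# Constructed sample lines in the LCM verbose format.
$sample = @(
    'VERBOSE: [SERVER01]: LCM: [ Start Set ]'
    'VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[FirewallProfile]FirewallProfilePublic]'
    'VERBOSE: [SERVER01]: LCM: [ End Resource ] [[FirewallProfile]FirewallProfilePublic]'
    'VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[Firewall]Firewall]'
    'VERBOSE: [SERVER01]: LCM: [ End Resource ] [[Firewall]Firewall]'
)

# The DependsOn edge declared in the Configuration above.
$declared = @{ '[Firewall]Firewall' = @('[FirewallProfile]FirewallProfilePublic') }

$violations = @(Test-DscDependencyOrder -VerboseLine $sample -DependsOn $declared)
if ($violations.Count -eq 0) { 'Order matches DependsOn' } else { $violations }
```

On a real run, the verbose stream can be captured for this check by redirecting it with `4>&1` on the `Start-DscConfiguration` call.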
In more advanced Configurations, you can also use cross-node dependency to allow even more granular control (for example, ensuring that a domain controller is configured before joining a client to the domain).
Cleanup
If you applied the Configuration above, you can reverse the keys to undo any changes. In the example above, setting the Enabled key to false disables the firewall rule and profile. You should modify the example as necessary to match the previous configured state of your target Node.
Firewall Firewall
{
    Name      = 'IIS-WebServerRole-HTTP-In-TCP'
    Enabled   = 'False'
    DependsOn = '[FirewallProfile]FirewallProfilePublic'
}

FirewallProfile FirewallProfilePublic
{
    Name    = 'Public'
    Enabled = 'False'
}