Resource dependencies using DependsOn
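When you write configurations, you add resource blocks to configure aspects of a target node. As you continue to add resource blocks, your configurations can grow quite large and become difficult to manage. One such challenge is the order in which your resource blocks are applied. Resources are normally applied in the order in which they are defined in the configuration. As your configuration grows larger and more complex, you can use the DependsOn key to change the order in which resources are applied by specifying that one resource depends on another.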
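The DependsOn key can be used in any resource block. It is defined with the same key/value mechanism as other resource keys. The DependsOn key expects an array of strings with the following syntax.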
DependsOn = '[<Resource Type>]<Resource Name>', '[<Resource Type>]<Resource Name>'
The following example configures a firewall rule after the Public profile has been enabled and configured.
# Install the NetworkingDsc module to configure firewall rules and profiles.
Install-Module -Name NetworkingDsc

Configuration ConfigureFirewall
{
    Import-DscResource -ModuleName NetworkingDsc -Name Firewall, FirewallProfile

    Node localhost
    {
        # Defined first, but applied only after the Public profile resource succeeds.
        Firewall Firewall
        {
            Name      = 'IIS-WebServerRole-HTTP-In-TCP'
            Ensure    = 'Present'
            Enabled   = 'True'
            DependsOn = '[FirewallProfile]FirewallProfilePublic'
        }

        # Public profile: block inbound by default and log blocked traffic.
        FirewallProfile FirewallProfilePublic
        {
            Name                    = 'Public'
            Enabled                 = 'True'
            DefaultInboundAction    = 'Block'
            DefaultOutboundAction   = 'Allow'
            AllowInboundRules       = 'True'
            AllowLocalFirewallRules = 'False'
            AllowLocalIPsecRules    = 'False'
            NotifyOnListen          = 'True'
            LogFileName             = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
            LogMaxSizeKilobytes     = 16384
            LogAllowed              = 'False'
            LogBlocked              = 'True'
            LogIgnored              = 'NotConfigured'
        }
    }
}

# Compile the configuration to a MOF file in C:\Temp\.
ConfigureFirewall -OutputPath C:\Temp\
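When you apply the configuration, the firewall profile is always configured first, regardless of the order in which the resource blocks are defined. If you apply the configuration, be sure to note the target node's existing configuration so that you can restore it if needed.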
PS> Start-DSCConfiguration -Verbose -Wait -Path C:\Temp\ -ComputerName localhost
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SERVER01 with user sid S-1-5-21-181338-0189125723-1543119021-1282804.
VERBOSE: [SERVER01]: LCM: [ Start Set ]
VERBOSE: [SERVER01]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\NetworkingDsc\6.1.0.0\DscResources\MSFT_Firewall\MSFT_Firewall.psm1 in force mode.
VERBOSE: [SERVER01]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\NetworkingDsc\6.1.0.0\DscResources\MSFT_FirewallProfile\MSFT_FirewallProfile.psm1 in force mode.
VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: LCM: [ Start Test ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Importing the module MSFT_FirewallProfile in force mode.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Testing Firewall Public Profile.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowInboundRules" is "NotConfigured" but should be "True". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowLocalFirewallRules" is "NotConfigured" but should be "False". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "AllowLocalIPsecRules" is "NotConfigured" but should be "False". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "DefaultOutboundAction" is "NotConfigured" but should be "Allow". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "LogBlocked" is "False" but should be "True". Change required.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Test-TargetResource: Firewall Public Profile "LogMaxSizeKilobytes" is "4096" but should be "16384". Change required.
VERBOSE: [SERVER01]: LCM: [ End Test ] [[FirewallProfile]FirewallProfilePublic] in 1.6890 seconds.
VERBOSE: [SERVER01]: LCM: [ Start Set ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Importing the module MSFT_FirewallProfile in force mode.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile.
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowInboundRules to "AllowInboundRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowLocalFirewallRules to "AllowLocalFirewallRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter AllowLocalIPsecRules to "AllowLocalIPsecRules".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter DefaultOutboundAction to "DefaultOutboundAction".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter LogBlocked to "LogBlocked".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile parameter LogMaxSizeKilobytes to "LogMaxSizeKilobytes".
VERBOSE: [SERVER01]: [[FirewallProfile]FirewallProfilePublic] Set-TargetResource: Setting Firewall Public Profile updated.
VERBOSE: [SERVER01]: LCM: [ End Set ] [[FirewallProfile]FirewallProfilePublic] in 10.0360 seconds.
VERBOSE: [SERVER01]: LCM: [ End Resource ] [[FirewallProfile]FirewallProfilePublic]
VERBOSE: [SERVER01]: LCM: [ Start Resource ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: LCM: [ Start Test ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: [[Firewall]Firewall] Importing the module MSFT_Firewall in force mode.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Checking settings for firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Find firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Get-FirewallRule: No Firewall Rule found with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' does not exist.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Test-TargetResource: Check Firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' returning False.
VERBOSE: [SERVER01]: LCM: [ End Test ] [[Firewall]Firewall] in 1.1780 seconds.
VERBOSE: [SERVER01]: LCM: [ Start Set ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: [[Firewall]Firewall] Importing the module MSFT_Firewall in force mode.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: Applying settings for firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: Find firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Get-FirewallRule: No Firewall Rule found with Name 'IIS-WebServerRole-HTTP-In-TCP'.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: We want the firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' to exist since Ensure is set to Present.
VERBOSE: [SERVER01]: [[Firewall]Firewall] Set-TargetResource: We want the firewall rule with Name 'IIS-WebServerRole-HTTP-In-TCP' to exist, but it does not.
VERBOSE: [SERVER01]: [[Firewall]Firewall] New-NetFirewallRule DisplayName: IIS-WebServerRole-HTTP-In-TCP
VERBOSE: [SERVER01]: LCM: [ End Set ] [[Firewall]Firewall] in 1.0850 seconds.
VERBOSE: [SERVER01]: LCM: [ End Resource ] [[Firewall]Firewall]
VERBOSE: [SERVER01]: LCM: [ End Set ]
VERBOSE: [SERVER01]: LCM: [ End Set ] in 15.2880 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 15.385 seconds
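This also ensures that if the FirewallProfile resource fails for any reason, the Firewall block does not run, even though it was defined first. The DependsOn key gives you more flexibility in grouping resource blocks and ensures that dependencies are resolved before a resource runs.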
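The ordering guarantee only covers rules that actually declare the dependency. As an added example (not part of the original page or of the NetworkingDsc project), the check below scans compiled MOF text and reports firewall rules with no DependsOn on a FirewallProfile resource, as well as DependsOn entries that name an undefined resource. The helper name `Test-FirewallDependsOn`, the `[Firewall]ExampleRule` resource and the sample MOF text are constructed for illustration, and the MOF layout is an assumption.

```powershell
# Added example. $sampleMof is a constructed, trimmed stand-in for the compiled
# C:\Temp\localhost.mof; the layout of a real MOF is assumed to match it.
$sampleMof = @'
instance of MSFT_Firewall as $MSFT_Firewall1ref
{
 ResourceID = "[Firewall]Firewall";
 DependsOn = {
    "[FirewallProfile]FirewallProfilePublic"};
};
instance of MSFT_Firewall as $MSFT_Firewall2ref
{
 ResourceID = "[Firewall]ExampleRule";
};
instance of MSFT_FirewallProfile as $MSFT_FirewallProfile1ref
{
 ResourceID = "[FirewallProfile]FirewallProfilePublic";
};
'@

function Test-FirewallDependsOn {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$MofText)

    # Split into one chunk per resource instance; pull out ResourceID and DependsOn.
    $resources = foreach ($chunk in ($MofText -split '(?m)^instance of ')) {
        $id = [regex]::Match($chunk, 'ResourceID\s*=\s*"([^"]+)"').Groups[1].Value
        if ($id) {
            $list = [regex]::Match($chunk, '(?s)DependsOn\s*=\s*\{(.*?)\}').Groups[1].Value
            $deps = @([regex]::Matches($list, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value })
            [pscustomobject]@{ ResourceId = $id; DependsOn = $deps }
        }
    }
    $known = @($resources.ResourceId)
    foreach ($r in $resources) {
        # A DependsOn entry must name a resource defined in the same document.
        foreach ($d in $r.DependsOn) {
            if ($known -notcontains $d) { "$($r.ResourceId): unknown dependency $d" }
        }
        # Policy: every firewall rule must wait for a FirewallProfile resource.
        if ($r.ResourceId -match '^\[Firewall\]' -and
            -not ($r.DependsOn -match '^\[FirewallProfile\]')) {
            "$($r.ResourceId): no DependsOn on a FirewallProfile resource"
        }
    }
}

Test-FirewallDependsOn -MofText $sampleMof
```

To check a real compiled configuration, pass the file contents instead, for example `Get-Content -Raw C:\Temp\localhost.mof`.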
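In more advanced configurations, you can also use cross-node dependencies for finer-grained control (for example, ensuring that a domain controller is configured before a client is joined to the domain).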
Cleanup
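If you applied the configuration above, you can reverse the keys to undo any changes. In the example above, setting the Enabled key to false disables the firewall rule and profile. Modify the example as needed to match the target node's previously configured state.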
        Firewall Firewall
        {
            Name      = 'IIS-WebServerRole-HTTP-In-TCP'
            Enabled   = 'False'
            DependsOn = '[FirewallProfile]FirewallProfilePublic'
        }

        FirewallProfile FirewallProfilePublic
        {
            Name    = 'Public'
            Enabled = 'False'
        }