Provides a set of Windows-specific resources to aid in the creation of cookbooks/recipes targeting the Windows platform.
This cookbook is no longer required for managing Windows nodes with Chef Infra. The necessary resources and helpers are now built into Chef Infra Client itself. These built-in resources are more feature rich and execute faster.
- Windows 7 (EOL)
- Windows Server 2008 R2 (EOL)
- Windows 8, 8.1
- Windows Server 2012 (R1, R2)
- Windows Server 2016
- Chef 14.7+
Binds a certificate to an HTTP port to enable TLS communication.
:create
- creates or updates a binding.:delete
- deletes a binding.
cert_name
- name attribute. The thumbprint(hash) or subject that identifies the certificate to be bound.name_kind
- indicates the type of cert_name. One of :subject (default) or :hash.address
- the address to bind against. Default is 0.0.0.0 (all IP addresses). One of:- IP v4 address
1.2.3.4
- IP v6 address
[::1]
- Host name
www.foo.com
- IP v4 address
port
- the port to bind against. Default is 443.app_id
- the GUID that defines the application that owns the binding. Default is the values used by IIS.store_name
- the store to locate the certificate in. One of:- MY (Personal)
- CA (Intermediate Certification Authorities)
- ROOT (Trusted Root Certification Authorities)
- TRUSTEDPUBLISHER (Trusted Publishers)
- CLIENTAUTHISSUER (Client Authentication Issuers)
- REMOTE DESKTOP (Remote Desktop)
- TRUSTEDDEVICES (Trusted Devices)
- WEBHOSTING (Web Hosting)
- AUTHROOT (Third-Party Root Certification Authorities)
- TRUSTEDPEOPLE (Trusted People)
- SMARTCARDROOT (Smart Card Trusted Roots)
- TRUST (Enterprise Trust)
# Bind the first certificate matching the subject to the default TLS port
windows_certificate_binding "me.acme.com" do
end
# Bind a cert from the CA store with the given hash to port 4334
windows_certificate_binding "me.acme.com" do
cert_name "d234567890a23f567c901e345bc8901d34567890"
name_kind :hash
store_name "CA"
port 4334
end
Note
: This resource is now included in Chef 15 and later. If you are using newer versions of windows then should use the core resource instead of windows_dns.
Configures A and CNAME records in Windows DNS. This requires the DNSCMD to be installed, which is done by adding the DNS role to the server or installing the Remote Server Admin Tools.
- :create: creates/updates the DNS entry
- :delete: deletes the DNS entry
- host_name: name attribute. FQDN of the entry to act on.
- dns_server: the DNS server to update. Default is local machine (.)
- record_type: the type of record to create. One of A (default) or CNAME
- target: for A records an array of IP addresses to associate with the host; for CNAME records the FQDN of the host to alias
- ttl: if > 0 then set the time to live of the record
# Create A record linked to 2 addresses with a 10 minute ttl
windows_dns "m1.chef.test" do
target ['10.9.8.7', '1.2.3.4']
ttl 600
end
# Delete records. target is mandatory although not used
windows_dns "m1.chef.test" do
action :delete
target []
end
# Set an alias against the node in a role
nodes = search( :node, "role:my_service" )
windows_dns "myservice.chef.test" do
record_type 'CNAME'
target nodes[0]['fqdn']
end
Sets the Access Control List for an http URL to grant non-admin accounts permission to open HTTP endpoints.
:create
- creates or updates the ACL for a URL.:delete
- deletes the ACL from a URL.
url
- the name of the url to be created/deleted.sddl
- the DACL string configuring all permissions to URL. Mandatory for create if user is not provided. Can't be use withuser
.user
- the name (domain\user) of the user or group to be granted permission to the URL. Mandatory for create if sddl is not provided. Can't be use withsddl
. Only one user or group can be granted permission so this replaces any previously defined entry. If you receive a parameter error your user may not exist.
windows_http_acl 'http://+:50051/' do
user 'pc\\fred'
end
# Grant access to users "NT SERVICE\WinRM" and "NT SERVICE\Wecsvc" via sddl
windows_http_acl 'http://+:5985/' do
sddl 'D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)'
end
windows_http_acl 'http://+:50051/' do
action :delete
end
Used to configure the schannel security settings in windows, this is used by dotnet apps and PowerShell to be able to speak to tls 1.2 endpoints
configure
: Configures the setting
property | type | default | description |
---|---|---|---|
use_strong_crypto |
True, False | true | Enables or disables the setting |
Adds the principal
(User/Group) to the specified privileges (such as Logon as a batch job
or Logon as a Service
).
:add
- add the specified privileges to theprincipal
:remove
- remove the specified privilege of theprincipal
principal
- Name attribute, Required, String. The user or group to be granted privileges.privilege
- Required, String/Array. The privilege(s) to be granted.
Grant the Administrator user the Logon as a batch job
and Logon as a service
privilege.
windows_user_privilege 'Administrator' do
privilege %w(SeBatchLogonRight SeServiceLogonRight)
end
Remove Logon as a batch job
privilege of Administrator.
windows_user_privilege 'Administrator' do
privilege %w(SeBatchLogonRight)
action :remove
end
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeNetworkLogonRight Access this computer from the network
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeInteractiveLogonRight Allow log on locally
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeTimeZonePrivilege Change the time zone
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreateGlobalPrivilege Create global objects
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeDebugPrivilege Debug programs
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeDenyInteractiveLogonRight Deny log on locally
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege Increase a process working set
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeSecurityPrivilege Manage auditing and security log
SeRelabelPrivilege Modify an object label
SeSystemEnvironmentPrivilege Modify firmware environment values
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUnsolicitedInputPrivilege "Read unsolicited input from a terminal device"
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects
Note
: This resource has been deprecated as Chef Infra Client 15.0 shipped with a new archive_file resource, which natively handles multiple archive formats. Please update any cookbooks using this resource to instead use the archive_file
resource: https://docs.chef.io/resource_archive_file.html
Most versions of Windows do not ship with native cli utility for managing compressed files. This resource provides a pure-ruby implementation for managing zip files. Be sure to use the not_if
or only_if
meta parameters to guard the resource for idempotence or action will be taken every Chef run.
:unzip
- unzip a compressed file:zip
- zip a directory (recursively)
path
- name attribute. The path where files will be (un)zipped to.source
- source of the zip file (either a URI or local path) for :unzip, or directory to be zipped for :zip.overwrite
- force an overwrite of the files if they already exist.checksum
- for :unzip, useful if source is remote, if the local file matches the SHA-256 checksum, Chef will not download it.
Unzip a remote zip file locally
windows_zipfile 'c:/bin' do
source 'http://download.sysinternals.com/Files/SysinternalsSuite.zip'
action :unzip
not_if {::File.exists?('c:/bin/PsExec.exe')}
end
Unzip a local zipfile
windows_zipfile 'c:/the_codez' do
source 'c:/foo/baz/the_codez.zip'
action :unzip
end
Create a local zipfile
windows_zipfile 'c:/foo/baz/the_codez.zip' do
source 'c:/the_codez'
action :zip
end
Helper that allows you to use helpful functions in windows
Returns a hash of all DisplayNames installed
# usage in a recipe
::Chef::DSL::Recipe.send(:include, Windows::Helper)
hash_of_installed_packages = installed_packages
package_name
- The name of the package you want to query to see if it is installedreturns
- true if the package is installed, false if it the package is not installed
Download a file if a package isn't installed
# usage in a recipe to not download a file if package is already installed
::Chef::DSL::Recipe.send(:include, Windows::Helper)
is_win_sdk_installed = is_package_installed?('Windows Software Development Kit')
remote_file 'C:\windows\temp\windows_sdk.zip' do
source 'http://url_to_download/windows_sdk.zip'
action :create_if_missing
not_if {is_win_sdk_installed}
end
Do something if a package is installed
# usage in a provider
include Windows::Helper
if is_package_installed?('Windows Software Development Kit')
# do something if package is installed
end
Helper that allows you to get information on the windows version running on your node. It leverages windows ohai from kernel.os_info, easy to mock and to use even on Linux.
Determines whether the given node is running on a Windows Core.
if ::Windows::VersionHelper.core_version? node
fail 'Windows Core is not supported'
end
Determines whether the given node is a windows workstation version (XP, Vista, 7, 8, 8.1, 10)
if ::Windows::VersionHelper.workstation_version? node
fail 'Only server version of windows are supported'
end
Determines whether the given node is a windows server version (Server 2003, Server 2008, Server 2012, Server 2016)
if ::Windows::VersionHelper.server_version? node
puts 'Server version of windows are cool'
end
Determines NT version of the given node
case ::Windows::VersionHelper.nt_version node
when '6.0' then 'Windows vista or Server 2008'
when '6.1' then 'Windows 7 or Server 2008R2'
when '6.2' then 'Windows 8 or Server 2012'
when '6.3' then 'Windows 8.1 or Server 2012R2'
when '10.0' then 'Windows 10'
end
Place an explicit dependency on this cookbook (using depends in the cookbook's metadata.rb) from any cookbook where you would like to use the Windows-specific resources/providers that ship with this cookbook.
depends 'windows'
- Author:: Seth Chisamore ([email protected])
- Author:: Doug MacEachern ([email protected])
- Author:: Paul Morton ([email protected])
- Author:: Doug Ireton ([email protected])
Copyright 2011-2018, Chef Software, Inc.
Copyright 2010, VMware, Inc.
Copyright 2011, Business Intelligence Associates, Inc
Copyright 2012, Nordstrom, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.