SqlWindowsFirewall: Duplicate Browser Firewall Rule for AS feature creates Error in subsequent Test-TargetResource runs

[jerfried]

Problem description

Issue
Running the configuration (see below) for the first time works fine but subsequent runs throw an error message (see below).

Reason
Running the configuration for the first time:
The Set-TargetResource will create a firewall rule for the SQL Server Browser with a DisplayName of 'SQL Server Browser' for the feature 'SQLENGINE'. In the feature switch block for 'AS' it will create the same firewall rule again, since $getTargetResourceResult.BrowserFirewall is still false.

Running the configuration for the second (and subsequent) time:
Test-TargetResource calls Get-TargetResource which calls Test-IsFirewallRuleInDesiredState. When running Test-IsFirewallRuleInDesiredState with @browserFirewallRuleParameters, the following line will throw an error:
$firewallServiceFilter = Get-NetFirewallServiceFilter -AssociatedNetFirewallRule $firewallRule -ErrorAction 'SilentlyContinue'
since the parameter $firewallRule holds an array of two firewall rules with DisplayName 'SQL Server Browser'. Specifying the ErrorAction does not have an effect, however if one specifies $ErrorActionPreference = "SilentlyContinue" the error is not thrown. This is not a viable solution since one would like to know about other errors thrown by the configuration.

Verbose logs

Get-NetFirewallServiceFilter : Cannot process argument transformation on parameter 'AssociatedNetFirewallRule'. Cannot convert the "System.Object[]" value of type "System.Object[]" to type "Microsoft.Management.Infrastructure.CimInstance".
At line:1 char:57
+ Get-NetFirewallServiceFilter -AssociatedNetFirewallRule $rule
+                                                         ~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-NetFirewallServiceFilter], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-NetFirewallServiceFilter

DSC configuration

SqlWindowsFirewall SqlFirewall
{
	Ensure = 'Present'
	Features = 'SQLENGINE,AS'
	InstanceName = 'MSSQLSERVER'
	SourcePath = 'K:'
	DependsOn = @(
	)
}

Suggested solution

Check for the existence of the 'SQL Server Browser' firewall rule before creating it in the Set-TargetResource in the 'SQLENGINE' switch block as well as in the 'AS' switch block:

if (-not (Get-NetFirewallRule -DisplayName $browserFirewallRuleDisplayName -ErrorAction SilentlyContinue))
{
	New-NetFirewallRule @browserFirewallRuleParameters
}

Happy to provide a tiny PR for this, do some testing, deliver more info, or do whatever helps.

SQL Server edition and version

Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)   Aug 22 2017 17:04:49   Copyright (C) 2017 Microsoft Corporation  Developer Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

SQL Server PowerShell modules

Name      Version    Path                                                                                     
----      -------    ----                                                                                     
SqlServer 21.1.18147 C:\Program Files\WindowsPowerShell\Modules\SqlServer\21.1.18147\SqlServer.psd1           
SQLPS     14.0       C:\Program Files (x86)\Microsoft SQL Server\140\Tools\PowerShell\Modules\SQLPS\SQLPS.psd1

Operating system

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version

Name                           Value                                                                                                               
----                           -----                                                                                                               
PSVersion                      5.1.17763.592                                                                                                       
PSEdition                      Desktop                                                                                                             
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                             
BuildVersion                   10.0.17763.592                                                                                                      
CLRVersion                     4.0.30319.42000                                                                                                     
WSManStackVersion              3.0                                                                                                                 
PSRemotingProtocolVersion      2.3                                                                                                                 
SerializationVersion           1.1.0.1

SqlServerDsc version

Name         Version Path                                                                            
----         ------- ----                                                                            
SqlServerDsc 16.0.0  C:\Program Files\WindowsPowerShell\Modules\SqlServerDsc\16.0.0\SqlServerDsc.psd1

[johlju]

I suggest to set $getTargetResourceResult.BrowserFirewall to $true after these two lines:

SqlServerDsc/source/DSCResources/DSC_SqlWindowsFirewall/DSC_SqlWindowsFirewall.psm1

Line 477 in f9bde8a

New-NetFirewallRule @browserFirewallRuleParameters

SqlServerDsc/source/DSCResources/DSC_SqlWindowsFirewall/DSC_SqlWindowsFirewall.psm1

Line 546 in f9bde8a

New-NetFirewallRule @browserFirewallRuleParameters

That will make sure it won't try to add it twice on the first run.

[johlju]

Happy to review a PR that fixes this.

[jerfried]

Hi and thanks a lot for your immediate action on this issue and of course for maintaining this great project! Since I am new to this process it took me a moment to get familiar with it, I hope I managed to adhere to the guidelines. Feel free to correct me where I failed to do so.
I very much agree with your suggestion, it is more transparent that way. I forked the project and will submit a PR shortly.