From 6b0acab8a5971704ca22c4b04850a3871c78e2ec Mon Sep 17 00:00:00 2001
From: jordanbreen28 <jordan.breen@perforce.com>
Date: Thu, 15 Aug 2024 09:54:14 +0100
Subject: [PATCH] (maint) - Add disclaimer for script block logging

This commit adds a warning to each generated modules readme about the
use of sensitive data with script block logging enabled.
As per microsoft's own recommendation, protected event logging should
also be enabled to encyrpt this data.
---
 src/Puppet.Dsc/internal/functions/Get-ReadmeContent.ps1 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Puppet.Dsc/internal/functions/Get-ReadmeContent.ps1 b/src/Puppet.Dsc/internal/functions/Get-ReadmeContent.ps1
index 96beece0..720b7801 100644
--- a/src/Puppet.Dsc/internal/functions/Get-ReadmeContent.ps1
+++ b/src/Puppet.Dsc/internal/functions/Get-ReadmeContent.ps1
@@ -281,13 +281,15 @@ For specific information on troubleshooting a generated module, check the [troub
 
 ## Known Limitations
 
-Currently, because of the way Puppet caches files on agents, use of the legacy [``puppetlabs-dsc``]($LegacyDscForgePage) module is **not** compatible with this or any auto-generated DSC module.
+* Currently, because of the way Puppet caches files on agents, use of the legacy [``puppetlabs-dsc``]($LegacyDscForgePage) module is **not** compatible with this or any auto-generated DSC module.
 Inclusion of both will lead to pluginsync conflicts.
 
-Right now, if you have the same version of a PowerShell module with class-based DSC Resources in your PSModulePath as vendored in a Puppetized DSC Module,
+* Right now, if you have the same version of a PowerShell module with class-based DSC Resources in your PSModulePath as vendored in a Puppetized DSC Module,
 you cannot use those class-based DSC Resources from inside of Puppet due to a bug in DSC which prevents using a module by path reference instead of name.
 Instead, DSC will see that there are two DSC Resources for the same module and version and then error out.
 
+* When PowerShell [Script Block Logging](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.4#enabling-script-block-logging) is enabled, data marked as sensitive in your manifest may appear in these logs as plain text. It is **highly recommended**, by both Puppet and Microsoft, that you also enable [Protected Event Logging](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.4#protected-event-logging) alongside this to encrypt the logs to protect this information.
+
 ### Configuring the LCM
 
 In order for a Puppetized DSC module to function, the DSC Local Configuration Manager (LCM) ``RefreshMode`` must be set to either ``Push`` or ``Disabled``.