modules/deploy/BuiltinSteps/PSCIIISConfig.ps1

<#
The MIT License (MIT)
 
Copyright (c) 2015 Objectivity Bespoke Software Specialists
 
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
 
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
#>


Configuration PSCIIISConfig {

    <#
    .SYNOPSIS
    Configures IIS - creates application pools / websites / virtual directories / web applications.
 
    .DESCRIPTION
    This is DSC configuration, so it should be invoked locally (but can also be invoked with -RunRemotely).
    It uses token `IISConfig`, which should be a hashtable (or array of hashtables) with following keys:
    - **ApplicationPool** - hashtable (or array of hashtables) describing configuration of Application Pools, each entry should contain following keys:
      - **Name** (required)
      - **Identity** - one of ApplicationPoolIdentity, LocalSystem, LocalService, NetworkService, SpecificUser (default: ApplicationPoolIdentity)
      - **Credential** - PSCredential, used only if Identity = SpecificUser
 
    - **Website** - hashtable (or array of hashtables) describing configuration of Websites, each entry should contain following keys:
      - **Name** (required)
      - **Binding** (required) - hashtable (or array of hashtables) describing binding:
        - **Port** (required)
        - **Protocol** - http (default) or https
        - **HostName**
        - **IPAddress**
        - **CertificateStoreName** - for https only - allowed values: My (default), WebHosting
        - **CertificateThumbprint** - for https only
        - **CertificateSelfSigned** - if $true, self-signed certificate will be created (if doesn't exist) and bound to https (this should NOT be used together with CertificateStoreName or CertificateThumbprint)
      - **PhysicalPath** (required)
      - **ApplicationPool** (default: DefaultAppPool) - note if application pool is configured in the same step, also proper ACLs to PhysicalPath will be added.
      - **AuthenticationMethodsToEnable** - list of authentication methods to enable (e.g. Windows) - note it should not be normally used (you should put it into Web.config of your web application)
      - **AuthenticationMethodsToDisable** - list of authentication methods to disable (e.g. Anonymous) - note it should not be normally used (you should put it into Web.config of your web application)
     
    - **VirtualDirectory** - hashtable (or array of hashtables) describing configuration of Virtual Directories created under websites, each entry should contain following keys:
      - **Name** (required)
      - **PhysicalPath** (required)
      - **Website** (required)
 
    - **WebApplication** - hashtable (or array of hashtables) describing configuration of Web Applications, each entry should contain following keys:
      - **Name** (required)
      - **PhysicalPath** (required)
      - **Website** (required)
      - **ApplicationPool** (default: <inherited from site>) - note if application pool is configured in the same step, also proper ACLs to PhysicalPath will be added.
 
    See also [xWebAdministration](https://github.com/PowerShell/xWebAdministration).
 
    .EXAMPLE
    ```
    Import-Module "$PSScriptRoot\..\PSCI\PSCI.psd1" -Force
 
    # clear any old Environment definitions - required only for -NoConfigFiles deployments
    $Global:Environments = @{}
 
    Environment Local {
        ServerConnection WebServer -Nodes localhost
        ServerRole Web -Steps 'PSCIIISConfig' -ServerConnection WebServer
 
        Tokens Web @{
            IISConfig = @{
                ApplicationPool = @( @{ Name = 'MyWebAppPool'; Identity = 'ApplicationPoolIdentity' },
                                     @{ Name = 'MySecondAppPool'; Identity = 'ApplicationPoolIdentity' }
                                     #@{ Name = 'MyThirdAppPool'; Identity = 'SpecificUser'; Credential = { $Tokens.Credentials.MyCredential } }
                                  )
                Website = @( @{ Name = 'MyWebsite';
                                Binding = @{ Port = 801 };
                                PhysicalPath = 'c:\inetpub\wwwroot\MyWebsite';
                                ApplicationPool = 'MyWebAppPool'
                             },
                             @{ Name = 'MySecondWebsite';
                                Binding = @{ Port = 802; Protocol = 'https'; CertificateSelfSigned = $true };
                                PhysicalPath = 'c:\inetpub\wwwroot\MySecondWebsite';
                                ApplicationPool = 'MySecondAppPool'
                             }
                           )
                #VirtualDirectory = @{ Name = 'MyVirtualDir'; PhysicalPath = 'c:\inetpub\wwwroot\MyWebSite\VirtualDir'; Website = 'MyWebsite' }
                WebApplication = @{ Name = 'MyApp'; PhysicalPath = 'c:\inetpub\wwwroot\MyApp'; Website = 'MyWebsite'; ApplicationPool = 'MyWebAppPool' }
            }
        }
 
    }
 
    Install-DscResources -ModuleNames 'cIIS', 'cACL', 'cCertificate'
 
    try {
        Start-Deployment -Environment Local -NoConfigFiles
    } catch {
        Write-ErrorRecord
    }
    ```
    Configures IIS according to the settings specified in 'Web' tokens section.
 
    #>


    Import-DSCResource -Module cIIS
    Import-DSCResource -Module cACL
    Import-DSCResource -Module cCertificate

    Node $AllNodes.NodeName {

        $iisConfigs = Get-TokenValue -Name 'IISConfig'

        if (!$iisConfigs) {
            Write-Log -Warn "No IISConfig defined in tokens."
            return
        }

        foreach ($iisConfig in $iisConfigs) { 
            $applicationPool = @($iisConfig.ApplicationPool | Where-Object { $_ })
            $website = @($iisConfig.Website | Where-Object { $_ })
            $virtualDirectory = @($iisConfig.VirtualDirectory | Where-Object { $_ })
            $webApplication = @($iisConfig.WebApplication | Where-Object { $_ })

            # we need to ensure each File resource has unique key
            $directoriesToCreate = @{}

            foreach ($webAppPool in $applicationPool) {
                if (!$webAppPool.Name) {
                    throw "Missing web application pool name - token 'ApplicationPool', key 'Name'"
                }
                $username = ''
                $password = ''
                if (!$webAppPool.Identity) {
                    $webAppPool.Identity = 'ApplicationPoolIdentity'
                } elseif ($webAppPool.Identity -eq 'SpecificUser') {
                    if (!$webAppPool.Credential) {
                        throw "Identity is set to 'SpecificUser' but Credential has not been provided - token 'ApplicationPool' (name '$($webAppPool.Name)'), key 'Credential'."
                    }
                    if ($webAppPool.Credential -isnot [PSCredential]) {
                        throw "Invalid credential type: $($webAppPool.Credential.GetType().ToString()) - token 'ApplicationPool' (name '$($webAppPool.Name)'), key 'Credential'."
                    }
                    $username = $webAppPool.Credential.UserName
                    $password = $webAppPool.Credential.GetNetworkCredential().Password
                }

                Write-Log -Info "Preparing application pool '$($webAppPool.Name)', IdentityType '$($webAppPool.Identity)', Username '$username'"

                if ($username) { 
                    cAppPool "AppPool_$($webappPool.Name)" { 
                        Name = $webAppPool.Name
                        Ensure = 'Present'
                        ManagedRuntimeVersion = 'v4.0'
                        ManagedPipelineMode = 'Integrated'
                        StartMode = 'AlwaysRunning'
                        IdentityType = $webAppPool.Identity
                        UserName = $username
                        Password = $password
                    }
                } else {
                    cAppPool "AppPool_$($webappPool.Name)" { 
                        Name = $webAppPool.Name
                        Ensure = 'Present'
                        ManagedRuntimeVersion = 'v4.0'
                        ManagedPipelineMode = 'Integrated'
                        StartMode = 'AlwaysRunning'
                        IdentityType = $webAppPool.Identity
                    }
                }
            }

            $addSelfSignedCert = $false
            foreach ($site in $Website) {
                if (@($site.Binding).Where({ $_.CertificateSelfSigned -eq $true})) {
                    $addSelfSignedCert = $true
                }
            }

            if ($addSelfSignedCert) {
                Write-Log -Info 'Preparing self-signed certificate'
                cSelfSignedCert MyCert {
                    StoreLocation = 'My'
                    AutoRenew = $true
                }
            }

            foreach ($site in $Website) {
                if (!$site.Name) {
                    throw "Missing site name - token 'Website', key 'Name'"
                }
                if (!$site.PhysicalPath) {
                    throw "Missing site physical path - token 'Website' (name '$($site.Name)'), key 'PhysicalPath'"
                }
                if (!$site.Binding -or $site.Binding -isnot [hashtable]) {
                    throw "Missing / invalid binding information - token 'Website' (name '$($site.Name)'), key 'Binding'"
                }
                if (!$site.ApplicationPool) {
                    $site.ApplicationPool = 'DefaultAppPool'
                }

                $matchingWebAppPool = $applicationPool.Where({ $_.Name -ieq $site.ApplicationPool })

                Write-Log -Info "Preparing website '$($site.Name)', Port '$($site.Port)', PhysicalPath '$($site.PhysicalPath)', ApplicationPool '$($site.ApplicationPool)'"

                $depends = @()
                if (!$directoriesToCreate.ContainsKey($site.PhysicalPath)) { 
                    File "WebsiteDir_$($site.Name)" {
                        DestinationPath = $site.PhysicalPath
                        Ensure = 'Present'
                        Type = 'Directory'
                    }
                    $directoriesToCreate[$site.PhysicalPath] = $true
                    $depends += "[File]WebsiteDir_$($site.Name)"
                }

                if ($matchingWebAppPool) {
                    $depends += "[cAppPool]AppPool_$($matchingWebAppPool.Name)"
                }

                if ($binding.CertificateSelfSigned) {
                    $depends += "[cSelfSignedCert]MyCert"
                }

                cWebsite "Website_$($site.Name)" { 
                    Name   = $site.Name
                    Ensure = 'Present'
                    State  = 'Started'
                    BindingInfo = foreach ($binding in $site.Binding) {
                        if (!$binding.Port) {
                            throw "Missing binding port - token 'Website' (name '$($site.Name)'), key 'Binding'"
                        }
                        if ($binding.Protocol -ne 'https' -and ($binding.CertificateSelfSigned -or $binding.CertificateStoreName -or $binding.CertificateThumbprint)) {
                            throw "Binding protocol is not https but has certificate settings, please set protocol to https or remove certificate settings - token 'Website' (name '$($site.Name)'), key 'Binding'"
                        }
                        if ($binding.CertificateSelfSigned) { 
                            OBJ_cWebBindingInformation {
                                Port = $binding.Port
                                Protocol = if ($binding.ContainsKey('Protocol')) { $binding.Protocol } else { 'http' }
                                HostName = $binding.HostName
                                IPAddress = $binding.IPAddress
                                SelfSignedCertificate = $true
                            }
                        } else {
                            OBJ_cWebBindingInformation {
                                Port = $binding.Port
                                Protocol = if ($binding.ContainsKey('Protocol')) { $binding.Protocol } else { 'http' }
                                HostName = $binding.HostName
                                IPAddress = $binding.IPAddress
                                CertificateStoreName = if ($binding.ContainsKey('CertificateStoreName')) { $binding.CertificateStoreName } else { 'My' }
                                CertificateThumbprint = $binding.CertificateThumbprint
                            }
                        }
                    }
                    PhysicalPath = $site.PhysicalPath
                    ApplicationPool = $site.ApplicationPool
                    DependsOn = $depends
                }

                if (!$matchingWebAppPool) { 
                    Write-Log -Warn "Web application pool ('$($site.ApplicationPool)') is not configured (website '$($site.Name)') - ACL will not be set. Please add this pool to 'ApplicationPool' token."
                } else {
                    $aclUserName = $null
                    if ($matchingWebAppPool.Identity -eq 'ApplicationPoolIdentity') {
                        $aclUserName = "IIS AppPool\$($matchingWebAppPool.Name)"
                    } elseif ($matchingWebAppPool.Identity -eq 'SpecificUser') {
                        $aclUserName = $matchingWebAppPool.Credential.UserName
                    } 

                    if ($aclUserName) { 
                        Write-Log -Info "Preparing ACL - R for directory '$($site.PhysicalPath)' to user '$aclUserName'"

                        cSimpleAcl "WebsiteAcl_$($site.Name)" {
                            Path = $site.PhysicalPath
                            Ensure = 'Present'
                            Username = $aclUserName
                            Permission = 'Read'
                            Type = 'Allow'
                            Inherit = $true
                            DependsOn = "[cWebsite]Website_$($site.Name)"
                        }
                    }
                }

                if ($site.AuthenticationMethodsToEnable) {
                    Write-Log -Info "Enabling following authentication methods: $($site.AuthenticationMethodsToEnable -join ', ') on site '$($site.Name)'"
                    foreach ($authMethodToEnable in $site.AuthenticationMethodsToEnable) {
                        cIISWebsiteAuthentication "$($site.Name)_Auth$authMethodToEnable" {
                            WebsiteName = $site.Name
                            Ensure = 'Present'
                            AuthenticationMethod = $authMethodToEnable
                        }
                    }
                }

                if ($site.AuthenticationMethodsToDisable) {
                    Write-Log -Info "Enabling following authentication methods: $($site.AuthenticationMethodsToDisable -join ', ') on site '$($site.Name)'"
                    foreach ($authMethodToDisable in $site.AuthenticationMethodsToDisable) {
                        cIISWebsiteAuthentication "$($site.Name)_Auth$authMethodToDisable" {
                            WebsiteName = $site.Name
                            Ensure = 'Absent'
                            AuthenticationMethod = $authMethodToDisable
                        }
                    }
                }
            
            }

            foreach ($virtualDir in $virtualDirectory) {
                if (!$virtualDir.Name) {
                    throw "Missing virtual directory name - token 'VirtualDirectory', key 'Name'"
                }
                if (!$virtualDir.PhysicalPath) {
                    throw "Missing virtual directory physical path - token 'VirtualDirectory' (name '$($virtualDir.Name)'), key 'PhysicalPath'"
                }
                if (!$virtualDir.Website) {
                    throw "Missing virtual directory website - token 'VirtualDirectory' (name '$($virtualDir.Name)'), key 'Website'"
                }

                $depends = @()
                $matchingWebsite = $website.Where({ $_.Name -ieq $virtualDir.Website })

                if ($matchingWebsite) {
                    $depends += "[cWebsite]Website_$($matchingWebsite.Name)"
                }

                if (!$directoriesToCreate.ContainsKey($virtualDir.PhysicalPath)) { 
                    File "VirtualDirectoryDir_$($virtualDir.Name)" {
                        DestinationPath = $virtualDir.PhysicalPath
                        Ensure = 'Present'
                        Type = 'Directory'
                    }
                    $directoriesToCreate[$virtualDir.PhysicalPath] = $true
                    $depends += "[File]VirtualDirectoryDir_$($virtualDir.Name)"
                }

                cWebVirtualDirectory "VirtualDirectory_$($virtualDir.Name)" {
                    Name = $virtualDir.Name
                    Website = $virtualDir.Website
                    WebApplication = ''
                    PhysicalPath = $virtualDir.PhysicalPath
                    Ensure = 'Present'
                    DependsOn = $depends
                }

            }
      
            foreach ($webApp in $webApplication) {
                if (!$webApp.Name) {
                    throw "Missing web application name - token 'WebApplication', key 'Name'"
                }
                if (!$webApp.PhysicalPath) {
                    throw "Missing web application physical path - token 'WebApplication' (name '$($webApp.Name)'), key 'PhysicalPath'"
                }
                if (!$webApp.Website) {
                    throw "Missing web application website - token 'WebApplication' (name '$($webApp.Name)'), key 'Website'"
                }
            
                $matchingWebsite = $website.Where({ $_.Name -ieq $webApp.Website })
                $matchingWebAppPool = $applicationPool.Where({ $_.Name -ieq $webApp.ApplicationPool })

                Write-Log -Info "Preparing web application '$($webApp.Name)', PhysicalPath '$($webApp.PhysicalPath)', Website '$($webApp.Website)', ApplicationPool '$($webApp.ApplicationPool)'"

                $depends = @()

                if ($matchingWebsite) {
                    $depends += "[cWebsite]Website_$($matchingWebsite.Name)"
                }

                if ($matchingWebAppPool) {
                    $depends += "[cAppPool]AppPool_$($matchingWebAppPool.Name)"
                }

                if (!$directoriesToCreate.ContainsKey($webApp.PhysicalPath)) { 
                    File "WebApplicationDir_$($webApp.Name)" {
                        DestinationPath = $webApp.PhysicalPath
                        Ensure = 'Present'
                        Type = 'Directory'
                    }
                    $directoriesToCreate[$webApp.PhysicalPath] = $true
                    $depends += "[File]WebApplicationDir_$($webApp.Name)"
                }
                cWebApplication "WebApplication_$($webApp.Name)" {
                    Name = $webApp.Name
                    Ensure = 'Present'
                    Website = $webApp.Website
                    WebAppPool = $webApp.ApplicationPool
                    PhysicalPath = $webApp.PhysicalPath
                    DependsOn = $depends
                }

                if (!$matchingWebAppPool) { 
                    Write-Log -Warn "Web application pool ('$($webAppPool.ApplicationPool)') is not configured (web application '$($webApp.Name)') - ACL will not be set. Please add this pool to 'ApplicationPool' token."
                } else {
                    $aclUserName = $null
                    if ($matchingWebAppPool.Identity -eq 'ApplicationPoolIdentity') {
                        $aclUserName = "IIS AppPool\$($matchingWebAppPool.Name)"
                    } elseif ($matchingWebAppPool.Identity -eq 'SpecificUser') {
                        $aclUserName = $matchingWebAppPool.Credential.UserName
                    } 

                    if ($aclUserName) { 
                        Write-Log -Info "Preparing ACL - R for directory '$($site.PhysicalPath)' to user '$aclUserName'"

                        cSimpleAcl "WebApplicationAcl_$($webApp.Name)" {
                            Path = $webApp.PhysicalPath
                            Ensure = 'Present'
                            Username = $aclUserName
                            Permission = 'Read'
                            Type = 'Allow'
                            Inherit = $true
                            DependsOn = "[cWebApplication]WebApplication_$($webApp.Name)"
                        }
                    }
                }
            }
        }
    }
}