Idempotent user creation

gabriel-samfira · gabriel-samfira · commit a2056d45ca68 · 2025-08-05T21:51:06.000Z
Check if the runner user exists before trying to add it. Also, check
group membership before trying to add it to the Administrators group.

Signed-off-by: Gabriel Adrian Samfira &lt;gsamfira@cloudbasesolutions.com&gt;
diff --git a/cloudconfig/templates.go b/cloudconfig/templates.go
@@ -604,14 +604,19 @@ function Install-Runner() {
 		# Create user with administrator rights to run service as
 		$userPasswd = Get-RandomString -Length 10
 		$secPasswd = ConvertTo-SecureString "$userPasswd" -AsPlainText -Force
-		New-LocalUser -Name "runner" -Password $secPasswd -PasswordNeverExpires -UserMayNotChangePassword
-		$pscreds = New-Object System.Management.Automation.PSCredential (".\runner", $secPasswd)
-		$adminGrpName = (Get-CimInstance win32_group -Filter 'SID = "S-1-5-32-544"').Name
-		if (!$adminGrpName) {
-			Throw "Could not find administrators group name"
+		$userName = "runner"
+		$user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
+		if (-not $user) {
+			New-LocalUser -Name $userName -Password $secPasswd -PasswordNeverExpires -UserMayNotChangePassword
+		} else {
+			Set-LocalUser -PasswordNeverExpires $true -Name $userName -Password $secPasswd
+		}
+		$pscreds = New-Object System.Management.Automation.PSCredential (".\$userName", $secPasswd)
+		$hasUser = Get-LocalGroupMember -SID S-1-5-32-544 -Member $userName -ErrorAction SilentlyContinue
+		if (-not $hasUser){
+			Add-LocalGroupMember -SID S-1-5-32-544 -Member $userName
 		}
-		Add-LocalGroupMember -Group $adminGrpName -Member runner
-		$ntAcct = New-Object System.Security.Principal.NTAccount("runner")
+		$ntAcct = New-Object System.Security.Principal.NTAccount($userName)
 		$sid = $ntAcct.Translate([System.Security.Principal.SecurityIdentifier])
 		$sidBytes = New-Object byte[] ($sid.BinaryLength)
 		$sid.GetBinaryForm($sidBytes, 0)
@@ -658,7 +663,7 @@ function Install-Runner() {
 		# Ensure runner has full access to actions-runner folder
 		$runnerACL = Get-Acl $runnerDir
 		$runnerACL.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
-		    "runner", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
+		    $userName, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
 		)))
 		Set-Acl -Path $runnerDir -AclObject $runnerAcl
 
@@ -691,9 +696,9 @@ function Install-Runner() {
 			Invoke-WebRequest -UseBasicParsing -Headers @{"Accept"="application/json"; "Authorization"="Bearer $Token"} -Uri $MetadataURL/runner-registration-token/
 		} -MaxRetryCount 5 -RetryInterval 5 -RetryMessage "Retrying download of GitHub registration token..."
 		{{- if .GitHubRunnerGroup }}
-		./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --runnergroup {{.GitHubRunnerGroup}} --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount runner --windowslogonpassword "$userPasswd"
+		./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --runnergroup {{.GitHubRunnerGroup}} --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount "$userName" --windowslogonpassword "$userPasswd"
 		{{- else}}
-		./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount runner --windowslogonpassword "$userPasswd"
+		./config.cmd --unattended --url "{{ .RepoURL }}" --token $GithubRegistrationToken --name "{{ .RunnerName }}" --labels "{{ .RunnerLabels }}" --no-default-labels --ephemeral --runasservice --windowslogonaccount "$userName" --windowslogonpassword "$userPasswd"
 		{{- end}}
 		if ($LASTEXITCODE) {
 			Throw "Failed to configure runner. Err code $LASTEXITCODE"
