xCluster: Make DomainAdministratorCredential optional (#249)

jrdbarnes · web-flow · commit 9504c08c4a74 · 2021-02-19T18:45:17.000+01:00
- xCluster - Made DomainAdministratorCredential optional (issue #164).
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -87,6 +87,7 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 - xCluster
   - Added script file information to the example `1-CreateFirstNodeOfAFailoverCluster.ps1`.
   - Fixed Describe-block descriptions ([issue #234](https://github.com/dsccommunity/xFailOverCluster/issues/234)).
+  - Made DomainAdministratorCredential optional ([issue #164](https://github.com/dsccommunity/xFailOverCluster/issues/164))
 
 ### Removed
 
diff --git a/README.md b/README.md
@@ -66,8 +66,15 @@ the target node ($env:COMPUTERNAME) to the cluster.
   for cluster communication. To remove networks assigned an IP address through DHCP
   use the resource xClusterNetwork to change the role of the network. This parameter
   is only used during the creation of the cluster and is not monitored after.
-* **`[String]` DomainAdministratorCredential** _(Required)_: Credential used to
-  create the failover cluster in Active Directory.
+* **`[PSCredential]` DomainAdministratorCredential** _(Write)_: Credential used to
+  create the failover cluster in Active Directory. If this is not specified then 
+  the cluster computer object must have been prestaged as per the
+  [documentation](https://docs.microsoft.com/en-us/windows-server/failover-clustering/prestage-cluster-adds).
+    * If `PsDscRunAsCredential` is used, then that account must have been granted 
+    Full Control over the Cluster Name Object in Active Directory.
+    * Otherwise the Computer Account must have been granted Full Control 
+    over the Cluster Name Object in Active Directory.
+
 
 #### Examples for xCluster
 
diff --git a/source/DSCResources/MSFT_xCluster/MSFT_xCluster.psm1 b/source/DSCResources/MSFT_xCluster/MSFT_xCluster.psm1
@@ -43,7 +43,7 @@ function Get-TargetResource
         [System.String[]]
         $IgnoreNetwork,
 
-        [Parameter(Mandatory = $true)]
+        [Parameter()]
         [System.Management.Automation.PSCredential]
         $DomainAdministratorCredential
     )
@@ -56,10 +56,13 @@ function Get-TargetResource
         $errorMessage = $script:localizedData.TargetNodeDomainMissing
         New-InvalidOperationException -Message $errorMessage
     }
-
+    $context = $null
     try
     {
-        ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        if ($PSBoundParameters.ContainsKey('DomainAdministratorCredential'))
+        {
+            ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        }
 
         $cluster = Get-Cluster -Name $Name -Domain $computerInformation.Domain
         if ($null -eq $cluster)
@@ -87,6 +90,7 @@ function Get-TargetResource
         IgnoreNetwork                 = $IgnoreNetwork
         DomainAdministratorCredential = $DomainAdministratorCredential
     }
+
 }
 
 <#
@@ -136,7 +140,7 @@ function Set-TargetResource
         [System.String[]]
         $IgnoreNetwork,
 
-        [Parameter(Mandatory = $true)]
+        [Parameter()]
         [System.Management.Automation.PSCredential]
         $DomainAdministratorCredential
     )
@@ -168,7 +172,11 @@ function Set-TargetResource
 
     try
     {
-        ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        $context = $null
+        if ($PSBoundParameters.ContainsKey('DomainAdministratorCredential'))
+        {
+            ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        }
 
         if ($bCreate)
         {
@@ -302,7 +310,7 @@ function Test-TargetResource
         [System.String[]]
         $IgnoreNetwork,
 
-        [Parameter(Mandatory = $true)]
+        [Parameter()]
         [System.Management.Automation.PSCredential]
         $DomainAdministratorCredential
     )
@@ -320,7 +328,11 @@ function Test-TargetResource
 
     try
     {
-        ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        $context = $null
+        if ($PSBoundParameters.ContainsKey('DomainAdministratorCredential'))
+        {
+            ($oldToken, $context, $newToken) = Set-ImpersonateAs -Credential $DomainAdministratorCredential
+        }
 
         $cluster = Get-Cluster -Name $Name -Domain $ComputerInfo.Domain
 
diff --git a/source/DSCResources/MSFT_xCluster/MSFT_xCluster.schema.mof b/source/DSCResources/MSFT_xCluster/MSFT_xCluster.schema.mof
@@ -5,6 +5,6 @@ class MSFT_xCluster : OMI_BaseResource
 {
     [Key, Description("Name of the Cluster")] String Name;
     [Write, Description("StaticIPAddress of the Cluster")] String StaticIPAddress;
-    [Required, EmbeddedInstance("MSFT_Credential"), Description("Credential to create the cluster")] String DomainAdministratorCredential;
+    [Write, EmbeddedInstance("MSFT_Credential"), Description("Credential to create the cluster")] String DomainAdministratorCredential;
     [Write, Description("One or more networks to ignore when creating the cluster. Only networks using Static IP can be ignored, networks that are assigned an IP address through DHCP cannot be ignored, and are added for cluster communication. To remove networks assigned an IP address through DHCP use the resource xClusterNetwork to change the role of the network. This parameter is only used during the creation of the cluster and is not monitored after.")] String IgnoreNetwork[];
 };
diff --git a/tests/Unit/MSFT_xCluster.Tests.ps1 b/tests/Unit/MSFT_xCluster.Tests.ps1
@@ -228,6 +228,25 @@ foreach ($moduleVersion in @('2012', '2016'))
                         }
                     }
 
+                    Context 'When no DomainAdministratorCredential is provided' {
+
+                        $withNoDomainAdministratorCredential = $mockDefaultParameters.Clone()
+                        $withNoDomainAdministratorCredential.Remove('DomainAdministratorCredential')
+
+                        It 'Should not call Set-ImpersonateAs' {
+                            Mock -CommandName Set-ImpersonateAs -MockWith {Return 0}
+
+                            $getTargetResourceResult = Get-TargetResource @withNoDomainAdministratorCredential
+
+                            Assert-MockCalled -CommandName Set-ImpersonateAs -Exactly -Times 0 -Scope It
+                        }
+                        It 'Should return empty DomainAdministratorCredential in the hash' {
+
+                            $getTargetResourceResult = Get-TargetResource @withNoDomainAdministratorCredential
+                            $getTargetResourceResult.DomainAdministratorCredential | Should -BeNullOrEmpty
+                        }
+                    }
+
                     Assert-VerifiableMock
                 }
             }
@@ -344,6 +363,21 @@ foreach ($moduleVersion in @('2012', '2016'))
                                     Assert-MockCalled -CommandName Add-ClusterNode -Exactly -Times 0 -Scope It
                                 }
                             }
+
+                            Context 'When no DomainAdministratorCredential is provided' {
+                                It 'Should not call Set-ImpersonateAs' {
+                                    $withNoDomainAdministratorCredential = $mockDefaultParameters.Clone()
+                                    $withNoDomainAdministratorCredential.Remove('DomainAdministratorCredential')
+                                    Mock -CommandName Set-ImpersonateAs -MockWith {Return 0}
+
+                                    {Set-TargetResource @withNoDomainAdministratorCredential} | Should Not Throw
+
+                                    Assert-MockCalled -CommandName Set-ImpersonateAs -Exactly -Times 0 -Scope It
+                                    Assert-MockCalled -CommandName New-Cluster -Exactly -Times 1 -Scope It
+                                    Assert-MockCalled -CommandName Remove-ClusterNode -Exactly -Times 0 -Scope It
+                                    Assert-MockCalled -CommandName Add-ClusterNode -Exactly -Times 0 -Scope It
+                                }
+                            }
                         }
 
                         Context 'When Get-Cluster throws an error' {
@@ -379,16 +413,32 @@ foreach ($moduleVersion in @('2012', '2016'))
                     }
 
                     Context 'When the cluster exist but the node is not part of the cluster' {
-                        It 'Should call Add-ClusterNode cmdlet' {
+                        BeforeAll {
                             Mock -CommandName Get-ClusterNode
                             Mock -CommandName Get-Cluster -MockWith $mockGetCluster -ParameterFilter $mockGetCluster_ParameterFilter
-
+                        }
+                        It 'Should call Add-ClusterNode cmdlet' {
                             { Set-TargetResource @mockDefaultParameters } | Should -Not -Throw
 
                             Assert-MockCalled -CommandName New-Cluster -Exactly -Times 0 -Scope It
                             Assert-MockCalled -CommandName Remove-ClusterNode -Exactly -Times 0 -Scope It
                             Assert-MockCalled -CommandName Add-ClusterNode -Exactly -Times 1 -Scope It
                         }
+
+                        Context 'When no DomainAdministratorCredential is provided' {
+                            It 'Should not call Set-ImpersonateAs' {
+                                $withNoDomainAdministratorCredential = $mockDefaultParameters.Clone()
+                                $withNoDomainAdministratorCredential.Remove('DomainAdministratorCredential')
+                                Mock -CommandName Set-ImpersonateAs -MockWith {Return 0}
+
+                                {Set-TargetResource @withNoDomainAdministratorCredential} | Should Not Throw
+
+                                Assert-MockCalled -CommandName Set-ImpersonateAs -Exactly -Times 0 -Scope It
+                                Assert-MockCalled -CommandName New-Cluster -Exactly -Times 0 -Scope It
+                                Assert-MockCalled -CommandName Remove-ClusterNode -Exactly -Times 0 -Scope It
+                                Assert-MockCalled -CommandName Add-ClusterNode -Exactly -Times 1 -Scope It
+                            }
+                        }
                     }
 
                     Context 'When the cluster exist and the node is down' {
@@ -447,6 +497,18 @@ foreach ($moduleVersion in @('2012', '2016'))
 
                         Assert-VerifiableMock
                     }
+
+                    Context 'When no DomainAdministratorCredential is provided' {
+                        It 'Should not call Set-ImpersonateAs' {
+                            $withNoDomainAdministratorCredential = $mockDefaultParameters.Clone()
+                            $withNoDomainAdministratorCredential.Remove('DomainAdministratorCredential')
+                            Mock -CommandName Set-ImpersonateAs -MockWith {Return 0}
+
+                            {Set-TargetResource @withNoDomainAdministratorCredential} | Should Not Throw
+
+                            Assert-MockCalled -CommandName Set-ImpersonateAs -Exactly -Times 0 -Scope It
+                        }
+                    }
                 }
             }
 
@@ -471,6 +533,22 @@ foreach ($moduleVersion in @('2012', '2016'))
                     }
                 }
 
+                Context 'When no DomainAdministratorCredential is provided' {
+                    $mockDynamicDomainName = $mockDomainName
+                    $mockDynamicServerName = $mockServerName
+
+                    It 'Should not call Set-ImpersonateAs' {
+                        Mock -CommandName Get-Cluster -MockWith $mockGetCluster -ParameterFilter $mockGetCluster_ParameterFilter -Verifiable
+
+                        $withNoDomainAdministratorCredential = $mockDefaultParameters.Clone()
+                        $withNoDomainAdministratorCredential.Remove('DomainAdministratorCredential')
+                        Mock -CommandName Set-ImpersonateAs -MockWith {Return 0}
+
+                        $testTargetResourceResult = Test-TargetResource @withNoDomainAdministratorCredential
+                        Assert-MockCalled -CommandName Set-ImpersonateAs -Exactly -Times 0 -Scope It
+                    }
+                }
+
                 Context 'When the system is not in the desired state' {
                     BeforeEach {
                         Mock -CommandName Get-CimInstance -MockWith $mockGetCimInstance -ParameterFilter $mockGetCimInstance_ParameterFilter -Verifiable

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,6 @@ class MSFT_xCluster : OMI_BaseResource`
`5`	`5`	`{`
`6`	`6`	`[Key, Description("Name of the Cluster")] String Name;`
`7`	`7`	`[Write, Description("StaticIPAddress of the Cluster")] String StaticIPAddress;`
`8`		`- [Required, EmbeddedInstance("MSFT_Credential"), Description("Credential to create the cluster")] String DomainAdministratorCredential;`
	`8`	`+ [Write, EmbeddedInstance("MSFT_Credential"), Description("Credential to create the cluster")] String DomainAdministratorCredential;`
`9`	`9`	`[Write, Description("One or more networks to ignore when creating the cluster. Only networks using Static IP can be ignored, networks that are assigned an IP address through DHCP cannot be ignored, and are added for cluster communication. To remove networks assigned an IP address through DHCP use the resource xClusterNetwork to change the role of the network. This parameter is only used during the creation of the cluster and is not monitored after.")] String IgnoreNetwork[];`
`10`	`10`	`};`