WinRM module for Puppet


Table of Contents

  1. Description - What the module does and why it is useful
  2. Setup - The basics of getting started with winrm
  3. Usage - Configuration options and additional functionality
  4. Reference - Parameters and explanations

Module Description

This module configures and maintains the WinRM configurations on a Windows system.

Setup requirements

This module requires PowerShell 4 or greater to work correctly.

Usage

Basic usage:

class { 'winrm': }

Advanced WinRM configuration on Windows servers:

class { 'winrm':
  allow_unencrypted_enable                 => false,
  auth_basic_enable                        => false,
  auth_credssp_enable                      => false,
  auth_kerberos_enable                     => true,
  auth_negotiate_enable                    => true,
  cert_validity_days                       => 1095,
  execution_policy                         => 'RemoteSigned',
  http_listener_enable                     => false,
  https_listener_enable                    => true,
  local_account_token_filter_policy_enable => true,
  skip_network_profile_check               => false,
}

Firewall usage:

class { 'winrm::config::firewall':
  http_listener_enable  => false,
  https_listener_enable => true,
}
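To confirm that a node has converged on the advanced configuration shown above, the following added example (not part of this module) reads the resulting settings back with standard PowerShell cmdlets. It assumes the module's parameters map onto the standard WinRM service settings, the LocalAccountTokenFilterPolicy registry value and the effective execution policy; `New-Check` and `$wsmanExpected` are hypothetical names.

```powershell
# Added example, not part of the winrm module. Run from an elevated PowerShell
# session on the managed node, with the WinRM service running.
# Expected values mirror the "Advanced WinRM configuration" declaration on this page.
$wsmanExpected = [ordered]@{
    'WSMan:\localhost\Service\AllowUnencrypted' = 'false'
    'WSMan:\localhost\Service\Auth\Basic'       = 'false'
    'WSMan:\localhost\Service\Auth\CredSSP'     = 'false'
    'WSMan:\localhost\Service\Auth\Kerberos'    = 'true'
    'WSMan:\localhost\Service\Auth\Negotiate'   = 'true'
}

# Hypothetical helper: one result row per setting.
function New-Check($Setting, $Expected, $Actual) {
    [pscustomobject]@{
        Setting  = $Setting
        Expected = "$Expected"
        Actual   = "$Actual"
        Ok       = ("$Actual" -eq "$Expected")   # string -eq is case-insensitive
    }
}

$results = @(foreach ($path in $wsmanExpected.Keys) {
    New-Check $path $wsmanExpected[$path] (Get-Item -Path $path).Value
})

# Listeners: the declaration disables HTTP and enables HTTPS.
$listeners  = @(Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate)
$transports = @($listeners | ForEach-Object { $_.Transport })
$results += New-Check 'HTTP listener present'  $false ($transports -contains 'HTTP')
$results += New-Check 'HTTPS listener present' $true  ($transports -contains 'HTTPS')

# LocalAccountTokenFilterPolicy = 1 gives remote logons by local administrator
# accounts a full (unfiltered) token; a missing value behaves like 0.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp  = (Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy `
              -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($null -eq $latfp) { $latfp = 0 }
$results += New-Check 'LocalAccountTokenFilterPolicy' 1 $latfp

$results += New-Check 'Effective execution policy' 'RemoteSigned' (Get-ExecutionPolicy)
$results | Format-Table -AutoSize

# Print the certificate bound to each HTTPS listener, for comparison with certificate_hash.
$listeners | Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object { "HTTPS listener thumbprint: $($_.CertificateThumbprint)" }

$drift = @($results | Where-Object { -not $_.Ok })
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) setting(s) differ from the declared configuration." }
```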

Reference

Parameters

allow_unencrypted_enable

Is unencrypted traffic allowed? Default is false.

class { 'winrm::config::allow_unencrypted':
  allow_unencrypted_enable => false,
}

Auth

auth_basic_enable

Is Basic Authentication allowed? Default is false.

auth_credssp_enable

Is CredSSP Authentication allowed? Default is false.

auth_kerberos_enable

Is Kerberos Authentication allowed? Default is true.

auth_negotiate_enable

Is Negotiate Authentication allowed? Default is true.

class { 'winrm::config::auth':
  auth_basic_enable     => false,
  auth_credssp_enable   => false,
  auth_kerberos_enable  => true,
  auth_negotiate_enable => true,
}

execution_policy

Server execution policy to follow. Available options are: 'AllSigned', 'Bypass', 'RemoteSigned', 'Restricted', 'Undefined', 'Unrestricted'. Default is RemoteSigned.

class { 'winrm::config::execution_policy':
  execution_policy => 'RemoteSigned',
}

http_listener_enable

Whether WinRM should listen for HTTP connections. Default is false.

class { 'winrm::config::listener::http':
  http_listener_enable => false,
}

https_listener_enable

Whether WinRM should listen for HTTPS connections. Default is true.

certificate_hash

If you are not using a self-signed certificate, this hash can be passed in and used for the HTTPS/SSL listener. When specifying a custom certificate, you must also specify a cert_common_name that matches the subject/common name in the certificate.

class { 'winrm::config::listener::https':
  https_listener_enable => true,
  certificate_hash      => 'ABCDEF123456890',
  cert_common_name      => 'hostname.domain.tld',
}

cert_validity_days

Length of time, in days, that the self-signed certificate is valid. Default is 1095.

class { 'winrm::config::listener::https':
  cert_validity_days    => 1095,
  certificate_hash      => 'test cert hash',
  https_listener_enable => true,
}

cert_common_name

Common name of the self-signed or custom bound certificate. If you specify a custom certificate_hash, the CN (Common Name) in that certificate MUST match this value, otherwise the cert binding will not work.

local_account_token_filter_policy_enable

Whether LocalAccountTokenFilterPolicy should be enabled. Default is true.

class { 'winrm::config::localaccounttokenfilter':
  local_account_token_filter_policy_enable => true,
}

skip_network_profile_check

Whether Enable-PSRemoting should skip the network profile check. Default is false.

class { 'winrm::config::ps_remoting':
  skip_network_profile_check => false,
}