PowerShell DSC on the AWS Cloud
PowerShell DSC Quick Start

How We'll Use Windows PowerShell DSC on AWS

PowerShell DSC clients can pull their configurations from a server or have their configurations pushed to them either locally or from a remote system. In this guide, we've provided two AWS CloudFormation templates that deploy the reference environment using both the pull and push models. In this section, we'll discuss the differences between these two methods and how they will be used to deploy our stack on AWS.

DSC in Pull Mode

To deploy our reference architecture using DSC in pull mode, we'll use AWS CloudFormation to create the Amazon VPC and required network elements. Then we'll launch servers to act as DSC pull servers. On these servers we'll install a web service that allows the Local Configuration Manager on each client node to retrieve its configuration over HTTPS, and we'll use a master configuration script to generate a MOF file for each node in our deployment. As each server is bootstrapped by AWS CloudFormation, we'll configure its Local Configuration Manager to retrieve the node's configuration from the pull server, and the desired state will be applied.

Once the stack is built successfully, we'll have a distributed enterprise application deployment that maintains its desired state and is resistant to configuration drift.

DSC in Push Mode

Our second example will deploy the same reference architecture in DSC push mode. In this scenario, there will be no requirement for DSC pull servers, and each server in the environment will "push" a configuration document to itself.

Again, we'll utilize AWS CloudFormation to orchestrate the build process. After creating the Amazon VPC and required network elements, each server instance will be launched and bootstrapped. Since there will be no pull servers in this scenario, each instance will download its own configuration script, generate the MOF document, and apply the desired state using the Start-DSCConfiguration cmdlet.

Things That Won't Be Handled by DSC

Most Windows-specific tasks will be handled by PowerShell DSC. However, there are a few things that we'll do using helper scripts called from AWS CloudFormation cfn-init in order to start the bootstrapping process.

  • Renaming the Computer – We'll simply use the Rename-Computer cmdlet before invoking a DSC push or pull operation. This allows us to use each server's hostname when using the node keyword in the DSC configuration scripts.

  • Installing Certificates – For the sake of demonstration, we'll utilize self-signed certificates to secure the DSC pull server's HTTPS endpoint and to encrypt credentials when using DSC resources that require authentication. Self-signed certificates will be installed on each instance in the environment to support these scenarios. For production environments, we recommend utilizing an internal PKI or commercial SSL certificate provider.

  • Downloading Configurations and Modules – Configuration scripts and DSC resource modules will be downloaded from a public Amazon S3 bucket. The MOF files will be generated on the fly during the bootstrapping process. This does not apply to servers configured in pull mode, which will obtain their configurations and any required modules from the pull server.
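The push-mode bootstrap described above (generate the MOF locally, then apply it with Start-DscConfiguration), combined with the certificate-based credential encryption from the "Installing Certificates" item, as an added example that is not part of the Quick Start's own scripts. It assumes Rename-Computer has already run, that a certificate with the given thumbprint is installed in Cert:\LocalMachine\My with its public half exported to the .cer path shown, and that the file share, output paths and thumbprint placeholder are hypothetical.

```powershell
# Assumed values (not from the Quick Start): cert thumbprint placeholder, exported public cert, output folder.
$thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'
$publicCert = 'C:\cfn\dsc\DscPublicKey.cer'
$outRoot    = 'C:\cfn\dsc'
configuration WebServerPush
{
    param([Parameter(Mandatory)] [PSCredential] $ServiceAccount)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName
    {
        # Point the LCM at the private key that decrypts credentials in this node's MOF.
        LocalConfigurationManager
        {
            CertificateID      = $Node.Thumbprint
            ConfigurationMode  = 'ApplyAndAutoCorrect'   # re-apply desired state when drift is detected
            RebootNodeIfNeeded = $true
        }
        WindowsFeature IIS
        {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }
        # A resource that needs a credential (hypothetical share); DSC encrypts it with the node certificate.
        File WebContent
        {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $true
            SourcePath      = '\\fileserver.example.internal\webcontent'
            DestinationPath = 'C:\inetpub\wwwroot'
            Credential      = $ServiceAccount
            DependsOn       = '[WindowsFeature]IIS'
        }
    }
}
# CertificateFile + Thumbprint in ConfigurationData is what makes DSC encrypt the credential;
# without them, compilation fails unless PSDscAllowPlainTextPassword = $true is set (avoid that).
$configData = @{ AllNodes = @( @{
    NodeName        = $env:COMPUTERNAME      # hostname set earlier by Rename-Computer
    CertificateFile = $publicCert
    Thumbprint      = $thumbprint
} ) }
$cred = Get-Credential -Message 'Service account for the File resource (interactive for this example)'
WebServerPush -ServiceAccount $cred -ConfigurationData $configData -OutputPath $outRoot
# Apply the LCM meta-configuration (*.meta.mof) first, then push the node MOF to this server.
Set-DscLocalConfigurationManager -Path $outRoot -Verbose
Start-DscConfiguration -Path $outRoot -Wait -Verbose -Force
```

After it runs, the generated MOF under C:\cfn\dsc contains the credential only in encrypted form, and Get-DscConfigurationStatus can be used to confirm the node has converged.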