Machine Policy Check Roles

We have created a machine policy to verify that all tentacles are installed correctly and have correct user permissions.

But we also want to add the ability to query if “standard” roles exist on the machine.
E.g. we have a role which is required on every machine.
Is it possible to add into the check if the machine has got a role? If so, how?

Hi Chris,

Thanks for reaching out! By “Standard Roles” you mean machine roles like the ones shown in the attached screenshot? Or are you talking about some config/setting in windows that also goes by the name of “role”?

If you are talking about a windows setting, then you’ll have to script that yourself.

If you are talking about a machine role as shown in the attached screenshot, then this script should do the trick: https://github.com/OctopusDeploy/OctopusDeploy-Api/blob/master/Machine-Policy-Scripts/ValidateRolesInMachine.ps1

Let me know if that helps,
Dalmiro

Hi,

I am talking about machine roles.

We have one to deploy our tooling to all machines through Octopus called “shared”. I wanted the health check to warn if a machine was missing this Octopus role.

Hi Chris,

If you add the below script to your Machine Policy and put the role “shared” in the $MandatoryRolesList collection, it should error out if the target machine doesn’t have that role.

Let me know if it works,
Dalmiro

Perfect!

$OctopusParameters['Octopus.Machine.Roles'] is the bit I was looking for :slight_smile:

We have some other Octopus roles which are put in under certain conditions that I also wanted to check for, but thanks for your help!

Glad to hear that helped :slight_smile:

Hey,

I do have one extra question.

Is it possible to get the environment out?
I wanted to check if the machine is a part of certain environments and, if so, perform an extra check with the roles.

Hi Chris,

That one is going to be a bit tougher. The environment name/id is not available in the context of the machine policy script, so you’ll have to get your hands into the API to get that information.

You’ll need to do something like this:

  1. Do a GET call to http://YourOctopusServer/api/machines/[Current Machine ID]. This will return a JSON which will have an Environments collection with the IDs of all the environments this machine is part of.

    {
        "Id": "Machines-2",
        "Name": "Listening1",
        "Thumbprint": "95CCA5DE51CB6475729CFA65655968552C2DA8B5",
        "Uri": "https://localhost:10933/",
        "IsDisabled": false,
        "EnvironmentIds": [
          "Environments-1"
        ],
        "Roles": [
          "WebServer"
        ]
    }

  2. Do a GET to /api/environments/all to get a collection of all the available environments (+). This will help you know which environment ID corresponds with which Environment Name.

    [
      {
        "Id": "Environments-1",
        "Name": "Development",
        "Description": "",
        "SortOrder": 0,
        "UseGuidedFailure": false,
        "Links": {
          "Self": "/api/environments/Environments-1",
          "Machines": "/api/environments/Environments-1/machines",
          "SinglyScopedVariableDetails": "/api/environments/Environments-1/singlyScopedVariableDetails"
        }
      }
    ]

  3. With the information of (1) and (2), cross-reference the info to check on which environments the machine is on.

(+) Keep in mind that all these actions will involve hitting the API by authenticating with a specific API key that belongs to a user. This user needs to have view access to all the machines and environments in order for this to succeed. I.e. if the user can’t see the Production environment, when it runs a GET against /api/environments/all, the Production environment won’t be on that list.

Hope that helps,
Dalmiro
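The three steps above put together as one machine policy script, added here as an example and not the script from the linked repository or Dalmiro's own. It assumes an `Octopus.Machine.Id` parameter is available to the policy script alongside `Octopus.Machine.Roles`, and the server URL, API key and environment-specific role names are placeholders.

```powershell
# Added example machine policy script. Assumptions: 'Octopus.Machine.Id' is exposed
# to the policy script like 'Octopus.Machine.Roles'; URL and key are placeholders.
$ErrorActionPreference = 'Stop'
$OctopusUrl = 'http://YourOctopusServer'                  # placeholder
$ApiKey     = 'API-PLACEHOLDER'                           # key of a user with view access
$Headers    = @{ 'X-Octopus-ApiKey' = $ApiKey }

# Role every machine must carry (from the thread: "shared").
$MandatoryRolesList = @('shared')

# Roles required only when the machine belongs to a given environment (constructed values).
$RolesByEnvironment = @{ 'Production' = @('monitoring-agent') }

# Roles reach the policy script as a comma-separated string; normalise to a clean array.
$MachineRoles = @(($OctopusParameters['Octopus.Machine.Roles'] -split ',') |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

function Test-RequiredRoles([string[]]$Required, [string]$Reason) {
    $missing = @($Required | Where-Object { $MachineRoles -notcontains $_ })
    if ($missing.Count -gt 0) {
        # Throwing fails the health check, as asked for in the thread.
        throw "Machine is missing role(s) [$($missing -join ', ')] ($Reason)"
    }
}

Test-RequiredRoles -Required $MandatoryRolesList -Reason 'mandatory on every machine'

# Step 1: the machine document lists environment IDs, not names.
$machineId = $OctopusParameters['Octopus.Machine.Id']   # assumed parameter name
$machine   = Invoke-RestMethod -Uri "$OctopusUrl/api/machines/$machineId" -Headers $Headers

# Step 2: build an ID -> name map from /api/environments/all.
$envNameById = @{}
foreach ($environment in (Invoke-RestMethod -Uri "$OctopusUrl/api/environments/all" -Headers $Headers)) {
    $envNameById[$environment.Id] = $environment.Name
}

# Step 3: cross-reference. An ID with no name means the API user cannot see that
# environment (the (+) caveat), so warn rather than silently pass the check.
foreach ($envId in $machine.EnvironmentIds) {
    $envName = $envNameById[$envId]
    if (-not $envName) {
        Write-Warning "Environment $envId is not visible to the API user; its role checks were skipped"
        continue
    }
    if ($RolesByEnvironment.ContainsKey($envName)) {
        Test-RequiredRoles -Required $RolesByEnvironment[$envName] -Reason "required in $envName"
    }
}
Write-Host "Role checks passed. Roles present: $($MachineRoles -join ', ')"
```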

Is it possible to get the parameters in the policy script updated in a future release to include environment names comma separated in the same way roles are?

Hi Chris,

The best way to make this happen would be to log a Uservoice request and have the community vote for it. We use this tool to prioritize the features we work on, and if enough users back this idea I don’t see why it couldn’t be implemented.

http://octopusdeploy.uservoice.com/

On a similar note, not sure if you heard about Octoposh, but it is an open source PS module that has a cmdlet called Get-OctopusMachine which will return an object with the list of environment names of your machine. Of course the caveat is that you’d need to have the module installed in each Tentacle.

Regards,
Dalmiro