DSCResources/MSFT_SPSecureStoreServiceApp/MSFT_SPSecureStoreServiceApp.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]  [System.String]  $Name,
        [parameter(Mandatory = $true)]  [System.String]  $ApplicationPool,
        [parameter(Mandatory = $true)]  [System.Boolean] $AuditingEnabled,
        [parameter(Mandatory = $false)] [System.UInt32]  $AuditlogMaxSize,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseName,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseServer,
        [parameter(Mandatory = $false)] [System.String]  $FailoverDatabaseServer,
        [parameter(Mandatory = $false)] [System.Boolean] $PartitionMode,
        [parameter(Mandatory = $false)] [System.Boolean] $Sharing,
        [parameter(Mandatory = $false)] [ValidateSet("Windows", "SQL")]   [System.String] $DatabaseAuthenticationType,
        [parameter(Mandatory = $false)] [ValidateSet("Present","Absent")] [System.String] $Ensure = "Present",
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $DatabaseCredentials,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    Write-Verbose -Message "Getting secure store service application '$Name'"

    $result = Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
        $params = $args[0]
        
        $nullReturn = @{
            Name = $params.Name
            ApplicationPool = $params.ApplicationPool
            AuditingEnabled = $false
            Ensure = "Absent"
        }

        $serviceApps = Get-SPServiceApplication -Name $params.Name -ErrorAction SilentlyContinue 
        if ($null -eq $serviceApps) { 
            return $nullReturn 
        }
        $serviceApp = $serviceApps | Where-Object { $_.TypeName -eq "Secure Store Service Application" }

        If ($null -eq $serviceApp) { 
            return $nullReturn 
        } else {
            return  @{
                Name = $serviceApp.DisplayName
                ApplicationPool = $serviceApp.ApplicationPool.Name
                DatabaseName = $serviceApp.Database.Name
                DatabaseServer = $serviceApp.Database.Server.Name
                InstallAccount = $params.InstallAccount
                Ensure = "Present"
            }
        }
    }
    return $result
}


function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]  [System.String]  $Name,
        [parameter(Mandatory = $true)]  [System.String]  $ApplicationPool,
        [parameter(Mandatory = $true)]  [System.Boolean] $AuditingEnabled,
        [parameter(Mandatory = $false)] [System.UInt32]  $AuditlogMaxSize,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseName,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseServer,
        [parameter(Mandatory = $false)] [System.String]  $FailoverDatabaseServer,
        [parameter(Mandatory = $false)] [System.Boolean] $PartitionMode,
        [parameter(Mandatory = $false)] [System.Boolean] $Sharing,
        [parameter(Mandatory = $false)] [ValidateSet("Windows", "SQL")]   [System.String] $DatabaseAuthenticationType,
        [parameter(Mandatory = $false)] [ValidateSet("Present","Absent")] [System.String] $Ensure = "Present",
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $DatabaseCredentials,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    $result = Get-TargetResource @PSBoundParameters
    $params = $PSBoundParameters

    if((($params.ContainsKey("DatabaseAuthenticationType") -eq $true) -and `
        ($params.ContainsKey("DatabaseCredentials") -eq $false)) -or `
        (($params.ContainsKey("DatabaseCredentials") -eq $true) -and `
        ($params.ContainsKey("DatabaseAuthenticationType") -eq $false))) {
        throw "Where DatabaseCredentials are specified you must also specify DatabaseAuthenticationType to identify the type of credentials being passed"
        return;
    }

    if ($result.Ensure -eq "Absent" -and $Ensure -eq "Present") { 
        Write-Verbose -Message "Creating Secure Store Service Application $Name"
        Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $params -ScriptBlock {
            $params = $args[0]
            
            if ($params.ContainsKey("Ensure")) { $params.Remove("Ensure") | Out-Null }
            if ($params.ContainsKey("InstallAccount")) { $params.Remove("InstallAccount") | Out-Null }

            if($params.ContainsKey("DatabaseAuthenticationType")) {
                if ($params.DatabaseAuthenticationType -eq "SQL") {
                    $params.Add("DatabaseUsername", $params.DatabaseCredentials.Username)
                    $params.Add("DatabasePassword", $params.DatabaseCredentials.Password)
                }
                $params.Remove("DatabaseAuthenticationType")
            }

            New-SPSecureStoreServiceApplication @params | New-SPSecureStoreServiceApplicationProxy -Name "$($params.Name) Proxy"
        }
    } 
    
    if ($result.Ensure -eq "Present" -and $Ensure -eq "Present") {
        if ([string]::IsNullOrEmpty($ApplicationPool) -eq $false -and $ApplicationPool -ne $result.ApplicationPool) {
            Write-Verbose -Message "Updating Secure Store Service Application $Name"
            Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
                $params = $args[0]

                $serviceApp = Get-SPServiceApplication -Name $params.Name | Where-Object { $_.TypeName -eq "Secure Store Service Application" }
                $appPool = Get-SPServiceApplicationPool -Identity $params.ApplicationPool 
                Set-SPSecureStoreServiceApplication -Identity $serviceApp -ApplicationPool $appPool
            }
        }
    }
    
    if ($Ensure -eq "Absent") {
        # The service app should not exit
        Write-Verbose -Message "Removing Secure Store Service Application $Name"
        Invoke-SPDSCCommand -Credential $InstallAccount -Arguments $PSBoundParameters -ScriptBlock {
            $params = $args[0]
            
            $serviceApp =  Get-SPServiceApplication -Name $params.Name | Where-Object { $_.TypeName -eq "Secure Store Service Application"  }
            Remove-SPServiceApplication $serviceApp -Confirm:$false
        }
    }    
}


function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]  [System.String]  $Name,
        [parameter(Mandatory = $true)]  [System.String]  $ApplicationPool,
        [parameter(Mandatory = $true)]  [System.Boolean] $AuditingEnabled,
        [parameter(Mandatory = $false)] [System.UInt32]  $AuditlogMaxSize,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseName,
        [parameter(Mandatory = $false)] [System.String]  $DatabaseServer,
        [parameter(Mandatory = $false)] [System.String]  $FailoverDatabaseServer,
        [parameter(Mandatory = $false)] [System.Boolean] $PartitionMode,
        [parameter(Mandatory = $false)] [System.Boolean] $Sharing,
        [parameter(Mandatory = $false)] [ValidateSet("Windows", "SQL")]   [System.String] $DatabaseAuthenticationType,
        [parameter(Mandatory = $false)] [ValidateSet("Present","Absent")] [System.String] $Ensure = "Present",
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $DatabaseCredentials,
        [parameter(Mandatory = $false)] [System.Management.Automation.PSCredential] $InstallAccount
    )

    $CurrentValues = Get-TargetResource @PSBoundParameters
    Write-Verbose -Message "Testing secure store service application $Name"
    $PSBoundParameters.Ensure = $Ensure
    return Test-SPDscParameterState -CurrentValues $CurrentValues -DesiredValues $PSBoundParameters -ValuesToCheck @("ApplicationPool", "Ensure")
}


Export-ModuleMember -Function *-TargetResource