DSCResources/VE_XD7AccessPolicy/VE_XD7AccessPolicy.ps1
Import-LocalizedData -BindingVariable localizedData -FileName Resources.psd1; function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( # Delivery Group Name [Parameter(Mandatory)] [System.String] $DeliveryGroup, # NotViaAG | ViaAG [Parameter(Mandatory)] [ValidateSet('AccessGateway','Direct')] [System.String] $AccessType, [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $AllowRestart = $true, [Parameter()] [ValidateSet('HDX','RDP')] [System.String[]] $Protocol = @('HDX','RDP'), # Name example: <DeliveryGroupName>_Direct or <DeliveryGroupName>_AG [Parameter()] [System.String] $Name, [Parameter()] [AllowNull()] [System.String] $Description = $null, # IncludedUsersFilterEnabled/IncludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $IncludeUsers = @(), # ExcludedUserFilterEnabled/ExcludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $ExcludeUsers = @(), [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) begin { AssertXDModule -Name 'Citrix.Broker.Admin.V2' -IsSnapin; if ([System.String]::IsNullOrEmpty($Name)) { $Name = '{0}_Direct' -f $DeliveryGroup; if ($AccessType -eq 'AccessGateway') { $Name = '{0}_AG' -f $DeliveryGroup; } } } process { $scriptBlock = { Add-PSSnapin -Name 'Citrix.Broker.Admin.V2' -ErrorAction Stop; $desktopGroup = Get-BrokerDesktopGroup -Name $using:DeliveryGroup -ErrorAction Stop; $desktopGroupAccessPolicy = Get-BrokerAccessPolicyRule -Name $using:Name -DesktopGroupUid $desktopGroup.Uid -ErrorAction SilentlyContinue; $targetResource = @{ DeliveryGroup = $using:DeliveryGroup; Name = $desktopGroupAccessPolicy.Name; AccessType = if ($desktopGroupAccessPolicy.AllowedConnections -eq 'ViaAG') { 'AccessGateway' } else { 'Direct' } Enabled = $desktopGroupAccessPolicy.Enabled; AllowRestart = $desktopGroupAccessPolicy.AllowRestart; Protocol = [System.String[]] $desktopGroupAccessPolicy.AllowedProtocols; Description = [System.String] $desktopGroupAccessPolicy.Description; IncludeUsers = @() ExcludeUsers = @(); Ensure = 'Absent'; } $targetResource['IncludeUsers'] += $desktopGroupAccessPolicy.IncludedUsers | Where Name -ne $null | Select -ExpandProperty Name; $targetResource['ExcludeUsers'] += $desktopGroupAccessPolicy.ExcludedUsers | Where Name -ne $null | Select -ExpandProperty Name; if ($desktopGroupAccessPolicy) { $targetResource.Ensure = 'Present'; } return $targetResource; } #end scriptBlock $invokeCommandParams = @{ ScriptBlock = $scriptBlock; ErrorAction = 'Stop'; } if ($Credential) { AddInvokeScriptBlockCredentials -Hashtable $invokeCommandParams -Credential $Credential; } else { $invokeCommandParams['ScriptBlock'] = [System.Management.Automation.ScriptBlock]::Create($scriptBlock.ToString().Replace('$using:','$')); } Write-Verbose ($localizedData.InvokingScriptBlockWithParams -f [System.String]::Join("','", @($Name, $Enabled, $Ensure))); return Invoke-Command @invokeCommandParams; } } #end function Get-TargetResource function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( # Delivery Group Name [Parameter(Mandatory)] [System.String] $DeliveryGroup, # NotViaAG | ViaAG [Parameter(Mandatory)] [ValidateSet('AccessGateway','Direct')] [System.String] $AccessType, [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $AllowRestart = $true, [Parameter()] [ValidateSet('HDX','RDP')] [System.String[]] $Protocol = @('HDX','RDP'), # Name example: <DeliveryGroupName>_Direct or <DeliveryGroupName>_AG [Parameter()] [System.String] $Name, [Parameter()] [AllowNull()] [System.String] $Description = $null, # IncludedUsersFilterEnabled/IncludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $IncludeUsers = @(), # ExcludedUserFilterEnabled/ExcludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $ExcludeUsers = @(), [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) begin { if ([System.String]::IsNullOrEmpty($Name)) { $Name = '{0}_Direct' -f $DeliveryGroup; if ($AccessType -eq 'AccessGateway') { $Name = '{0}_AG' -f $DeliveryGroup; } } } #end begin process { $PSBoundParameters['Ensure'] = $Ensure; $targetResource = Get-TargetResource @PSBoundParameters; $inCompliance = $true; foreach ($property in $PSBoundParameters.Keys) { if ($targetResource.ContainsKey($property)) { $expected = $PSBoundParameters[$property]; $actual = $targetResource[$property]; if ($PSBoundParameters[$property] -is [System.String[]]) { if (Compare-Object -ReferenceObject $expected -DifferenceObject $actual) { Write-Verbose ($localizedData.ResourcePropertyMismatch -f $property, ($expected -join ','), ($actual -join ',')); $inCompliance = $false; } } elseif ($expected -ne $actual) { Write-Verbose ($localizedData.ResourcePropertyMismatch -f $property, $expected, $actual); $inCompliance = $false; } } } if ($inCompliance) { Write-Verbose ($localizedData.ResourceInDesiredState -f $DeliveryGroup); } else { Write-Verbose ($localizedData.ResourceNotInDesiredState -f $DeliveryGroup); } return $inCompliance; } #end process } #end function Test-TargetResource function Set-TargetResource { [CmdletBinding()] param ( # Delivery Group Name [Parameter(Mandatory)] [System.String] $DeliveryGroup, # NotViaAG | ViaAG [Parameter(Mandatory)] [ValidateSet('AccessGateway','Direct')] [System.String] $AccessType, [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $AllowRestart = $true, [Parameter()] [ValidateSet('HDX','RDP')] [System.String[]] $Protocol = @('HDX','RDP'), # Name example: <DeliveryGroupName>_Direct or <DeliveryGroupName>_AG [Parameter()] [System.String] $Name, [Parameter()] [AllowNull()] [System.String] $Description = $null, # IncludedUsersFilterEnabled/IncludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $IncludeUsers = @(), # ExcludedUserFilterEnabled/ExcludedUsers [Parameter()] [ValidateNotNull()] [System.String[]] $ExcludeUsers = @(), [Parameter()] [ValidateSet('Present','Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateNotNull()] [System.Management.Automation.PSCredential] [System.Management.Automation.CredentialAttribute()] $Credential ) begin { AssertXDModule -Name 'Citrix.Broker.Admin.V2' -IsSnapin; if ([System.String]::IsNullOrEmpty($Name)) { $Name = '{0}_Direct' -f $DeliveryGroup; if ($AccessType -eq 'AccessGateway') { $Name = '{0}_AG' -f $DeliveryGroup; } } } #end begin process { $scriptBlock = { Add-PSSnapin -Name 'Citrix.Broker.Admin.V2' -ErrorAction Stop; $desktopGroup = Get-BrokerDesktopGroup -Name $using:DeliveryGroup -ErrorAction Stop; $desktopGroupAccessPolicy = Get-BrokerAccessPolicyRule -Name $using:Name -DesktopGroupUid $desktopGroup.Uid -ErrorAction SilentlyContinue; if ($using:Ensure -eq 'Present') { $accessPolicyParams = @{ Enabled = $using:Enabled; Description = $using:Description; AllowRestart = $using:AllowRestart; AllowedConnections = if ($using:AccessType -eq 'AccessGateway') { 'ViaAG' } else { 'NotViaAG' } AllowedProtocols = $using:Protocol; IncludedUserFilterEnabled = $false; IncludedUsers = @(); ExcludedUserFilterEnabled = $false; ExcludedUsers = @(); } if ($using:IncludeUsers.Count -ge 1) { $accessPolicyParams['IncludedUserFilterEnabled'] = $true; foreach ($user in $using:IncludeUsers) { $brokerUser = Get-BrokerUser -FullName $user -ErrorAction SilentlyContinue; if (-not $brokerUser) { $brokerUser = New-BrokerUser -Name $user -ErrorAction Stop; } $accessPolicyParams['IncludedUsers'] += $brokerUser; } } if ($using:ExcludeUsers.Count -ge 1) { $accessPolicyParams['ExcludedUserFilterEnabled'] = $true; foreach ($user in $using:ExcludeUsers) { $brokerUser = Get-BrokerUser -FullName $user -ErrorAction SilentlyContinue; if (-not $brokerUser) { $brokerUser = New-BrokerUser -Name $user -ErrorAction Stop; } $accessPolicyParams['ExcludedUsers'] += $brokerUser; } } if ($desktopGroupAccessPolicy) { ## Can't change name or delivery group if ($desktopGroup.Uid -ne $desktopGroupAccessPolicy.DesktopGroupUid) { throw ($using:localizedData.ImmutablePropertyError -f 'Uid'); } elseif ($using:Name -ne $desktopGroupAccessPolicy.Name) { throw ($using:localizedData.ImmutablePropertyError -f 'Name'); } Write-Verbose ($using:localizedData.UpdatingAccessPolicy -f $using:Name); $desktopGroupAccessPolicy | Set-BrokerAccessPolicyRule @accessPolicyParams; } else { $accessPolicyParams['Name'] = $using:Name; $accessPolicyParams['DesktopGroupUid'] = $desktopGroup.Uid; Write-Verbose ($using:localizedData.AddingAccessPolicy -f $using:Name); New-BrokerAccessPolicyRule @accessPolicyParams; } } else { if ($desktopGroupAccessPolicy) { Write-Verbose ($using:localizedData.RemovingAccessPolicy -f $using:Name); $desktopGroupAccessPolicy | Remove-BrokerAccessPolicyRule; } } } #end scriptBlock $invokeCommandParams = @{ ScriptBlock = $scriptBlock; ErrorAction = 'Stop'; } if ($Credential) { AddInvokeScriptBlockCredentials -Hashtable $invokeCommandParams -Credential $Credential; } else { $invokeCommandParams['ScriptBlock'] = [System.Management.Automation.ScriptBlock]::Create($scriptBlock.ToString().Replace('$using:','$')); } Write-Verbose ($localizedData.InvokingScriptBlockWithParams -f [System.String]::Join("','", @($Name, $Enabled, $Ensure))); return Invoke-Command @invokeCommandParams; } #end process } #end function Set-TargetResource |