BREAKING CHANGE: SqlLogin: Parameters no longer enforce default values (

dsccommunity#1696) - SqlLogin - BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced` parameters no longer enforce default values (issue dsccommunity#1669).
dlenkov · Mar 28, 2022 · d8b4d9d · d8b4d9d
1 parent 26a7b07
commit d8b4d9d
Show file tree

Hide file tree

Showing 6 changed files with 589 additions and 52 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Bumped Stale task to v5 in the GitHub workflow.
 - Wiki
   - add introduction and links to DSC technology
+- SqlLogin
+  - BREAKING CHANGE: `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced`
+    parameters no longer enforce default values ([issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669)).
 
 ### Fixed
 

diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1
@@ -107,13 +107,13 @@ function Get-TargetResource
         The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
 
     .PARAMETER LoginMustChangePassword
-        Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Does not update pre-existing SQL Logins. Default is $true.
+        Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Does not update pre-existing SQL Logins.
 
     .PARAMETER LoginPasswordExpirationEnabled
-        Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
+        Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins.
 
     .PARAMETER LoginPasswordPolicyEnforced
-        Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
+        Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins.
 
     .PARAMETER Disabled
         Specifies if the login is disabled. Default is $false.
@@ -163,15 +163,15 @@ function Set-TargetResource
 
         [Parameter()]
         [System.Boolean]
-        $LoginMustChangePassword = $true,
+        $LoginMustChangePassword,
 
         [Parameter()]
         [System.Boolean]
-        $LoginPasswordExpirationEnabled = $true,
+        $LoginPasswordExpirationEnabled,
 
         [Parameter()]
         [System.Boolean]
-        $LoginPasswordPolicyEnforced = $true,
+        $LoginPasswordPolicyEnforced,
 
         [Parameter()]
         [System.Boolean]
@@ -195,25 +195,34 @@ function Set-TargetResource
                 if ( $login.LoginType -eq 'SqlLogin' )
                 {
                     # There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed
-                    if ( $login.MustChangePassword -ne $LoginMustChangePassword )
+                    if ( $PSBoundParameters.ContainsKey('LoginMustChangePassword') -and $login.MustChangePassword -ne $LoginMustChangePassword )
                     {
                         $errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged
                         New-InvalidOperationException -Message $errorMessage
                     }
 
-                    # `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state)
-                    if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or
-                         $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled )
+                    # Update SQL login data if either `PasswordPolicyEnforced or `PasswordExpirationEnabled` is specified and not in desired state.
+                    # Avoids executing `Update-SQLServerLogin` twice if both are not in desired state.
+                    if ( ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced ) -or
+                         ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) )
                     {
-                        Write-Verbose -Message (
-                            $script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
-                        )
-                        Write-Verbose -Message (
-                            $script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
-                        )
+                        if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') )
+                        {
+                            Write-Verbose -Message (
+                                $script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName
+                            )
 
-                        $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
-                        $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
+                            $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced
+                        }
+
+                        if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') )
+                        {
+                            Write-Verbose -Message (
+                                $script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName
+                            )
+
+                            $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled
+                        }
 
                         Update-SQLServerLogin -Login $login
                     }
@@ -365,13 +374,13 @@ function Set-TargetResource
         The credential containing the password for a SQL Login. Only applies if the login type is SqlLogin.
 
     .PARAMETER LoginMustChangePassword
-        Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. Default is $true.
+        Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins.
 
     .PARAMETER LoginPasswordExpirationEnabled
-        Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. Default is $true.
+        Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins.
 
     .PARAMETER LoginPasswordPolicyEnforced
-        Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. Default is $true.
+        Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins.
 
     .PARAMETER Disabled
         Specifies if the login is disabled. Default is $false.
@@ -421,15 +430,15 @@ function Test-TargetResource
 
         [Parameter()]
         [System.Boolean]
-        $LoginMustChangePassword = $true,
+        $LoginMustChangePassword,
 
         [Parameter()]
         [System.Boolean]
-        $LoginPasswordExpirationEnabled = $true,
+        $LoginPasswordExpirationEnabled,
 
         [Parameter()]
         [System.Boolean]
-        $LoginPasswordPolicyEnforced = $true,
+        $LoginPasswordPolicyEnforced,
 
         [Parameter()]
         [System.Boolean]
@@ -504,7 +513,7 @@ function Test-TargetResource
 
         if ( $LoginType -eq 'SqlLogin' )
         {
-            if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
+            if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled )
             {
                 if ($LoginPasswordExpirationEnabled)
                 {
@@ -522,7 +531,7 @@ function Test-TargetResource
                 $testPassed = $false
             }
 
-            if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
+            if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced )
             {
                 if ($LoginPasswordPolicyEnforced)
                 {
@@ -831,4 +840,3 @@ function Set-SQLServerLoginPassword
         $ErrorActionPreference = $originalErrorActionPreference
     }
 }
-
diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof
@@ -9,9 +9,9 @@ class DSC_SqlLogin : OMI_BaseResource
         Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType;
     [Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName;
     [Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential;
-    [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
-    [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled;
-    [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced;
+    [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
+    [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordExpirationEnabled;
+    [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordPolicyEnforced;
     [Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
     [Write, Description("Specifies the default database name.")] String DefaultDatabase;
 };