
puppet - Capturing output/error when invoking PowerShell script

I am trying to invoke a PowerShell script from Puppet. The issue is that even if the PowerShell script fails on the remote box, it still shows a successful run, as shown below:

Notice: /Stage[main]/Main/Node[dev.abc.com]/Exec[Check UAC]/returns: executed successfully

Content of my node block in site.pp:

exec { 'Check UAC':
  command   => '& C:\temp\check_uac.ps1',
  provider  => powershell,
  logoutput => 'on_failure',
}

The script failed when I tried running it from the PowerShell console, stating that the execution policy was set to Restricted.

PS C:\> C:\temp\check_uac.ps1
C:\temp\check_uac.ps1 : File C:\temp\check_uac.ps1 cannot be loaded because running
scripts is disabled on this system. For more information, see about_Execution_Policies
at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ C:\temp\check_uac.ps1
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

How can I capture the above error when invoking the script from Puppet to avoid surprises later?


1 Reply


You need to set an exit code to have Puppet pick up failures:

exec { 'Check UAC':
  command   => '& C:\temp\check_uac.ps1; exit (1 - [int]$?)',
  provider  => powershell,
  logoutput => 'on_failure',
}

However, since the powershell provider should normally bypass execution policies, the error you observed means that the execution policy is enforced via group policy.

A better approach would be to fix the execution policy in your environment, so that it doesn't prohibit script execution, and have your script return an exit code to indicate whether or not UAC is enabled.

If for some obscure reason you cannot fix the actual problem and have to deal with the symptoms instead, you need to exec PowerShell directly, like this:

exec { 'Check UAC':
  command   => 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -NoLogo -NonInteractive -Command "& {C:\temp\check_uac.ps1; exit (1 - [int]$?)}"',
  logoutput => 'on_failure',
}

The powershell provider won't work in this scenario.


If all you want is to determine whether or not execution of PowerShell scripts is restricted, I would consider a dynamic fact a better way to determine that information, e.g. with a batch script in %AllUsersProfile%\PuppetLabs\facter\facts.d:

@echo off

for /f "tokens=* delims=" %%p in (
  'powershell -NoProfile -NonInteractive -NoLogo -Command "Get-ExecutionPolicy"'
) do set "policy=%%p"

if /i "%policy%"=="restricted" (
  echo ExecutionRestricted=true
) else (
  echo ExecutionRestricted=false
)
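
A sketch of a script that reports its result through explicit exit codes, as the answer recommends. This is an added example, not the asker's check_uac.ps1 (which the page does not show): the script body, the 0/1/2 exit-code convention and the use of the standard EnableLUA registry value are assumptions.

```powershell
# Hypothetical check_uac.ps1 (added example; the original script is not shown on the page).
# Assumed exit-code convention:
#   0 = UAC enabled, 1 = UAC disabled, 2 = the check itself failed
# A non-zero code lets the calling Puppet exec report a failure instead of
# "executed successfully".

# Turn non-terminating errors (missing key, access denied) into terminating
# ones so that the catch block below sees them.
$ErrorActionPreference = 'Stop'

# Standard Windows location of the UAC switch (EnableLUA: 1 = on, 0 = off).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableLUA'

try {
    $enableLua = (Get-ItemProperty -Path $key -Name $name).$name
}
catch {
    # Emit the reason so that logoutput => 'on_failure' shows it in the Puppet run.
    Write-Output "UAC check failed: $($_.Exception.Message)"
    exit 2
}

if ($enableLua -eq 1) {
    Write-Output 'UAC is enabled'
    exit 0
}

Write-Output "UAC is disabled ($name = $enableLua)"
exit 1
```

When the exec command ends with `exit $LASTEXITCODE` after calling the script, the script's own code is passed on, and the exec resource's `returns` attribute decides which codes count as success.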
