dbatools icon indicating copy to clipboard operation
dbatools copied to clipboard
verified publisher icon dataplat

New parameter for connect-dbainstance that will attempt a connection with trustservercertificate only if TLS connection fails

Open Shashtsoh opened this issue 1 year ago • 1 comments

Summarize Functionality

Some environments don't have proper certs on all of their SQL instances for political and/or technical reasons. When automating for an environment with a mix of servers the current options are:

  1. Ignore TLS by either turning off TLS verification in the module or using trustservercertificate on all connections. Big hammer, big security issue.
  2. Split codebases for the connections and try to maintain lists of which servers use which connection. Ugly hammer, big headache.
  3. Write a wrapper function that attempts a TLS connection first, tries -trustservercertificate if that fails, then fails as usual if all attempts fail. Ugly hammer, minor inconvenience.

Option 3 is the best of the currently available options, but still requires some annoying code changes that don't feel like they should be necessary. I'm proposing implementing Option 3's logic via a parameter on connect-dbainstance that I'll call AllowTrustServerCertificate. This will maintain all current functionality allowing users to explicitly choose which connection type they want/need, but also give them an option that will do both with one call where either type could be needed.

I've started looking into what changes would be required in connect-dbainstance, but would love some input/feedback on the idea before I get too far down the road.

Is there a command that is similiar or close to what you are looking for?

No

Technical Details

The calls & functionality would look like this

# Only connects if a cert is properly implemented
connect-dbainstance -sqlinstance <myserver> 

# Connects ignoring any certs
connect-dbainstance -sqlinstance <myserver> -trustservercertificate 

# Connects with TLS if cert is present, otherwise connects using trustservercertificate
connect-dbainstance -sqlinstance <myserver> -allowtrustservercertificate

Shashtsoh avatar Feb 09 '24 00:02 Shashtsoh

I like the idea and would help with the implementation as I refactored the command some time ago.

You would also want to have a config item for that, because the command is often used by other commands.

As it is "the" central command, let's first get feedback from more maintainers.

@potatoqualitee @wsmelton @niphlod

andreasjordan avatar Feb 09 '24 18:02 andreasjordan