Running an on-host Flex integration and bypassing the PowerShell execution policy

I thought I’d post this here as more of a solution for a problem that I couldn’t find an answer to and also for comment if anyone else has a better method for doing this.

I’m using a small Flex integration with the infrastructure agent to run a PowerShell script to get soon-to-expire certificate information from all local certificate stores. This information is then used in an NRQL alert to raise an incident when a certificate is within X days of expiring.
This all works as required and incidents are raised.

My next thought was: would this work on Windows servers with the PowerShell execution policy set to Restricted? I’d been testing with this set to RemoteSigned.

As expected, the integration script fails to run after setting this to Restricted.

So my problem was how to get the Flex integration to run a script and bypass the execution policy.
I know using -ExecutionPolicy Bypass does this, but I couldn’t find any information on how to configure this in the integration’s .yaml file.

After much trial and error, getting very confused with “illegal characters in path” messages and not being able to work out the correct way to capture the script file path as a string (it kept failing at the first space), I came across a method that works.
See the working integration .yaml file contents below:

name: CertifcateMonitorWindows
apis:
  - name: CertificateMonitorWin
    shell: powershell
    commands:
    - run: powershell -ExecutionPolicy Bypass "& 'C:\Program Files\New Relic\newrelic-infra\integrations.d\Scripts\CertificateMonitoring\Get-expired-certs-PS-Drive-NR.ps1'"

The important bits of this are:

Even though the powershell command is being used on the - run: line, the shell: also needs to be set to powershell.
This then allows the use of single quotes around the script’s file path, which works natively in PowerShell and so allows the script path to be captured as a string.

Using double quotes (as you would do in many of the examples where - run: just has the "& "filepath" set e.g. nothing before it) does not work, maybe because the whole - run: command is being executed inside of the PowerShell session started by the shell: and hence the native PowerShell syntax is being used instead of it being interpreted in YAML?

Before enabling PowerShell via the shell: and calling it only in - run: I was getting all sorts of errors about illegal characters when trying to work out how to encapsulate the script path as a string and trying to escape special YAML characters.

This was the only way I could work out for bypassing the PowerShell execution policy when running scripts as a Flex integration.

If anyone else has another or better way of doing this I’d appreciate some feedback.

If anyone else is also trying to work this out, hopefully they can find this solution and it helps.

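As an added example (not the original poster’s script or anything from New Relic), here is a PowerShell script of the kind the - run: line above could point at: it walks every store under the Cert: drive and emits certificates expiring within a threshold as a JSON array on stdout, which Flex is assumed to parse into one sample per element; the parameter names and output field names are my own choice.

```powershell
# Added example script for the Flex integration described above (not the poster's own).
# Assumption: Flex turns a JSON array on stdout into one sample per element.
param(
    [int]$DaysThreshold = 30   # report certificates expiring within this many days
)

$ErrorActionPreference = 'Stop'
$now    = Get-Date
$cutoff = $now.AddDays($DaysThreshold)

# Cert:\ -Recurse yields store locations, stores and certificates; keep only the
# certificate objects, then those whose NotAfter falls on or before the cutoff.
$results = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.NotAfter -le $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            # PSParentPath looks like '...Certificate::LocalMachine\My'; keep the store part.
            store_path     = ($_.PSParentPath -replace '^.*::', '')
            subject        = $_.Subject
            issuer         = $_.Issuer
            thumbprint     = $_.Thumbprint
            not_after      = $_.NotAfter.ToString('o')
            days_to_expiry = [math]::Floor(($_.NotAfter - $now).TotalDays)
            expired        = ($_.NotAfter -lt $now)
        }
    }

# Force an array so Flex always gets the same shape, even for zero or one result;
# -Compress keeps the whole payload on a single stdout line.
ConvertTo-Json -InputObject @($results) -Compress -Depth 3
```

Because the wrapper command passes -ExecutionPolicy Bypass, this runs even when the machine policy is Restricted; the execution policy only governs what the PowerShell host will load, so what keeps the integration trustworthy is restricting write access to the Scripts directory the - run: line points at.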

Hey @o.winterbone, thanks for providing this detailed solution. It’s very helpful.


No worries. It may be helpful to have some information around bypassing the PowerShell execution policy in the Flex documentation, as I imagine it would not be an uncommon requirement.

Hi @o.winterbone! Great idea! I’ll pass that feedback on internally!
