Logging generated passwords in SIF

I’ve been looking at adjusting SIF scripts for a production deployment recently, and realised that sometimes you’d like SIF to generate random passwords for you, but you need them logged so you can reuse them in scripts you’re crafting for other roles. It doesn’t do that out of the box, but it turns out it’s actually quite simple:

Hey reader!
After many years, I’ve finally decided to start moving off WordPress and onto a blog I host myself. This post is now available at “https://blog.jermdavis.dev/posts/2019/logging-generated-passwords-in-sif”. Eventually this version will be retired so please update links on any sites you control, to avoid 404s in the future.

The default configuration for “XPx-SingleDeveloper.json” includes a task that generates a set of random passwords (and some other stuff) for you:

    "Tasks": {
        "GeneratePasswords": {
            "Description": "Generates all shared passwords and secrets.",
            "Type": "SetVariable",
            "Params": {
                "Name": "XP1Passwords",
                "Scope": "Global",
                "Value":  [
                    /* Other generation tasks... */

                    {"SqlCorePassword":                "[variable('SqlCore.Password')]"},

                    /* Other generation tasks... */
                ]
            }
        }
    }

And if you’re feeling too lazy to generate all these things yourself, it seems sensible to reuse this in scripts where everything’s not on the same box…

It squirrels all these values away into variables, so that they can be reused for all the included tasks that set up all the roles – but it doesn’t seem to record them anywhere else. That’s entirely sensible from a security perspective – but that’s of no help if you’re going to have to take the Content Delivery .json over to another server and run it there. (Yes, I know SIF v2 supports remoting – but so far I’ve yet to meet a client that actually allows that on their production servers.)

But it turns out that it’s actually very simple to get SIF to log something for you. There are two things to do:

First, you need to ensure that you’ve registered the “WriteInformation” task, which enables logging. Depending on what file you’re starting from, this might be done already – but what you need is to ensure that task is added to the “/Register/Tasks” block:

    "Register": {
        "Tasks": {
            "SetVariable": "Set-Variable",
            "WriteInformation": "Write-Information"
        }
    }

With that done, you can now add your own tasks to output whatever generated values you’re after. So after the generation block in “/Tasks” above, you might add:

    "Tasks": {

        /* Whatever generation tasks you need */

        "DisplaySqlCorePassword": {
            "Description": "Displays the Sql Core DB password.",
            "Type": "WriteInformation",
            "Params": {
                "MessageData": "[concat('Sql Core DB Password: ',variable('SqlCore.Password'))]",
                "InformationAction": "Continue"
            }
        }
    }

in order to get the password generated for the Core database. And you can add more of these to write out whatever passwords you need to reuse.

That’s just binding a task based on “WriteInformation” which outputs the string defined by “MessageData”. So you can construct more complex messages if you want, too.

Just remember not to leave log files lying around with these values in them…
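One way to act on that last point, as an added example that is not part of the original post or of SIF itself: a PowerShell function that pulls the values written by tasks like “DisplaySqlCorePassword” out of a log file into SecureStrings and redacts them in place. The function name, the log path and the sample log lines are assumptions made for illustration.

```powershell
# Added example. Assumptions: the log path and the "<label> Password: <value>"
# line shape, which follows the MessageData string shown in the post.
function Protect-SifLoggedPassword {
    param(
        [Parameter(Mandatory)] [string] $LogPath
    )

    # Label is any run of words ending in "Password"; value is the rest of the line.
    $pattern = '(?<label>[\w ]*Password): (?<value>\S.*)$'
    $secrets = @{}

    $scrubbed = foreach ($line in Get-Content -LiteralPath $LogPath) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            $label = $m.Groups['label'].Value.Trim()
            $value = $m.Groups['value']
            # Hold the value only as a SecureString from here on.
            $secrets[$label] = ConvertTo-SecureString $value.Value.Trim() -AsPlainText -Force
            # Keep everything up to the value so the log still shows the task ran.
            $line.Substring(0, $value.Index) + '[REDACTED]'
        }
        else {
            $line
        }
    }

    # Rewrite the log in place without the plaintext values.
    Set-Content -LiteralPath $LogPath -Value $scrubbed
    return $secrets
}

# Constructed sample log (not real SIF output) to exercise the function.
$sampleLog = Join-Path ([System.IO.Path]::GetTempPath()) 'sif-sample.log'
Set-Content -LiteralPath $sampleLog -Value @(
    'Starting install',
    'Sql Core DB Password: Constructed-Value-123',
    'Install complete'
)

$found = Protect-SifLoggedPassword -LogPath $sampleLog
$found.Keys                            # labels that were harvested
Get-Content -LiteralPath $sampleLog    # log content after redaction
```

The returned SecureStrings still need to go into whatever secret store you use for the other roles. Rewriting the file does not remove copies held in console scrollback or in other transcripts.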
