(CAT-1939) Validation (DO NOT REVIEW)

Author: Ramesh7

.github/workflows/ci.yml

@@ -112,6 +112,12 @@ jobs:
         pass=`grep -oP '(?<=password: ).*' spec/fixtures/litmus_inventory.yaml`
         bundle exec bolt command run "[Environment]::SetEnvironmentVariable('pass', '$pass', 'Machine')" --targets ssh_nodes --inventoryfile spec/fixtures/litmus_inventory.yaml
 
+    - name: Start SSH session
+      uses: luchihoratiu/debug-via-ssh@main
+      with:
+        NGROK_AUTH_TOKEN: ${{ secrets.NGROK_AUTH_TOKEN }}
+        SSH_PASS: ${{ secrets.SSH_PASS }}
+
     - name: Run acceptance tests
       run: |
         bundle exec rake 'litmus:acceptance:parallel'

manifests/concurrent_session_limit.pp

@@ -0,0 +1,45 @@
+# A description of what this class does
+#
+# @summary A short summary of the purpose of this class
+#
+# @param instancename
+#   The instance name you want to manage.  Defaults to the $title when not defined explicitly.
+#
+# @param logonlogin
+#   The password for the logon_trigger_login account
+#
+# @example
+#   include database_configurations::sqlserver::concurrent_session_limit
+class sqlserver::concurrent_session_limit (
+  String $instancename  = 'MSSQLSERVER',
+  String $logonlogin = 'thisisnotarealpassword'
+) {
+  # V-79119 CAT II - Limit concurrent sessions
+  sqlserver::login { 'logon_trigger_login':
+    ensure           => 'present',
+    instance         => 'MSSQLSERVER',
+    password         => $logonlogin,
+    login_type       => 'SQL_LOGIN',
+    check_expiration => true,
+    check_policy     => true,
+    disabled         => true,
+    permissions      => { 'REVOKE' => ['CONNECT SQL'] },
+  }
+
+  sqlserver::role { 'ServerRole':
+    ensure      => 'present',
+    instance    => $instancename,
+    role        => 'SL-ConnectTr',
+    permissions => { 'GRANT' => ['CONNECT SQL', 'VIEW SERVER STATE'] },
+    type        => 'SERVER',
+    members     => ['logon_trigger_login'],
+    #members_purge => true,
+    require     => Sqlserver::Login['logon_trigger_login'],
+  }
+
+  sqlserver_tsql { 'create logon_trigger_login':
+    command => epp('sqlserver/query/customer/create_logon_trigger.sql.epp'),
+    onlyif  => "IF NOT EXISTS (SELECT 1 from sys.server_triggers where name = 'connection_limit_trigger') THROW 50000, 'trignotfound', 10",
+    require => Sqlserver::Role['ServerRole'],
+  }
+}

metadata.json

@@ -21,18 +21,14 @@
     {
       "operatingsystem": "Windows",
       "operatingsystemrelease": [
-        "2012",
-        "2012 R2",
-        "2016",
-        "2019",
-        "2022"
+        "2016"
       ]
     }
   ],
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">=7.0.0 < 9.0.0"
+      "version_requirement": ">=7.0.0 < 8.0.0"
     }
   ],
   "tags": [

templates/query/customer/create_logon_trigger.sql.epp

@@ -0,0 +1,18 @@
+CREATE TRIGGER [connection_limit_trigger]
+ON ALL SERVER WITH EXECUTE AS 'logon_trigger_login'
+FOR LOGON
+AS
+BEGIN
+IF EXISTS (
+SELECT NULL 
+FROM sys.dm_exec_sessions s
+WHERE is_user_process = 1 AND
+s.original_login_name = ORIGINAL_LOGIN()
+HAVING COUNT(*) > 5000
+)
+	BEGIN
+	DECLARE @original_login SYSNAME = ORIGINAL_LOGIN();
+	RAISERROR ('Max concurrent logins exceeded for login ''%s''', 16, 1, @original_login) WITH LOG;
+	ROLLBACK;
+	END
+END;