Forge Home

iis

Manage IIS for Windows Server 2012, 2012R2 and 2016. Maintain application sites, pools, installation, and many other IIS settings.

273,776 downloads

57 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 10.0.1 (latest)
  • 10.0.0
  • 9.0.0
  • 8.1.1
  • 8.1.0
  • 8.0.3
  • 8.0.2
  • 8.0.1
  • 8.0.0
  • 7.2.0
  • 7.1.0
  • 7.0.1
  • 7.0.0
  • 6.0.0
  • 5.0.0
  • 4.5.1
  • 4.5.0
  • 4.4.0
  • 4.3.2
  • 4.3.1
  • 4.3.0
  • 4.2.1
  • 4.2.0
  • 4.1.2
  • 4.1.1
  • 4.1.0
  • 4.0.0
  • 0.1.0
released Dec 17th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-iis', '10.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-iis
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-iis --version 10.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

puppetlabs/iis — version 10.0.1 Dec 17th 2024

Reference

Table of Contents

Resource types

  • iis_application: Allows creation of a new IIS Application and configuration of application parameters.
  • iis_application_pool: Allows creation of a new IIS Application Pool and configuration of application pool parameters.
  • iis_feature: Allows installation and removal of IIS Features.
  • iis_site: Allows creation of a new IIS Web Site and configuration of site parameters.
  • iis_virtual_directory: Allows creation of a new IIS Virtual Directory and configuration of virtual directory parameters.

Resource types

iis_application

The iis_application type uses an applicationname and a sitename to create an IIS Application. When specifying an application you must specify both. You can specify the sitename by putting it in the title as in "$site_name\$application_name", or you can use the named parameters. If converting a virtual directory to an app, you can use the virtual_directory parameter to specify the site and omit the sitename parameter. To manage two applications of the same name within different websites on an IIS instance, you must ensure the resource title is unique. You can do this by entering both the sitename and applicationname in the title, or using a descriptive title for the resource and using the named parameters for sitename and applicationname

Properties

The following properties are available in the iis_application type.

applicationpool

The name of the application pool for the application.

authenticationinfo
enabledprotocols

The comma-delimited list of enabled protocols for the application. Valid protocols are: \'http\', \'https\', \'net.pipe\', \'net.tcp\', \'net.msmq\', \'msmq.formatname\'.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

physicalpath

The physical path to the application directory. This path must be fully qualified.

sitename

The name of the site for the application.

sslflags

Valid values: Ssl, SslRequireCert, SslNegotiateCert

The SSL settings for the application. Valid options are an array of flags, with the following names: \'Ssl\', \'SslRequireCert\', \'SslNegotiateCert\', \'Ssl128\'.

Parameters

The following parameters are available in the iis_application type.

applicationname

The name of the application. The virtual path of the application is '/'.

provider

The specific backend to use for this iis_application resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

virtual_directory

The IIS Virtual Directory to convert to an application on create. Similar to iis_application, iis_virtual_directory uses composite namevars.

iis_application_pool

Allows creation of a new IIS Application Pool and configuration of application pool parameters.

Properties

The following properties are available in the iis_application_pool type.

auto_shutdown_exe

Specifies an executable to run when the WWW service shuts down an application pool. You can use the auto_shutdown_params property to send parameters to the executable.

auto_shutdown_params

Specifies command-line parameters for the executable that is specified in the auto_shutdown_exe property.

auto_start

Valid values: true, false

When true, indicates to the World Wide Web Publishing Service (W3SVC) that the application pool should be automatically started when it is created or when IIS is started.

clr_config_file

Specifies the .NET configuration file for the application pool

cpu_action

Valid values: NoAction, KillW3wp, Throttle, ThrottleUnderLoad

Configures the action that IIS takes when a worker process exceeds its configured CPU limit.

cpu_limit

Configures the maximum percentage of CPU time (in 1/1000ths of one percent) that the worker processes in an application pool are allowed to consume over a period of time as indicated by the cpu_reset_interval property. If the limit set by the limit property is exceeded, an event is written to the event log and an optional set of events can be triggered. These optional events are determined by the cpu_action property.

cpu_reset_interval

Specifies the reset period (in minutes) for CPU monitoring and throttling limits on an application pool. When the number of minutes elapsed since the last process accounting reset equals the number specified by this property, IIS resets the CPU timers for both the logging and limit intervals.

Important: The resetInterval value must be greater than the time between logging operations, otherwise IIS will reset counters before logging has occurred, and process accounting will not occur.

Note: Because process accounting in IIS uses Windows job objects to monitor CPU times for the whole process, process accounting will only log and throttle applications that are isolated in a separate process from IIS.

cpu_smp_affinitized

Valid values: true, false

Specifies whether a particular worker process assigned to an application pool should also be assigned to a given CPU. This property is used together with the cpu_smp_processor_affinity_mask and cpu_smp_processor_affinity_mask2 properties.

cpu_smp_processor_affinity_mask

Specifies the hexadecimal processor mask for multi-processor computers, which indicates to which CPU the worker processes in an application pool should be bound. Before this property takes effect, the cpu_smp_affinitized property must be set to true for the application pool.

Note: On 64-bit computers, the cpu_smp_processor_affinity_mask property contains the low-order DWORD for the processor mask, and the cpu_smp_processor_affinity_mask2 property contains the high-order DWORD for the processor mask. On 32-bit computers, the cpu_smp_processor_affinity_mask2 property has no effect.

If you set the value to 1 (which corresponds to 00000000000000001 in binary), the worker processes in an application pool run on only the first processor. If you set the value to 2 (which corresponds to 0000000000000010 in binary), the worker processes run on only the second processor. If you set the value to 3 (which corresponds to 0000000000000011 in binary) the worker processes run on both the first and second processors.

Note: Do not set this property to 0. Doing so disables symmetric multiprocessing (SMP) affinity and creates an error condition. This means that processes running on one CPU will not remain affiliated with that CPU throughout their lifetime.

cpu_smp_processor_affinity_mask2

Specifies the high-order DWORD hexadecimal processor mask for 64-bit multi-processor computers, which indicates to which CPU the worker processes in an application pool should be bound. Before this property takes effect, the cpu_smp_affinitized property must be set to true for the application pool.

Note: On 64-bit computers, the cpu_smp_processor_affinity_mask property contains the low-order DWORD for the processor mask, and the cpu_smp_processor_affinity_mask2 property contains the high-order DWORD for the processor mask. On 32-bit computers, the cpu_smp_processor_affinity_mask2 property has no effect.

disallow_overlapping_rotation

Valid values: true, false

Specifies whether the WWW Service should start another worker process to replace the existing worker process while that process is shutting down. The value of this property should be set to true if the worker process loads any application code that does not support multiple worker processes.

disallow_rotation_on_config_change

Valid values: true, false

Specifies whether the WWW Service should rotate worker processes in an application pool when the configuration has changed.

enable32_bit_app_on_win64

Valid values: true, false

When true, enables a 32-bit application to run on a computer that runs a 64-bit version of Windows.

enable_configuration_override

Valid values: true, false

When true, indicates that delegated settings in Web.config files will processed for applications within this application pool. When false, all settings in Web.config files will be ignored for this application pool.

ensure

Valid values: present, absent

Specifies whether an application pool should be present or absent. If state is not specified, the application pool will be created and left in the default started state.

Default value: present

identity_type

Valid values: ApplicationPoolIdentity, LocalService, LocalSystem, NetworkService, SpecificUser

Specifies the account identity under which the application pool runs. Note: Starting in IIS 7.5 the default value is 'ApplicationPoolIdentity'. (In IIS 7.0 the default value was 'NetworkService').

idle_timeout

Specifies how long (in minutes) a worker process should run idle if no new requests are received and the worker process is not processing requests. After the allocated time passes, the worker process requests that it be shut down by the WWW service.

idle_timeout_action

Valid values: Terminate, Suspend

Specifies the action to perform when the idle_timeout duration has been reached. Before IIS 8.5, a worker process that was idle for the duration of the idle_timeout property would be terminated. After IIS 8.5, you have the choice of terminating a worker process that reaches the idle_timeout limit, or suspending it by moving it from memory to disk. Suspending a process will likely take less time and consume less memory than terminating it.

load_balancer_capabilities

Valid values: HttpLevel, TcpLevel

Specifies behavior when a worker process cannot be started, such as when the request queue is full or an application pool is in rapid-fail protection.

load_user_profile

Valid values: true, false

Specifies whether IIS loads the user profile for the application pool identity. Setting this value to false causes IIS to revert to IIS 6.0 behavior. IIS 6.0 does not load the user profile for an application pool identity.

log_event_on_process_model

Specifies which action taken in the process gets logged to the Event Viewer. In IIS 8.0, the only action that applies is the idle_timeout_action, in which the process is terminated because it was idle for the idle_timeout period.

log_event_on_recycle

Specifies that IIS should log an event when an application pool is recycled. The log_event_on_recycle property must have a bit set corresponding to the reason for the recycle if IIS is to log the event. The log_event_on_recycle property can have one or more of the following possible values: 'ConfigChange', 'IsapiUnhealthy', 'Memory', 'OnDemand', 'PrivateMemory', 'Requests', 'Schedule' and 'Time'.

If you specify more than one value, separate them with a comma (,). The default flags for versions of IIS earlier than IIS 10 are 'Time', 'Memory', and 'PrivateMemory'; for IIS 10 and later are all values.

logon_type

Valid values: LogonBatch, LogonService

Specifies the logon type for the process identity. (For additional information about logon types, see the LogonUser Function topic on Microsoft's MSDN Web site).

managed_pipeline_mode

Valid values: Integrated, Classic

Specifies the request-processing mode that is used to process requests for managed content.

managed_runtime_loader

Specifies the managed loader to use for pre-loading the the application pool. Note: This property was added in IIS 7.5. The default value is 'webengine4.dll'.

managed_runtime_version

Valid values: '', v1.1, v2.0, v4.0

Specifies the .NET Framework version to be used by the application pool. Specify an empty string ('') to set as 'No Managed Code.'

manual_group_membership

Valid values: true, false

Specifies whether the IIS_IUSRS group Security Identifier (SID) is added to the worker process token. When false, IIS automatically uses an application pool identity as though it were a member of the built-in IIS_IUSRS group, which has access to necessary file and system resources. When true, an application pool identity must be explicitly added to all resources that a worker process requires at runtime.

max_processes

Indicates the maximum number of worker processes that would be used for the application pool.

A value of 1 indicates a maximum of a single worker process for the application pool. This would be the setting on a server that does not have NUMA nodes.

A value of 2 or more indicates a Web garden that uses multiple worker processes for an application pool (if necessary).

A value of 0 specifies that IIS runs the same number of worker processes as there are Non-Uniform Memory Access (NUMA) nodes. IIS identifies the number of NUMA nodes that are available on the hardware and starts the same number of worker processes. For example, if you have four NUMA nodes, it will use a maximum of four worker processes for that application pool. In this example, setting max_processes to a value of 0 or 4 would have the same result.

orphan_action_exe

Specifies an executable to run when the WWW service orphans a worker process (if the orphan_worker_process is set to true). You can use the orphan_action_params property to send parameters to the executable.

orphan_action_params

Indicates command-line parameters for the executable named by the orphan_action_exe property. To specify the process ID of the orphaned process, use '%1%'.

orphan_worker_process

Valid values: true, false

Specifies whether to assign a worker process to an orphan state instead of terminating it when an application pool fails.

pass_anonymous_token

Valid values: true, false

When true, the Windows Process Activation Service (WAS) creates and passes a token for the built-in IUSR anonymous user account to the Anonymous authentication module. The Anonymous authentication module uses the token to impersonate the built-in account. When false, the token is not passed. Note: The IUSR anonymous user account replaces the IIS_MachineName anonymous account. The IUSR account can be used by IIS or other applications. It does not have any privileges assigned to it during setup.

password

Specifies the password associated with the user_name property. This property is only necessary when the value of identity_type is 'SpecificUser'.

Note: To avoid storing unencrypted password strings in configuration files, this uses AppCmd.exe. This encrypts the password automatically before it is written to the XML configuration files. This provides better password security than storing unencrypted passwords.

ping_interval

Specifies the time between health-monitoring pings that the WWW service sends to a worker process

ping_response_time

Specifies the time that a worker process is given to respond to a health-monitoring ping. After the time limit is exceeded, the WWW service terminates the worker process.

pinging_enabled

Valid values: true, false

The pinging_enabled property specifies whether the WWW Service should periodically monitor the health of a worker process. Setting the value of this property to true indicates to the WWW service to monitor the worker processes to ensure that the they are running and healthy.

queue_length

Indicates to HTTP.sys how many requests to queue for an application pool before rejecting future requests. When the value set for this property is exceeded, IIS rejects subsequent requests with a 503 error. If the load_balancer_capabilities setting is 'TcpLevel', the connection is closed instead of rejecting requests with a 503. For more information about load_balancer_capabilities, see Failure Settings for an Application Pool. Valid options 11 to 65535.

rapid_fail_protection

Setting to true instructs the WWW service to remove from service all applications that are in an application pool when:

  • The number of worker process crashes has reached the maximum specified in the rapid_fail_protection_max_crashes property.

  • The crashes occur within the number of minutes specified in the rapid_fail_protection_interval property.

Valid options true or false.

rapid_fail_protection_interval

Specifies the number of minutes before the failure count for a process is reset.

rapid_fail_protection_max_crashes

Specifies the maximum number of failures allowed within the number of minutes specified by the rapid_fail_protection_interval property.

restart_memory_limit

Specifies the amount of virtual memory (in kilobytes) that a worker process can use before the worker process is recycled. The maximum value supported for this property is 4,294,967 KB.

A value of 0 sets this to unlimited.

restart_private_memory_limit

Specifies the amount of private memory (in kilobytes) that a worker process can use before the worker process recycles. The maximum value supported for this property is 4,294,967 KB.

A value of 0 sets this to unlimited.

restart_requests_limit

Specifies that the worker process should be recycled after it processes a specific number of requests.

A value of 0 sets this to unlimited.

restart_schedule

Specifies the specific times in a 24-hour period that the worker process should be recycled.

restart_time_limit

Specifies that the worker process should be recycled after a specified amount of time has elapsed.

set_profile_environment

Valid values: true, false

When set to true, WAS creates an environment block to pass to CreateProcessAsUser when creating a worker process. This ensures that the environment is set based on the user profile for the new process.

shutdown_time_limit

Specifies the time that the W3SVC service waits after it initiated a recycle. If the worker process does not shut down within the shutdown_time_limit, it will be terminated by the W3SVC service.

start_mode

Valid values: OnDemand, AlwaysRunning

Specifies the startup type for the application pool.

startup_time_limit

Specifies the time that IIS waits for an application pool to start. If the application pool does not startup within the startup_time_limit, the worker process is terminated and the rapid-fail protection count is incremented.

state

Valid values: started, stopped, Stopped, Started

Aliases: "Stopped"=>"stopped", "Started"=>"started"

The state of the ApplicationPool. By default, a newly created application pool will be started

user_name

Specifies the identity under which the application pool runs when the identity_type is 'SpecificUser'.

Parameters

The following parameters are available in the iis_application_pool type.

name

namevar

The unique name of the ApplicationPool.

provider

The specific backend to use for this iis_application_pool resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

iis_feature

Allows installation and removal of IIS Features.

Properties

The following properties are available in the iis_feature type.

ensure

Valid values: present, absent

Manage the state of this rule.

Default value: present

Parameters

The following parameters are available in the iis_feature type.

include_all_subfeatures

Indicates whether to install all sub features of a parent IIS feature. For instance, ASP.NET as well as the IIS Web Server

include_management_tools

Indicates whether to automatically install all managment tools for a given IIS feature

name

namevar

The unique name of the feature to manage.

provider

The specific backend to use for this iis_feature resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

restart

Indicates whether to allow a restart if the IIS feature installation requests one

source

Optionally include a source path for the installation media for an IIS feature

iis_site

Allows creation of a new IIS Web Site and configuration of site parameters.

Properties

The following properties are available in the iis_site type.

applicationpool

The name of an ApplicationPool for this IIS Web Site

authenticationinfo
bindings

The protocol, address, port, and ssl certificate bindings for a web site.

For web (http/https) protocols, the bindinginformation value should be in the form of the IPv4/IPv6 address or wildcard *, then the port, then the optional hostname separated by colons: (ip|\*):[1-65535]:(hostname)?

A protocol value of "http" indicates a binding that uses the HTTP protocol. A value of "https" indicates a binding that uses HTTP over SSL.

The sslflags parameter accepts integer values from 0 to 3 inclusive.

  • A value of "0" specifies that the secure connection be made using an IP/Port combination. Only one certificate can be bound to a combination of IP address and the port.
  • A value of "1" specifies that the secure connection be made using the port number and the host name obtained by using Server Name Indication (SNI).
  • A value of "2" specifies that the secure connection be made using the centralized SSL certificate store without requiring a Server Name Indicator.
  • A value of "3" specifies that the secure connection be made using the centralized SSL certificate store while requiring Server Name Indicator
defaultpage

Specifies the default page of the site.

enabledprotocols

The protocols enabled for the site. If 'https' is specified, 'http' is implied. If no value is provided, then this setting is disabled. Can be a comma delimited list of protocols. Valid protocols are: 'http', 'https', 'net.pipe', 'net.tcp', 'net.msmq', 'msmq.formatname'.

ensure

Valid values: stopped, started, present, absent, false, true

Aliases: "false"=>"stopped", "true"=>"started"

Specifies whether a site should be present or absent. If present is specified, the site will be created but left in the default stopped state. If started is specified, then the site will be created as well as started. If stopped is specified, then the site will be created and kept stopped.

limits

Configure limits for an IIS Site

logflags

Specifies what W3C fields are logged in the log file. This is only valid when logformat is set to 'W3C'.

logformat

Specifies the format for the log file. When set to 'W3C', used with logflags

loglocaltimerollover

Valid values: true, false

Use the system\'s local time to determine for the log file name as well as when the log file is rolled over

logpath

Specifies the physical path to place the log file

logperiod

Specifies how often the log file should rollover

logtruncatesize

Specifies how large the log file should be before truncating it. The value must be in bytes. The value can be any size between \'1048576 (1MB)\' and \'4294967295 (4GB)\'.

physicalpath

The physical path to the site directory. This path must be fully qualified.

preloadenabled

Valid values: true, false

Enables loading website automatically without a client request first

serviceautostart

Valid values: true, false

Enables autostart on the specified website

serviceautostartprovidername

Specifies the provider used for service auto start. Used with :serviceautostartprovidertype. The element specifies a collection of managed assemblies that Windows Process Activation Service (WAS) will load automatically when the startMode attribute of an application pool is set to AlwaysRunning. This collection allows developers to specify assemblies that perform initialization tasks before any HTTP requests are serviced.

example: serviceautostartprovidername => "MyAutostartProvider" serviceautostartprovidertype => "MyAutostartProvider, MyAutostartProvider, version=1.0.0.0, Culture=neutral, PublicKeyToken=426f62526f636b73"

serviceautostartprovidertype

Specifies the application type for the provider used for service auto start. Used with :serviceautostartprovider

example: serviceautostartprovidername => "MyAutostartProvider" serviceautostartprovidertype => "MyAutostartProvider, MyAutostartProvider, version=1.0.0.0, Culture=neutral, PublicKeyToken=426f62526f636b73"

Parameters

The following parameters are available in the iis_site type.

name

namevar

The Name of the IIS site. Used for uniqueness. Will set the target to this value if target is unset.

provider

The specific backend to use for this iis_site resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

iis_virtual_directory

Allows creation of a new IIS Virtual Directory and configuration of virtual directory parameters.

Properties

The following properties are available in the iis_virtual_directory type.

application

The application under which the virtual directory is created

ensure

Valid values: present, absent

Manage the state of this rule.

Default value: present

password

Specifies the password associated with the user_name property.

physicalpath

The physical path to the virtual directory. This path must be fully qualified. Though not recommended, this can be a UNC style path. Supply credentials for access to the UNC path with the user_name and password properties.

sitename

The site name under which the virtual directory is created

user_name

Specifies the identity that should be impersonated when accessing the physical path.

Parameters

The following parameters are available in the iis_virtual_directory type.

name

namevar

The name of the virtual directory to manage

provider

The specific backend to use for this iis_virtual_directory resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.