@SteveL-MSFT
Member

PR Summary

  • Add new mode to psadapter to work in single mode (vs processing a nested config) via the new resourceType arg
  • This required some internal changes to use existing helper functions to process a single resource json instead of a config
  • Since this change is in the adapter and introduces two new variants (PS7 and WinPS5.1), needed a new feature to enable specifying which adapter to use when resource is used implicitly. This can be enhanced in the future to allow specifying version. This is done in the resource metadata under Microsoft.DSC as requireAdapter with the adapter type name.

Context

This work is needed before adding support for adapted resource manifests

Contributor

Copilot AI left a comment

Pull request overview

This PR enables PowerShell adapters to work in a new "single mode" that processes individual resources directly rather than nested configurations. It introduces two new adapter variants (PowerShell 7 and Windows PowerShell 5.1) and adds the ability to specify which adapter to use through resource metadata.

Key Changes

  • Added support for single-mode operation in PowerShell adapters via a new resourceType parameter
  • Introduced requireAdapter property in resource metadata under Microsoft.DSC namespace to explicitly specify adapter type
  • Created two new adapter resource manifests for single-mode operations: Microsoft.Adapter/PowerShell and Microsoft.Adapter/WindowsPowerShell

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| lib/dsc-lib/src/dscresources/dscresource.rs | Added debug logging for single input kind adapter usage |
| lib/dsc-lib/src/configure/mod.rs | Implemented requireAdapter metadata processing across get/set/test/export operations; changed log level for schema metadata warning; reordered MicrosoftDscMetadata fields alphabetically |
| lib/dsc-lib/src/configure/config_doc.rs | Added requireAdapter field to MicrosoftDscMetadata struct; reordered fields alphabetically |
| lib/dsc-lib/locales/en-us.toml | Added requireAdapter localization message; enhanced error messages to include error details |
| dsc/tests/dsc_adapter.tests.ps1 | Added test for invalid adapter specification via metadata |
| adapters/powershell/psDscAdapter/win_psDscAdapter.psm1 | Updated Get-DscResourceObject to accept type parameter for single-resource mode; removed trailing whitespace |
| adapters/powershell/psDscAdapter/psDscAdapter.psm1 | Updated Get-DscResourceObject to accept type parameter for single-resource mode; removed trailing whitespace |
| adapters/powershell/psDscAdapter/powershell.resource.ps1 | Added ResourceType parameter; implemented single-resource processing logic; changed default jsonInput from '@{}' to '{}'; updated adapter naming for single mode |
| adapters/powershell/WindowsPowerShell_adapter.dsc.resource.json | New adapter manifest for Windows PowerShell in single mode |
| adapters/powershell/PowerShell_adapter.dsc.resource.json | New adapter manifest for PowerShell 7 in single mode |
| adapters/powershell/Tests/win_powershellgroup.tests.ps1 | Added parameterized tests for requireAdapter metadata with multiple adapter types |
| adapters/powershell/Tests/powershellgroup.config.tests.ps1 | Added parameterized tests for requireAdapter metadata with multiple adapter types |
| adapters/powershell/.project.data.json | Updated to include new adapter manifest files |

Comments suppressed due to low confidence (1)

adapters/powershell/psDscAdapter/powershell.resource.ps1:87

  • The psmodulepath value from jsonInput is passed directly into $ExecutionContext.InvokeCommand.ExpandString, which evaluates embedded PowerShell expressions (e.g., $(...)) and variables, allowing arbitrary code execution if an attacker can influence the configuration JSON. An attacker who can supply a psmodulepath like "$env:PSModulePath;$(Invoke-WebRequest ... | IEX)" would have their code executed in the adapter’s context when the configuration is processed, leading to full compromise of the agent host. To avoid this, treat psmodulepath as data only (e.g., use an API that expands environment variables without evaluating subexpressions, or sanitize/reject any use of $(...) or other expression syntax before expanding).
    $new_psmodulepath = $inputobj_pscustomobj.psmodulepath
    if ($new_psmodulepath)
    {
        $env:PSModulePath = $ExecutionContext.InvokeCommand.ExpandString($new_psmodulepath)

@SteveL-MSFT SteveL-MSFT marked this pull request as draft December 19, 2025 22:04
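
One way to treat psmodulepath as data only, as the suppressed review comment on powershell.resource.ps1 suggests, shown beside the flagged ExpandString call. This is an added example, not code from the PR or the DSC project; the Expand-EnvOnly helper and the sample input are hypothetical, and a harmless arithmetic subexpression stands in for untrusted content.

```powershell
# Added example; Expand-EnvOnly is a hypothetical helper, not part of the DSC code base.
function Expand-EnvOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Value
    )

    # The only token that gets expanded: $env:NAME with a plain identifier.
    $pattern = '\$env:([A-Za-z_][A-Za-z0-9_]*)'

    # Validate the input itself (not the expanded result): once the allowed
    # tokens are removed, no '$' or backtick may remain. This rejects $(...),
    # ${...}, plain variables and escape sequences before anything is expanded.
    $literalParts = [regex]::Replace($Value, $pattern, '')
    if ($literalParts -match '[$`]') {
        throw 'psmodulepath may only reference $env:NAME; expression syntax is rejected.'
    }

    # Substitute values by lookup; nothing is parsed or evaluated as PowerShell.
    [regex]::Replace($Value, $pattern, {
        param($m)
        [string][Environment]::GetEnvironmentVariable($m.Groups[1].Value)
    })
}

# Constructed input: a benign subexpression in place of attacker-supplied content.
$untrusted = '$env:PSModulePath;$(1 + 1)'

# Form flagged in the review: ExpandString evaluates the subexpression.
$ExecutionContext.InvokeCommand.ExpandString($untrusted)

# Data-only expansion: the same input is rejected before any expansion happens.
try {
    Expand-EnvOnly -Value $untrusted
}
catch {
    "rejected: $($_.Exception.Message)"
}

# A value that only references environment variables still expands.
$sep = [IO.Path]::PathSeparator
Expand-EnvOnly -Value ('$env:PSModulePath' + $sep + 'C:\ExtraModules')
```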