DbaAvailabilityGroup - Add ClusterConnectionOption parameter with TLS 1.3 encryption support (#10035)

potatoqualitee · web-flow · commit 354b45a88001 · 2025-12-05T14:18:01.000+01:00
diff --git a/public/New-DbaAvailabilityGroup.ps1 b/public/New-DbaAvailabilityGroup.ps1
@@ -202,6 +202,25 @@ function New-DbaAvailabilityGroup {
         The cluster will request an IP address from DHCP servers on each replica's subnet.
         Use this when static IP management is not desired and DHCP reservations can provide consistent addressing.
 
+    .PARAMETER ClusterConnectionOption
+        Specifies connection options for TDS 8.0 support in SQL Server 2025 and above.
+        This allows the Windows Server Failover Cluster (WSFC) to connect to SQL Server instances using ODBC with TLS 1.3 encryption.
+        The value is a string containing semicolon-delimited key-value pairs.
+
+        Available keys:
+        - Encrypt: Controls connection encryption
+        - TrustServerCertificate: Whether to trust the server certificate
+        - HostNameInCertificate: Expected hostname in the certificate
+        - ServerCertificate: Path to server certificate
+
+        This setting is persisted by WSFC in the registry and used continuously for cluster-to-instance communication.
+        Note: PowerShell does not validate these values - invalid combinations will be rejected by SMO or the ODBC driver.
+
+        Example: "Encrypt=Strict;TrustServerCertificate=False"
+
+        For detailed documentation, see:
+        https://learn.microsoft.com/en-us/sql/t-sql/statements/create-availability-group-transact-sql
+
     .PARAMETER WhatIf
         Shows what would happen if the command were to run. No actions are actually performed.
 
@@ -335,6 +354,7 @@ function New-DbaAvailabilityGroup {
         [ipaddress]$SubnetMask = "255.255.255.0",
         [int]$Port = 1433,
         [switch]$Dhcp,
+        [string]$ClusterConnectionOption,
         [switch]$EnableException
     )
     begin {
@@ -563,6 +583,10 @@ function New-DbaAvailabilityGroup {
                     $ag.ReuseSystemDatabases = $ReuseSystemDatabases
                 }
 
+                if ($server.VersionMajor -ge 17 -and $ClusterConnectionOption) {
+                    $ag.ClusterConnectionOptions = $ClusterConnectionOption
+                }
+
                 if ($PassThru) {
                     $defaults = 'LocalReplicaRole', 'Name as AvailabilityGroup', 'PrimaryReplicaServerName as PrimaryReplica', 'AutomatedBackupPreference', 'AvailabilityReplicas', 'AvailabilityDatabases', 'AvailabilityGroupListeners'
                     Write-Progress -Activity "Adding new availability group" -Completed
diff --git a/public/Set-DbaAvailabilityGroup.ps1 b/public/Set-DbaAvailabilityGroup.ps1
@@ -57,6 +57,25 @@ function Set-DbaAvailabilityGroup {
         Configures the availability group as a Distributed AG that spans multiple WSFC clusters or standalone instances.
         Used for disaster recovery scenarios across geographic locations or different domains. Requires SQL Server 2016 or later.
 
+    .PARAMETER ClusterConnectionOption
+        Specifies connection options for TDS 8.0 support in SQL Server 2025 and above.
+        This allows the Windows Server Failover Cluster (WSFC) to connect to SQL Server instances using ODBC with TLS 1.3 encryption.
+        The value is a string containing semicolon-delimited key-value pairs.
+
+        Available keys:
+        - Encrypt: Controls connection encryption
+        - TrustServerCertificate: Whether to trust the server certificate
+        - HostNameInCertificate: Expected hostname in the certificate
+        - ServerCertificate: Path to server certificate
+
+        This setting is persisted by WSFC in the registry and used continuously for cluster-to-instance communication.
+        Note: PowerShell does not validate these values - invalid combinations will be rejected by SMO or the ODBC driver.
+
+        Example: "Encrypt=Strict;TrustServerCertificate=False"
+
+        For detailed documentation, see:
+        https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-availability-group-transact-sql
+
     .PARAMETER InputObject
         Accepts availability group objects from Get-DbaAvailabilityGroup for pipeline operations.
         Use this to pipe specific AG objects directly to the function instead of specifying SqlInstance and AG names separately.
@@ -115,6 +134,7 @@ function Set-DbaAvailabilityGroup {
         [switch]$BasicAvailabilityGroup,
         [switch]$DatabaseHealthTrigger,
         [switch]$IsDistributedAvailabilityGroup,
+        [string]$ClusterConnectionOption,
         [parameter(ValueFromPipeline)]
         [Microsoft.SqlServer.Management.Smo.AvailabilityGroup[]]$InputObject,
         [switch]$EnableException
@@ -142,6 +162,16 @@ function Set-DbaAvailabilityGroup {
                             $ag.$prop = (Get-Variable -Name $prop -ValueOnly)
                         }
                     }
+
+                    # ClusterConnectionOption requires SQL Server 2025+ (version 17)
+                    if ((Test-Bound -ParameterName ClusterConnectionOption)) {
+                        if ($ag.Parent.VersionMajor -ge 17) {
+                            $ag.ClusterConnectionOptions = $ClusterConnectionOption
+                        } else {
+                            Write-Message -Level Warning -Message "ClusterConnectionOption is only supported in SQL Server 2025 and above. Skipping this setting on $($ag.Parent.Name)."
+                        }
+                    }
+
                     $ag.Alter()
                     $ag
                 }
diff --git a/tests/New-DbaAvailabilityGroup.Tests.ps1 b/tests/New-DbaAvailabilityGroup.Tests.ps1
@@ -44,6 +44,7 @@ Describe $CommandName -Tag UnitTests {
                 "SubnetMask",
                 "Port",
                 "Dhcp",
+                "ClusterConnectionOption",
                 "EnableException"
             )
             Compare-Object -ReferenceObject $expectedParameters -DifferenceObject $hasParameters | Should -BeNullOrEmpty
diff --git a/tests/Set-DbaAvailabilityGroup.Tests.ps1 b/tests/Set-DbaAvailabilityGroup.Tests.ps1
@@ -23,6 +23,7 @@ Describe $CommandName -Tag UnitTests {
                 "BasicAvailabilityGroup",
                 "DatabaseHealthTrigger",
                 "IsDistributedAvailabilityGroup",
+                "ClusterConnectionOption",
                 "InputObject",
                 "EnableException"
             )

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ Describe $CommandName -Tag UnitTests {`
`44`	`44`	`"SubnetMask",`
`45`	`45`	`"Port",`
`46`	`46`	`"Dhcp",`
	`47`	`+ "ClusterConnectionOption",`
`47`	`48`	`"EnableException"`
`48`	`49`	`)`
`49`	`50`	`Compare-Object -ReferenceObject $expectedParameters -DifferenceObject $hasParameters \| Should -BeNullOrEmpty`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ Describe $CommandName -Tag UnitTests {`
`23`	`23`	`"BasicAvailabilityGroup",`
`24`	`24`	`"DatabaseHealthTrigger",`
`25`	`25`	`"IsDistributedAvailabilityGroup",`
	`26`	`+ "ClusterConnectionOption",`
`26`	`27`	`"InputObject",`
`27`	`28`	`"EnableException"`
`28`	`29`	`)`