Adding credentials to "*" causes issues with nodes that don't consume them

Hopefully the title makes sense, but the short of it: if i add credentials to the “*” node in the configuraitondata file, the resulting configuration will fail if a node doesn’t have a certificate, even if the resulting mof doesn’t need to encrypt any passwords.

Better example:

$MyHosts = @{ 
    AllNodes = @(
        
        @{ 
            NodeName = "randomnode 1"
            Service = 'ActiveDirectory'
            Thumbprint = "12345abcd"
            CertificateFile = "env:nope too lazy"
        },

     @{ 
            NodeName = "randomnode 2"
            Service = 'FileServer'
        }
 );
}

So in this case I have two nodes, but only one has certificate information because only the “ActiveDirectory” service will need it to encrypt passwords. So lets make our config …

Configuration MasterConfig {
  Node $AllNodes.Where{$_.Service -eq "ActiveDirectory"}.NodeName {
        My_Composite_Dc_Config DCConfig
        {
            DomainName = "contoso.com"
            DCSafeModeAdministratorCred = $Node.DCSafeModeAdministratorCred
            DCDomainCred = $Node.DCDomainCred
            DCDNSDelegationCred = $Node.DCDNSDelegationCred
        }
    }

Now, what I’ve been doing, is right before I run my configuration with configurationdata … I manipulate it rather simply by running a script that adds a “*” entry if it’s missing to the hashtable … which contains all the various creds that could be used.

My HOPE was that both nodes would compile mofs properly. Only the first needed the passwords so only the first should need thumbprint/cert info. What’s happening however is the second node bombs:

"ConvertTo-MOFInstance : System.InvalidOperationException error processing property ‘DomainUserCredential’ OF TYPE ‘xWaitForADDomain’:
Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, "

But why is it even trying? “DCConfig” composite resource (which contains the xWaitForADDomain resource) should be skipped? Adding cert info the the second resource works … and the resulting mof does NOT contain domaincontroller/password info.

Why does it seem to fly through every composite resource even if the configurationdata doesn’t apply?

I dont see a delete option … but I got the problem solved. Ended up being completely misdiagnosed issue on my part.