From c4f1787f019be24c45dc14f6625b2a213418800d Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 11 Dec 2022 17:07:38 +1100 Subject: [PATCH 01/13] add VM Guest patching --- .../.test/linux/deploy.test.bicep | 2 ++ .../.test/windows/deploy.test.bicep | 2 ++ .../virtualMachines/deploy.bicep | 18 +++++++++++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep index 7e0a6bd7ca..c89ae71d7d 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep @@ -155,6 +155,8 @@ module testDeployment '../../deploy.bicep' = { } } ] + enableAutomaticUpdates: true + patchMode: 'AutomaticByPlatform' diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diff --git a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep index 9ed0f6f0a7..46d86fb3fe 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep @@ -159,6 +159,8 @@ module testDeployment '../../deploy.bicep' = { } } ] + enableAutomaticUpdates: true + patchMode: 'AutomaticByPlatform' diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId 
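Review bot: Both test deployments set only `patchMode: 'AutomaticByPlatform'`, so the `'Manual'` branch that forces `enableAutomaticUpdates` to false on Windows and the `'ImageDefault'` branch on Linux in deploy.bicep are never exercised by the test suite. A second Windows case with `patchMode: 'Manual'` and a Linux case with `patchMode: 'ImageDefault'` would cover the remaining allowed values and catch a deployment-time rejection of those combinations. The `enableAutomaticUpdates: true` added to the Linux test is, per its own description, a Windows-only parameter and does not appear in the visible part of `linuxConfiguration`; it is harmless but makes the Linux test read as if it mattered there.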
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index 90e86fb3fc..582b18d5de 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep @@ -276,6 +276,16 @@ param provisionVMAgent bool = true @description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.') param enableAutomaticUpdates bool = true +@description('Optional. VM guest patching orchestration mode. Allowed values are \'AutomaticByPlatform\', \'AutomaticByOS (Windows only)\', \'Manual (Windows only)\', \'ImageDefault (Linux only)\'. Default value is blank (not set).') +@allowed([ + 'AutomaticByPlatform' + 'AutomaticByOS' + 'Manual' + 'ImageDefault' + '' +]) +param patchMode string = '' + @description('Optional. Specifies the time zone of the virtual machine. e.g. \'Pacific Standard Time\'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.') param timeZone string = '' 
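Review bot: The `@allowed` list accepts every patch mode regardless of OS, while the description says `AutomaticByOS` and `Manual` are Windows-only and `ImageDefault` is Linux-only; nothing checks the value against `osType`, and the following hunk in this file resolves a mismatch by emitting `patchSettings: null`, so a Linux VM deployed with `patchMode: 'Manual'` quietly ends up with no patch configuration instead of failing. That is a silent downgrade of the patching posture the caller asked for, which is the kind of thing a compliance review later trips over. Since the parameter decorators cannot express a cross-parameter constraint, the description should at least state the behaviour, e.g. `A value that does not apply to the selected osType is ignored and no patchSettings block is emitted.`, and the readme row generated from it will then carry the same warning.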
@@ -306,11 +316,17 @@ var linuxConfiguration = { publicKeys: publicKeysFormatted } provisionVMAgent: provisionVMAgent + patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'ImageDefault')) ? { + patchMode: patchMode + } : null } var windowsConfiguration = { provisionVMAgent: provisionVMAgent - enableAutomaticUpdates: enableAutomaticUpdates + enableAutomaticUpdates: patchMode !~ 'Manual' ? enableAutomaticUpdates : false + patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'AutomaticByOS' || patchMode =~ 'Manual')) ? { + patchMode: patchMode + } : null timeZone: empty(timeZone) ? null : timeZone additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent winRM: !empty(winRM) ? { From 551b624638241755458601df343999b5f62604b7 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 11 Dec 2022 17:15:57 +1100 Subject: [PATCH 02/13] update readme --- .../virtualMachines/readme.md | 805 +----------------- 1 file changed, 14 insertions(+), 791 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 8be20528ab..5b49ce32e9 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md @@ -28,7 +28,6 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally ## Parameters **Required parameters** - | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `adminUsername` | secureString | | | Administrator username. | 
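Review bot: `patchSettings` falls back to `null` whenever `provisionVMAgent` is false, so a caller who explicitly requests `AutomaticByPlatform` while disabling the VM agent gets a VM with no patch orchestration and no error; surfacing that conflict (or documenting it next to `provisionVMAgent`) is preferable to dropping the setting. The Windows branch forces `enableAutomaticUpdates` to false for `Manual` but passes the caller's value through for `AutomaticByPlatform` and `AutomaticByOS`; as far as I recall the platform rejects those two modes when `enableAutomaticUpdates` is false, so it is worth confirming against the API and, if so, deriving `enableAutomaticUpdates` from `patchMode` for those modes the same way `Manual` is handled so the two settings cannot disagree. `var linuxConfiguration` begins before this hunk and `var windowsConfiguration` continues past it.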
@@ -40,7 +39,6 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `vmSize` | string | | | Specifies the size for the VMs. | **Optional parameters** - | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | 
@@ -86,6 +84,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. | +| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. Allowed values are 'AutomaticByPlatform', 'AutomaticByOS (Windows only)', 'Manual (Windows only)', 'ImageDefault (Linux only)'. Default value is blank (not set). | | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. | | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. | 
@@ -108,7 +107,6 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | **Generated parameters** - | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | 
@@ -1044,162 +1042,11 @@ The following module usage examples are retrieved from the content of the files module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-cvmlincom' params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: '0001-com-ubuntu-server-focal' - publisher: 'Canonical' - sku: '' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - ] - osDisk: { - caching: 'ReadOnly' - createOption: 'fromImage' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Linux' - vmSize: 'Standard_B12ms' - // Non-required parameters - availabilityZone: 1 - backupPolicyName: '' - backupVaultName: '' - backupVaultResourceGroup: '' - dataDisks: [ - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'ReadWrite' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - disablePasswordAuthentication: true - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAzureDiskEncryptionConfig: { - 
enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - } - extensionCustomScriptProtectedSetting: { - commandToExecute: '' - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionDSCConfig: { - enabled: false - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - location: '' - lock: 'CanNotDelete' - monitoringWorkspaceId: '' - name: '<>cvmlincom' - publicKeys: [ - { - keyData: '' - path: '/home/localAdminUser/.ssh/authorized_keys' - } - ] - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '': {} - } + } + dependsOn: [ + resourceGroupResources // Required to leverage `existing` SSH key reference + ] } ``` 
@@ -1214,231 +1061,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "0001-com-ubuntu-server-focal", - "publisher": "Canonical", - "sku": "", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "deleteOption": "Delete", - "ipConfigurations": [ - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" - } - ], - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - } - ] - }, - "osDisk": { - "value": { - "caching": "ReadOnly", - "createOption": "fromImage", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Linux" - }, - "vmSize": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "availabilityZone": { - "value": 1 - }, - "backupPolicyName": { - "value": "" - }, - "backupVaultName": { - "value": "" - }, - "backupVaultResourceGroup": { - "value": "" - }, - "dataDisks": { - "value": [ - { - "caching": "ReadWrite", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "ReadWrite", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": 
"Premium_LRS" - } - } - ] - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "disablePasswordAuthentication": { - "value": true - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" - } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" - } - ] - } - }, - "extensionCustomScriptProtectedSetting": { - "value": { - "commandToExecute": "" - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDSCConfig": { - "value": { - "enabled": false - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "location": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "monitoringWorkspaceId": { - "value": "" - }, - "name": { - "value": "<>cvmlincom" - }, - "publicKeys": { - "value": [ - { - "keyData": "", - "path": "/home/localAdminUser/.ssh/authorized_keys" - } - ] - }, - "roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } - } - } + "parameters": {} } ``` 
@@ -1498,6 +1121,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } ] } + dependsOn: [ + resourceGroupResources // Required to leverage `existing` SSH key reference + ] } ``` @@ -1638,6 +1264,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } ] } + dependsOn: [ + resourceGroupResources // Required to leverage `existing` SSH key reference + ] } ``` 
@@ -1733,174 +1362,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-cvmwincom' params: { - // Required parameters - adminUsername: 'localAdminUser' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2019-datacenter' - version: 'latest' - } - nicConfigurations: [ - { - deleteOption: 'Delete' - ipConfigurations: [ - { - applicationSecurityGroups: [ - { - id: '' - } - ] - loadBalancerBackendAddressPools: [ - { - id: '' - } - ] - name: 'ipconfig01' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - subnetResourceId: '' - } - ] - nicSuffix: '-nic-01' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - } - ] - osDisk: { - caching: 'None' - createOption: 'fromImage' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_B12ms' - // Non-required parameters - adminPassword: '' - availabilityZone: 2 - backupPolicyName: '' - backupVaultName: '' - backupVaultResourceGroup: '' - dataDisks: [ - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - { - caching: 'None' - createOption: 'Empty' - deleteOption: 'Delete' - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - ] - diagnosticEventHubAuthorizationRuleId: '' - diagnosticEventHubName: '' - diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '' - diagnosticWorkspaceId: '' - enableDefaultTelemetry: '' - encryptionAtHost: false - extensionAntiMalwareConfig: { - enabled: true - settings: { - 
AntimalwareEnabled: 'true' - Exclusions: { - Extensions: '.ext1;.ext2' - Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' - Processes: 'excludedproc1.exe;excludedproc2.exe' - } - RealtimeProtectionEnabled: 'true' - ScheduledScanSettings: { - day: '7' - isEnabled: 'true' - scanType: 'Quick' - time: '120' - } - } - } - extensionAzureDiskEncryptionConfig: { - enabled: true - settings: { - EncryptionOperation: 'EnableEncryption' - KekVaultResourceId: '' - KeyEncryptionAlgorithm: 'RSA-OAEP' - KeyEncryptionKeyURL: '' - KeyVaultResourceId: '' - KeyVaultURL: '' - ResizeOSDisk: 'false' - VolumeType: 'All' - } - } - extensionCustomScriptConfig: { - enabled: true - fileData: [ - { - storageAccountId: '' - uri: '' - } - ] - } - extensionCustomScriptProtectedSetting: { - commandToExecute: '' - } - extensionDependencyAgentConfig: { - enabled: true - } - extensionDSCConfig: { - enabled: true - } - extensionMonitoringAgentConfig: { - enabled: true - } - extensionNetworkWatcherAgentConfig: { - enabled: true - } - location: '' - lock: 'CanNotDelete' - monitoringWorkspaceId: '' - name: '<>cvmwincom' - proximityPlacementGroupResourceId: '' - roleAssignments: [ - { - principalIds: [ - '' - ] - principalType: 'ServicePrincipal' - roleDefinitionIdOrName: 'Reader' - } - ] - systemAssignedIdentity: true - userAssignedIdentities: { - '': {} - } + } } ``` 
@@ -1916,246 +1378,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "adminUsername": { - "value": "localAdminUser" - }, - "imageReference": { - "value": { - "offer": "WindowsServer", - "publisher": "MicrosoftWindowsServer", - "sku": "2019-datacenter", - "version": "latest" - } - }, - "nicConfigurations": { - "value": [ - { - "deleteOption": "Delete", - "ipConfigurations": [ - { - "applicationSecurityGroups": [ - { - "id": "" - } - ], - "loadBalancerBackendAddressPools": [ - { - "id": "" - } - ], - "name": "ipconfig01", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "subnetResourceId": "" - } - ], - "nicSuffix": "-nic-01", - "roleAssignments": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - } - ] - }, - "osDisk": { - "value": { - "caching": "None", - "createOption": "fromImage", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_B12ms" - }, - // Non-required parameters - "adminPassword": { - "value": "" - }, - "availabilityZone": { - "value": 2 - }, - "backupPolicyName": { - "value": "" - }, - "backupVaultName": { - "value": "" - }, - "backupVaultResourceGroup": { - "value": "" - }, - "dataDisks": { - "value": [ - { - "caching": "None", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - }, - { - "caching": "None", - "createOption": "Empty", - "deleteOption": "Delete", - "diskSizeGB": "128", - 
"managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - ] - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "" - }, - "diagnosticEventHubName": { - "value": "" - }, - "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "" - }, - "diagnosticWorkspaceId": { - "value": "" - }, - "enableDefaultTelemetry": { - "value": "" - }, - "encryptionAtHost": { - "value": false - }, - "extensionAntiMalwareConfig": { - "value": { - "enabled": true, - "settings": { - "AntimalwareEnabled": "true", - "Exclusions": { - "Extensions": ".ext1;.ext2", - "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", - "Processes": "excludedproc1.exe;excludedproc2.exe" - }, - "RealtimeProtectionEnabled": "true", - "ScheduledScanSettings": { - "day": "7", - "isEnabled": "true", - "scanType": "Quick", - "time": "120" - } - } - } - }, - "extensionAzureDiskEncryptionConfig": { - "value": { - "enabled": true, - "settings": { - "EncryptionOperation": "EnableEncryption", - "KekVaultResourceId": "", - "KeyEncryptionAlgorithm": "RSA-OAEP", - "KeyEncryptionKeyURL": "", - "KeyVaultResourceId": "", - "KeyVaultURL": "", - "ResizeOSDisk": "false", - "VolumeType": "All" - } - } - }, - "extensionCustomScriptConfig": { - "value": { - "enabled": true, - "fileData": [ - { - "storageAccountId": "", - "uri": "" - } - ] - } - }, - "extensionCustomScriptProtectedSetting": { - "value": { - "commandToExecute": "" - } - }, - "extensionDependencyAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionDSCConfig": { - "value": { - "enabled": true - } - }, - "extensionMonitoringAgentConfig": { - "value": { - "enabled": true - } - }, - "extensionNetworkWatcherAgentConfig": { - "value": { - "enabled": true - } - }, - "location": { - "value": "" - }, - "lock": { - "value": "CanNotDelete" - }, - "monitoringWorkspaceId": { - "value": "" - }, - "name": { - "value": "<>cvmwincom" - }, - "proximityPlacementGroupResourceId": { - "value": "" - }, - 
"roleAssignments": { - "value": [ - { - "principalIds": [ - "" - ], - "principalType": "ServicePrincipal", - "roleDefinitionIdOrName": "Reader" - } - ] - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "": {} - } - } - } + "parameters": {} } ``` From 54488becb5e3d04530eba439132ce48d4a134500 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sun, 11 Dec 2022 18:38:14 +1100 Subject: [PATCH 03/13] update --- .../virtualMachines/readme.md | 820 +++++++++++++++++- 1 file changed, 807 insertions(+), 13 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 5b49ce32e9..992cb1d6be 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md @@ -28,6 +28,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally ## Parameters **Required parameters** + | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `adminUsername` | secureString | | | Administrator username. | @@ -39,6 +40,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `vmSize` | string | | | Specifies the size for the VMs. | **Optional parameters** + | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | 
@@ -107,6 +109,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | **Generated parameters** + | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | 
@@ -1042,11 +1045,164 @@ The following module usage examples are retrieved from the content of the files module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-cvmlincom' params: { - + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: '0001-com-ubuntu-server-focal' + publisher: 'Canonical' + sku: '' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + subnetResourceId: '' + } + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + osDisk: { + caching: 'ReadOnly' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Linux' + vmSize: 'Standard_B12ms' + // Non-required parameters + availabilityZone: 1 + backupPolicyName: '' + backupVaultName: '' + backupVaultResourceGroup: '' + dataDisks: [ + { + caching: 'ReadWrite' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'ReadWrite' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticLogsRetentionInDays: 7 + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + disablePasswordAuthentication: true + enableAutomaticUpdates: true + enableDefaultTelemetry: '' + encryptionAtHost: false + 
extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + VolumeType: 'All' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: '' + uri: '' + } + ] + } + extensionCustomScriptProtectedSetting: { + commandToExecute: '' + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionDSCConfig: { + enabled: false + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + location: '' + lock: 'CanNotDelete' + monitoringWorkspaceId: '' + name: '<>cvmlincom' + patchMode: 'AutomaticByPlatform' + publicKeys: [ + { + keyData: '' + path: '/home/localAdminUser/.ssh/authorized_keys' + } + ] + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '': {} + } } - dependsOn: [ - resourceGroupResources // Required to leverage `existing` SSH key reference - ] } ``` 
@@ -1061,7 +1217,237 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": {} + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdminUser" + }, + "imageReference": { + "value": { + "offer": "0001-com-ubuntu-server-focal", + "publisher": "Canonical", + "sku": "", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ + { + "deleteOption": "Delete", + "ipConfigurations": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subnetResourceId": "" + } + ], + "nicSuffix": "-nic-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "osDisk": { + "value": { + "caching": "ReadOnly", + "createOption": "fromImage", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Linux" + }, + "vmSize": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "availabilityZone": { + "value": 1 + }, + "backupPolicyName": { + "value": "" + }, + "backupVaultName": { + "value": "" + }, + "backupVaultResourceGroup": { + "value": "" + }, + "dataDisks": { + "value": [ + { + "caching": "ReadWrite", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "ReadWrite", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + 
"storageAccountType": "Premium_LRS" + } + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "disablePasswordAuthentication": { + "value": true + }, + "enableAutomaticUpdates": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionAtHost": { + "value": false + }, + "extensionAzureDiskEncryptionConfig": { + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KekVaultResourceId": "", + "KeyEncryptionAlgorithm": "RSA-OAEP", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", + "ResizeOSDisk": "false", + "VolumeType": "All" + } + } + }, + "extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + { + "storageAccountId": "", + "uri": "" + } + ] + } + }, + "extensionCustomScriptProtectedSetting": { + "value": { + "commandToExecute": "" + } + }, + "extensionDependencyAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionDSCConfig": { + "value": { + "enabled": false + } + }, + "extensionMonitoringAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionNetworkWatcherAgentConfig": { + "value": { + "enabled": true + } + }, + "location": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "monitoringWorkspaceId": { + "value": "" + }, + "name": { + "value": "<>cvmlincom" + }, + "patchMode": { + "value": "AutomaticByPlatform" + }, + "publicKeys": { + "value": [ + { + "keyData": "", + "path": "/home/localAdminUser/.ssh/authorized_keys" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + 
"value": { + "": {} + } + } + } } ``` @@ -1121,9 +1507,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } ] } - dependsOn: [ - resourceGroupResources // Required to leverage `existing` SSH key reference - ] } ``` @@ -1264,9 +1647,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } ] } - dependsOn: [ - resourceGroupResources // Required to leverage `existing` SSH key reference - ] } ``` 
@@ -1362,7 +1742,176 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-test-cvmwincom' params: { - + // Required parameters + adminUsername: 'localAdminUser' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2019-datacenter' + version: 'latest' + } + nicConfigurations: [ + { + deleteOption: 'Delete' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + pipConfiguration: { + publicIpNameSuffix: '-pip-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + subnetResourceId: '' + } + ] + nicSuffix: '-nic-01' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + osDisk: { + caching: 'None' + createOption: 'fromImage' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_B12ms' + // Non-required parameters + adminPassword: '' + availabilityZone: 2 + backupPolicyName: '' + backupVaultName: '' + backupVaultResourceGroup: '' + dataDisks: [ + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + { + caching: 'None' + createOption: 'Empty' + deleteOption: 'Delete' + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticLogsRetentionInDays: 7 + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableAutomaticUpdates: true + enableDefaultTelemetry: '' + encryptionAtHost: false + extensionAntiMalwareConfig: { 
+ enabled: true + settings: { + AntimalwareEnabled: 'true' + Exclusions: { + Extensions: '.ext1;.ext2' + Paths: 'c:\\excluded-path-1;c:\\excluded-path-2' + Processes: 'excludedproc1.exe;excludedproc2.exe' + } + RealtimeProtectionEnabled: 'true' + ScheduledScanSettings: { + day: '7' + isEnabled: 'true' + scanType: 'Quick' + time: '120' + } + } + } + extensionAzureDiskEncryptionConfig: { + enabled: true + settings: { + EncryptionOperation: 'EnableEncryption' + KekVaultResourceId: '' + KeyEncryptionAlgorithm: 'RSA-OAEP' + KeyEncryptionKeyURL: '' + KeyVaultResourceId: '' + KeyVaultURL: '' + ResizeOSDisk: 'false' + VolumeType: 'All' + } + } + extensionCustomScriptConfig: { + enabled: true + fileData: [ + { + storageAccountId: '' + uri: '' + } + ] + } + extensionCustomScriptProtectedSetting: { + commandToExecute: '' + } + extensionDependencyAgentConfig: { + enabled: true + } + extensionDSCConfig: { + enabled: true + } + extensionMonitoringAgentConfig: { + enabled: true + } + extensionNetworkWatcherAgentConfig: { + enabled: true + } + location: '' + lock: 'CanNotDelete' + monitoringWorkspaceId: '' + name: '<>cvmwincom' + patchMode: 'AutomaticByPlatform' + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalIds: [ + '' + ] + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + systemAssignedIdentity: true + userAssignedIdentities: { + '': {} + } } } ``` 
@@ -1378,7 +1927,252 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", - "parameters": {} + "parameters": { + // Required parameters + "adminUsername": { + "value": "localAdminUser" + }, + "imageReference": { + "value": { + "offer": "WindowsServer", + "publisher": "MicrosoftWindowsServer", + "sku": "2019-datacenter", + "version": "latest" + } + }, + "nicConfigurations": { + "value": [ + { + "deleteOption": "Delete", + "ipConfigurations": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "pipConfiguration": { + "publicIpNameSuffix": "-pip-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subnetResourceId": "" + } + ], + "nicSuffix": "-nic-01", + "roleAssignments": [ + { + "principalIds": [ + "" + ], + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "osDisk": { + "value": { + "caching": "None", + "createOption": "fromImage", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "osType": { + "value": "Windows" + }, + "vmSize": { + "value": "Standard_B12ms" + }, + // Non-required parameters + "adminPassword": { + "value": "" + }, + "availabilityZone": { + "value": 2 + }, + "backupPolicyName": { + "value": "" + }, + "backupVaultName": { + "value": "" + }, + "backupVaultResourceGroup": { + "value": "" + }, + "dataDisks": { + "value": [ + { + "caching": "None", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": "128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + }, + { + "caching": "None", + "createOption": "Empty", + "deleteOption": "Delete", + "diskSizeGB": 
"128", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableAutomaticUpdates": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionAtHost": { + "value": false + }, + "extensionAntiMalwareConfig": { + "value": { + "enabled": true, + "settings": { + "AntimalwareEnabled": "true", + "Exclusions": { + "Extensions": ".ext1;.ext2", + "Paths": "c:\\excluded-path-1;c:\\excluded-path-2", + "Processes": "excludedproc1.exe;excludedproc2.exe" + }, + "RealtimeProtectionEnabled": "true", + "ScheduledScanSettings": { + "day": "7", + "isEnabled": "true", + "scanType": "Quick", + "time": "120" + } + } + } + }, + "extensionAzureDiskEncryptionConfig": { + "value": { + "enabled": true, + "settings": { + "EncryptionOperation": "EnableEncryption", + "KekVaultResourceId": "", + "KeyEncryptionAlgorithm": "RSA-OAEP", + "KeyEncryptionKeyURL": "", + "KeyVaultResourceId": "", + "KeyVaultURL": "", + "ResizeOSDisk": "false", + "VolumeType": "All" + } + } + }, + "extensionCustomScriptConfig": { + "value": { + "enabled": true, + "fileData": [ + { + "storageAccountId": "", + "uri": "" + } + ] + } + }, + "extensionCustomScriptProtectedSetting": { + "value": { + "commandToExecute": "" + } + }, + "extensionDependencyAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionDSCConfig": { + "value": { + "enabled": true + } + }, + "extensionMonitoringAgentConfig": { + "value": { + "enabled": true + } + }, + "extensionNetworkWatcherAgentConfig": { + "value": { + "enabled": true + } + }, + "location": { + "value": "" + }, + "lock": { + "value": "CanNotDelete" + }, + "monitoringWorkspaceId": { + "value": "" + }, + "name": { + "value": "<>cvmwincom" + }, + "patchMode": { + 
"value": "AutomaticByPlatform"
+ },
+ "proximityPlacementGroupResourceId": {
+ "value": ""
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "principalIds": [
+ ""
+ ],
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "Reader"
+ }
+ ]
+ },
+ "systemAssignedIdentity": {
+ "value": true
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "": {}
+ }
+ }
+ }
 }
 ```
From 30e95cb50ef617799be442f558df19ea21348522 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Wed, 14 Dec 2022 20:49:06 +1100
Subject: [PATCH 04/13] Update patchMode description
---
 modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 modules/Microsoft.Compute/virtualMachines/readme.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index 582b18d5de..2ba75225f4 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -276,7 +276,7 @@ param provisionVMAgent bool = true
 @description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
-@description('Optional. VM guest patching orchestration mode. Allowed values are \'AutomaticByPlatform\', \'AutomaticByOS (Windows only)\', \'Manual (Windows only)\', \'ImageDefault (Linux only)\'. Default value is blank (not set).')
+@description('Optional. VM guest patching orchestration mode.')
 @allowed([
 'AutomaticByPlatform'
 'AutomaticByOS'
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 992cb1d6be..1ef1952e9a 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -86,7 +86,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
 | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
-| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. Allowed values are 'AutomaticByPlatform', 'AutomaticByOS (Windows only)', 'Manual (Windows only)', 'ImageDefault (Linux only)'. Default value is blank (not set). |
+| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. |
 | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
From 71523c8d9d00e1f5dd2c15a375db3ec4dda2ab84 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Sun, 18 Dec 2022 16:15:00 +1100
Subject: [PATCH 05/13] add patch assessment mode parameter
---
 .../Microsoft.Compute/virtualMachines/deploy.bicep | 13 +++++++++++--
 modules/Microsoft.Compute/virtualMachines/readme.md | 3 ++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index 2ba75225f4..fb5a83983b 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -276,7 +276,7 @@ param provisionVMAgent bool = true
 @description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
-@description('Optional. VM guest patching orchestration mode.')
+@description('Optional. VM guest patching orchestration mode. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
 @allowed([
 'AutomaticByPlatform'
 'AutomaticByOS'
@@ -286,6 +286,13 @@ param enableAutomaticUpdates bool = true
 ])
 param patchMode string = ''
+@description('Optional. VM guest patching assessment mode. Allowed values are \'AutomaticByPlatform\', \'ImageDefault\'. Set it to \'AutomaticByPlatform\' to enable automatically check for updates every 24 hours.')
+@allowed([
+ 'AutomaticByPlatform'
+ 'ImageDefault'
+])
+param patchAssessmentMode string = 'ImageDefault'
+
 @description('Optional. Specifies the time zone of the virtual machine. e.g. \'Pacific Standard Time\'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`.')
 param timeZone string = ''
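Review bot: The description on the new `patchAssessmentMode` parameter does not say when the value is actually applied; in this module it is only emitted inside `patchSettings`, which the `linuxConfiguration`/`windowsConfiguration` variables in the following hunk set to `null` whenever `provisionVMAgent` is false or `patchMode` is left at its default `''`, so a caller who sets only `patchAssessmentMode: 'AutomaticByPlatform'` gets no periodic assessment and no error. I'd extend the description with `Only applied when provisionVMAgent is true and patchMode is set; ignored otherwise.` The phrase `to enable automatically check for updates every 24 hours` also reads awkwardly; `to have the platform assess the VM for missing updates every 24 hours` says the same thing more clearly. Whether the platform additionally requires a particular patchMode for periodic assessment is not visible here and is worth confirming against the linked Azure documentation before the wording is finalised.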
@@ -318,14 +325,16 @@ var linuxConfiguration = {
 provisionVMAgent: provisionVMAgent
 patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'ImageDefault')) ? {
 patchMode: patchMode
+ assessmentMode: patchAssessmentMode
 } : null
 }
 var windowsConfiguration = {
 provisionVMAgent: provisionVMAgent
- enableAutomaticUpdates: patchMode !~ 'Manual' ? enableAutomaticUpdates : false
+ enableAutomaticUpdates: enableAutomaticUpdates
 patchSettings: (provisionVMAgent && (patchMode =~ 'AutomaticByPlatform' || patchMode =~ 'AutomaticByOS' || patchMode =~ 'Manual')) ? {
 patchMode: patchMode
+ assessmentMode: patchAssessmentMode
 } : null
 timeZone: empty(timeZone) ? null : timeZone
 additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 1ef1952e9a..0b264d4c2e 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
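Review bot: Replacing `enableAutomaticUpdates: patchMode !~ 'Manual' ? enableAutomaticUpdates : false` with a plain passthrough removes the only place the module reconciled `Manual` patch mode with the `enableAutomaticUpdates` default of `true`, so a caller who sets `patchMode: 'Manual'` and nothing else now submits both values to the API, and the description added later in this series ("When patchMode is set to Manual, this parameter must be set to false") turns that into a deployment-time failure rather than something the template guarantees. If the goal is to stop silently overriding the caller's choice, a one-line guard keeps the template self-consistent without changing the parameter surface: `enableAutomaticUpdates: patchMode =~ 'Manual' ? false : enableAutomaticUpdates`. I am inferring that the platform rejects the combination from the removed guard and the later description, not from anything in this hunk, so that is worth confirming before deciding. The `windowsConfiguration` object continues past the end of the hunk.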
@@ -86,7 +86,8 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
 | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
-| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. |
+| `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Allowed values are 'AutomaticByPlatform', 'ImageDefault'. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
+| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
 | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
From 5e47a3c3d39f8419beefc3e0ab42ba566e17aec2 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Sun, 18 Dec 2022 16:23:04 +1100
Subject: [PATCH 06/13] update readme
---
 modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index fb5a83983b..fd0cad28e2 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -273,7 +273,7 @@ param disablePasswordAuthentication bool = false
 @description('Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.')
 param provisionVMAgent bool = true
-@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
+@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When pathcMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
 @description('Optional. VM guest patching orchestration mode. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
From bb5d664d94b5463233bdf57dda523de36e87543c Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 20 Dec 2022 10:32:54 +1100
Subject: [PATCH 07/13] Update modules/Microsoft.Compute/virtualMachines/deploy.bicep
Co-authored-by: Alexander Sehr
---
 modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index fd0cad28e2..a178185f08 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -286,7 +286,7 @@ param enableAutomaticUpdates bool = true
 ])
 param patchMode string = ''
-@description('Optional. VM guest patching assessment mode. Allowed values are \'AutomaticByPlatform\', \'ImageDefault\'. Set it to \'AutomaticByPlatform\' to enable automatically check for updates every 24 hours.')
+@description('Optional. VM guest patching assessment mode. Set it to \'AutomaticByPlatform\' to enable automatically check for updates every 24 hours.')
 @allowed([
 'AutomaticByPlatform'
 'ImageDefault'
From 8583060d48b784173dc946e83367ac39155ed2cb Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 20 Dec 2022 10:33:01 +1100
Subject: [PATCH 08/13] Update modules/Microsoft.Compute/virtualMachines/deploy.bicep
Co-authored-by: Alexander Sehr
---
 modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index a178185f08..d2a86deb4b 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -276,7 +276,7 @@ param provisionVMAgent bool = true
 @description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When pathcMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
-@description('Optional. VM guest patching orchestration mode. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
+@description('Optional. VM guest patching orchestration mode. \'AutomaticByOS\' & \'Manual\' are for Windows only, \'ImageDefault\' for Linux only. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
 @allowed([
 'AutomaticByPlatform'
 'AutomaticByOS'
From bd9cfa55542cde52fc7447fa8bc5b8ace8ee7db7 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 20 Dec 2022 18:47:01 +1100
Subject: [PATCH 09/13] update readme
---
 modules/Microsoft.Compute/virtualMachines/readme.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 0b264d4c2e..6419411a33 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -64,7 +64,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
 | `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. |
-| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
+| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When pathcMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
 | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
@@ -86,8 +86,8 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
 | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
-| `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Allowed values are 'AutomaticByPlatform', 'ImageDefault'. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
-| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
+| `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
+| `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. 
Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
 | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
From 2bd5db8a5d9d1710be74d1b3b5951e9549147e79 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 20 Dec 2022 18:51:47 +1100
Subject: [PATCH 10/13] resolve conflict on readme.md
---
 modules/Microsoft.Compute/virtualMachines/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 6419411a33..257cac43af 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -88,7 +88,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
 | `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
 | `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
-| `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. |
+`pipdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
 | `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. |
From 81b3361cb007995f495e5ac67bf5e4aa2bb34a9e Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 20 Dec 2022 18:52:30 +1100
Subject: [PATCH 11/13] fix
---
 modules/Microsoft.Compute/virtualMachines/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 257cac43af..8b6f2dcd82 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -88,7 +88,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
 | `patchAssessmentMode` | string | `'ImageDefault'` | `[AutomaticByPlatform, ImageDefault]` | VM guest patching assessment mode. Set it to 'AutomaticByPlatform' to enable automatically check for updates every 24 hours. |
 | `patchMode` | string | `''` | `['', AutomaticByOS, AutomaticByPlatform, ImageDefault, Manual]` | VM guest patching orchestration mode. 'AutomaticByOS' & 'Manual' are for Windows only, 'ImageDefault' for Linux only. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching' |
-`pipdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
+| `pipdiagnosticLogCategoriesToEnable` | array | `[allLogs]` | `[allLogs, DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
 | `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. |
From 9d2660592853c1378a92f46980213838df4d727d Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Wed, 21 Dec 2022 20:59:39 +1100
Subject: [PATCH 12/13] Update modules/Microsoft.Compute/virtualMachines/deploy.bicep
Co-authored-by: Alexander Sehr
---
 modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
index 370e11ba9f..6dd2081619 100644
--- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -272,7 +272,7 @@ param disablePasswordAuthentication bool = false
 @description('Optional. Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later.')
 param provisionVMAgent bool = true
-@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When pathcMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
+@description('Optional. Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.')
 param enableAutomaticUpdates bool = true
 @description('Optional. VM guest patching orchestration mode. \'AutomaticByOS\' & \'Manual\' are for Windows only, \'ImageDefault\' for Linux only. Refer to \'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching\'')
From fbe6f01939ea045e078f67eb4da68edcb08a94df Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Wed, 21 Dec 2022 21:01:10 +1100
Subject: [PATCH 13/13] fix typo
---
 modules/Microsoft.Compute/virtualMachines/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 8b6f2dcd82..121aca230a 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -64,7 +64,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
 | `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. |
-| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When pathcMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
+| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. When patchMode is set to Manual, this parameter must be set to false. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
 | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |