Deploying the VM Custom Script Extension via Azure Policy


  • Hi Everyone, 

        I have a task at work to write an Azure Policy definition that checks every VM in a resource group and deploys the Custom Script Extension wherever it is missing. I created the policy JSON below, but Azure refuses to accept it and create the policy as intended. I also tried to find sample templates for this task, but to no avail.

    {
      "properties": {
        "displayName": "Deploy Microsoft Custom Script extension for a Virtual Machine",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "description": "This policy deploys Microsoft Custom Script extension with a default configuration when a VM is not configured with the Custom Script extension.",
        "metadata": {
          "category": "Compute"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines/extensions"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "notEquals": "Microsoft. Compute.CustomScriptExtension"
              }
            ]
          },
          "then": {
            "effect": "deployIfNotExists",
            "details": {
              "type": "Microsoft.Compute/virtualMachines/extensions",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "Microsoft. Compute.CustomScriptExtension"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                    "equals": "Microsoft.Azure.Security"
                  }
                ]
              },
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    },
    			  "parameters": {},
                    "resources": [
                      {
    						"apiVersion": "2018-06-01",
    						"type": "Microsoft.Compute/virtualMachines/extensions",
    						"name": "virtualMachineName/config-app",
    						"location": "[resourceGroup().location]",
    						"dependsOn": [
    							"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'),copyindex())]",
    							"[variables('musicstoresqlName')]"
    						],
    						"tags": {
    							"displayName": "config-app"
    						},
    						"properties": {
    							"publisher": "Microsoft.Compute",
    							"type": "CustomScriptExtension",
    							"typeHandlerVersion": "1.9",
    							"autoUpgradeMinorVersion": true,
    							"settings": {
    								"fileUris": [
    									"https://raw.githubusercontent.com/Microsoft/dotnet-core-sample-templates/master/dotnet-core-music-windows/scripts/configure-music-app.ps1"
    								],
    								"timestamp":123456789
    							},
    							"protectedSettings": {
    								"commandToExecute": "myExecutionCommand",
    								"storageAccountName": "myStorageAccountName",
    								"storageAccountKey": "myStorageAccountKey"
    							}
    						}
    					}
                    ]
                  },
                }
              }
            }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "2835b622-407b-4114-9198-6f7064cbe0dc"
    }

    Thank you.

    Friday, December 6, 2019 2:06 AM


  • Hello Shadykouriesh, you are definitely on the right track with the deployIfNotExists effect, but the `if` block is what stops the policy from doing what you describe: it matches resources of type `Microsoft.Compute/virtualMachines/extensions`, so it only ever evaluates extension resources and never the VMs themselves. Match `Microsoft.Compute/virtualMachines` instead; the `allOf` with the `notEquals` clause on the extension type is then unnecessary (and the stray space in "Microsoft. Compute.CustomScriptExtension" means that value would never match anyway). The existenceCondition also needs revising: it looks for publisher `Microsoft.Azure.Security`, while the template you deploy uses publisher `Microsoft.Compute` and type `CustomScriptExtension`, so the condition would never be satisfied by your own deployment and the policy would redeploy on every evaluation. A deployIfNotExists definition also needs `roleDefinitionIds` so the remediation identity is allowed to create the extension, `policyType` should be `Custom` rather than `BuiltIn` for a definition you author, and as posted the document is not valid JSON — `template` is closed right after `contentVersion` (with a trailing comma), which leaves `parameters` and `resources` outside the ARM template, and there is another trailing comma before the closing brace of the deployment properties. Inside the template, the hard-coded name `virtualMachineName/config-app` and the `dependsOn` entries referring to undeclared variables (`vmName`, `musicstoresqlName`) should give way to a template parameter fed from `[field('name')]` of the evaluated VM, in the same way the example below passes `fullDbName`.

    Just in case you haven't seen it, here is an example of a policy that evaluates Azure SQL databases to determine whether transparentDataEncryption is enabled and, if not, invokes a deployment template to enable the setting.

    The above link also provides useful guidance on how to use the deployifNotexists effect.

    One caveat before you roll this out: the extension runs whatever `fileUris` points at with elevated privileges on every VM in scope, and a `master`-branch raw.githubusercontent.com URL is mutable, so pin the script to a specific commit or host it in a storage account you control — keeping `storageAccountKey` and `commandToExecute` in `protectedSettings`, as you already do, so they are not exposed in the resource's settings. Hope this helps, but don't hesitate to ping if you have any follow-up questions.

    "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers/databases"
    },
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
            "name": "current",
            "roleDefinitionIds": [
                "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
                "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
            ],
            "existenceCondition": {
                "field": "Microsoft.Sql/transparentDataEncryption.status",
                "equals": "Enabled"
            },
            "deployment": {
                "properties": {
                    "mode": "incremental",
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                            "fullDbName": {
                                "type": "string"
                            }
                        },
                        "resources": [{
                            "name": "[concat(parameters('fullDbName'), '/current')]",
                            "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
                            "apiVersion": "2014-04-01",
                            "properties": {
                                "status": "Enabled"
                            }
                        }]
                    },
                    "parameters": {
                        "fullDbName": {
                            "value": "[field('fullName')]"
                        }
                    }
                }
            }
        }
    }



    Wednesday, December 11, 2019 4:33 AM