Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "identity.type",
"contains": "UserAssigned"
},
{
"anyOf": [
{
"allOf": [
{
"not": {
"field": "name",
"in": "[parameters('filterSubstringForNameTagOrResourceIdString')]"
}
},
{
"not": {
"field": "tags.Name",
"in": "[parameters('filterSubstringForNameTagOrResourceIdString')]"
}
}
]
},
{
"anyOf": [
{
"field": "name",
"in": "[parameters('filterSubstringForNameTagOrResourceIdString')]"
},
{
"field": "tags.Name",
"in": "[parameters('filterSubstringForNameTagOrResourceIdString')]"
}
]
}
]
},
{
"field": "location",
"in": [
"australiacentral",
"australiaeast",
"australiasoutheast",
"brazilsouth",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centraluseuap",
"eastasia",
"eastus",
"eastus2",
"eastus2euap",
"francecentral",
"germanywestcentral",
"japaneast",
"japanwest",
"jioindiawest",
"koreacentral",
"koreasouth",
"northcentralus",
"northeurope",
"norwayeast",
"qatarcentral",
"southafricanorth",
"southcentralus",
"southeastasia",
"southindia",
"swedencentral",
"switzerlandnorth",
"uaenorth",
"uksouth",
"ukwest",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westus2",
"westus3"
]
},
{
"anyOf": [
{
"allOf": [
{
"value": "[parameters('scopeToSupportedImages')]",
"equals": false
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Linux*"
}
]
},
{
"field": "Microsoft.Compute/imageId",
"in": "[parameters('listOfLinuxImageIdToInclude')]"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "RedHat"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"RHEL",
"RHEL-ARM64",
"RHEL-BYOS",
"RHEL-HA",
"RHEL-SAP",
"RHEL-SAP-APPS",
"RHEL-SAP-HA"
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSku",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "8*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "rhel-lvm7*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "rhel-lvm8*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "SUSE"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"SLES",
"SLES-HPC",
"SLES-HPC-Priority",
"SLES-SAP",
"SLES-SAP-BYOS",
"SLES-Priority",
"SLES-BYOS",
"SLES-SAPCAL",
"SLES-Standard"
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSku",
"like": "12*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "15*"
}
]
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "sles-12*"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "sles-15*"
}
]
},
{
"field": "Microsoft.Compute/imageSku",
"in": [
"gen1",
"gen2"
]
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Canonical"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "UbuntuServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "0001-com-ubuntu-server-*"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "0001-com-ubuntu-pro-*"
}
]
},
{
"field": "Microsoft.Compute/imageSku",
"in": [
"14.04.0-lts",
"14.04.1-lts",
"14.04.2-lts",
"14.04.3-lts",
"14.04.4-lts",
"14.04.5-lts",
"16_04_0-lts-gen2",
"16_04-lts-gen2",
"16.04-lts",
"16.04.0-lts",
"18_04-lts-arm64",
"18_04-lts-gen2",
"18.04-lts",
"20_04-lts-arm64",
"20_04-lts-gen2",
"20_04-lts",
"22_04-lts-gen2",
"22_04-lts",
"pro-16_04-lts-gen2",
"pro-16_04-lts",
"pro-18_04-lts-gen2",
"pro-18_04-lts",
"pro-20_04-lts-gen2",
"pro-20_04-lts",
"pro-22_04-lts-gen2",
"pro-22_04-lts"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Oracle"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Oracle-Linux"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSku",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "8*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "OpenLogic"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"CentOS",
"Centos-LVM",
"CentOS-SRIOV"
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSku",
"like": "6*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "8*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "cloudera"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "cloudera-centos-os"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "7*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "almalinux"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "almalinux"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "8*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "ctrliqinc1648673227698"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "rocky-8*"
},
{
"field": "Microsoft.Compute/imageSku",
"like": "rocky-8*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "credativ"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"Debian"
]
},
{
"field": "Microsoft.Compute/imageSku",
"equals": "9"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Debian"
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"debian-10",
"debian-11"
]
},
{
"field": "Microsoft.Compute/imageSku",
"in": [
"10",
"10-gen2",
"11",
"11-gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftcblmariner"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "cbl-mariner"
},
{
"field": "Microsoft.Compute/imageSku",
"in": [
"1-gen2",
"cbl-mariner-1",
"cbl-mariner-2",
"cbl-mariner-2-arm64",
"cbl-mariner-2-gen2"
]
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "AzureMonitorLinuxAgent"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Azure.Monitor"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
"equals": "Succeeded"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion",
"equals": "[parameters('extensionAutoUpgradeMinorVersion')]"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/enableAutomaticUpgrade",
"equals": "[parameters('extensionEnableAutomaticUpgrade')]"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/typeHandlerVersion",
"equals": "[parameters('extensionTypeHandlerVersion')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string"
},
"location": {
"type": "string"
},
"extensionTypeHandlerVersion": {
"type": "string"
},
"extensionAutoUpgradeMinorVersion": {
"type": "bool"
},
"extensionEnableAutomaticUpgrade": {
"type": "bool"
},
"extensionAuthenticationManagedIdentityName": {
"type": "string"
}
},
"variables": {
"extensionName": "AzureMonitorLinuxAgent",
"extensionPublisher": "Microsoft.Azure.Monitor",
"extensionType": "AzureMonitorLinuxAgent"
},
"resources": [
{
"name": "[concat(parameters('vmName'), '/', variables('extensionName'))]",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "[parameters('location')]",
"apiVersion": "2019-07-01",
"properties": {
"publisher": "[variables('extensionPublisher')]",
"type": "[variables('extensionType')]",
"typeHandlerVersion": "[parameters('extensionTypeHandlerVersion')]",
"autoUpgradeMinorVersion": "[parameters('extensionAutoUpgradeMinorVersion')]",
"enableAutomaticUpgrade": "[parameters('extensionEnableAutomaticUpgrade')]",
"settings": {
"authentication": {
"managedIdentity": {
"identifier-name": "mi_res_id",
"identifier-value": "[parameters('extensionAuthenticationManagedIdentityName')]"
}
}
}
}
}
]
},
"parameters": {
"vmName": {
"value": "[field('name')]"
},
"location": {
"value": "[field('location')]"
},
"extensionTypeHandlerVersion": {
"value": "[parameters('extensionTypeHandlerVersion')]"
},
"extensionAutoUpgradeMinorVersion": {
"value": "[parameters('extensionAutoUpgradeMinorVersion')]"
},
"extensionEnableAutomaticUpgrade": {
"value": "[parameters('extensionEnableAutomaticUpgrade')]"
},
"extensionAuthenticationManagedIdentityName": {
"value": "[parameters('extensionAuthenticationManagedIdentityName')]"
}
}
}
}
}
}
},
"parameters": {
"filterSubstringForNameTagOrResourceIdString": {
"type": "Array",
"metadata": {
"displayName": "Filter Substrings for Name Tag or Resource ID",
"description": "A list of values compared against each virtual machine's resource name and its 'Name' tag. The rule uses the 'in' operator, so these are exact string matches, not substrings, despite the parameter name. Note also that, as currently written, the rule accepts a VM both when it matches this list and when it does not, so the filter does not actually exclude any VM from the assignment; tighten the condition (e.g. keep only the 'not in' branch) before relying on it to scope deployments."
},
"defaultValue": []
},
"extensionTypeHandlerVersion": {
"type": "String",
"metadata": {
"displayName": "Azure Monitor Agent Extension Version",
"description": "The version (typeHandlerVersion) of the Azure Monitor Agent extension to deploy. The existence check also requires an already-installed agent to report exactly this version, so changing this value marks VMs running a different version as non-compliant and remediation redeploys the extension on them. For more information, see https://aka.ms/AMAOverview."
},
"defaultValue": "1.30"
},
"extensionAutoUpgradeMinorVersion": {
"type": "Boolean",
"metadata": {
"displayName": "Automatically trigger a minor version update",
"description": "If true, the extension uses a newer minor version if one is available at deployment time. This is a deploy-time choice only: once installed, the extension does not move to newer minor versions unless it is redeployed, even with this property set to true. To keep the agent current after deployment, use extensionEnableAutomaticUpgrade instead."
},
"allowedValues": [
true,
false
],
"defaultValue": false
},
"extensionEnableAutomaticUpgrade": {
"type": "Boolean",
"metadata": {
"displayName": "Automatic extension upgrade for an extension",
"description": "If true, the platform upgrades the Azure Monitor Agent extension automatically after deployment. The default in this definition is false, which pins the agent at extensionTypeHandlerVersion until the extension is redeployed, so fixes shipped in later agent releases are not picked up; consider enabling this, or establishing a regular redeploy cadence, for production fleets."
},
"allowedValues": [
true,
false
],
"defaultValue": false
},
"extensionAuthenticationManagedIdentityName": {
"type": "String",
"metadata": {
"displayName": "Resource ID of user-assigned managed identity",
"description": "The full ARM resource ID of the user-assigned managed identity the agent should authenticate with. It is passed to the extension as 'mi_res_id', so a bare identity name is not accepted despite this parameter's name. The identity must already be assigned to each target VM: this policy only checks that the VM has some user-assigned identity, not that it has this one, and a VM without it cannot authenticate as that identity. The identity must also have the permissions Azure Monitor requires. For more information, see https://aka.ms/AMAOverview."
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy."
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"scopeToSupportedImages": {
"type": "Boolean",
"metadata": {
"displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems",
"description": "If true, the policy applies only to virtual machines whose image matches the supported Linux image list in the rule, plus any images in listOfLinuxImageIdToInclude. If false, it applies to every VM in the assignment scope whose OS disk osType is Linux, including images the agent does not support. For supported operating systems, see https://aka.ms/AMAOverview."
},
"allowedValues": [
true,
false
],
"defaultValue": true
},
"listOfLinuxImageIdToInclude": {
"type": "Array",
"metadata": {
"displayName": "Additional Virtual Machine Images",
"description": "List of custom virtual machine image resource IDs, running a Linux OS supported by the agent, to add to scope. Each VM's Microsoft.Compute/imageId is compared to this list by exact match. Example value: '/subscriptions/<subscriptionId>/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
},
"defaultValue": []
}
}
}