Onboard Azure VM and Arc connected machines to Azure Automation DSC

Community Policy definition

Onboard Azure VM and Arc connected machines to Azure Automation DSC

{

displayName: "Onboard Azure VM and Arc connected machines to Azure Automation DSC",
mode: "Indexed",
description: "Deploys the DSC extension to onboard nodes to Azure Automation DSC. Does not assign a configuration.",
metadata: {1 item
- category: "Automation"
},
policyRule: {2 items
- if: {1 item
  - anyOf: [2 items
    - {1 item
      - allOf: [2 items
        {2 items
        field: "type",
        equals: "Microsoft.Compute/virtualMachines"
        },
        {1 item
        anyOf: [10 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        in: [7 items
        "esri",
        "incredibuild",
        "MicrosoftDynamicsAX",
        "MicrosoftSharepoint",
        "MicrosoftVisualStudio",
        "MicrosoftWindowsDesktop",
        "MicrosoftWindowsServerHPCPack"
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "MicrosoftWindowsServer"
        },
        {2 items
        field: "Microsoft.Compute/imageSKU",
        notLike: "2008*"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "MicrosoftSQLServer"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        notLike: "SQL2008*"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "microsoft-dsvm"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        equals: "dsvm-windows"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "microsoft-ads"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        in: [2 items
        "standard-data-science-vm",
        "windows-data-science-vm"
        ]
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "batch"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        equals: "rendering-windows2016"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "center-for-internet-security-inc"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        like: "cis-windows-server-201*"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "pivotal"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        like: "bosh-windows-server*"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imagePublisher",
        equals: "cloud-infrastructure-services"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        like: "ad*"
        }
        ]
        },
        {1 item
        allOf: [2 items
        {1 item
        anyOf: [2 items
        {2 items
        field: "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
        exists: "true"
        },
        {2 items
        field: "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
        like: "Windows*"
        }
        ]
        },
        {1 item
        anyOf: [2 items
        {2 items
        field: "Microsoft.Compute/imageSKU",
        exists: "false"
        },
        {1 item
        allOf: [2 items
        {2 items
        field: "Microsoft.Compute/imageSKU",
        notLike: "2008*"
        },
        {2 items
        field: "Microsoft.Compute/imageOffer",
        notLike: "SQL2008*"
        }
        ]
        }
        ]
        }
        ]
        }
        ]
        }
        ]
      },
    - {1 item
      - allOf: [2 items
        {2 items
        field: "type",
        equals: "Microsoft.HybridCompute/machines"
        },
        {2 items
        field: "Microsoft.HybridCompute/imageOffer",
        like: "windows*"
        }
        ]
      }
    ]
  },
- then: {2 items
  - effect: "deployIfNotExists",
  - details: {4 items
    - roleDefinitionIds: [1 item
      - "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
    - type: "[if(equals(tolower(field('Type')),'microsoft.compute/virtualmachines'),'Microsoft.Compute/virtualMachines/extensions','Microsoft.HybridCompute/machines/extensions')]",
    - name: "DSC",
    - deployment: {1 item
      - properties: {3 items
        mode: "incremental",
        parameters: {4 items
        automationAccount: {1 item
        value: "[parameters('automationAccount')]"
        },
        machineName: {1 item
        value: "[field('name')]"
        },
        location: {1 item
        value: "[field('location')]"
        },
        type: {1 item
        value: "[field('type')]"
        }
        },
        template: {5 items
        $schema: "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        contentVersion: "1.0.0.0",
        parameters: {4 items
        machineName: {1 item
        type: "String"
        },
        automationAccount: {1 item
        type: "string"
        },
        location: {1 item
        type: "string"
        },
        type: {1 item
        type: "string"
        }
        },
        variables: {1 item
        automationAccountName: "[last(split(parameters('automationAccount'),'/'))]"
        },
        resources: [2 items
        {6 items
        condition: "[equals(toLower(parameters('type')), toLower('Microsoft.Compute/virtualMachines'))]",
        type: "Microsoft.Compute/virtualMachines/extensions",
        name: "[concat(parameters('machineName'),'/DSC')]",
        apiVersion: "2019-07-01",
        location: "[parameters('location')]",
        properties: {6 items
        publisher: "Microsoft.Powershell",
        type: "DSC",
        typeHandlerVersion: "2.80",
        autoUpgradeMinorVersion: true,
        protectedSettings: {1 item
        Items: {1 item
        registrationKeyPrivate: "[listKeys(parameters('automationAccount'), '2018-01-15').Keys[0].value]"
        }
        },
        settings: {1 item
        Properties: [2 items
        {3 items
        Name: "RegistrationKey",
        Value: {2 items
        UserName: "PLACEHOLDER_DONOTUSE",
        Password: "PrivateSettingsRef:registrationKeyPrivate"
        },
        TypeName: "System.Management.Automation.PSCredential"
        },
        {3 items
        Name: "RegistrationUrl",
        Value: "[reference(parameters('automationAccount'),'2018-01-15').registrationUrl]",
        TypeName: "System.String"
        }
        ]
        }
        }
        },
        {6 items
        condition: "[equals(toLower(parameters('type')), toLower('microsoft.hybridcompute/machines'))]",
        type: "Microsoft.HybridCompute/machines/extensions",
        name: "[concat(parameters('machineName'),'/DSC')]",
        apiVersion: "2019-12-12",
        location: "[parameters('location')]",
        properties: {6 items
        publisher: "Microsoft.Powershell",
        type: "DSC",
        typeHandlerVersion: "2.80",
        autoUpgradeMinorVersion: true,
        protectedSettings: {1 item
        Items: {1 item
        registrationKeyPrivate: "[listKeys(parameters('automationAccount'), '2018-01-15').Keys[0].value]"
        }
        },
        settings: {1 item
        Properties: [2 items
        {3 items
        Name: "RegistrationKey",
        Value: {2 items
        UserName: "PLACEHOLDER_DONOTUSE",
        Password: "PrivateSettingsRef:registrationKeyPrivate"
        },
        TypeName: "System.Management.Automation.PSCredential"
        },
        {3 items
        Name: "RegistrationUrl",
        Value: "[reference(parameters('automationAccount'),'2018-01-15').registrationUrl]",
        TypeName: "System.String"
        }
        ]
        }
        }
        }
        ]
        }
        }
      }
    }
  }
},
parameters: {1 item
- automationAccount: {2 items
  - type: "String",
  - metadata: {4 items
    - displayName: "Automation account",
    - description: "Select Automation account from dropdown list. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the Automation account to the policy assignment's principal ID.",
    - strongType: "Microsoft.Automation/automationAccounts",
    - assignPermissions: true
    }
  }
}

}