Using VM applications and Azure Policy to deploy applications

M T 55 Reputation points
2024-01-24T18:26:07.24+00:00

I have set up a Storage account, AZ Computer Gallery, VM application version and VM application definition without issue. I have uploaded the software and was able to test the install. My issue is that when trying to use deployIfNotExists (DINE), it will not install on any new machines that are built. I am able to see them as non-compliant and run a remediation, which is successful. I am looking to have the software installed on any new machine that comes online. Below is the JSON being used. What am I missing? It has been driving me nuts.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
          "equals": "Windows"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[field('name')]",
        "existenceCondition": {
          "allOf": [
            {
              "count": {
                "field": "Microsoft.Compute/virtualMachines/applicationProfile.galleryApplications[*]",
                "where": {
                  "field": "Microsoft.Compute/virtualMachines/applicationProfile.galleryApplications[*].packageReferenceId",
                  "equals": "/subscriptions/xxxxxxxxxx-a09da71c86da/resourceGroups/testrsg/providers/Microsoft.Compute/galleries/azgcomputegal01/applications/tanium/versions/7.4.10"
                }
              },
              "greater": 0
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "apiVersion": "2021-07-01",
                  "type": "Microsoft.Compute/virtualMachines/VMapplications",
                  "name": "[concat(parameters('vmName'),'/Tanium')]",
                  "location": "[parameters('location')]",
                  "properties": {
                    "packageReferenceId": "/subscriptions/xxxxxxx42c8-8ffc-a09da71c86da/resourceGroups/testrsg/providers/Microsoft.Compute/galleries/azgcomputegal01/applications/tanium/versions/7.4.10"
                  }
                }
              ]
            },
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}


Accepted answer
  1. AnuragSingh-MSFT 20,431 Reputation points
    2024-01-30T11:47:22.4866667+00:00

    M T, thank you for posting this question here and apologies for the delayed response. The behavior, as mentioned in the question, seems to be stemming from an auto-generated resource property that bypasses policy evaluation.

    In summary, when a VM is being created, the property Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType is not present in the PUT request payload. You may verify it by downloading the template in the last tab of create VM flow. When the request reaches the resource provider, the resource provider generates the property and sets the value.

    In the policy definition shared above, the same is the situation, because of which the if conditions are not true until after the resource is created. The VM resource is evaluated against policy during the next policy evaluation cycle, which puts the resource in a non-compliant state (as it is being done after the resource creation), and thus a remediation task is required to deploy the VMApplication.

    You might consider using Start-AzPolicyRemediation in Azure Automation to start remediation task for this policy for non-compliant resources, as a workaround.

    Hope this helps.

    Please let me know if you have any questions.

    1 person found this answer helpful.
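The workaround described in the accepted answer, written out as an Azure Automation runbook; this is an added example, not code from the thread. The policy assignment id and subscription id are placeholders, and it assumes the automation account's managed identity can create remediation tasks on the scope and holds the role listed in the policy's roleDefinitionIds.

```powershell
# Added example: start a remediation for the DINE assignment so VMs created
# since the last evaluation cycle get the VM application installed.
param(
    # Placeholder: full resource id of the policy assignment for the DINE definition above.
    [string]$PolicyAssignmentId = '/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-name>',
    # Placeholder: subscription the assignment is scoped to.
    [string]$SubscriptionId = '<subscription-id>'
)

# Authenticate as the automation account's system-assigned managed identity (assumed to exist).
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# One remediation task per run; the timestamp keeps names unique across scheduled runs.
$remediationName = "vmapp-remediation-$(Get-Date -Format 'yyyyMMddHHmmss')"

# ReEvaluateCompliance re-runs policy evaluation before remediating, so VMs whose
# compliance state has not yet been recorded (the case in the question) are picked up,
# instead of only those already marked NonCompliant.
$remediation = Start-AzPolicyRemediation `
    -Name $remediationName `
    -PolicyAssignmentId $PolicyAssignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# Poll until the task leaves its in-progress states; each deployment installs the
# VM application on one non-compliant VM.
do {
    Start-Sleep -Seconds 30
    $remediation = Get-AzPolicyRemediation -Name $remediationName
} while ($remediation.ProvisioningState -in @('Accepted', 'Evaluating', 'Running'))

Write-Output "Remediation $remediationName finished with state: $($remediation.ProvisioningState)"
if ($remediation.ProvisioningState -ne 'Succeeded') {
    throw "Remediation $remediationName did not succeed; check the remediation task in the portal."
}
```

Schedule the runbook at an interval shorter than the gap you can tolerate between a VM coming online and the application being installed; a failed run surfaces in the Automation job history because the script throws.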

0 additional answers