This repository is a sample solution deploying IaaS supported by OMS Automation and Control.

The arm template requires 6 specific settings:

Copy the sample paramteters file required for deploying the Automation and Control system and edit it with the desired values.

cp templates/azuredeploy.parameters.json templates/params.json

Parameters (params.json)

NOTE 1: Runbooks are automatically uploaded from the directory runbooks. The default location of this can be changed if desired.

Runbooks Location: https://github.com/danielscholl/azure-automation-arm/runbooks

Automatic ARM template creation of the "RunAs" Account isn't possible. 2 Solutions exist to solve this problem with Option 1 implemented.

Option 1: The template automatically creates a schedule to run the runbook "bootstrap." This uses Azure to run powershell commands and creates a temporary Key Vault to generate a certificate that then is used for the RunAs account. In order to execute activities in the Azure Subscription a user/password with contributor rights to the subscription are temporarily stored as credentials in the automation account and deleted upon succesful completion of the runbook. It is important to know however that if the credentials have 2 Factor Authentication requirements the Runbook job will fail.

Option 2: In order to manually create the Run As Account the script create-runas-account.ps1 can be run which will create the certificates on the local machine and then upload the certificates to the automation account.

NOTE 2: This ARM template uses an Azure Function to create unique GUIDs neecessary for job automation.

Repo URL: https://github.com/danielscholl/azure-functions

In order to prevent having to submit a growing number of GUIDs via parameters, an Azure Function is utilized to creates a dynamic template with (x) number of GUIDs from a URL.

URL Example: https://<your_function_app>.azurewebsites.net/api/guidTemplate?count=2

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [],
  "outputs": {
    "guid0": {
      "type": "string",
      "value": "33f8f633-03ed-4d7d-9111-69ea3bbcb655"
    },
    "guid1": {
      "type": "string",
      "value": "e3473867-e90f-4706-ae74-390384013641"
    }
  }
}

Manual Deployment Instructions

1. Create a Resource Group

az group create --location southcentralus --name automate

2. Deploy Template to Resource Group

az group deployment create --template-file templates/azuredeploy.json --parameters templates/params.json --resource-group automate

The Automation and Control Solution deploys and configures the following items.

1. Log Analytics OMS Workspace with Solutions

• Security Solution
• Agent Health Assesment
• Change Tracking
• Updates
• Azure Activity

2. Automation Account

3. Automation Account Modules

• AzureRm.Profile - 3.3.1
• Azure.Storage - 3.3.1
• AzureRm.Storage - 3.3.1
• Azure - 4.3.1
• AzureRm.Resources - 4.3.1
• AzureRm.Automation - 3.3.1
• AzureRm.Compute - 3.3.1
• AzureRm.Sql - 3.3.1
• AzureRm.OperationalInsights 3.3.1
• AzureRm.SiteRecovery - 4.3.1
• AzureRm.RecoveryServices - 4.3.1
• AzureRm.Backup - 4.3.1
• AzureRm.KeyVault = 3.3.1

4. Automation Account Variables

• omsWorkspaceId
• omsWorkspaceKey
• azureSubscriptionId
• omsRecoveryVault
• omsResourceGroupName

5. Automation Account Runbooks

• start-machines
• stop-machines

6. Automation Account DSC

• Backend.Database
• Frontend.Web

Copy the sample parameters file required for deploying the IaaS Solution and edit it with the desired values.

cp templates/IaaS/azuredeploy.parameters.json templates/IaaS/params.json

Parameters (params.json)

The following cli command can be used to retrieve a service principal.

az ad user show --upn [email protected] --query objectId -otsv

To get the OMS Workspace Id and Key the portal must be used.

1. Go to the Microsoft Operations Management Suite

• Connected Sources
• Windows Servers

Manual Deployment Instructions

1. Create a Resource Group

az group create --location southcentralus --name automate-iaas

2. Deploy Template to Resource Group

az group deployment create --template-file templates/IaaS/azuredeploy.json --parameters templates/IaaS/params.json --resource-group automate-iaas

The IaaS Solution deploys and configures the following items.

1. Virtual Network

• Subnet: front
• Subnet: back
• Subnet: dmz
• Subnet: manage

2. Network Security Groups

• Subnet Firewall: front-nsg
• Subnet Firewall: back-nsg
• Subnet Firewall: dmz-nsg
• Subnet Firewall: manage-nsg
• JumpBox Machine Firewall: remote-access-nsg

3. Storage Account

• Diagnostics Storage Account

4. Key Vault

• Contains Default Admin Login Credentials

5. Load Balancer

• Backend Load Balancer
• Static IP

6. Virtual Machines

• JumpServer on Manage Subnet
  • BGInfo Extension
  • Diagnostics Extension
  • OMS Agent Configuration Extension
  • DSC Extensionn
• Public IP
• Multiple Backend Servers
  • BGInfo Extension
  • Diagnostics Extension
  • OMS Agent Configuration Extension
  • DSC Extension
• 2 Managed Data Disks

7. App Gateway

• Frontend Application Gateway
• Public IP

8. Virtual Machine Scale Set

• VMSS on Front Network
  • BGInfo Extension
  • Diagnostics Extension
  • OMS Agent Configuration Extension
  • DSC Extension