This repository is a sample solution deploying IaaS supported by OMS Automation and Control.
The ARM template requires 6 specific settings. Copy the sample parameters file required for deploying the Automation and Control system and edit it with the desired values.
cp templates/azuredeploy.parameters.json templates/params.json
Parameters (params.json)
Parameter | Default | Description |
---|---|---|
prefix | my | Your unique string (company prefix) |
omsWorkspaceRegion | East US | Azure Region for OMS to be located |
automationAccountName | automate | Azure Automation Account Name |
automationRegion | South Central US | Azure Region for Automation to be located |
assetLocation | *See Note 1 Below | Source Control Location for Runbooks |
repoURL | *See Note 2 Below | Source Control Location for Runbooks |
adminUser | None | Subscription Owner login name |
adminPassword | None | Subscription Owner login password |
NOTE 1: Runbooks are automatically uploaded from the directory runbooks. The default location of this can be changed if desired.
Runbooks Location: https://github.com/danielscholl/azure-automation-arm/runbooks
Automatic ARM template creation of the "RunAs" account isn't possible. 2 solutions exist for this problem; Option 1 is the one implemented.
Option 1: The template automatically creates a schedule to run the runbook "bootstrap". This runbook uses Azure to run PowerShell commands and creates a temporary Key Vault to generate a certificate that is then used for the RunAs account. In order to execute activities in the Azure subscription, a user name and password with contributor rights to the subscription are temporarily stored as a credential in the Automation account and deleted upon successful completion of the runbook. It is important to know, however, that if the credentials have 2 Factor Authentication requirements the runbook job will fail; because the stored credential is only deleted on successful completion, a failed job leaves it in place.
Option 2: To create the Run As account manually, run the script create-runas-account.ps1, which creates the certificates on the local machine and then uploads them to the Automation account.
NOTE 2: This ARM template uses an Azure Function to create unique GUIDs necessary for job automation.
Repo URL: https://github.com/danielscholl/azure-functions
To avoid having to submit a growing number of GUIDs via parameters, an Azure Function is used to create a dynamic template with (x) GUIDs from a URL.
URL Example: https://<your_function_app>.azurewebsites.net/api/guidTemplate?count=2
    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [],
      "outputs": {
        "guid0": {
          "type": "string",
          "value": "33f8f633-03ed-4d7d-9111-69ea3bbcb655"
        },
        "guid1": {
          "type": "string",
          "value": "e3473867-e90f-4706-ae74-390384013641"
        }
      }
    }
Manual Deployment Instructions
- Create a Resource Group
az group create --location southcentralus --name automate
- Deploy Template to Resource Group
az group deployment create --template-file templates/azuredeploy.json --parameters templates/params.json --resource-group automate
The Automation and Control Solution deploys and configures the following items.
- Log Analytics OMS Workspace with Solutions
  - Security Solution
  - Agent Health Assessment
  - Change Tracking
  - Updates
  - Azure Activity
- Automation Account
  - Automation Account Modules
    - AzureRm.Profile - 3.3.1
    - Azure.Storage - 3.3.1
    - AzureRm.Storage - 3.3.1
    - Azure - 4.3.1
    - AzureRm.Resources - 4.3.1
    - AzureRm.Automation - 3.3.1
    - AzureRm.Compute - 3.3.1
    - AzureRm.Sql - 3.3.1
    - AzureRm.OperationalInsights - 3.3.1
    - AzureRm.SiteRecovery - 4.3.1
    - AzureRm.RecoveryServices - 4.3.1
    - AzureRm.Backup - 4.3.1
    - AzureRm.KeyVault - 3.3.1
  - Automation Account Variables
    - omsWorkspaceId
    - omsWorkspaceKey
    - azureSubscriptionId
    - omsRecoveryVault
    - omsResourceGroupName
  - Automation Account Runbooks
    - start-machines
    - stop-machines
  - Automation Account DSC
    - Backend.Database
    - Frontend.Web
Copy the sample parameters file required for deploying the IaaS Solution and edit it with the desired values.
cp templates/IaaS/azuredeploy.parameters.json templates/IaaS/params.json
Parameters (params.json)
Parameter | Default | Description |
---|---|---|
prefix | my | Your unique string (company prefix) |
servicePrincipalAppId | None | Service Principal to access KeyVault |
adminUser | azureuser | Default Servers Username |
adminPassword | None | Default Servers Password |
vnetPrefix | 10.1.0.0/24 | Virtual Network Address Space |
frontPrefix | 10.1.0.0/25 | Front Subnet Address Space |
backPrefix | 10.1.0.128/26 | Back Subnet Address Space |
dmzPrefix | 10.1.0.192/28 | DMZ Subnet Address Space |
managePrefix | 10.1.0.208/28 | Manage Subnet Address Space |
remoteAccessACL | Internet | IP Segment to allow RDP/SSH Access From |
jumpserverName | jumpserver | VM Name of JumpServer |
jumpserverSize | Standard_A1 | VM Size of JumpServer |
backendLoadBalanceIP | 10.1.0.132 | Static IP Address of Load Balancer |
backendServerNamePrefix | vm-back | Backend Virtual Machine Name |
backendServerSize | Standard_A1 | Backend Virtual Machine Size |
backendServerCount | 2 | Number of Backend Servers (2-5) |
scaleSetServerSize | Standard_A1 | Virtual Machine ScaleSet Size |
scaleSetInstanceCount | 2 | Number of Instances in VMSS |
omsId | None | OMS Workspace Id |
omsKey | None | OMS Workspace Key |
dscRegistrationUrl | None | Automation Account DSC URL |
dscRegistrationKey | None | Automation Account Access Key |
scaleSetNodeConfig | Frontend.Web | DSC Node Configuration Name |
vmNodeConfig | Backend.Database | DSC Node Configuration Name |
The following CLI command can be used to retrieve the object ID used for the servicePrincipalAppId parameter (replace the placeholder with the user principal name).
az ad user show --upn <user@domain.com> --query objectId -otsv
To get the OMS Workspace Id and Key the portal must be used.
- Go to the Microsoft Operations Management Suite
- Connected Sources
- Windows Servers
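Added example, not part of this repository: a pre-deployment sanity check for the IaaS parameters in the table above. The sample object below is constructed from the table's default values; it verifies the four subnets fit inside vnetPrefix without overlapping, that backendLoadBalanceIP falls inside backPrefix, that backendServerCount is within 2-5, and flags the default remoteAccessACL of Internet, which exposes RDP/SSH on the jump server to any source.

```javascript
// Pre-deployment sanity check for templates/IaaS/params.json. Added example, not
// part of the repository; the sample below is constructed from the table defaults.
const sampleParams = {
  vnetPrefix: '10.1.0.0/24',
  frontPrefix: '10.1.0.0/25',
  backPrefix: '10.1.0.128/26',
  dmzPrefix: '10.1.0.192/28',
  managePrefix: '10.1.0.208/28',
  backendLoadBalanceIP: '10.1.0.132',
  backendServerCount: 2,
  remoteAccessACL: 'Internet',
};
// Dotted-quad to unsigned 32-bit integer.
const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
// CIDR string to an inclusive [start, end] range of unsigned integers.
function parseCidr(cidr) {
  const [ip, b] = cidr.split('/');
  const bits = Number(b);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const start = (ipToInt(ip) & mask) >>> 0;
  return { start, end: start + 2 ** (32 - bits) - 1 };
}
const contains = (outer, inner) => inner.start >= outer.start && inner.end <= outer.end;
const overlaps = (a, b) => a.start <= b.end && b.start <= a.end;

function checkParams(p) {
  const findings = [];
  const vnet = parseCidr(p.vnetPrefix);
  const names = ['frontPrefix', 'backPrefix', 'dmzPrefix', 'managePrefix'];
  const subnets = names.map((k) => ({ name: k, ...parseCidr(p[k]) }));
  for (const s of subnets) {
    if (!contains(vnet, s)) findings.push(`${s.name} lies outside vnetPrefix ${p.vnetPrefix}`);
  }
  for (let i = 0; i < subnets.length; i++) {
    for (let j = i + 1; j < subnets.length; j++) {
      if (overlaps(subnets[i], subnets[j])) findings.push(`${subnets[i].name} overlaps ${subnets[j].name}`);
    }
  }
  // The static load balancer address must sit inside the back subnet it serves.
  const lb = ipToInt(p.backendLoadBalanceIP);
  const back = parseCidr(p.backPrefix);
  if (lb < back.start || lb > back.end) findings.push('backendLoadBalanceIP is not within backPrefix');
  if (!(p.backendServerCount >= 2 && p.backendServerCount <= 5)) findings.push('backendServerCount must be 2-5');
  // The default opens RDP/SSH on the jump server to the Internet service tag; expect a narrower source.
  if (p.remoteAccessACL === 'Internet' || p.remoteAccessACL === '*') {
    findings.push('remoteAccessACL allows RDP/SSH from any Internet source; restrict it to a known CIDR');
  }
  return findings;
}
```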
Manual Deployment Instructions
- Create a Resource Group
az group create --location southcentralus --name automate-iaas
- Deploy Template to Resource Group
az group deployment create --template-file templates/IaaS/azuredeploy.json --parameters templates/IaaS/params.json --resource-group automate-iaas
The IaaS Solution deploys and configures the following items.
- Virtual Network
  - Subnet: front
  - Subnet: back
  - Subnet: dmz
  - Subnet: manage
- Network Security Groups
  - Subnet Firewall: front-nsg
  - Subnet Firewall: back-nsg
  - Subnet Firewall: dmz-nsg
  - Subnet Firewall: manage-nsg
  - JumpBox Machine Firewall: remote-access-nsg
- Storage Account
  - Diagnostics Storage Account
- Key Vault
  - Contains Default Admin Login Credentials
- Load Balancer
  - Backend Load Balancer
    - Static IP
- Virtual Machines
  - JumpServer on Manage Subnet
    - BGInfo Extension
    - Diagnostics Extension
    - OMS Agent Configuration Extension
    - DSC Extension
    - Public IP
  - Multiple Backend Servers
    - BGInfo Extension
    - Diagnostics Extension
    - OMS Agent Configuration Extension
    - DSC Extension
    - 2 Managed Data Disks
- App Gateway
  - Frontend Application Gateway
    - Public IP
- Virtual Machine Scale Set
  - VMSS on Front Network
    - BGInfo Extension
    - Diagnostics Extension
    - OMS Agent Configuration Extension
    - DSC Extension