
Azure Policy Guest Configuration Request for Comments

Azure Policy Guest Configuration

You can see public builds for this repo here. See the details below to understand the reasoning behind this approach.


This repository is a design feedback solution for Azure Policy Guest Configuration to support customer-provided content. As part of an open collaboration with the community we welcome you to review the information on this page, the project examples, submit pull requests to test content, and please provide feedback using the survey in the Issues list.

What is the scenario we would like to support

In Spring 2019, we would like to offer support for customers to use their own content in Azure Policy Guest Configuration scenarios. Azure already offers built-in Policy content to audit settings inside virtual machines, such as which applications are installed and/or not installed. This change would empower customers to author and use custom configurations.

Examples include:

  • Security configuration baselines (many settings)
  • Key security checks such as which accounts have administrative privileges inside VMs
  • Application settings

To validate this scenario, we would like to work together with customers to test content, openly.

An early iteration of this capability in preview supports configurations for Windows authored in Desired State Configuration and profiles for Linux authored in Chef InSpec. Only resources provided in the Guest Configuration module are recommended.

In future iterations, custom DSC resources and third-party tools will also be available for testing.

User story

Dana is responsible for virtual machines running in the Azure cloud. She needs to be certain that, for all machines, an anti-virus solution is installed and configured correctly. She creates a configuration with details about the solution and publishes it to Azure blob storage. Next, she creates new definitions in Azure Policy to assign the content to all VMs and audit the compliance status. Finally, she reviews the results in Azure Policy and sets up an alert to be notified if any servers do not meet requirements.

What we are proposing to support this scenario

For built-in policies, the Guest Configuration API accepts a GET operation that returns properties including a contentURI path to the configuration package and a contentHash value so the content can be verified. As a solution to support custom content, we also allow a PUT operation to set properties for the location and hash value. This means the content package can be hosted in locations such as GitHub, cloud storage, or static links to NuGet feeds such as the Artifact service in Azure DevOps.

We also believe there is a need for additional tooling to simplify the process of authoring configuration content. New cmdlets in the Guest Configuration module are available to assist content authors with validation, packaging, and publishing, including producing and publishing Azure Policy definitions.
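The contentHash value is what lets a consumer confirm that the package fetched from contentURI is the one the policy author published. The following PowerShell function is an added example, not code from this repo or from the Guest Configuration module; it assumes the hash is the SHA-256 of the package file as Get-FileHash computes it, and the function name, parameter names and the example URI are illustrative placeholders.

```powershell
# Added example (not part of the RFC repo): verify a published Guest
# Configuration content package against the contentHash value that the
# Guest Configuration API returns alongside contentUri.
# Assumption: contentHash is the SHA-256 of the package file, as computed
# by Get-FileHash. Function and parameter names are illustrative.
function Test-GuestConfigurationContentHash {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ContentUri,
        [Parameter(Mandatory)] [string] $ContentHash
    )

    # Only accept HTTPS locations: the hash protects integrity, TLS protects
    # the download path and the confidentiality of a private package.
    $uri = [System.Uri] $ContentUri
    if ($uri.Scheme -ne 'https') {
        throw "Refusing non-HTTPS content location: $ContentUri"
    }

    $tempFile = Join-Path ([System.IO.Path]::GetTempPath()) ("gc-" + [guid]::NewGuid() + ".zip")
    try {
        Invoke-WebRequest -Uri $ContentUri -OutFile $tempFile -UseBasicParsing
        $actual = (Get-FileHash -Path $tempFile -Algorithm SHA256).Hash

        # Hex digests may differ only in case, so compare case-insensitively.
        $hashMatches = [string]::Equals($actual, $ContentHash, [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $hashMatches) {
            Write-Warning "contentHash mismatch for $ContentUri`n expected: $ContentHash`n actual:   $actual"
        }
        return $hashMatches
    }
    finally {
        # Never leave an unverified package behind on disk.
        if (Test-Path $tempFile) { Remove-Item $tempFile -Force }
    }
}

# Usage: take contentUri and contentHash from the generated policy
# definition. The values below are placeholders, not a real package.
# Test-GuestConfigurationContentHash `
#     -ContentUri 'https://example.invalid/packages/AuditAntivirus_Windows.zip' `
#     -ContentHash '<contentHash value from the policy definition>'
```

Running this against the values in a generated policy definition before assigning it gives the same check the Guest Configuration agent performs, so a package that was replaced after publishing is caught at review time rather than at audit time.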

Many organizations need to audit servers against configuration baselines published by third-party organizations. A community module, Baseline Management, provides a solution to convert from Group Policy templates to DSC configurations, which can be used directly in Azure to audit settings in virtual machines.

Live example build repo

This repo demonstrates how a project to centrally manage a custom policy might be organized.

Folders in this repo and their purpose:

  • deploymentFiles: Contains Azure Resource Manager deployment templates for creating requirements, including a storage container for the private configuration content package and Azure Policy assignments
  • policyFiles: Contains Azure Policy definitions generated by the New-GuestConfigurationPolicy cmdlet
  • guestConfiguration: Contains example PowerShell scripts to generate Guest Configuration MOF files to be used by Azure Policy, as well as an InSpec profile for Linux

The deployIfNotExists files for each operating system are refreshed during each build, including the hash value of the content package.

Parameter values are expressed as PowerShell hashtables in the YAML build script. These could be moved to data files if preferred.
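To show what the per-OS hashtable pattern and the per-build hash refresh look like together, here is an added example, not the repo's own YAML build script or its templates. The package file names, the storage base URL, the ARM template parameter names and the New-GuestConfigurationPolicy parameter names (ContentUri, DisplayName, Description, Path, Platform) are assumptions; check the latter against the installed module with Get-Help before use.

```powershell
# Added example (not from the repo's build script): per-OS parameter
# values kept as PowerShell hashtables, with the content package hash
# recomputed from the freshly built package so the deployIfNotExists
# parameters are refreshed on every build rather than copied from a
# previous run.
# Assumptions: package paths, the storage base URI, the ARM template
# parameter names and the New-GuestConfigurationPolicy parameter names
# are illustrative.
$contentBaseUri    = 'https://example.invalid/packages'   # placeholder
$resourceGroupName = '<resource group for the assignments>' # placeholder

$policies = @{
    Windows = @{
        PackagePath = '.\AuditAntivirus_Windows.zip'
        DisplayName = 'Audit anti-virus configuration (Windows)'
        Description = 'Audits that the required anti-virus solution is installed and configured.'
        Platform    = 'Windows'
    }
    Linux = @{
        PackagePath = '.\AuditAntivirus_Linux.zip'
        DisplayName = 'Audit anti-virus configuration (Linux)'
        Description = 'Audits that the required anti-virus solution is installed and configured.'
        Platform    = 'Linux'
    }
}

foreach ($os in $policies.Keys) {
    $p = $policies[$os]

    # Derive the hash from the package this build produced; a stale hash
    # would make every assignment fail verification.
    $hash = (Get-FileHash -Path $p.PackagePath -Algorithm SHA256).Hash
    $uri  = "$contentBaseUri/$(Split-Path -Leaf $p.PackagePath)"

    # Splat the hashtable into the cmdlet that generates the policy files
    # (parameter names assumed; verify with Get-Help New-GuestConfigurationPolicy).
    $policyParams = @{
        ContentUri  = $uri
        DisplayName = $p.DisplayName
        Description = $p.Description
        Platform    = $p.Platform
        Path        = ".\policyFiles\$os"
    }
    New-GuestConfigurationPolicy @policyParams | Out-Null

    # Parameter object for the deployIfNotExists ARM deployment; the
    # template parameter names contentUri/contentHash are assumed.
    $deployParams = @{
        contentUri  = $uri
        contentHash = $hash
    }
    Write-Verbose "$os package $uri has SHA-256 $hash" -Verbose
    New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName `
        -TemplateFile ".\deploymentFiles\$os.json" `
        -TemplateParameterObject $deployParams | Out-Null
}
```

Keeping the hash computation inside the loop is the point: the only input to contentHash is the artifact on disk at build time, so the policy definition and the assignment can never disagree about which package they refer to.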

Submit your own example test

If you would like to test your own content, there are two options available.

  • Fork this repo and connect Azure DevOps to your project. This will require you to set up a new project in Azure DevOps with a service connection named 'ARM' and a variable group connected to Azure Key Vault. A step-by-step guide to creating a content package using the Guest Configuration cmdlets is published in the docs folder. Feedback on this draft documentation is greatly appreciated.
  • Submit a PR. Although incoming pull requests will not trigger new builds automatically, we will review your code and manually trigger a build to test your content for you, and follow up in the PR conversation.

Give us feedback

We are very interested in understanding how you would leverage Azure Guest Configuration to audit settings inside your virtual machines. Please contribute to the Issues list with ideas for content that could be validated in this RFC repo, and any requirements you have for tools that improve your authoring experience.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Release Notes

20190423

  • Resolved issue where backslashes in registry resource names were being caught as escape characters in JSON
  • Moved package version to variable for each OS

20190422

  • Refactored project to use ARM deployment templates rather than PowerShell wherever possible
  • Added Linux example
  • Added blob storage example with SAS token
