mspnp · v-fearam · Jun 24, 2024 · Jun 24, 2024 · Jun 25, 2024 · Sep 12, 2024
diff --git a/solutions/azure-automation-state-configuration/README.md b/solutions/azure-automation-state-configuration/README.md
@@ -31,7 +31,13 @@ Run the following command to initiate the deployment. If you would like to adjus
 
 ```bash
 curl -o azuredeploy.bicep https://raw.githubusercontent.com/mspnp/samples/main/solutions/azure-automation-state-configuration/azuredeploy.bicep
-az deployment group create --resource-group ${RESOURCEGROUP} -f ./azuredeploy.bicep
+
+# Generate ssh key and get public data.
+ssh-keygen -t rsa -b 2048
+
+export SSH_KEY=$(cat ~/.ssh/id_rsa.pub)
+
+az deployment group create --resource-group ${RESOURCEGROUP} -f ./azuredeploy.bicep --parameters sshKey="${SSH_KEY}"
 ```
 
 Once complete, click on the **Automation Account** resource and then **State configuration (DSC)** and notice that all virtual machines have been added to the system and are compliant. These machines have all had the PowerShell DSC configuration applied, which has installed a web server on each.

diff --git a/solutions/azure-automation-state-configuration/azuredeploy.bicep b/solutions/azure-automation-state-configuration/azuredeploy.bicep
@@ -2,12 +2,14 @@ param location string = resourceGroup().location
 
 param adminUserName string
 
+@description('your public key. Authentication to Linux machines should require SSH keys.')
+param sshKey string
 @secure()
 param adminPassword string
 param emailAddress string
 param windowsVMCount int = 1
 param linuxVMCount int = 1
-param vmSize string = 'Standard_A1_v2'
+param vmSize string = 'Standard_DS1_v2'
 param windowsConfiguration object = {
   name: 'windowsfeatures'
   description: 'A configuration for installing IIS.'
@@ -134,8 +136,6 @@ resource automationAccountName_linuxConfiguration_name 'Microsoft.Automation/aut
   properties: {
     logVerbose: false
     description: linuxConfiguration.description
-    state: 'Published'
-    overwrite: 'true'
     source: {
       type: 'uri'
       value: linuxConfiguration.script
@@ -165,8 +165,6 @@ resource automationAccountName_windowsConfiguration_name 'Microsoft.Automation/a
   properties: {
     logVerbose: false
     description: windowsConfiguration.description
-    state: 'Published'
-    overwrite: 'true'
     source: {
       type: 'uri'
       value: windowsConfiguration.script
@@ -325,6 +323,9 @@ resource windowsVM 'Microsoft.Compute/virtualMachines@2023-09-01' = [
   for i in range(0, windowsVMCount): {
     name: '${windowsVMName}${i}'
     location: location
+    identity: {
+      type: 'SystemAssigned'
+    }
     properties: {
       hardwareProfile: {
         vmSize: vmSize
@@ -333,6 +334,14 @@ resource windowsVM 'Microsoft.Compute/virtualMachines@2023-09-01' = [
         computerName: '${windowsVMName}${i}'
         adminUsername: adminUserName
         adminPassword: adminPassword
+        windowsConfiguration: {
+          enableAutomaticUpdates: true
+          patchSettings: {
+             //Machines should be configured to periodically check for missing system updates
+            assessmentMode: 'AutomaticByPlatform'
+            patchMode: 'AutomaticByPlatform'
+          }
+        }
       }
       storageProfile: {
         imageReference: {
@@ -352,13 +361,34 @@ resource windowsVM 'Microsoft.Compute/virtualMachines@2023-09-01' = [
           }
         ]
       }
+      securityProfile: {
+        //Virtual machines and virtual machine scale sets should have encryption at host enabled
+        encryptionAtHost: true
+      }
     }
     dependsOn: [
       windowsNic
     ]
   }
 ]
 
+resource guestConfigExtensionWindows 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = [
+  for i in range(0, windowsVMCount): {
+    parent: windowsVM[i]
+    name: 'Microsoft.GuestConfiguration${windowsVM[i].name}'
+    location: location
+    properties: {
+      publisher: 'Microsoft.GuestConfiguration'
+      type: 'ConfigurationforWindows'
+      typeHandlerVersion: '1.0'
+      autoUpgradeMinorVersion: true
+      enableAutomaticUpgrade: true
+      settings: {}
+      protectedSettings: {}
+    }
+  }
+]
+
 resource windowsVMName_Microsoft_Powershell_DSC 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = [
   for i in range(0, windowsVMCount): {
     name: '${windowsVMName}${i}/Microsoft.Powershell.DSC'
@@ -385,7 +415,7 @@ resource windowsVMName_Microsoft_Powershell_DSC 'Microsoft.Compute/virtualMachin
           }
           {
             Name: 'RegistrationUrl'
-#disable-next-line BCP053
+            #disable-next-line BCP053
             Value: automationAccount.properties.registrationUrl
             TypeName: 'System.String'
           }
@@ -473,14 +503,33 @@ resource linuxVMN 'Microsoft.Compute/virtualMachines@2023-09-01' = [
   for i in range(0, linuxVMCount): {
     name: '${linuxVMNAme}${i}'
     location: location
+    identity: {
+      type: 'SystemAssigned'
+    }
     properties: {
       hardwareProfile: {
         vmSize: vmSize
       }
       osProfile: {
         computerName: '${linuxVMNAme}${i}'
         adminUsername: adminUserName
-        adminPassword: adminPassword
+        linuxConfiguration: {
+          patchSettings: {
+             //Machines should be configured to periodically check for missing system updates
+            assessmentMode: 'AutomaticByPlatform'
+            patchMode: 'AutomaticByPlatform '
+          }
+          disablePasswordAuthentication: true
+          ssh: {
+            publicKeys: [
+              {
+                path: '/home/${adminUserName}/.ssh/authorized_keys'
+                keyData: sshKey
+              }
+            ]
+          }
+          provisionVMAgent: true
+        }
       }
       storageProfile: {
         imageReference: {
@@ -500,13 +549,34 @@ resource linuxVMN 'Microsoft.Compute/virtualMachines@2023-09-01' = [
           }
         ]
       }
+      securityProfile: {
+        //Virtual machines and virtual machine scale sets should have encryption at host enabled
+        encryptionAtHost: true
+      }
     }
     dependsOn: [
       linuxNic
     ]
   }
 ]
 
+resource guestConfigExtensionLinux 'Microsoft.Compute/virtualMachines/extensions@2021-03-01' = [
+  for i in range(0, linuxVMCount): {
+    parent: linuxVMN[i]
+    name: 'Microsoft.GuestConfiguration${linuxVMN[i].name}'
+    location: location
+    properties: {
+      publisher: 'Microsoft.GuestConfiguration'
+      type: 'ConfigurationforLinux'
+      typeHandlerVersion: '1.0'
+      autoUpgradeMinorVersion: true
+      enableAutomaticUpgrade: true
+      settings: {}
+      protectedSettings: {}
+    }
+  }
+]
+
 resource linuxVMNAme_enabledsc 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = [
   for i in range(0, linuxVMCount): {
     name: '${linuxVMNAme}${i}/enabledsc'