Azure Automanage for Virtual Machines – Configuring with Terraform

Virtual Machines have always been the backbone of most IT infrastructures. With the move to the cloud, IaaS continues to be adopted and used to deliver core business outcomes. It is critical to manage backups, updates and security, and to ensure best practices are applied to every instance.

With an increasing number of Virtual Machines it often becomes challenging to monitor, manage and maintain the onboarding process of a VM, ensuring the configuration aligns with your IT policy and requirements.

Azure Automanage is a new service which allows you to create and centrally manage configuration profiles and automate the deployment of best practices and recommended settings. This includes backup, patching, logging and monitoring. Most importantly, Automanage monitors for configuration drift and automatically remediates it as required.

Automanage comes with two built-in configuration profiles: Production and Dev/Test. In this blog, we will go through creating a custom configuration profile covering the services below:

  • Backup
  • Microsoft Antimalware
  • Machines Insights Monitoring
  • Machine Configuration
  • Update Management
  • Microsoft Defender for Cloud
  • Change Tracking and Inventory
  • Azure Automation Account
  • Log Analytics Workspace
  • Boot Diagnostics
  • Windows Admin Center

Most importantly, we will be concentrating on deploying Machine Configuration so that Automanage will apply and autocorrect Azure Security Baseline settings. This setting has two assignment types, listed below:

  • ApplyAndMonitor
  • Audit

You can get more details regarding the settings available in Azure Security Baseline for Windows Virtual Machines from here.

Using Terraform for Azure Automanage

We will be using Terraform to create an Automanage configuration profile. Since the Terraform AzureRM provider does not have a resource for Automanage, we will be using the AzAPI provider. All the services we discussed above are configured under the configuration block of the AzAPI Automanage resource.

The first step is to define the resource group resource block as this will be the parent ID for our Automanage configuration profile resource.

resource "azurerm_resource_group" "rg" {
  name     = "rg-automanage"
  location = "australiaeast"
}

Once we have defined our resource group we will now be defining our configuration profile.

resource "azapi_resource" "automanage" {
  type      = "Microsoft.Automanage/configurationProfiles@2022-05-04"
  name      = "demo-automanage-config-profile"
  location  = "australiaeast"
  parent_id = azurerm_resource_group.rg.id
  body = jsonencode({
    properties = {
      configuration = {
        "Antimalware/Enable"                                                       = true
        "Antimalware/EnableRealTimeProtection"                                     = true
        "Antimalware/RunScheduledScan"                                             = true
        "Antimalware/ScanType"                                                     = "Quick"
        "Antimalware/ScanDay"                                                      = 7
        "Antimalware/ScanTimeInMinutes"                                            = 120
        "AzureSecurityBaseline/Enable"                                             = true
        "AzureSecurityBaseline/AssignmentType"                                     = "ApplyAndAutoCorrect"
        "AzureSecurityCenter/Enable"                                               = true
        "Backup/Enable"                                                            = true
        "Backup/PolicyName"                                                        = "dailyBackupPolicy"
        "Backup/TimeZone"                                                          = "AUS Eastern Standard Time"
        "Backup/InstantRpRetentionRangeInDays"                                     = 2
        "Backup/SchedulePolicy/ScheduleRunFrequency"                               = "Daily"
        "Backup/SchedulePolicy/ScheduleRunTimes"                                   = ["2022-11-17T01:00:00Z"]
        "Backup/SchedulePolicy/SchedulePolicyType"                                 = "SimpleSchedulePolicy"
        "Backup/RetentionPolicy/RetentionPolicyType"                               = "LongTermRetentionPolicy"
        "Backup/RetentionPolicy/DailySchedule/RetentionTimes"                      = ["2022-11-17T01:00:00Z"]
        "Backup/RetentionPolicy/DailySchedule/RetentionDuration/Count"             = 7
        "Backup/RetentionPolicy/DailySchedule/RetentionDuration/DurationType"      = "Days"
        "BootDiagnostics/Enable"                                                   = true
        "ChangeTrackingAndInventory/Enable"                                        = true
        "LogAnalytics/Enable"                                                      = true
        "UpdateManagement/Enable"                                                  = true
        "VMInsights/Enable"                                                        = true
      }
    }
  })
}

Points to remember:

  • We can also specify the Log Analytics Workspace ID in the configuration block, but you will need to ensure that the Automanage API has Contributor access to the Log Analytics workspace, otherwise you might see errors as in the screenshot below.
  • Defender for Cloud is still referred to as Azure Security Center in the configuration keys (AzureSecurityCenter/Enable).
  • By default, in the two built-in profiles the Machine Configuration service applies the Windows security baseline in audit mode only.
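Because a profile that merely audits, or that silently drops a service, looks identical to a hardened one at a glance, it helps to lint the configuration map before or after deployment. The following is an added example (not from the original post) that checks the flat "Area/Setting" map, i.e. the object passed to properties.configuration in the AzAPI body above, against a small policy; the required-service list and the 7-day retention floor are this example's own assumptions.

```python
# Added example: lint an Automanage configurationProfile "configuration" map.
# Keys are "Area/Setting" strings exactly as in the AzAPI body; the checks
# below (required services, 7-day retention floor) are assumptions for the
# example, not Automanage defaults.

# Constructed sample: the profile above with a few settings weakened so the
# checks have something to report.
SAMPLE_CONFIG = {
    "Antimalware/Enable": True,
    "Antimalware/EnableRealTimeProtection": False,
    "AzureSecurityBaseline/Enable": True,
    "AzureSecurityBaseline/AssignmentType": "Audit",
    "AzureSecurityCenter/Enable": True,
    "Backup/Enable": True,
    "Backup/RetentionPolicy/DailySchedule/RetentionDuration/Count": 3,
    "LogAnalytics/Enable": True,
    "UpdateManagement/Enable": True,
}

def nest(flat):
    """Turn {"Backup/Enable": True} into {"Backup": {"Enable": True}}."""
    tree = {}
    for key, value in flat.items():
        node = tree
        *parents, leaf = key.split("/")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return tree

def audit(flat_config, min_retention_days=7):
    """Return human-readable findings; an empty list means the profile passes."""
    cfg = nest(flat_config)
    findings = []
    # A service absent from the map is simply not enabled, so treat it as off.
    for area in ("Antimalware", "AzureSecurityBaseline", "AzureSecurityCenter",
                 "Backup", "LogAnalytics", "UpdateManagement"):
        if cfg.get(area, {}).get("Enable") is not True:
            findings.append(f"{area}/Enable is not true")
    if cfg.get("Antimalware", {}).get("EnableRealTimeProtection") is not True:
        findings.append("Antimalware/EnableRealTimeProtection is not true")
    # Audit only reports; ApplyAndMonitor applies once and then only reports
    # drift; ApplyAndAutoCorrect is the mode that keeps re-applying the baseline.
    if cfg.get("AzureSecurityBaseline", {}).get("AssignmentType") != "ApplyAndAutoCorrect":
        findings.append("AzureSecurityBaseline/AssignmentType does not auto-correct drift")
    duration = (cfg.get("Backup", {}).get("RetentionPolicy", {})
                .get("DailySchedule", {}).get("RetentionDuration", {}))
    if duration.get("DurationType", "Days") == "Days" and duration.get("Count", 0) < min_retention_days:
        findings.append(f"Backup daily retention is under {min_retention_days} days")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the disabled real-time protection, the Audit-only assignment type and the short retention; feeding it the map from the Terraform block above returns an empty list.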

References:

https://learn.microsoft.com/en-us/azure/automanage/automanage-windows-server

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-machines-windows-security-baseline
