azure-policy
Alias request: Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode and Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode
Scenario
Because of existing issues in the current Update Manager built-in policies that do not set patchMode correctly on virtual machines when the setting gets modified (currently a limitation of built-in policy /providers/Microsoft.Authorization/policyDefinitions/ba0df93e-e4ac-479a-aac2-134bbae39a1a), I am trying to supplement the built-in policies with a custom one that modifies patchMode to the desired setting (which in our case is AutomaticByPlatform) whenever it is detected to be incorrect.
Unfortunately it appears that right now the aliases we need are not modifiable by policy. The aliases are:
- Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode (NOTE: SEE UPDATE BELOW. I discovered the Windows one is actually fine. Only the Linux one is not modifiable)
- Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode
The following command shows that the alias does exist, so I guess it's read-only and not modifiable:
az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name" | grep patchMode
Proposed Definition
This is basically a clone of the built-in policy /providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15, but for setting patchMode instead of assessmentMode.
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"value": "[empty(parameters('locations'))]",
"equals": true
},
{
"field": "location",
"in": "[parameters('locations')]"
}
]
},
{
"field": "[if(equals(tolower(parameters('osType')), 'windows'), 'Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode', 'Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode')]",
"notEquals": "[parameters('patchMode')]"
},
{
"anyOf": [
{
"value": "[empty(parameters('tagValues'))]",
"equals": true
},
{
"allOf": [
{
"value": "[parameters('tagOperator')]",
"equals": "Any"
},
{
"value": "[greaterOrEquals(if(empty(field('tags')), 0, length(intersection(parameters('tagValues'), field('tags')))), 1)]",
"equals": true
}
]
},
{
"allOf": [
{
"value": "[parameters('tagOperator')]",
"equals": "All"
},
{
"value": "[equals(if(empty(field('tags')), 0, length(intersection(parameters('tagValues'), field('tags')))), length(parameters('tagValues')))]",
"equals": true
}
]
}
]
},
{
"anyOf": [
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Linux*"
}
]
},
{
"value": "[parameters('osType')]",
"equals": "Linux"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Canonical"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftcblmariner"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "cbl-mariner"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"cbl-mariner-1",
"1-gen2",
"cbl-mariner-2",
"cbl-mariner-2-gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "oracle"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "oracle-linux"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"8",
"8-ci",
"81",
"81-ci",
"81-gen2"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "ol7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "ol8*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "ol9*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "ol9-lvm*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "oracle-database"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "oracle_db_21"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "oracle-database-*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "18.*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "oracle-database-19-3"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "oracle-database-19-0904"
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-aks"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "aks"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "aks-engine-ubuntu-1804-202112"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoft-dsvm"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "aml-workstation"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"ubuntu-20",
"ubuntu-20-gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "Redhat"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "RHEL"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "8*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "9*"
}
]
},
{
"field": "Microsoft.Compute/imageSKU",
"notEquals": "74-gen2"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "RHEL-RAW"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "8*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "9*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"rhel-sap-ha"
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"equals": "90sapha-gen2"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "8*"
}
]
},
{
"field": "Microsoft.Compute/imageSKU",
"notEquals": "7.5"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"rhel-sap-apps"
]
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"equals": "90sapha-gen2"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "8*"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "rhel-sap-*"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "9_0"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "rhel-ha"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "8*"
},
{
"field": "Microsoft.Compute/imageSKU",
"notIn": [
"7.4",
"7.5",
"7.6",
"8.1",
"81_gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "rhel-sap"
},
{
"field": "Microsoft.Compute/imageSKU",
"notIn": [
"7.4",
"7.5",
"7.7"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "OpenLogic"
},
{
"allOf": [
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "Centos"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "7*"
},
{
"field": "Microsoft.Compute/imageSKU",
"notLike": "8*"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "centos-lvm"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"7-lvm",
"8-lvm",
"7-lvm-gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "centos-ci"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "7-ci"
}
]
}
]
},
{
"field": "Microsoft.Compute/imageOffer",
"notEquals": "centos-hpc"
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "SUSE"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"sles-12-sp5",
"sles-15-sp2",
"sle-hpc-15-sp4",
"sles-15-sp1-sapcal",
"sles-15-sp3-sapcal",
"sles-15-sp4-basic",
"sles-15-sp4"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"gen1",
"gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"sles",
"sles-standard"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "12-sp4-gen2"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"sles-15-sp2-basic",
"sles-15-sp2-hpc"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "gen2"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "sles-15-sp4-sapcal"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "gen1"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"sles-byos",
"sles-sap"
]
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"12-sp4",
"12-sp4-gen2"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "sles-sap-byos"
},
{
"field": "Microsoft.Compute/imageSKU",
"in": [
"12-sp4",
"12-sp4-gen2",
"gen2-12-sp4"
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "sles-sapcal"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "12-sp3"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageSKU",
"like": "gen*"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "opensuse-leap-15-*"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "sles-12-sp5-*"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "sles-sap-12-sp5*"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"like": "sles-sap-15-*"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "sles-sap-15-*-byos"
}
]
}
]
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
},
{
"field": "Microsoft.Compute/imageOffer",
"notLike": "sql2019-sles*"
},
{
"field": "Microsoft.Compute/imageOffer",
"notIn": [
"sql2019-rhel7",
"sql2017-rhel7"
]
}
]
}
]
}
]
},
{
"allOf": [
{
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
"exists": "true"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"like": "Windows*"
}
]
},
{
"value": "[parameters('osType')]",
"equals": "Windows"
},
{
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftWindowsServer"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"windowsserver",
"windows-cvm",
"windowsserverdotnet",
"windowsserver-gen2preview",
"windowsserversemiannual",
"windowsserverupgrade"
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "microsoftserveroperatingsystems-previews"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "windows-server-vnext-azure-edition-core"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imageOffer",
"equals": "windowsserverhotpatch-previews"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "windows-server-2022-azure-edition-hotpatch"
}
]
}
]
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "MicrosoftSQLServer"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftdynamicsax"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "dynamics"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftazuresiterecovery"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "process-server"
},
{
"field": "Microsoft.Compute/imageSKU",
"equals": "windows-2012-r2-datacenter"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftbiztalkserver"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "biztalk-server"
}
]
},
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftpowerbi"
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftsharepoint"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "microsoftsharepointserver"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftwindowsserverhpcpack"
},
{
"field": "Microsoft.Compute/imageOffer",
"equals": "windowsserverhpcpack"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Compute/imagePublisher",
"equals": "microsoftvisualstudio"
},
{
"field": "Microsoft.Compute/imageOffer",
"like": "visualstudio*"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/imageSKU",
"like": "*-ws2012r2"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "*-ws2016"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "*-ws2019"
},
{
"field": "Microsoft.Compute/imageSKU",
"like": "*-ws2022"
}
]
}
]
}
]
},
{
"field": "Microsoft.Compute/imagePublisher",
"notEquals": "microsoft-ads"
}
]
}
]
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"conflictEffect": "audit",
"operations": [
{
"condition": "[equals(tolower(parameters('osType')), 'windows')]",
"operation": "addOrReplace",
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode",
"value": "[parameters('patchMode')]"
},
{
"condition": "[equals(tolower(parameters('osType')), 'linux')]",
"operation": "addOrReplace",
"field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode",
"value": "[parameters('patchMode')]"
}
]
}
}
},
"parameters": {
"patchMode": {
"type": "String",
"metadata": {
"displayName": "Patch mode",
"description": "Patch mode for the machines."
},
"allowedValues": [
"ImageDefault",
"AutomaticByPlatform"
],
"defaultValue": "AutomaticByPlatform"
},
"osType": {
"type": "String",
"metadata": {
"displayName": "OS type",
"description": "OS type for the machines."
},
"allowedValues": [
"Windows",
"Linux"
],
"defaultValue": "Windows"
},
"locations": {
"type": "Array",
"metadata": {
"displayName": "Machines locations",
"description": "The list of locations from which machines need to be targeted.",
"strongType": "location"
},
"defaultValue": []
},
"tagValues": {
"type": "Object",
"metadata": {
"displayName": "Tags on machines",
"description": "The list of tags that need to matched for getting target machines."
},
"defaultValue": {}
},
"tagOperator": {
"type": "String",
"metadata": {
"displayName": "Tag operator",
"description": "Matching condition for resource tags"
},
"allowedValues": [
"All",
"Any"
],
"defaultValue": "Any"
}
}
}
UPDATE: After interrogating the metadata a bit more I've discovered that apparently the Windows one is marked as modifiable in the metadata, whereas the Linux one is not:
Windows:
PS > Get-AzPolicyAlias -NamespaceMatch 'compute' | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.Name -eq 'Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode' }
Name : Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode
Paths : {Microsoft.Azure.Management.ResourceManager.Models.AliasPath}
Type :
DefaultPath : properties.osProfile.windowsConfiguration.patchSettings.patchMode
DefaultPattern :
DefaultMetadata : Microsoft.Azure.Management.ResourceManager.Models.AliasPathMetadata
PS /home/eric> $alias = Get-AzPolicyAlias -NamespaceMatch 'compute' | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.Name -eq 'Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode' }
PS /home/eric> $alias.DefaultMetadata
Type Attributes
---- ----------
String Modifiable
Linux:
PS > Get-AzPolicyAlias -NamespaceMatch 'compute' | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.Name -eq 'Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode' }
Name : Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode
Paths :
Type :
DefaultPath : properties.osProfile.linuxConfiguration.patchSettings.patchMode
DefaultPattern :
DefaultMetadata :
Note the blank DefaultMetadata structure in the Linux alias.
If I am misinterpreting anything here, I apologize. I'm certainly not an expert in this area. Just hoping this helps someone fix this quickly, or perhaps reveal a workaround that I haven't yet thought of :)
You're not misinterpreting things. I tested this with Windows and it works. With Linux it does not.
I also tried https://learn.microsoft.com/en-us/answers/questions/1520341/custom-azure-policy-to-enable-automatic-vm-guest-p?page=1&orderby=Helpful&comment=answer-1444586#newest-answer-comment as a workaround, but in this case all policies just evaluate as compliant. So there seems to be a problem there as well.
Looks like the same problem exists for bypassPlatformSafetyChecksOnUserSchedule and enableHotpatching.
Looks like someone took notice of this issue and fixed it, although this issue remained open.
Here's what I am seeing now for the same command I issued above before that was showing the broken/missing alias.
PS /home/eric> Get-AzPolicyAlias -NamespaceMatch 'compute' | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.Name -eq 'Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode' }
Name : Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode
Paths : {Microsoft.Azure.Management.ResourceManager.Models.AliasPath}
Type :
DefaultPath : properties.osProfile.linuxConfiguration.patchSettings.patchMode
DefaultPattern :
DefaultMetadata : Microsoft.Azure.Management.ResourceManager.Models.AliasPathMetadata
Closing myself, since this is no longer an issue and I should be able to create the policy I needed to create now due to the fix.
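The check the thread performs by hand (inspect `DefaultMetadata.Attributes` on each alias before building a `modify` policy around it) as a reusable PowerShell function. This is an added example, not code from the issue author or from the azure-policy repository; it assumes the Az.Resources module is installed and `Connect-AzAccount` has been run. The two patchMode alias names come from the issue; the full alias names for `bypassPlatformSafetyChecksOnUserSchedule` and `enableHotpatching` are not given in the thread, so those are matched with wildcards rather than guessed. The function name `Get-ModifiableAliasReport` is my own.

```powershell
# Added example (not from the issue author): report whether Azure Policy aliases
# carry the Modifiable attribute, i.e. whether a "modify" effect can target them.
# Assumes Az.Resources is installed and an Azure context exists (Connect-AzAccount).

function Get-ModifiableAliasReport {
    [CmdletBinding()]
    param(
        # Wildcard patterns matched against alias names with -like.
        [Parameter(Mandatory)]
        [string[]] $NamePattern,

        # Same namespace filter the issue uses.
        [string] $NamespaceMatch = 'compute'
    )

    # Flatten to one object per alias, exactly as the commands in the issue do.
    $aliases = Get-AzPolicyAlias -NamespaceMatch $NamespaceMatch |
        Select-Object -ExpandProperty Aliases

    foreach ($pattern in $NamePattern) {
        $matched = @($aliases | Where-Object { $_.Name -like $pattern })

        if ($matched.Count -eq 0) {
            # No alias at all: policy cannot even evaluate the property.
            [pscustomobject]@{
                Pattern    = $pattern
                Alias      = $null
                Modifiable = $false
                Reason     = 'alias not found'
            }
            continue
        }

        foreach ($alias in $matched) {
            # DefaultMetadata.Attributes is the field that was blank for the
            # Linux alias in this issue and "Modifiable" for the Windows one.
            $attrs = $alias.DefaultMetadata.Attributes
            $isModifiable = ($null -ne $attrs) -and ("$attrs" -match 'Modifiable')

            [pscustomobject]@{
                Pattern    = $pattern
                Alias      = $alias.Name
                Modifiable = $isModifiable
                Reason     = if ($isModifiable) { "DefaultMetadata.Attributes = $attrs" }
                             else { 'DefaultMetadata empty or not Modifiable' }
            }
        }
    }
}

# Usage: the two patchMode aliases from the issue, plus wildcard patterns for the
# two other patch settings a commenter reported (full alias names assumed unknown).
$report = Get-ModifiableAliasReport -NamePattern @(
    'Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode',
    'Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode',
    '*patchSettings*bypassPlatformSafetyChecksOnUserSchedule',
    '*patchSettings*enableHotpatching'
)
$report | Format-Table -AutoSize

# Gate deployment of the custom definition on the result: a modify operation whose
# field alias is not Modifiable cannot remediate, so there is no point assigning it.
if ($report | Where-Object { -not $_.Modifiable }) {
    Write-Warning 'At least one alias is not Modifiable; hold the modify policy for it.'
}
```

Running this before and after a provider metadata change gives the same before/after comparison the issue author did with two manual commands, and the `Modifiable` column is the single value that decides whether the `addOrReplace` operation in the proposed definition can ever take effect for that OS.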