How to be required in Azure custom policy to have to install Virtual Machine Custom Extension or CustomScriptExtension

Question

How to be required in Azure custom policy to have to install Virtual Machine Custom Extension or CustomScriptExtension

Oda, Yutaka 171

Hi, community!

Currently, I'm struggling to create Azure custom policy requiring VM to install Virtual Machine Custom Extension or CustomScriptExtension.

And I create Azure Policy but I can't understand how specify custom extension which must be installed.

I can't find rerated parameter or property.

Could you give me advice?

{
  "properties": {
    "displayName": "Require Installation of Custom Extension on VMs",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy ensures that a custom extension is installed on VMs.",
    "metadata": {
      "version": "1.0.0",
      "category": "CustomExtensions"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Specifies the effect of the policy enforcement."
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "listOfImageIdToInclude": {
        "type": "Array",
        "metadata": {
          "displayName": "List of Image IDs to Include",
          "description": "Specifies the list of image IDs to include in the policy."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imageId",
                "in": "[parameters('listOfImageIdToInclude')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "CustomScriptExtension"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/settings.workspaceId",
                "exists": "true"
              }
            ],
            "deployment": {
              "type": "Microsoft.Compute/virtualMachines/extensions",
              "apiVersion": "2021-04-01",
              "name": "[format('{0}/{1}', field('name'), 'InstallWebServer')]",
              "location": "[field('location')]",
              "properties": {
                "publisher": "Microsoft.Compute",
                "type": "CustomScriptExtension",
                "typeHandlerVersion": "1.7",
                "autoUpgradeMinorVersion": true,
                "settings": {
                  "fileUris": [
                    "https://azureblobstorageurl"
                  ],
                  "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File DiskPartitionChangePS.ps1"
                },
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat('Enabled extension for VM: ', field('name'))]"
                  }
                }
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  }
}

kobulloc-MSFT 26,811 Microsoft Employee Moderator

Hello, @Oda, Yutaka !

Hopefully this reply isn't too late. There's a concrete example to restrict extension installation on a VM which you can use as a base:

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/extensions-rmpolicy-howto-ps

{
	"if": {
		"allOf": [
			{
				"field": "type",
				"equals": "Microsoft.Compute/virtualMachines/extensions"
			},
			{
				"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
				"equals": "Microsoft.Compute"
			},
			{
				"field": "Microsoft.Compute/virtualMachines/extensions/type",
				"in": "[parameters('notAllowedExtensions')]"
			}
		]
	},
	"then": {
		"effect": "deny"
	}
}

{
	"notAllowedExtensions": {
		"type": "Array",
		"metadata": {
			"description": "The list of extensions that will be denied.",
			"displayName": "Denied extension"
		}
	}
}

Taking a quick look at Bing Chat, it recommends the following which deploys the Custom Script Extension to your VMs if it is not already installed (untested--I'd be happy to continue working through this if you are still looking for a solution):

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines/extensions"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "CustomScriptExtension"
                }
            }
        ]
    },
    "then": {
        "effect": "deployIfNotExists",
        "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "[concat('CustomScriptExtension-', uniqueString(resourceGroup().id))]",
            "existenceCondition": {
                "allOf": [
                    {
                        "field": "Microsoft.Compute/virtualMachines/extensions/type",
                        "equals": "CustomScriptExtension"
                    }
                ]
            },
            "deployment": {
                "properties": {
                    "mode": "incremental",
                    "templateLink": {
                        "uri": "[concat(parameters('_artifactsLocation'), '/', parameters('templateFolder'), '/CustomScriptExtension.json', parameters('_artifactsLocationSasToken'))]",
                        "contentVersion": "[parameters('templateVersion')]"
                    },
                    "parametersLink": {
                        "uri": "[concat(parameters('_artifactsLocation'), '/', parameters('templateFolder'), '/CustomScriptExtension.parameters.json', parameters('_artifactsLocationSasToken'))]",
                        "contentVersion": "[parameters('templateVersion')]"
                    }
                }
            }
        }
    }
}

1 answer

Your answer

Answer 1

I built the Custom Extension(CustomScriptExtension) Policy.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
              "equals": "Windows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
              "exists": true
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "field": "Microsoft.Compute/virtualMachines/extensions/type",
          "equals": "CustomScriptExtension"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "location": {
                  "type": "string"
                },
                "virtualMachineName": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "name": "[concat(parameters('virtualMachineName'),'/', 'CustomScriptExtension')]",
                  "type": "Microsoft.Compute/virtualMachines/extensions",
                  "apiVersion": "2023-03-01",
                  "location": "[parameters('location')]",
                  "properties": {
                    "publisher": "Microsoft.Compute",
                    "type": "CustomScriptExtension",
                    "typeHandlerVersion": "1.10",
                    "autoUpgradeMinorVersion": true,
                    "settings": {
                      "fileUris": [
                      "Azure blob file path"
                      ],
                      "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File PS.ps1"
                    },
                    "protectedSettings": {}
                  }
                }
              ]
            },
            "parameters": {
              "location": {
                "value": "[field('location')]"
              },
              "virtualMachineName": {
                "value": "[field('name')]"
              }
            }
          }
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
        ]
      }
    }
  },
  "parameters": {}
}

kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-07-20T15:36:06.6+00:00

Thank you for updating the community with the Custom Extension(CustomScriptExtension) Policy that you created, @Oda, Yutaka !

Share via

How to be required in Azure custom policy to have to install Virtual Machine Custom Extension or CustomScriptExtension

1 answer

Your answer