In the previous lesson, we learned all about the magic of DSC. A PowerShell toolset of declaring configuration state. This is great for getting everything nearly defined and establishing a proper infrastructure as code paradigm. But how do we keep things in a good state? Aside from obsessively refreshing the dashboard every 20 seconds. How can we add a layer of automation and management above DSC to guarantee compliance with all of the level of configuration we have defined in DSC?

Outside of Azure, there are a lot of different tools and frameworks. We mentioned a few such as Chef and Puppet, Ansible, Terraform. However, within Azure, we have a very powerful service that integrates quite neatly with PowerShell DSC. It is known as Azure Automation Configuration State and if you're a DevOps engineer using Azure, this too will become your best friend.

We will refer to Azure Automation State Configuration as AASC for simplicity's sake because it's a long name. And we want to differentiate it from Azure Security Center, ASC. So AASC, Azure Automation State Configuration, works on top of DSC. It is built right into the Azure automation dashboard as state configuration with DSC in parentheses in the left-hand menu basically. So recall that DSC is comprised of resources and configurations and the LCM. By itself, we would need to think of a way to manage all of these artifacts generated and referenced by the various PowerShell scripts. Comprising our overall DSC infrastructure. What AASC does is it gives us a centralized system for managing all of our DSC artifacts with an intuitive pull-based deployment model.

AASC lets you manage not only DSC artifacts but the target nodes and the reporting settings. The pole server collects state data from all target nodes automatically and can be configured to send reports to the log analytics service if you want reports to be more actionable. We will come back to that in a bit. AASC works with both Windows and Linux operating systems and can be configured to work within private networks and proxies. The only prerequisites for actually using Azure state configuration is that you have an Azure automation account and are using a Standard Azure Resource Manager VM since the classic VM version isn't supported yet but that may change.

So that's enough about the high-level features in specs. Let's actually talk through a practical example so you can understand how AASC will make your life easier. So let's start with a basic example of DSC configuration. Here we have a pretty basic script that's meant to ensure a specific config based on whether or not a node is a web server. So we're just you know in confirming a specific setting based on the node. So we can check this code into a git repo and we can run it manually from a terminal if we want. But what do we gain if we integrate it with AASC?

With the whole dashboard and Azure report. From the Azure portal, we can import this script with just a few clicks. We go into Azure automation section, we click on state configuration, the DSC page, we click into configurations and then we select add. And from there, we upload our config file. There's also a text box to add a description which I strongly recommend doing. You wanna know some info about the scripts you'll thank your future self. Now as before once you upload that config, you have to compile it into the node configuration before it can be applied to the pull server and actually run on machines. And this is again just a few clicks in the UI, we did that last lesson.

So once compilation succeeds, the new configuration can be applied to one or more node groups. Now, this may not seem like a big deal applying to node groups from the portal, you know. It may not seem all that important when you're just dealing with a single, simple PowerShell script. However, remember that a more realistic application architecture is gonna have far more moving parts than this. We might have a queuing system, we might have a caching layer, we might have multiple front ends, we could have proxies and authentication systems and different databases, etc. We could need dozens of PowerShell scripts of varying sizes to keep everything in a healthy state and avoid drift. Managing all of that is no easy task. AASC makes it a lot easier and the even cooler thing about AASC is that it not only manages our DSC code but it let us manage the VMs themselves.

AASC supports adding Azure nodes both under the standard resource management and even VMs and other clouds and it lets us manage classic nodes, classic nodes not the classic resource manager but classic nodes themselves. So we'll add a link to the documentation about this. This kind of multi-cloud functionality but what this means is that AASC lets us manage for example AWS EC2 nodes. This is a bit of out of scope, for this class to go into detail on that but it's nice to know that if you do have or if you need to set up a multi-cloud infrastructure Azure does give you the tools to at least manage much of your config in one place. 

Now one best practice we want to mention here for scenarios where you need quick response times to compliance failure, is that you should forward AASC reporting data to Azure Monitor logs. As mentioned AASC readily integrates with your Azure log analytics account. With a few PowerShell commands you can configure Azure Monitoring to aggregate AASC data so that it is viewable in the Monitoring section of the AASC dashboard. So you can look at the logs and monitor all of the reporting data going on in your automation state dashboard. You can then set up queries to trigger emails or alerts or other actions if a monitor detects a compliance failure in the logs. So this is really important for cases where compliance failures are very dangerous. So for the exact walkthrough on this, see the documentation link to show exactly how to set that up, if it's an interest to you.

So that about wraps up Azure Automation State Configuration as we can see it is one of the best solutions for automating compliance by managing DSC infrastructure in an Azure cloud. It takes practice to really understand it always a lot of moving parts, so be sure to watch our demos and play around with it on your own. In the next lesson, we go one step further by introducing VM agents and extensions. It will be a blast, see you there.

 

Useful Links

https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration

https://docs.microsoft.com/en-us/powershell/scripting/dsc/overview/overview?view=powershell-7

Lectures

Course Introduction - Compliance & Security Scanning - Security Center Demo - Preventing Drift - ARM, Activity Log & Track Changes Demo - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary