How to deploy Update Management to Azure resources the programmatic way
I'm currently trying to set up Azure's Update Management Solution to a resource group I have set up. I've read through a lot of documentation on this matter, including Microsoft's: https://docs.microsoft.com/en-us/azure/automation/automation-update-management
It's pretty straightforward to set up using the GUI; however, I have been unsuccessful in finding a way to deploy this programmatically. I wanted to reach out to the Stack community and see if anyone has been able to deploy an environment that uses Update Management with a code base, or if anyone has found/built a PowerShell module which can be used to enable Update Management on select VMs.
Solution 1:[1]
How to deploy Update Management to Azure automatically with Terraform (step by step):
Create Automation Account - resource "azurerm_automation_account"
Create Log Analytics Workspace - resource "azurerm_log_analytics_workspace"
Link the previously created Log Analytics workspace with the Automation Account - resource "azurerm_log_analytics_linked_service"
Create Log Analytics solution "Updates" - resource "azurerm_log_analytics_solution" with
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/Updates"
  }
Create update schedule using ARM Template Terraform resource - resource "azurerm_resource_group_template_deployment" - sample code shown in 4c74356b41's comment above
Add Microsoft Monitoring Agent extension for VMs you want to be auto updated and added to Update Management, connect them with the earlier Log Analytics Workspace - resource "azurerm_virtual_machine_extension"
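As an added example that is not part of any of the answers above, the same steps written with the Az PowerShell modules instead of Terraform: steps 1 to 4 and 6 of the list (the schedule in step 5 is what the New-AzureRmAutomationSoftwareUpdateConfiguration cmdlet named in Solution 3 creates). The resource group, region, account, workspace and VM names are placeholders, the workspace link is created with the generic resource cmdlet because there is no dedicated one, and the API version used for that link is an assumption to check against the current Microsoft.OperationalInsights reference:

```powershell
# Added example, not from the original answers: Solution 1's steps 1-4 and 6 done with
# the Az PowerShell modules instead of Terraform.
# Assumed placeholders: resource group, region, account/workspace names and VM names.
#Requires -Modules Az.Accounts, Az.Resources, Az.Automation, Az.OperationalInsights, Az.Compute

$ErrorActionPreference = 'Stop'

$ResourceGroup  = 'rg-update-mgmt'      # assumed
$Location       = 'westeurope'          # assumed
$AutomationName = 'aa-update-mgmt'      # assumed
$WorkspaceName  = 'law-update-mgmt'     # assumed
$VmNames        = @('vm-01', 'vm-02')   # assumed: existing Windows VMs in $ResourceGroup

# Interactive sign-in; a pipeline would use a service principal or managed identity instead.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# Step 1: Automation account (azurerm_automation_account)
$aa = Get-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationName -ErrorAction SilentlyContinue
if (-not $aa) {
    $aa = New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationName `
        -Location $Location -Plan Basic
}

# Step 2: Log Analytics workspace (azurerm_log_analytics_workspace)
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
        -Location $Location -Sku PerGB2018
}

# Step 3: link workspace and Automation account (azurerm_log_analytics_linked_service).
# Done with the generic resource cmdlet; the API version is an assumption to verify.
$aaId = (Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.Automation/automationAccounts' -Name $AutomationName).ResourceId
New-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.OperationalInsights/workspaces/linkedServices' `
    -ResourceName "$WorkspaceName/Automation" `
    -ApiVersion '2020-08-01' `
    -Properties @{ resourceId = $aaId } `
    -Force | Out-Null

# Step 4: enable the "Updates" solution on the workspace (azurerm_log_analytics_solution)
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -IntelligencePackName 'Updates' -Enabled $true | Out-Null

# Step 6: Microsoft Monitoring Agent on each VM, pointed at the workspace
# (azurerm_virtual_machine_extension). The shared key is a secret: it goes only in
# ProtectedSettings, which Azure encrypts and does not return on read.
$wsKey = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName).PrimarySharedKey
foreach ($vm in $VmNames) {
    Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $vm -Location $Location `
        -Name 'MicrosoftMonitoringAgent' `
        -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
        -ExtensionType 'MicrosoftMonitoringAgent' `
        -TypeHandlerVersion '1.0' `
        -Settings @{ workspaceId = $ws.CustomerId.ToString() } `
        -ProtectedSettings @{ workspaceKey = $wsKey } | Out-Null
}

# Sanity check: every target VM should now report the agent extension as succeeded.
foreach ($vm in $VmNames) {
    Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $vm -Name 'MicrosoftMonitoringAgent' |
        Select-Object VMName, Name, ProvisioningState
}
```

The identity running this needs rights to create resources in the group and to read the workspace's shared keys, so it is not a script to run under a broad subscription-wide role if a narrower one will do. If the onboarded machines still do not show up in Update Management, check the Updates solution's scope configuration in the workspace, which limits which connected machines the solution manages. Microsoft has since retired the Automation-account-based Update Management in favour of Azure Update Manager, so this reproduces the approach the answers describe for existing deployments rather than the currently recommended one.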
Solution 2:[2]
This piece of ARM template should work:
{
  "apiVersion": "2017-05-15-preview",
  "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
  "name": "automationName/softwareUpdateName",
  "location": "[resourceGroup().location]",
  "properties": {
    "updateConfiguration": {
      "operatingSystem": "Windows",
      "duration": "PT2H0M",
      "windows": {
        "excludedKbNumbers": [
          "168934",
          "168973"
        ],
        "includedUpdateClassifications": "Critical",
        "rebootSetting": "IfRequired"
      },
      "azureVirtualMachines": [
        "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-01",
        "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-02",
        "/subscriptions/5ae68d89-69a4-454f-b5ce-e443cc4e0067/resourceGroups/myresources/providers/Microsoft.Compute/virtualMachines/vm-03"
      ],
      "nonAzureComputerNames": [
        "box1.contoso.com",
        "box2.contoso.com"
      ]
    },
    "scheduleInfo": {
      "frequency": "Hour",
      "startTime": "2017-10-19T12:22:57+00:00",
      "timeZone": "America/Los_Angeles",
      "interval": 1,
      "expiryTime": "2018-11-09T11:22:57+00:00",
      "advancedSchedule": {
        "weekDays": [
          "Monday",
          "Thursday"
        ]
      }
    }
  }
}
You can use the REST API to find out how to construct the properties the way you need.
You could use the same properties JSON with Invoke-WebRequest as a payload, for example, or curl.
Solution 3:[3]
Interacting with "Azure Updates" in PowerShell is done through the "AzureRMAutomation" cmdlets. For example, scheduling software updates uses the "New-AzureRmAutomationSoftwareUpdateConfiguration" cmdlet.
You should be able to find anything else you want to do in that directory.
I stumbled across this site, which isn't as useful as the above information...
https://sharepointyankee.com/2018/02/26/importing-powershell-modules-into-azure-automation/
This process allows you to download PowerShell modules from the modules gallery. After doing a simple search for "update", I found 2 modules, "xWindowsUpdate" and "PSWindowsUpdate". These don't directly interact with Azure Update Manager, but functionally accomplish the same result.
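The ARM resource in Solution 2 and the cmdlet named in Solution 3 create the same object, so here, as an added example that is not from either answer, is that JSON reproduced with the Az cmdlets (Az is the successor of the AzureRM module; the AzureRM names are New-AzureRmAutomationSchedule and New-AzureRmAutomationSoftwareUpdateConfiguration). Resource group, account and VM names are placeholders, and the VM resource IDs are resolved with Get-AzVM rather than hand-typed so that no subscription ID is embedded in the script:

```powershell
# Added example, not from the original answers: the Solution 2 softwareUpdateConfiguration
# built with the Az cmdlets that Solution 3 points to.
# Assumed placeholders: resource group, Automation account and VM names.
#Requires -Modules Az.Accounts, Az.Automation, Az.Compute

$ErrorActionPreference = 'Stop'

$ResourceGroup  = 'rg-update-mgmt'                 # assumed
$AutomationName = 'aa-update-mgmt'                 # assumed
$VmNames        = @('vm-01', 'vm-02', 'vm-03')     # assumed: the VM names from the page's sample

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# Resolve full resource IDs from the VM names; this also fails early if a VM does not exist.
$vmIds = foreach ($name in $VmNames) {
    (Get-AzVM -ResourceGroupName $ResourceGroup -Name $name).Id
}

# Schedule: weekly on Monday and Thursday, first run tomorrow at 02:00 in the given time zone.
# -ForUpdateConfiguration marks the schedule as one Update Management may use.
$start = (Get-Date).Date.AddDays(1).AddHours(2)
$schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName `
    -Name 'weekly-critical-patching' `
    -StartTime $start `
    -WeekInterval 1 `
    -DaysOfWeek Monday, Thursday `
    -TimeZone 'America/Los_Angeles' `
    -ForUpdateConfiguration

# Update configuration with the same settings as the JSON: Windows, a two-hour maintenance
# window, Critical classification only, two excluded KBs, reboot only if required.
# The configuration takes the schedule's name.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName `
    -Schedule $schedule `
    -Windows `
    -AzureVMResourceId $vmIds `
    -NonAzureComputer 'box1.contoso.com', 'box2.contoso.com' `
    -IncludedUpdateClassification Critical `
    -ExcludedKbNumber '168934', '168973' `
    -RebootSetting IfRequired `
    -Duration (New-TimeSpan -Hours 2) | Out-Null

# Read the deployment back and review it before the first run fires.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AutomationName -Name $schedule.Name |
    Select-Object Name, ProvisioningState, UpdateConfiguration
```

Two things worth checking on the result: the classification list is exactly what the JSON asked for, so "Critical" alone does not pull in the Security classification unless it is added to -IncludedUpdateClassification, and the time zone applies to the StartTime you pass, so a schedule built from the local clock of the machine running the script can land at an unintended hour. Reading the configuration back with Get-AzAutomationSoftwareUpdateConfiguration before the first run catches both.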
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Mieszko
Solution 2 | 4c74356b41
Solution 3 |