Offical repo is at the following location: https://github.com/Azure/missionlz/tree/main/src/bicep/add-ons/Imaging
This zero trust imaging solution for Azure allows you create images in an Azure environment that adheres to zero trust. While other options exist in Azure, its either a manual process or it doesn't adhere to zero trust. Azure Image Builder (AIB) is a great imaging service in Azure but does not adhere to zero trust. The service creates a staging resource group with a storage account that cannot be configured with a private endpoint. This breaks the zero trust principles. This solution uses a storage account with a private endpoint to store applications and the existing, preconfigured resources that comply with the principles.
graph TD;
A[Download Software Prerequisites] -->B(Upload Scripts and Installers to Storage Account)-->C(Review Azure Resource Requirements) -->D(Clone Repo) --> E(Create TemplateSpec)--> F(Ready for Zero Trust Imaging)
This solution adheres to Zero Trust which dictates that all virtual machine disks must be encrypted. The encryption at host feature enables disk encryption on virtual machine temp and cache disks. To use this feature, a resource provider feature must enabled on your Azure subscription. Use the following PowerShell script to enable the feature:
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
Permissions: Ensure the principal deploying the solution has "Owner" and "Key Vault Administrator" roles assigned on the target Azure subscription. This solution deploys role assignments at various scopes so the principal deploying this solution will need to be an Owner at the subscription scope for a successful deployment. It also deploys a key and secrets in a key vault to enhance security. A custom role may be used to reduce the scope of permisions required if your organization wants to use something other than they built in roles.
Ensure the following software is installed on your client workstation:
-
ArcGIS Pro Installer - as Zip File
You can download ArcGIS Pro from My Esri or your ArcGIS Online organization. Once the application is downloaded, if your windows OS image requires ArcGIS Pro you will need to create a ZIP file that contains all of the installation bits including the Windows Runtime.
Software Minimum requirement Microsoft .NET Microsoft .NET Desktop Runtime 6.0.5 or a later patch release (6.0.6 and so on), using a Windows x64 installer, is required. The presence of Microsoft .NET Desktop Runtime 7 or later is inconsequential.
The following resources must exist in your Azure environment before deployment:
- Virtual Network
- Storage Account
- Private Endpoint
- Private DNS Zone
- Blob container with executables, scripts, etc. that are required for the imaging deployment
You must enable the feature for your subscription before you use the EncryptionAtHost property for your VM/VMSS. Use the following steps to enable the feature for your subscription.
Execute the following command to register the feature for your subscription
Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
New-AzTemplateSpec `
-Name 'ZeroTrustImaging' `
-ResourceGroupName rg-image-usgovvirginia-01 `
-Version '1.0' `
-Location usgovvirginia `
-DisplayName "Zero Trust Image Template" `
-TemplateFile '.\solution.json' `
-UIFormDefinitionFile '.\uiDefinition.json' `
-Force
Specifies the local administrator user name of the virtual machine that will be captured.
Type: String
Specifies the container name where files, and scripts will be uploaded and consumed during the image process.
Type: String
Specifies the existing Azure Image Gallery where the image will be created.
Type: String
Specifies the name of the image that will created.
Type: String
Specifies the name of the image offer of the image that will be created.
Type: String
Specifies the name of the image publisher of the image that will be created.
Type: String
Specifies the name of the image SKU of the image that will be created.
Type: String
Specifies the name of the image version of the image that will be created.
Type: String
Specifies if Access will be installed on the image created.
Type: Boolean
Specifies if Excel will be installed on the image created.
Type: Boolean
Specifies if FsLogix will be installed on the image created.
Type: Boolean
Specifies if OneDrive For Business will be installed on the image created.
Type: Boolean
Specifies if OneNote will be installed on the image created.
Type: Boolean
Specifies if PowerPoint will be installed on the image created.
Type: Boolean
Specifies if Publisher will be installed on the image created.
Type: Boolean
Specifies if Teams will be installed on the image created.
Type: Boolean
Specifies if Virtual Desktop Optimization Tool (VDOT) will be installed on the image created.
Type: Boolean
Specifies if Visio will be installed on the image created.
Type: Boolean
Specifies if Word will be installed on the image created.
Type: Boolean
Specifies a location for the resources of the solution to be deployed.
Type: String
Specifies the name of an existing managed identity to be used during deployment of the solution.
Type: String
Specifies the OS Version of the image to be captured.
Type: String
Specifies the name of the resource group to create resources.
Type: String
Specifies the security type of the image to be captured.
Type: String
Specifies the name of the storage account where assets will be downloaded from and used during the image process.
Type: String
Specifies the storage endpoint of the target storage account.
Type: String
Specifies the subnet of the virtual network to be used during the image process.
Type: String
Specifies the tenant type used in the target environment.
Type: String
AllowedValues: 'Commercial', 'DepartmentOfDefense','GovernmentCommunityCloud','GovernmentCommunityCloudHigh'
Specifies the object ID of the managed identity used during deployment.
Type: String
Specifies the virtual network name of the vNet used during the image process.
Type: String
Specifies the name of the virtual machine to be captuired.
Type: String
Specifies the size of the the virtual machine to be captuired.
Type: String
- Add additional applications by adding addtional blocks of installers in module image.bicep
- Any blob called will have to be uploaded to the storage account and container that are defined in the parameter set
- Using the enabled argument will allow the installer to be modular and flexible during image creation
var installers = [
{
name: 'myapp1'
blobName: 'software1.exe'
arguments: '/S'
enabled: true
}
{
name: 'myapp2'
blobName: 'software2.exe'
arguments: '/S'
enabled: false
}
]
The applications are installed using the Run Command extension on the Azure virtual machine. To the view and troubleshoot the status of a Run Command use the example below:
PS C:\git\ztaimage> $x = Get-AzVMRunCommand -ResourceGroupName rg-image -VMName vm-image -RunCommandName office -Expand InstanceView
PS C:\git\ztaimage> $x.InstanceView
ExecutionState : Running
ExecutionMessage :
ExitCode : 0
Output :
Error :
StartTime : 8/2/2023 2:14:27 PM
EndTime :
Statuses :