4
votes

I am deploying a resource group by using the Azure REST API and supplying the ARM templates. In the virtual machine resource, I have an extension that is of type DSC. The code snippet is as follows:

    {
      "resources": [
        {
          "name": "[concat(variables('VMName'),'/SetupScript')]",
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "location": "[parameters('DNSLocation')]",
          "apiVersion": "2015-05-01-preview",
          "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('VMName'))]"
          ],
          "tags": {
            "displayName": "SetupScript"
          },
          "properties": {
            "publisher": "Microsoft.Powershell",
            "type": "DSC",
            "typeHandlerVersion": "1.7",
            "settings": {
              "modulesUrl": "[variables('SetupScriptConfigurationFile')]",
              "sasToken": "",
              "configurationFunction": "[variables('SetupScriptConfigurationFunction')]",
              "properties": {
                "DomainName": "[parameters('DomainName')]",
                "DomainAdminUsername": "[parameters('VMAdminUsername')]",
                "DomainAdminPassword": "[parameters('VMAdminPassword')]"
              }
            },
            "protectedSettings": {

            }
          }
        }
      ]
    }

The DSC configuration that is being called is shown below:

    Configuration DNSConfig
    {
        param
        (
            [string]$NodeName ='localhost',
            [Parameter(Mandatory=$true)][string]$DomainName,
            [Parameter(Mandatory=$true)][string]$DomainAdminUsername,
            [Parameter(Mandatory=$true)][string]$DomainAdminPassword
        )

        #Import the required DSC Resources
        Import-DscResource -Module xComputerManagement
        Import-DscResource -Module xActiveDirectory

        $securePassword = ConvertTo-SecureString -AsPlainText $DomainAdminPassword -Force;
        $DomainAdminCred = New-Object System.Management.Automation.PSCredential($DomainAdminUsername, $securePassword);

        Node $NodeName
        { #ConfigurationBlock

            WindowsFeature DSCService {
                Name = "DSC-Service"
                Ensure = "Present"
                IncludeAllSubFeature = $true
            }

            WindowsFeature ADDSInstall
            {
                Ensure = 'Present'
                Name = 'AD-Domain-Services'
                IncludeAllSubFeature = $true
            }

            WindowsFeature RSATTools
            {
                DependsOn= '[WindowsFeature]ADDSInstall'
                Ensure = 'Present'
                Name = 'RSAT-AD-Tools'
                IncludeAllSubFeature = $true
            }

            xADDomain SetupDomain {
                DomainName= $DomainName
                DomainAdministratorCredential= $DomainAdminCred
                SafemodeAdministratorPassword= $DomainAdminCred
                DependsOn='[WindowsFeature]RSATTools'
            }
        #End Configuration Block
        }
    }

When I run the DSC script locally, to successfully generate the MOF file for this DSC script, I need to pass in a hashtable for the ConfigurationData like so:

    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName                    = '*'
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

    DNSConfig -ConfigurationData $ConfigData -DomainName "mydomain.com" ...

My problem now is that I want to pass this type of ConfigurationData through the ARM template that I showed first. Is it even possible? If not, then how should I set the ConfigurationData of the DSC script that is executed by the VM extension?

Thanks!


2 Answers

3
votes

To pass your configuration data to the DSC Extension you need to save it to a *.psd1 file, for example:

    C:\ PS> Get-Content C:\ConfigurationData.psd1
    @{
        AllNodes = @(
            @{
                NodeName                    = '*'
                PSDscAllowPlainTextPassword = $true
            }
        )
    }

Then upload this file to a location accessible from your VM and pass the URI in the protected settings of your template:

    "protectedSettings": {
        "DataBlobUri": "https://.../ConfigurationData.psd1"
    }

Two suggestions not related to your original question:

  • Version 1.7 of the DSC Extension may produce intermittent errors during some ARM deployments. I would suggest taking a look at Version 2.0.

  • You may want to encrypt passwords instead of using PSDscAllowPlainTextPassword. The DSC Extension uses encryption certificates already deployed to the VM by Azure, so setting up encryption is very simple. More information here

1
votes

This has changed with newer versions; see the documentation.

In a nutshell, the psd1 now has to be located at the same level as the rest of the configuration elements, and the SAS token goes under the protected settings section.

    "settings": {
      "configurationData": {
        "url": "https://foo.psd1"
      }
    },
    "protectedSettings": {
      "configurationDataUrlSasToken": "?dataAcC355T0k3N"
    }
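Both answers place sensitive values (the configuration data URI, the SAS token) under `protectedSettings`, which Azure encrypts, whereas the extension's `settings` block is stored in clear text. The following check flags secret-looking values left in a DSC extension's public `settings`; it is an added example, not part of the original posts, and the name pattern, the function names and the sample template (modelled on the question's snippet, with a placeholder URL) are assumptions made for illustration.

```python
import json
import re

# Heuristic for secret-looking setting names (an assumption of this example).
SECRET_NAME = re.compile(r"password|secret|sastoken", re.IGNORECASE)


def walk_resources(resources):
    """Yield every resource, including ones nested under a parent's "resources"."""
    for res in resources:
        yield res
        yield from walk_resources(res.get("resources", []))


def find_public_secrets(template):
    """Return sorted (extension name, path) pairs for secrets in public DSC settings."""
    findings = []
    for res in walk_resources(template.get("resources", [])):
        props = res.get("properties", {})
        is_ext = res.get("type", "").lower().split("/")[-1] == "extensions"
        if not (is_ext and props.get("type") == "DSC"):
            continue
        stack = [("settings", props.get("settings", {}))]
        while stack:
            path, node = stack.pop()
            for key, value in node.items():
                here = f"{path}.{key}"
                if isinstance(value, dict):
                    stack.append((here, value))  # descend into nested settings
                elif SECRET_NAME.search(key) and value not in ("", None):
                    findings.append((res.get("name"), here))
    return sorted(findings)


# Constructed sample modelled on the question's template (URL is a placeholder).
SAMPLE = json.loads("""
{"resources": [{
  "name": "vm1/SetupScript",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "properties": {"publisher": "Microsoft.Powershell", "type": "DSC",
    "settings": {
      "modulesUrl": "https://example.invalid/DNSConfig.zip",
      "sasToken": "",
      "properties": {
        "DomainAdminUsername": "[parameters('VMAdminUsername')]",
        "DomainAdminPassword": "[parameters('VMAdminPassword')]"}},
    "protectedSettings": {}}}]}
""")
print(find_public_secrets(SAMPLE))
```

Only `settings` is scanned: values under `protectedSettings` are where secrets are expected to be, and an empty `sasToken` is not reported.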