From 63f28ff3d424c993b96b2c0b6354ecc4a0745c3d Mon Sep 17 00:00:00 2001 From: Dany Contreras <78437433+danycontre@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:30:05 -0400 Subject: [PATCH] Adding feature to control antimalware extension on VMs (#681) * updates * updates * updates * updates * updates --- .../deployNewSessionHostsToHostPools.json | 10 +++++++- workload/arm/deploy-baseline.json | 25 ++++++++++++++++--- .../brownfield/newSessionHosts/deploy.bicep | 5 +++- ...ew-session-hosts.parameters.all.bicepparam | 2 ++ .../new-session-hosts.parameters.all.json | 3 +++ workload/bicep/deploy-baseline.bicep | 4 +++ .../modules/avdSessionHosts/deploy.bicep | 7 ++++-- ...loy-baseline-parameters-example.bicepparam | 2 ++ .../deploy-baseline-parameters-example.json | 3 +++ workload/docs/deploy-baseline.md | 1 + .../brownfield/portalUiNewSessionHosts.json | 9 +++++++ workload/portal-ui/portal-ui-baseline.json | 9 +++++++ 12 files changed, 72 insertions(+), 8 deletions(-) diff --git a/workload/arm/brownfield/deployNewSessionHostsToHostPools.json b/workload/arm/brownfield/deployNewSessionHostsToHostPools.json index f46cbbbf1..f5b7b3040 100644 --- a/workload/arm/brownfield/deployNewSessionHostsToHostPools.json +++ b/workload/arm/brownfield/deployNewSessionHostsToHostPools.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "2465926344295153346" + "templateHash": "7861484256086051414" } }, "parameters": { @@ -413,6 +413,13 @@ "metadata": { "description": "Data collection rule ID." } + }, + "deployAntiMalwareExt": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Deploys anti malware extension on session hosts. (Default: true)" + } } }, "variables": { 
@@ -5307,6 +5314,7 @@ "name": "sessionHostsAntimalwareExtension", "count": "[length(range(1, parameters('count')))]" }, + "condition": "[parameters('deployAntiMalwareExt')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('SH-Antimal-{0}-{1}', sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]", diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json index 8fe7db7be..65314ae69 100644 --- a/workload/arm/deploy-baseline.json +++ b/workload/arm/deploy-baseline.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "14398112227498582260" + "templateHash": "5937057250547040463" }, "name": "AVD Accelerator - Baseline Deployment", "description": "AVD Accelerator - Deployment Baseline", @@ -936,6 +936,13 @@ "metadata": { "description": "Enable purge protection for the keyvaults. (Default: true)" } + }, + "deployAntiMalwareExt": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Deploys anti malware extension on session hosts. (Default: true)" + } } }, "variables": { 
@@ -30390,7 +30397,10 @@ "value": "[parameters('avdDeployMonitoring')]" }, "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]", - "dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]" + "dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]", + "deployAntiMalwareExt": { + "value": "[parameters('deployAntiMalwareExt')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", @@ -30399,7 +30409,7 @@ "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "17246082322388360155" + "templateHash": "16948281966398873853" } }, "parameters": { @@ -30653,7 +30663,7 @@ "deployMonitoring": { "type": "bool", "metadata": { - "description": "Deploy AVD monitoring resources and setings. (Default: true)" + "description": "Deploy AVD monitoring resources and setings." } }, "time": { @@ -30668,6 +30678,12 @@ "metadata": { "description": "Data collection rule ID." } + }, + "deployAntiMalwareExt": { + "type": "bool", + "metadata": { + "description": "Deploys anti malware extension on session hosts." + } } }, "variables": { 
@@ -34411,6 +34427,7 @@ "name": "sessionHostsAntimalwareExtension", "count": "[length(range(1, parameters('count')))]" }, + "condition": "[parameters('deployAntiMalwareExt')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('SH-Antimal-{0}-{1}-{2}', parameters('batchId'), sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]", diff --git a/workload/bicep/brownfield/newSessionHosts/deploy.bicep b/workload/bicep/brownfield/newSessionHosts/deploy.bicep index 59feb1ad8..acd7bdcfa 100644 --- a/workload/bicep/brownfield/newSessionHosts/deploy.bicep +++ b/workload/bicep/brownfield/newSessionHosts/deploy.bicep @@ -206,6 +206,9 @@ param ownerTag string = 'workload-owner@Contoso.com' @sys.description('Data collection rule ID.') param dataCollectionRuleId string +@sys.description('Deploys anti malware extension on session hosts. (Default: true)') +param deployAntiMalwareExt bool = true + // =========== // // Variable declaration // // =========== // @@ -382,7 +385,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice }] // Add antimalware extension to session host. -module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): { +module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) { scope: resourceGroup('${computeSubscriptionId}', '${computeRgResourceGroupName}') name: 'SH-Antimal-${i - 1}-${time}' params: { diff --git a/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam b/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam index 3b940eca9..88f558b4f 100644 --- a/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam 
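Review bot: The `if (deployAntiMalwareExt)` guard on the `sessionHostsAntimalwareExtension` loop in `newSessionHosts/deploy.bicep` is the one place the opt-out takes effect, yet the comment directly above it, `// Add antimalware extension to session host.`, still reads as unconditional; I would change it to `// Add antimalware extension to session host (skipped when deployAntiMalwareExt is false).` so a reader sees that a security control can be absent here. Nothing visible in this hunk records that the extension was skipped, so an operator who turns it off gets no signal in the deployment itself; a short comment is the minimum, and a deployment output reflecting the value would be better. If any later module or `dependsOn` references this module array, it has to tolerate the condition being false — that is outside the hunk, so please confirm. The module body continues past the end of the hunk.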
+++ b/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam @@ -51,4 +51,6 @@ param workloadCriticalityCustomValueTag = 'Contoso-Critical' param workloadSlaTag = 'Contoso-SLA' param opsTeamTag = 'workload-admins@Contoso.com' param ownerTag = 'workload-owner@Contoso.com' +param deployAntiMalwareExt = true + diff --git a/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json b/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json index d6f7a2985..607b82c12 100644 --- a/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json +++ b/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json @@ -121,6 +121,9 @@ }, "osImage": { "value": "win11_23h2" + }, + "deployAntiMalwareExt": { + "value": true } } } \ No newline at end of file diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index 5fa3cbcf5..9f6feb90c 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep @@ -483,6 +483,9 @@ param enableTelemetry bool = true @sys.description('Enable purge protection for the keyvaults. (Default: true)') param enableKvPurgeProtection bool = true +@sys.description('Deploys anti malware extension on session hosts. (Default: true)') +param deployAntiMalwareExt bool = true + // =========== // // Variable declaration // // =========== // @@ -1522,6 +1525,7 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [ : alaExistingWorkspaceResourceId) : '' dataCollectionRuleId: avdDeployMonitoring ? monitoringDiagnosticSettings.outputs.dataCollectionRuleId : '' + deployAntiMalwareExt: deployAntiMalwareExt } dependsOn: [ fslogixAzureFilesStorage diff --git a/workload/bicep/modules/avdSessionHosts/deploy.bicep b/workload/bicep/modules/avdSessionHosts/deploy.bicep index d6ba0f603..01ac1b0cd 100644 
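Review bot: The `@sys.description` for the new `deployAntiMalwareExt` parameter in `deploy-baseline.bicep` only says that it deploys the extension, but setting it to `false` removes a security control from every session host and the description is where an operator reads that consequence. I would write `@sys.description('Deploys the Azure VM antimalware extension on session hosts. Disable only when the session host image already carries equivalent endpoint protection, as no other setting in this template replaces it. (Default: true)')`, and use the same wording for the brownfield parameter added in the previous hunk. The `true` default and the explicit `true` in both parameter files are the right fail-closed choice; keeping the description honest about the opt-out is the missing piece.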
--- a/workload/bicep/modules/avdSessionHosts/deploy.bicep +++ b/workload/bicep/modules/avdSessionHosts/deploy.bicep @@ -127,7 +127,7 @@ param tags object @sys.description('Log analytics workspace for diagnostic logs.') param alaWorkspaceResourceId string -@sys.description('Deploy AVD monitoring resources and setings. (Default: true)') +@sys.description('Deploy AVD monitoring resources and setings.') param deployMonitoring bool @sys.description('Do not modify, used to set unique value for resource deployment.') @@ -136,6 +136,9 @@ param time string = utcNow() @sys.description('Data collection rule ID.') param dataCollectionRuleId string +@sys.description('Deploys anti malware extension on session hosts.') +param deployAntiMalwareExt bool + // =========== // // Variable declaration // // =========== // @@ -243,7 +246,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice }] // Add antimalware extension to session host. -module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): { +module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) { scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}') name: 'SH-Antimal-${batchId}-${i - 1}-${time}' params: { diff --git a/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam b/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam index 7e911bb8a..c476567e8 100644 --- a/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam +++ b/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam @@ -66,3 +66,5 @@ param enableAcceleratedNetworking = true param diskEncryptionKeyExpirationInDays = 60 param diskZeroTrust = false param deployGpuPolicies = false +param deployVmssFlex = true +param deployAntiMalwareExt = true 
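Review bot: In `modules/avdSessionHosts/deploy.bicep` the module-level `param deployAntiMalwareExt bool` has no default, which matches the sibling `deployMonitoring` parameter and the description edit that drops its stale "(Default: true)" in the same diff, so every caller must now pass the value explicitly — the `deploy-baseline.bicep` call site in this patch does, but any other caller of this module outside the diff will fail validation until it is updated. The comment above the conditional loop, `// Add antimalware extension to session host.`, should state the condition the same way as in the brownfield module: `// Add antimalware extension to session host (skipped when deployAntiMalwareExt is false).`. The loop body continues past the end of the hunk.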
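Review bot: The `deploy-baseline-parameters-example.bicepparam` hunk adds `param deployVmssFlex = true` alongside the antimalware parameter, which is outside the scope stated in the commit subject. The JSON example in the next file already carries `deployVmssFlex`, so this looks like the bicepparam example catching up rather than a behaviour change, but it is worth a line in the commit description or a separate commit so the two example files are reviewed as staying in sync deliberately.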
diff --git a/workload/bicep/parameters/deploy-baseline-parameters-example.json b/workload/bicep/parameters/deploy-baseline-parameters-example.json index de8229595..5bb4ee37b 100644 --- a/workload/bicep/parameters/deploy-baseline-parameters-example.json +++ b/workload/bicep/parameters/deploy-baseline-parameters-example.json @@ -211,6 +211,9 @@ }, "deployVmssFlex": { "value": true + }, + "deployAntiMalwareExt": { + "value": true } } } diff --git a/workload/docs/deploy-baseline.md b/workload/docs/deploy-baseline.md index 61cdebd83..d9f7d4551 100644 --- a/workload/docs/deploy-baseline.md +++ b/workload/docs/deploy-baseline.md 
@@ -43,6 +43,7 @@ - **VM count** - Select the number of session hosts to deploy. - **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and higher SLA. - **Zero trust disk configuration** - Check the box to enable the zero trust configuration on the session host disks to ensure all the disks are encrypted, the OS and data disks are protected with double encryption with a customer managed key, and network access is disabled. + - **Enable Antimalware extension** - Enables Azure VM antimalware extension on session hosts - **Enable accelerated networking** - Check the box to ensure the network traffic on the session hosts is offloaded to the network interface to enhance performance. This feature is free and available as long a supported VM SKU and [OS](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview?tabs=redhat#supported-operating-systems) is chosen. To check whether a VM size supports Accelerated Networking, see [Sizes for virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes). This feature is recommended as it will decrease CPU utilization for networking (offloading to NIC) and increase network performance/throughput to Azure VMs and Services, like Azure Files. - **OS image source** - Select a marketplace image or an image from Azure Compute Gallery (Custom image build deployment will create images in compute gallery). - **OS version or image** - Choose the OS version or desired image from the Azure compute gallery. diff --git a/workload/portal-ui/brownfield/portalUiNewSessionHosts.json b/workload/portal-ui/brownfield/portalUiNewSessionHosts.json index 569cfdba2..315aa117d 100644 --- a/workload/portal-ui/brownfield/portalUiNewSessionHosts.json +++ b/workload/portal-ui/brownfield/portalUiNewSessionHosts.json 
@@ -614,6 +614,14 @@ "label": "Enable vTPM", "defaultValue": true, "toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets." + }, + { + "name": "enableAntiMalwareExt", + "type": "Microsoft.Common.CheckBox", + "visible": true, + "label": "Enable Antimalware extension", + "defaultValue": true, + "toolTip": "Enables Azure VM antimalware extension on session hosts." } ] } @@ -1166,6 +1174,7 @@ "securityType": "[steps('sessionHosts').sessionHostsSecuritySection.securityType]", "secureBootEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled]", "vTpmEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled]", + "deployAntiMalwareExt": "[steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt]", "configureFslogix": "[steps('storage').fslogixConfiguration]", "fslogixStorageAccountName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountSelector.id, '')]", "fslogixFileShareName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountFileShare, '')]", diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json index 68e50d332..6c6096da1 100644 --- a/workload/portal-ui/portal-ui-baseline.json +++ b/workload/portal-ui/portal-ui-baseline.json @@ -874,6 +874,14 @@ "label": "Enable vTPM", "defaultValue": true, "toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets." + }, + { + "name": "enableAntiMalwareExt", + "type": "Microsoft.Common.CheckBox", + "visible": true, + "label": "Enable Antimalware extension", + "defaultValue": true, + "toolTip": "Enables Azure VM antimalware extension on session hosts." } ] } 
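Review bot: The new `enableAntiMalwareExt` checkbox in `portalUiNewSessionHosts.json` (and the identical one in `portal-ui-baseline.json`) sits in the security section next to Secure Boot and vTPM, but its tooltip, `Enables Azure VM antimalware extension on session hosts.`, does not tell the person unchecking it what they lose. I would change it to `"toolTip": "Enables the Azure VM antimalware extension on session hosts. Leave enabled unless the session host image already provides equivalent endpoint protection."` in both files. The `defaultValue: true` and the direct pass-through to `deployAntiMalwareExt` in the outputs are fine; the wording is the only thing I would change.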
@@ -2401,6 +2409,7 @@ "securityType": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.securityType, 'Standard')]", "secureBootEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled, false)]", "vTpmEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled, false)]", + "deployAntiMalwareExt": "[if(equals(steps('sessionHosts').deploySessionHosts, true), steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt, true)]", "avdImageTemplateDefinitionId": "[if(equals(steps('sessionHosts').sessionHostsOsSection.sessionHostsImageSource, true), steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage.id, 'no')]", "avdSessionHostDiskType": "[steps('sessionHosts').sessionHostsSettingsSection.sessionHostDiskType]", "enableAcceleratedNetworking": "[steps('sessionHosts').sessionHostsSettingsSection.acceleratedNetworking]",