Adding feature to control antimalware extension on VMs #681

Merged
merged 5 commits into from
Oct 10, 2024
10 changes: 9 additions & 1 deletion workload/arm/brownfield/deployNewSessionHostsToHostPools.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "2465926344295153346"
"templateHash": "7861484256086051414"
}
},
"parameters": {
Expand Down Expand Up @@ -413,6 +413,13 @@
"metadata": {
"description": "Data collection rule ID."
}
},
"deployAntiMalwareExt": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Deploys anti malware extension on session hosts. (Default: true)"
}
}
},
"variables": {
Expand Down Expand Up @@ -5307,6 +5314,7 @@
"name": "sessionHostsAntimalwareExtension",
"count": "[length(range(1, parameters('count')))]"
},
"condition": "[parameters('deployAntiMalwareExt')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('SH-Antimal-{0}-{1}', sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]",
25 changes: 21 additions & 4 deletions workload/arm/deploy-baseline.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "14398112227498582260"
"templateHash": "5937057250547040463"
},
"name": "AVD Accelerator - Baseline Deployment",
"description": "AVD Accelerator - Deployment Baseline",
Expand Down Expand Up @@ -936,6 +936,13 @@
"metadata": {
"description": "Enable purge protection for the keyvaults. (Default: true)"
}
},
"deployAntiMalwareExt": {
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Deploys anti malware extension on session hosts. (Default: true)"
}
}
},
"variables": {
Expand Down Expand Up @@ -30390,7 +30397,10 @@
"value": "[parameters('avdDeployMonitoring')]"
},
"alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]",
"dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]"
"dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]",
"deployAntiMalwareExt": {
"value": "[parameters('deployAntiMalwareExt')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
Expand All @@ -30399,7 +30409,7 @@
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "17246082322388360155"
"templateHash": "16948281966398873853"
}
},
"parameters": {
Expand Down Expand Up @@ -30653,7 +30663,7 @@
"deployMonitoring": {
"type": "bool",
"metadata": {
"description": "Deploy AVD monitoring resources and setings. (Default: true)"
"description": "Deploy AVD monitoring resources and setings."
}
},
"time": {
Expand All @@ -30668,6 +30678,12 @@
"metadata": {
"description": "Data collection rule ID."
}
},
"deployAntiMalwareExt": {
"type": "bool",
"metadata": {
"description": "Deploys anti malware extension on session hosts."
}
}
},
"variables": {
Expand Down Expand Up @@ -34411,6 +34427,7 @@
"name": "sessionHostsAntimalwareExtension",
"count": "[length(range(1, parameters('count')))]"
},
"condition": "[parameters('deployAntiMalwareExt')]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('SH-Antimal-{0}-{1}-{2}', parameters('batchId'), sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]",
5 changes: 4 additions & 1 deletion workload/bicep/brownfield/newSessionHosts/deploy.bicep
Expand Up @@ -206,6 +206,9 @@ param ownerTag string = '[email protected]'
@sys.description('Data collection rule ID.')
param dataCollectionRuleId string

@sys.description('Deploys anti malware extension on session hosts. (Default: true)')
param deployAntiMalwareExt bool = true

// =========== //
// Variable declaration //
// =========== //
Expand Down Expand Up @@ -382,7 +385,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice
}]

// Add antimalware extension to session host.
module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): {
module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) {
scope: resourceGroup('${computeSubscriptionId}', '${computeRgResourceGroupName}')
name: 'SH-Antimal-${i - 1}-${time}'
params: {
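Review bot: The comment `// Add antimalware extension to session host.` above the module loop no longer describes the `if (deployAntiMalwareExt)` filter added to the `sessionHostsAntimalwareExtension` line, so a reader skimming the file will not see that the extension can be skipped; `// Add antimalware extension to session host (skipped when deployAntiMalwareExt is false).` keeps it accurate. The description on `param deployAntiMalwareExt bool = true` could also state what opting out means for the hosts, e.g. `@sys.description('Deploys the antimalware extension on session hosts; set to false only when endpoint protection is provided by another mechanism. (Default: true)')`. The same comment/filter pair appears in workload/bicep/modules/avdSessionHosts/deploy.bicep. The module body continues past the end of the hunk.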
Expand Up @@ -51,4 +51,6 @@ param workloadCriticalityCustomValueTag = 'Contoso-Critical'
param workloadSlaTag = 'Contoso-SLA'
param opsTeamTag = '[email protected]'
param ownerTag = '[email protected]'
param deployAntiMalwareExt = true


Expand Up @@ -121,6 +121,9 @@
},
"osImage": {
"value": "win11_23h2"
},
"deployAntiMalwareExt": {
"value": true
}
}
}
4 changes: 4 additions & 0 deletions workload/bicep/deploy-baseline.bicep
Expand Up @@ -483,6 +483,9 @@ param enableTelemetry bool = true
@sys.description('Enable purge protection for the keyvaults. (Default: true)')
param enableKvPurgeProtection bool = true

@sys.description('Deploys anti malware extension on session hosts. (Default: true)')
param deployAntiMalwareExt bool = true

// =========== //
// Variable declaration //
// =========== //
Expand Down Expand Up @@ -1522,6 +1525,7 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [
: alaExistingWorkspaceResourceId)
: ''
dataCollectionRuleId: avdDeployMonitoring ? monitoringDiagnosticSettings.outputs.dataCollectionRuleId : ''
deployAntiMalwareExt: deployAntiMalwareExt
}
dependsOn: [
fslogixAzureFilesStorage
7 changes: 5 additions & 2 deletions workload/bicep/modules/avdSessionHosts/deploy.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ param tags object
@sys.description('Log analytics workspace for diagnostic logs.')
param alaWorkspaceResourceId string

@sys.description('Deploy AVD monitoring resources and setings. (Default: true)')
@sys.description('Deploy AVD monitoring resources and setings.')
param deployMonitoring bool

@sys.description('Do not modify, used to set unique value for resource deployment.')
Expand All @@ -136,6 +136,9 @@ param time string = utcNow()
@sys.description('Data collection rule ID.')
param dataCollectionRuleId string

@sys.description('Deploys anti malware extension on session hosts.')
param deployAntiMalwareExt bool

// =========== //
// Variable declaration //
// =========== //
Expand Down Expand Up @@ -243,7 +246,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice
}]

// Add antimalware extension to session host.
module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): {
module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) {
scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}')
name: 'SH-Antimal-${batchId}-${i - 1}-${time}'
params: {
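Review bot: Turning `sessionHostsAntimalwareExtension` into a filtered loop means none of those module deployments exist when `deployAntiMalwareExt` is false; if anything later in this file lists that module in a `dependsOn` or reads one of its outputs, that reference now has to tolerate the empty case, which cannot be confirmed from the hunk. Since `param deployAntiMalwareExt bool` carries no default here (matching `deployMonitoring`), every caller must pass it explicitly — the baseline wiring in this PR does, but other callers of this module would fail to compile until updated. The module body continues past the end of the hunk.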
Expand Up @@ -66,3 +66,5 @@ param enableAcceleratedNetworking = true
param diskEncryptionKeyExpirationInDays = 60
param diskZeroTrust = false
param deployGpuPolicies = false
param deployVmssFlex = true
param deployAntiMalwareExt = true
Expand Up @@ -211,6 +211,9 @@
},
"deployVmssFlex": {
"value": true
},
"deployAntiMalwareExt": {
"value": true
}
}
}
1 change: 1 addition & 0 deletions workload/docs/deploy-baseline.md
Expand Up @@ -43,6 +43,7 @@
- **VM count** - Select the number of session hosts to deploy.
- **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and higher SLA.
- **Zero trust disk configuration** - Check the box to enable the zero trust configuration on the session host disks to ensure all the disks are encrypted, the OS and data disks are protected with double encryption with a customer managed key, and network access is disabled.
- **Enable Antimalware extension** - Enables Azure VM antimalware extension on session hosts
- **Enable accelerated networking** - Check the box to ensure the network traffic on the session hosts is offloaded to the network interface to enhance performance. This feature is free and available as long a supported VM SKU and [OS](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview?tabs=redhat#supported-operating-systems) is chosen. To check whether a VM size supports Accelerated Networking, see [Sizes for virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes). This feature is recommended as it will decrease CPU utilization for networking (offloading to NIC) and increase network performance/throughput to Azure VMs and Services, like Azure Files.
- **OS image source** - Select a marketplace image or an image from Azure Compute Gallery (Custom image build deployment will create images in compute gallery).
- **OS version or image** - Choose the OS version or desired image from the Azure compute gallery.
9 changes: 9 additions & 0 deletions workload/portal-ui/brownfield/portalUiNewSessionHosts.json
Expand Up @@ -614,6 +614,14 @@
"label": "Enable vTPM",
"defaultValue": true,
"toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets."
},
{
"name": "enableAntiMalwareExt",
"type": "Microsoft.Common.CheckBox",
"visible": true,
"label": "Enable Antimalware extension",
"defaultValue": true,
"toolTip": "Enables Azure VM antimalware extension on session hosts."
}
]
}
Expand Down Expand Up @@ -1166,6 +1174,7 @@
"securityType": "[steps('sessionHosts').sessionHostsSecuritySection.securityType]",
"secureBootEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled]",
"vTpmEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled]",
"deployAntiMalwareExt": "[steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt]",
"configureFslogix": "[steps('storage').fslogixConfiguration]",
"fslogixStorageAccountName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountSelector.id, '')]",
"fslogixFileShareName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountFileShare, '')]",
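Review bot: The new checkbox's tooltip `"Enables Azure VM antimalware extension on session hosts."` says what checking it does but not what unchecking leaves the operator with, unlike the neighbouring vTPM tooltip, which explains the protection provided; `"toolTip": "Deploys the Azure VM antimalware extension on each session host. Unchecking leaves the hosts without this extension, so another endpoint protection solution should be in place."` makes the opt-out an informed one. The control is named `enableAntiMalwareExt` while the output it feeds is `deployAntiMalwareExt`, whereas the adjacent pairs use one name on both sides (`secureBootEnabled`, `vTpmEnabled`); using the same name for control and output would match that convention. The same control and tooltip appear in workload/portal-ui/portal-ui-baseline.json, whose output additionally falls back to true when session hosts are not deployed.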
9 changes: 9 additions & 0 deletions workload/portal-ui/portal-ui-baseline.json
Expand Up @@ -874,6 +874,14 @@
"label": "Enable vTPM",
"defaultValue": true,
"toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets."
},
{
"name": "enableAntiMalwareExt",
"type": "Microsoft.Common.CheckBox",
"visible": true,
"label": "Enable Antimalware extension",
"defaultValue": true,
"toolTip": "Enables Azure VM antimalware extension on session hosts."
}
]
}
Expand Down Expand Up @@ -2401,6 +2409,7 @@
"securityType": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.securityType, 'Standard')]",
"secureBootEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled, false)]",
"vTpmEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled, false)]",
"deployAntiMalwareExt": "[if(equals(steps('sessionHosts').deploySessionHosts, true), steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt, true)]",
"avdImageTemplateDefinitionId": "[if(equals(steps('sessionHosts').sessionHostsOsSection.sessionHostsImageSource, true), steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage.id, 'no')]",
"avdSessionHostDiskType": "[steps('sessionHosts').sessionHostsSettingsSection.sessionHostDiskType]",
"enableAcceleratedNetworking": "[steps('sessionHosts').sessionHostsSettingsSection.acceleratedNetworking]",