How to enable Update Management for an Azure Automation Account programmatically?

Question

I'm currently using Terraform and bits of Powershell to automate all of my infrastructure and I'm seeking a fully automated means to configure update management for all of my VMs. I'm able to deploy the Automation Account, Log Analytics Workspace, and a linked service resource to manage the connection between the two. However, I'm unable to enable the update management service on the Auto Account.

Is there any automatable means (ps, tf, api, etc.) by which I can simply enable update management for my automation account?

Answer 1

as far as I understand this is what you need:

{
    "type": "Microsoft.OperationalInsights/workspaces",
    "name": "[variables('namespace')]",
    "apiVersion": "2017-03-15-preview",
    "location": "[resourceGroup().location]",
    "properties": {
        "sku": {
            "name": "Standalone"
        }
    },
    "resources": [
        {
            "name": "Automation", # this onboards automation to oms, which is what you need
            "type": "linkedServices",
            "apiVersion": "2015-11-01-preview",
            "dependsOn": [
                "[variables('automation')]",
                "[variables('namespace')]"
            ],
            "properties": {
                "resourceId": "[resourceId('Microsoft.Automation/automationAccounts/', variables('automation'))]"
            }
        }
    ]
},
{
    "type": "Microsoft.Automation/automationAccounts",
    "name": "[variables('automation')]",
    "apiVersion": "2015-10-31",
    "location": "[resourceGroup().location]",
    "properties": {
        "sku": {
            "name": "OMS"
        }
    }
},
{
    "type": "Microsoft.OperationsManagement/solutions", # this install update management solution, you probably need this for update management
    "name": "[concat(variables('solutions')[copyIndex()],'(', variables('namespace'), ')')]",
    "apiVersion": "2015-11-01-preview",
    "location": "[resourceGroup().location]",
    "copy": {
        "name": "solutions",
        "count": "[length(variables('solutions'))]"
    },
    "plan": {
        "name": "[concat(variables('solutions')[copyIndex()], '(', variables('namespace'), ')')]",
        "promotionCode": "",
        "product": "[concat('OMSGallery/', variables('solutions')[copyIndex()])]",
        "publisher": "Microsoft"
    },
    "properties": {
        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('namespace'))]"
    },
    "dependsOn": [
        "[variables('namespace')]"
    ]
}

here's the variable I'm using to define solutions to be installed:

"solutions": [
    "AlertManagement",
    "Updates",
    "Security"
]

Basically you can map this to api calls 1-to-1

Answer 2

Here is a Terraform module that creates an automation account, creates a link to a log analytics workspace (workspace Id passed in in this example) and then adds the required update management and/or change tracking workspace solutions to the workspace.

This module was built using Terraform 0.11.13 with AzureRM provider version 1.28.0.

# Create the automation account
resource "azurerm_automation_account" "aa" {
  resource_group_name = "${var.resource_group_name}"
  location            = "${var.location}"
  name = "${var.name}"

  sku {
    name = "${var.sku}"
  }

  tags = "${var.tags}"
}


# Link automation account to a Log Analytics Workspace.
# Only deployed if enable_update_management and/or enable_change_tracking are/is set to true
resource "azurerm_log_analytics_linked_service" "law_link" {
  count               = "${var.enable_update_management || var.enable_change_tracking ? 1 : 0}"
  resource_group_name = "${var.resource_group_name}"
  workspace_name      = "${element(split("/", var.log_analytics_workspace_id), length(split("/", var.log_analytics_workspace_id)) - 1)}"
  linked_service_name = "automation"
  resource_id         = "${azurerm_automation_account.aa.id}"
}


# Add Updates workspace solution to log analytics if enable_update_management is set to true.
# Adding this solution to the log analytics workspace, combined with above linked service resource enables update management for the automation account.
resource "azurerm_log_analytics_solution" "law_solution_updates" {
  count                 = "${var.enable_update_management}"
  resource_group_name   = "${var.resource_group_name}"
  location              = "${var.location}"

  solution_name         = "Updates"
  workspace_resource_id = "${var.log_analytics_workspace_id}"
  workspace_name        = "${element(split("/", var.log_analytics_workspace_id), length(split("/", var.log_analytics_workspace_id)) - 1)}"

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/Updates"
  }
}


# Add Updates workspace solution to log analytics if enable_change_tracking is set to true.
# Adding this solution to the log analytics workspace, combined with above linked service resource enables Change Tracking and Inventory for the automation account.
resource "azurerm_log_analytics_solution" "law_solution_change_tracking" {
  count                 = "${var.enable_change_tracking}"
  resource_group_name   = "${var.resource_group_name}"
  location              = "${var.location}"

  solution_name         = "ChangeTracking"
  workspace_resource_id = "${var.log_analytics_workspace_id}"
  workspace_name        = "${element(split("/", var.log_analytics_workspace_id), length(split("/", var.log_analytics_workspace_id)) - 1)}"

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ChangeTracking"
  }
}


# Send logs to Log Analytics
# Required for automation account with update management and/or change tracking enabled.
# Optional on automation accounts used of other purposes.
resource "azurerm_monitor_diagnostic_setting" "aa_diags_logs" {
  count                      = "${var.enable_logs_collection || var.enable_update_management || var.enable_change_tracking ? 1 : 0}"
  name                       = "LogsToLogAnalytics"
  target_resource_id         = "${azurerm_automation_account.aa.id}"
  log_analytics_workspace_id = "${var.log_analytics_workspace_id}"

  log {
    category = "JobLogs"
    enabled  = true

    retention_policy {
      enabled = false
    }
  }

  log {
    category = "JobStreams"
    enabled  = true

    retention_policy {
      enabled = false
    }
  }

  log {
    category = "DscNodeStatus"
    enabled  = true

    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"
    enabled = false

    retention_policy {
      enabled = false
    }
  }
}


# Send metrics to Log Analytics
resource "azurerm_monitor_diagnostic_setting" "aa_diags_metrics" {
  count                      = "${var.enable_metrics_collection || var.enable_update_management || var.enable_change_tracking ? 1 : 0}"
  name                       = "MetricsToLogAnalytics"
  target_resource_id         = "${azurerm_automation_account.aa.id}"
  log_analytics_workspace_id = "${var.metrics_log_analytics_workspace_id}"

    log {
    category = "JobLogs"
    enabled  = false

    retention_policy {
      enabled = false
    }
  }

  log {
    category = "JobStreams"
    enabled  = false

    retention_policy {
      enabled = false
    }
  }

  log {
    category = "DscNodeStatus"
    enabled  = false

    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"
    enabled = true

    retention_policy {
      enabled = false
    }
  }
}