How to publish custom guest configuration package artifacts
Before you begin, it's a good idea to read the overview page for guest configuration.
Guest configuration custom .zip packages must be stored in a location that is accessible via HTTPS by the managed machines. Examples include GitHub repositories, an Azure Repo, Azure storage, or a web server within your private datacenter.
Configuration packages that support Audit
and AuditandSet
are published the
same way. There isn't a need to do anything special during publishing based on
the package mode.
Publish a configuration package
The preferred location to store a configuration package is Azure Blob Storage. There are no special requirements for the storage account, but it's a good idea to host the file in a region near your machines. If you prefer to not make the package public, you can include a SAS token in the URL or implement a service endpoint for machines in a private network.
If you don't have a storage account, use the following example to create one.
# Creates a new resource group, storage account, and container
New-AzResourceGroup -name myResourceGroupName -Location ChinaNorth
New-AzStorageAccount -ResourceGroupName myResourceGroupName -Name mystorageaccount -SkuName 'Standard_LRS' -Location 'chinanorth' | New-AzStorageContainer -Name guestconfiguration -Permission Blob
To publish your configuration package to Azure blob storage, you can follow the below steps which leverages the Az.Storage module.
First, obtain the context of the storage account in which the package will be stored. This example creates a context by specifying a connection string and saves the context in the variable $Context.
$Context = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=ContosoGeneral;AccountKey=< Storage Key for ContosoGeneral ends with == >;"
Next, add the configuration package to the storage account. This example uploads the zip file ./MyConfig.zip to the blob "guestconfiguration".
Set-AzStorageBlobContent -Container "guestconfiguration" -File ./MyConfig.zip -Blob "guestconfiguration" -Context $Context
Optionally, you can add a SAS token in the URL, this ensures that the content package will be accessed securely. The below example generates a blob SAS token with full blob permission and returns the full blob URI with the shared access signature token.
$contenturi = New-AzStorageBlobSASToken -Context $Context -FullUri -Container guestconfiguration -Blob "guestconfiguration" -Permission rwd
Next steps
- Test the package artifact from your development environment.
- Use the
GuestConfiguration
module to create an Azure Policy definition for at-scale management of your environment. - Assign your custom policy definition using Azure portal.
- Learn how to view compliance details for guest configuration policy assignments.