Onboard Update Management solution using Azure Resource Manager template

You can use Azure Resource Manager templates to enable the Azure Automation Update Management solution in your resource group. This article provides a sample template that automates the following:

  • Creation of an Azure Monitor Log Analytics workspace.
  • Creation of an Azure Automation account.
  • Linking the Automation account to the Log Analytics workspace, if not already linked.
  • Onboarding the Azure Automation Update Management solution.

The template does not automate the onboarding of one or more Azure or non-Azure VMs.

If you already have a Log Analytics workspace and an Automation account deployed in a supported region in your subscription, but they are not linked and the workspace does not yet have the Update Management solution deployed, this template creates the link and deploys the Update Management solution.

Note

The nxautomation user onboarded as part of Update Management on Linux executes only signed runbooks.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions on your Hybrid Runbook Worker, see Install the Azure PowerShell Module.

API versions

The following table lists the API versions for the resources used in this template.

Resource             Resource type   API version
Workspace            workspaces      2017-03-15-preview
Automation account   automation      2015-10-31
Solution             solutions       2015-11-01-preview

Before using the template

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell Az module. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install the Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure. With Azure PowerShell, deployment uses New-AzResourceGroupDeployment.

If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.1.0 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI. With Azure CLI, this deployment uses az group deployment create.

The JSON template is configured to prompt you for:

  • The name of the workspace
  • The region in which to create the workspace
  • The name of the Automation account
  • The region in which to create the account

The JSON template specifies a default value for the other parameters that are likely to be used for a standard configuration in your environment. You can store the template in an Azure storage account for shared access in your organization. For further information about working with templates, see Deploy resources with Resource Manager templates and Azure CLI.

The following parameters in the template are set with a default value for the Log Analytics workspace:

  • sku - defaults to the new Per-GB pricing tier released in the April 2018 pricing model
  • data retention - defaults to thirty days
  • capacity reservation - defaults to 100 GB

Warning

If you create or configure a Log Analytics workspace in a subscription that has opted in to the new April 2018 pricing model, the only valid Log Analytics pricing tier is PerGB2018.

If you are new to Azure Automation and Azure Monitor, it is important to understand the following configuration details in order to avoid errors when you create, configure, and use a Log Analytics workspace linked to your new Automation account.

  • Review Additional details to fully understand workspace configuration options, such as access control mode, pricing tier, retention, and capacity reservation level.

  • If you are new to Azure Monitor logs and have not deployed a workspace already, you should review the workspace design guidance to learn about access control, and understand the design implementation strategies we recommend for your organization.

Deploy template

  1. Copy and paste the following JSON syntax into your file:

    {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspaceName": {
            "type": "string",
            "metadata": {
                "description": "Workspace name"
            }
        },
        "sku": {
            "type": "string",
            "allowedValues": [
                "pergb2018",
                "Free",
                "Standalone",
                "PerNode",
                "Standard",
                "Premium"
            ],
            "defaultValue": "pergb2018",
            "metadata": {
                "description": "Pricing tier: perGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
            }
        },
        "dataRetention": {
            "type": "int",
            "defaultValue": 30,
            "minValue": 7,
            "maxValue": 730,
            "metadata": {
                "description": "Number of days of retention. Workspaces in the legacy Free pricing tier can only have 7 days."
            }
        },
        "immediatePurgeDataOn30Days": {
            "type": "bool",
            "defaultValue": "[bool('false')]",
            "metadata": {
                "description": "If set to true when changing retention to 30 days, older data will be immediately deleted. Use this with extreme caution. This only applies when retention is being set to 30 days."
            }
        },
        "location": {
            "type": "string",
            "metadata": {
                "description": "Specifies the location in which to create the workspace."
            }
        },
        "automationAccountName": {
            "type": "string",
            "metadata": {
                "description": "Automation account name"
            }
        },
        "automationAccountLocation": {
            "type": "string",
            "metadata": {
                "description": "Specify the location in which to create the Automation account."
            }
        }
    },
    "variables": {
        "Updates": {
            "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]",
            "galleryName": "Updates"
        }
    },
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces",
            "name": "[parameters('workspaceName')]",
            "apiVersion": "2017-03-15-preview",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {
                    "Name": "[parameters('sku')]",
                    "name": "CapacityReservation",
                    "capacityReservationLevel": 100
                },
                "retentionInDays": "[parameters('dataRetention')]",
                "features": {
                    "searchVersion": 1,
                    "legacy": 0,
                    "enableLogAccessUsingOnlyResourcePermissions": true
                }
            },
            "resources": [
                {
                    "apiVersion": "2015-11-01-preview",
                    "location": "[resourceGroup().location]",
                    "name": "[variables('Updates').name]",
                    "type": "Microsoft.OperationsManagement/solutions",
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').name)]",
                    "dependsOn": [
                        "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                    ],
                    "properties": {
                        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
                    },
                    "plan": {
                        "name": "[variables('Updates').name]",
                        "publisher": "Microsoft",
                        "promotionCode": "",
                        "product": "[concat('OMSGallery/', variables('Updates').galleryName)]"
                    }
                }
            ]
        },
        {
            "type": "Microsoft.Automation/automationAccounts",
            "apiVersion": "2015-01-01-preview",
            "name": "[parameters('automationAccountName')]",
            "location": "[parameters('automationAccountLocation')]",
            "dependsOn": [],
            "tags": {},
            "properties": {
                "sku": {
                    "name": "Basic"
                }
            }
        },
        {
            "apiVersion": "2015-11-01-preview",
            "type": "Microsoft.OperationalInsights/workspaces/linkedServices",
            "name": "[concat(parameters('workspaceName'), '/' , 'Automation')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
                "[concat('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]"
            ],
            "properties": {
                "resourceId": "[resourceId('Microsoft.Automation/automationAccounts/', parameters('automationAccountName'))]"
            }
        }
    ]
    }
    
  2. Edit the template to meet your requirements. Consider creating a Resource Manager parameters file instead of passing parameters as inline values.

  3. Save this file to a local folder as deployUMSolutiontemplate.json.

  4. You are ready to deploy this template. You can use either PowerShell or the Azure CLI. When you're prompted for a workspace and Automation account name, provide a name that is globally unique across all Azure subscriptions.

    PowerShell

    New-AzResourceGroupDeployment -Name <deployment-name> -ResourceGroupName <resource-group-name> -TemplateFile deployUMSolutiontemplate.json
    

    Azure CLI

    az group deployment create --resource-group <my-resource-group> --name <my-deployment-name> --template-file deployUMSolutiontemplate.json
    

    The deployment can take a few minutes to complete. When it finishes, you see a message similar to the following that includes the result:

    [Image: example result when the deployment is complete]
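
An added pre-deployment check, not part of the original article or of Microsoft's tooling: the Python function below reads a template as text and reports property names that differ only by letter case within one object (as in the workspace sku block above), declared parameters that no expression references, and apiVersion values that differ from the API versions table. SAMPLE is a constructed, reduced excerpt of the template above; lint_template, TABLE_API and the finding strings are names chosen for this example.

```python
import json

# API versions from the article's table, keyed by full resource type.
TABLE_API = {
    "Microsoft.OperationalInsights/workspaces": "2017-03-15-preview",
    "Microsoft.Automation/automationAccounts": "2015-10-31",
    "Microsoft.OperationsManagement/solutions": "2015-11-01-preview",
}

def lint_template(text):
    """Return a list of findings for an ARM template given as JSON text."""
    findings = []
    def check_keys(pairs):
        # Called once per JSON object: flag keys that differ only by letter case.
        seen = {}
        for key, _ in pairs:
            if key.lower() in seen:
                findings.append(f"key collision: {seen[key.lower()]} / {key}")
            seen.setdefault(key.lower(), key)
        return dict(pairs)

    template = json.loads(text, object_pairs_hook=check_keys)
    # A declared parameter never read as parameters('name') has no effect on deployment.
    for name in template.get("parameters", {}):
        if f"parameters('{name}')".lower() not in text.lower():
            findings.append(f"unused parameter: {name}")

    # Walk top-level and nested resources, comparing apiVersion with the table.
    queue = list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        queue.extend(res.get("resources", []))
        want = TABLE_API.get(res.get("type"))
        if want and res.get("apiVersion") != want:
            findings.append(f"{res['type']}: apiVersion {res.get('apiVersion')}, table lists {want}")
    return findings

# Constructed excerpt of the template above, reduced to what the checks read.
SAMPLE = """{
 "parameters": {"sku": {"type": "string"}, "immediatePurgeDataOn30Days": {"type": "bool"}},
 "resources": [
  {"type": "Microsoft.OperationalInsights/workspaces", "apiVersion": "2017-03-15-preview",
   "properties": {"sku": {"Name": "[parameters('sku')]", "name": "CapacityReservation"}}},
  {"type": "Microsoft.Automation/automationAccounts", "apiVersion": "2015-01-01-preview"}
 ]
}"""

if __name__ == "__main__":
    print("\n".join(lint_template(SAMPLE)))
```

To check a saved template, pass the contents of deployUMSolutiontemplate.json to lint_template and review each finding before deploying.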

Next steps

Now that you have the Update Management solution deployed, you can enable VMs for management, review update assessments, and deploy updates to bring them into compliance.

  • Enable one or more Azure machines from your Azure Automation account, and enable non-Azure machines manually.

  • Enable a single Azure VM from the virtual machine page in the Azure portal.

  • Enable multiple Azure VMs by selecting them from the Virtual machines page in the Azure portal.