Question
I've found the solution after much testing; see the updates below.
I've got a bunch (a lot) of PaaS services sitting in Azure, and I need to install Microsoft Antimalware across the board.
"That's easy!" I hear you say, "Just call Set-AzureServiceAntimalwareExtension", and that's what I'm currently doing (after using Set-AzureServiceDiagnosticsExtension to enable Diagnostics), and it's very tedious as it has to update the whole service (twice if it's running a newer version of the SDK and diagnostics have moved to the service!).
Ideally, I would like to just bundle this into the service deployments, since we do that a lot, and messing about with deploying diagnostics and antimalware is just muddying the waters. From what I can tell, there is a parameter on the New-AzureDeployment/Set-AzureDeployment cmdlet that allows you to pass in an ExtensionConfiguration; in fact it's an array of configurations!
Does this mean I can pass in both the diagnostics and antimalware setup as part of a package deployment? It sounds crazy, and I like it, but can I get it to work? Not currently...
For the moment, this is my method for each service that needs it:
Set-AzureServiceDiagnosticsExtension -ServiceName $serviceName -DiagnosticsConfigurationPath $diagnosticConfig -StorageContext $storageContext
Set-AzureServiceAntimalwareExtension -ServiceName $serviceName -AntimalwareConfiguration $malwareConfig -StorageContext $storageContext
But it would be a lot easier to simply do this while we're already deploying/upgrading a deployment, something like:
$extensionConfiguration = New-AzureServiceExtensionConfig ... ?
Set-AzureDeployment -ServiceName $serviceName ... -ExtensionConfiguration $extensionConfiguration
Now it looks like we're getting closer, but New-AzureServiceExtensionConfig needs a bunch of params. ExtensionName and ProviderNamespace should be OK to work out (simply look at what is there from the current method), but what goes into the PublicConfiguration and PrivateConfiguration? I've got a .wadcfgx for the diagnostics, and an XML snippet for the Antimalware configuration; are these the public configs? I can see this is so for existing services, but PrivateConfiguration is required.
Update 1: I found how to add the Diagnostics as part of the package deploy, we get the keys, create a Storage Context, and pass this in with our .wadcfgx (which has no private config/StorageAccount defined in it):
$keys = Get-AzureStorageKey -StorageAccountName $storageAccount
$storageContext = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $keys.Primary
$serviceExtensionDiags = New-AzureServiceDiagnosticsExtensionConfig -StorageContext $storageContext -DiagnosticsConfigurationPath "C:\path\to\diagnostics.wadcfgx"
Then it's a matter of passing in the $serviceExtensionDiags created above to the package deployment step like this:
Set-AzureDeployment -Configuration $configPath -Package $packagePath -Upgrade -Label $label -ServiceName $serviceName -Slot "Production" -ExtensionConfiguration $serviceExtensionDiags
Update 2: The final piece of the puzzle, getting the Microsoft Antimalware installed as part of the deployment... I used a couple of here-strings, but YMMV:
$publicConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<AntimalwareConfig>
<AntimalwareEnabled>true</AntimalwareEnabled>
<RealtimeProtectionEnabled>true</RealtimeProtectionEnabled>
<ScheduledScanSettings isEnabled="true" day="1" time="60" scanType="Full" />
<Exclusions>
<Extensions>
<Extension></Extension>
</Extensions>
<Paths>
<Path></Path>
</Paths>
<Processes>
<Process></Process>
</Processes>
</Exclusions>
</AntimalwareConfig>
"@
$privateConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<PrivateConfig>
<StorageAccountName>xxx</StorageAccountName>
<StorageKey>yyy</StorageKey>
</PrivateConfig>
"@
$serviceExtensionMalware = New-AzureServiceExtensionConfig -ExtensionName "PaaSAntimalware" -ProviderNamespace "Microsoft.Azure.Security" -PublicConfiguration $publicConfig -PrivateConfiguration $privateConfig -Version 1.0
And finally to wrap it all up, we add the Malware config to our update deployment:
Set-AzureDeployment -Configuration $configPath -Package $packagePath -Upgrade -Label $label -ServiceName $serviceName -Slot "Production" -ExtensionConfiguration @($serviceExtensionDiags, $serviceExtensionMalware)
And we're done!
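The whole procedure from the two updates, wrapped into one function so it can be run over many services in a loop. This is an added example, not code from the original post. It assumes the legacy Azure Service Management PowerShell module (the Set-AzureDeployment and New-AzureServiceExtensionConfig cmdlets used above) is loaded and the account already added; the function name, parameter names and the service names in the loop are placeholders. The PrivateConfig is built with the XML API instead of a here-string so the real storage key is inserted escaped and never echoed; the empty Exclusions block from the post is omitted.

```powershell
# Added example: deploy a package with both Diagnostics and Antimalware extensions in one
# Set-AzureDeployment call. Assumes the legacy Azure (ASM) module; names are placeholders.
function Deploy-WithSecurityExtensions {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $StorageAccount,
        [Parameter(Mandatory)] [string] $WadCfgxPath,
        [string] $Label = "Deploy $(Get-Date -Format s)",
        [string] $Slot  = "Production"
    )

    # Read the storage key once; it is used for the diagnostics context and for the
    # antimalware PrivateConfig, and is never written to the console.
    $keys    = Get-AzureStorageKey -StorageAccountName $StorageAccount
    $context = New-AzureStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $keys.Primary

    $diagExt = New-AzureServiceDiagnosticsExtensionConfig -StorageContext $context -DiagnosticsConfigurationPath $WadCfgxPath

    # Public config carries no secrets, so a here-string is fine here.
    $publicConfig = @"
<?xml version="1.0" encoding="utf-8"?>
<AntimalwareConfig>
  <AntimalwareEnabled>true</AntimalwareEnabled>
  <RealtimeProtectionEnabled>true</RealtimeProtectionEnabled>
  <ScheduledScanSettings isEnabled="true" day="1" time="60" scanType="Full" />
</AntimalwareConfig>
"@

    # Private config built via System.Xml so the key is XML-escaped rather than string-pasted.
    $priv = New-Object System.Xml.XmlDocument
    $priv.AppendChild($priv.CreateXmlDeclaration("1.0", "utf-8", $null)) | Out-Null
    $root = $priv.AppendChild($priv.CreateElement("PrivateConfig"))
    $root.AppendChild($priv.CreateElement("StorageAccountName")).InnerText = $StorageAccount
    $root.AppendChild($priv.CreateElement("StorageKey")).InnerText = $keys.Primary

    $amExt = New-AzureServiceExtensionConfig -ExtensionName "PaaSAntimalware" -ProviderNamespace "Microsoft.Azure.Security" -PublicConfiguration $publicConfig -PrivateConfiguration $priv.OuterXml -Version 1.0

    # One upgrade per service, carrying both extension configs.
    Set-AzureDeployment -ServiceName $ServiceName -Slot $Slot -Upgrade -Package $PackagePath -Configuration $ConfigPath -Label $Label -ExtensionConfiguration @($diagExt, $amExt)
}

# Constructed list of services; replace with your own inventory.
foreach ($svc in @("svc-web-01", "svc-worker-01")) {
    Deploy-WithSecurityExtensions -ServiceName $svc -PackagePath ".\$svc.cspkg" -ConfigPath ".\$svc.cscfg" -StorageAccount "mydiagstorage" -WadCfgxPath ".\diagnostics.wadcfgx"
}
```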
Source: https://stackoverflow.com/questions/33420385/powershell-add-diagnostics-antimalware-to-azure-paas-cloud-service-using-extens