PowerShell How-To

How To Create and Invoke Your First DSC Configuration in Azure

Using Azure Automation DSC gives administrators the same benefits of PowerShell DSC, but with some bonus tooling.

• By Adam Bertram
• 02/14/2018

Introduced with PowerShell v4, Desired State Configuration (DSC) was a significant shift in the way that changes are made with PowerShell. Administrators now could declare configuration declaratively rather than procedurally to make changes to their environment.

Although DSC is a powerful tool, Microsoft didn't include much tooling around it. Microsoft has traditionally said that DSC is a platform, rather than a toolset.

Microsoft recognized the benefit, however, of DSC and saw that this technology could be leveraged in the cloud with Azure. Although PowerShell DSC wouldn't work quite right in Azure, another team took on the responsibility to create a different "version" of DSC called Azure Automation DSC. This DSC implementation would provide the same benefits of PowerShell DSC but also give administrators some tooling around DSC such as the pull server.

Integrating DSC into Azure and creating some management tooling around it transformed DSC into something that was easier to use and worked great in the Azure cloud environment.

Automation Automation DSC works with Azure Infrastructure as a Service (IaaS) virtual machines (VMs), so we'll need to create one if you don't have one already. I have a VM created called LABDC that I will use for this demonstration. Also, you will need an Azure Automation account to perform all of these tasks. You will also need to have that VM onboarded with Azure Automation DSC first.

The DSC Configuration
We need a DSC configuration to apply to our Azure node. For demonstration purposes, we'll use this small script that enables the XPS-Viewer Windows feature and save it as C:\Temp\AddWindowsFeature.ps1.

```PowerShell configuration AddWindowsFeatures { Import-DscResource -ModuleName PSDesiredStateConfiguration
Node 'localhost'
{
    WindowsFeature $_
    {
        Ensure = 'Present'
        Name = $_
    }
}
} ```

Sending the DSC Configuration to Azure
Next, we'll need to send the DSC configuration we'd like to apply to the VM up to Azure Automation DSC. We can do this using the Import-AzureRmAutomationDscConfiguration command. Below, I'm using the Azure Automation account I have previously created and specifying the path to the DSC configuration script.

$params = @{
    AutomationAccountName = 'adamautomation'
    ResourceGroupName = 'Group'
    SourcePath = 'C:\Temp\AddWindowsFeatures.ps1'
    Published = $true
    Force = $true
}

$null = Import-AzureRmAutomationDscConfiguration @params

Starting the DSC Compilation Job
Once the DSC configuration is on the Azure Automation DSC pull server, I then need to build an MOF file for our node. This is done in the background using the Start-AzureRmAutomationDscCompilationJob command.

$compParams = @{
    AutomationAccountName = 'adamautomation'
    ResourceGroupName = 'Group'
    ConfigurationName = 'AddWindowsFeatures'
}
$CompilationJob = Start-AzureRmAutomationDscCompilationJob @compParams

## Wait for the DSC compile
while($CompilationJob.EndTime -eq $null -and $CompilationJob.Exception -eq $null)
{
    $CompilationJob = $CompilationJob | Get-AzureRmAutomationDscCompilationJob
    Start-Sleep -Seconds 3
}

Notice that I have another step in this process below the compilation job above. Because the compilation job takes a little bit and the Start-AzureRmAutomationDscCompilationJob command immediately returns to the console even if not finished, I've chosen to incorporate my own Wait functionality by checking the compilation job's status every three seconds until finished. By doing this, I can ensure that no further action is taken until the compilation job is complete.

Assigning the DSC Configuration to the Node
Once the MOF has been created on the pull server, we now need to assign the DSC configuration to the node. We do this using the Set-AzureRmAutomationDscNode command. This sets up the link between our Azure VM and the DSC configuration we'd like to apply to it.

$nodeId = (Get-AzureRmAutomationDscNode -AutomationAccountName 'adamautomation' -ResourceGroupName 'Group' -Name $azrVmName).Id
$nodeParams = @{
    NodeConfigurationName = "AddWindowsFeatures.LABDC"
    ResourceGroupName = 'Group'
    Id = $nodeId
    AutomationAccountName = 'adamautomation'
    Force = $true
}
$node = Set-AzureRmAutomationDscNode @nodeParams

Invoking the new DSC Configuration
At this point, we could wait until the Azure VM pulls the new DSC configuration itself, but I'm impatient, so let's go ahead and force it to pull the new configuration right away. Because the VM is public, I'll need to get the public IP address to connect via PowerShell remoting. Since it's also in a workgroup, I have to configure my local system to trust the VM's public IP address. Once this is done, I can connect via PowerShell remoting and update the DSC configuration.

## Find the public IP of the VM
$vm = Get-AzureRmVm -Name 'LABDC' -ResourceGroupName 'Group'
$ipAddress = (Get-AzureRmPublicIpAddress -ResourceGroupName 'Group' -Name "LABDC-ip").IpAddress

## Since the VM isn't in the same domain, need to trust it to connect via PS Remoting
Set-Item -Path wsman:\localhost\Client\TrustedHosts -Value $ipAddress -Force

## Create the credential with the local administrator username and password of the VM
$adminUsername = $vm.osProfile.AdminUsername
$adminPwd = ConvertTo-SecureString 'localadminpasswordhere' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($adminUsername, $adminPwd)

## Force the DSC update to run with Update-DscConfiguration
Invoke-Command -ComputerName $ipAddress -ScriptBlock { Update-DscConfiguration -Wait -Verbose } -Credential $cred

Once this finishes, our LABDC VM will have the XPS-Viewer Windows feature installed!