Adding feature to control antimalware extension on VMs (#681)

* updates * updates * updates * updates * updates
Azure · Oct 10, 2024 · 63f28ff · 63f28ff
1 parent dad3d7b
commit 63f28ff
Show file tree

Hide file tree

Showing 12 changed files with 72 additions and 8 deletions.
diff --git a/workload/arm/brownfield/deployNewSessionHostsToHostPools.json b/workload/arm/brownfield/deployNewSessionHostsToHostPools.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "2465926344295153346"
+      "templateHash": "7861484256086051414"
     }
   },
   "parameters": {
@@ -413,6 +413,13 @@
       "metadata": {
         "description": "Data collection rule ID."
       }
+    },
+    "deployAntiMalwareExt": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Deploys anti malware extension on session hosts. (Default: true)"
+      }
     }
   },
   "variables": {
@@ -5307,6 +5314,7 @@
         "name": "sessionHostsAntimalwareExtension",
         "count": "[length(range(1, parameters('count')))]"
       },
+      "condition": "[parameters('deployAntiMalwareExt')]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2022-09-01",
       "name": "[format('SH-Antimal-{0}-{1}', sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]",

diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "14398112227498582260"
+      "templateHash": "5937057250547040463"
     },
     "name": "AVD Accelerator - Baseline Deployment",
     "description": "AVD Accelerator - Deployment Baseline",
@@ -936,6 +936,13 @@
       "metadata": {
         "description": "Enable purge protection for the keyvaults. (Default: true)"
       }
+    },
+    "deployAntiMalwareExt": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Deploys anti malware extension on session hosts. (Default: true)"
+      }
     }
   },
   "variables": {
@@ -30390,7 +30397,10 @@
             "value": "[parameters('avdDeployMonitoring')]"
           },
           "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]",
-          "dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]"
+          "dataCollectionRuleId": "[if(parameters('avdDeployMonitoring'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.dataCollectionRuleId.value), createObject('value', ''))]",
+          "deployAntiMalwareExt": {
+            "value": "[parameters('deployAntiMalwareExt')]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
@@ -30399,7 +30409,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "17246082322388360155"
+              "templateHash": "16948281966398873853"
             }
           },
           "parameters": {
@@ -30653,7 +30663,7 @@
             "deployMonitoring": {
               "type": "bool",
               "metadata": {
-                "description": "Deploy AVD monitoring resources and setings. (Default: true)"
+                "description": "Deploy AVD monitoring resources and setings."
               }
             },
             "time": {
@@ -30668,6 +30678,12 @@
               "metadata": {
                 "description": "Data collection rule ID."
               }
+            },
+            "deployAntiMalwareExt": {
+              "type": "bool",
+              "metadata": {
+                "description": "Deploys anti malware extension on session hosts."
+              }
             }
           },
           "variables": {
@@ -34411,6 +34427,7 @@
                 "name": "sessionHostsAntimalwareExtension",
                 "count": "[length(range(1, parameters('count')))]"
               },
+              "condition": "[parameters('deployAntiMalwareExt')]",
               "type": "Microsoft.Resources/deployments",
               "apiVersion": "2022-09-01",
               "name": "[format('SH-Antimal-{0}-{1}-{2}', parameters('batchId'), sub(range(1, parameters('count'))[copyIndex()], 1), parameters('time'))]",

diff --git a/workload/bicep/brownfield/newSessionHosts/deploy.bicep b/workload/bicep/brownfield/newSessionHosts/deploy.bicep
@@ -206,6 +206,9 @@ param ownerTag string = '[email protected]'
 @sys.description('Data collection rule ID.')
 param dataCollectionRuleId string
 
+@sys.description('Deploys anti malware extension on session hosts. (Default: true)')
+param deployAntiMalwareExt bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -382,7 +385,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice
 }]
 
 // Add antimalware extension to session host.
-module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): {
+module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) {
   scope: resourceGroup('${computeSubscriptionId}', '${computeRgResourceGroupName}')
   name: 'SH-Antimal-${i - 1}-${time}'
   params: {

diff --git a/...d/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam b/...d/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.bicepparam
@@ -51,4 +51,6 @@ param workloadCriticalityCustomValueTag = 'Contoso-Critical'
 param workloadSlaTag = 'Contoso-SLA'
 param opsTeamTag = '[email protected]'
 param ownerTag = '[email protected]'
+param deployAntiMalwareExt = true
+
 
diff --git a/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json b/workload/bicep/brownfield/newSessionHosts/parameters/new-session-hosts.parameters.all.json
@@ -121,6 +121,9 @@
         }, 
         "osImage": {
             "value": "win11_23h2"
+        },
+        "deployAntiMalwareExt": {
+            "value": true
         }
     }
 }
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -483,6 +483,9 @@ param enableTelemetry bool = true
 @sys.description('Enable purge protection for the keyvaults. (Default: true)')
 param enableKvPurgeProtection bool = true
 
+@sys.description('Deploys anti malware extension on session hosts. (Default: true)')
+param deployAntiMalwareExt bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -1522,6 +1525,7 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [
             : alaExistingWorkspaceResourceId)
         : ''
       dataCollectionRuleId: avdDeployMonitoring ? monitoringDiagnosticSettings.outputs.dataCollectionRuleId : ''
+      deployAntiMalwareExt: deployAntiMalwareExt
     }
     dependsOn: [
       fslogixAzureFilesStorage

diff --git a/workload/bicep/modules/avdSessionHosts/deploy.bicep b/workload/bicep/modules/avdSessionHosts/deploy.bicep
@@ -127,7 +127,7 @@ param tags object
 @sys.description('Log analytics workspace for diagnostic logs.')
 param alaWorkspaceResourceId string
 
-@sys.description('Deploy AVD monitoring resources and setings. (Default: true)')
+@sys.description('Deploy AVD monitoring resources and setings.')
 param deployMonitoring bool
 
 @sys.description('Do not modify, used to set unique value for resource deployment.')
@@ -136,6 +136,9 @@ param time string = utcNow()
 @sys.description('Data collection rule ID.')
 param dataCollectionRuleId string
 
+@sys.description('Deploys anti malware extension on session hosts.')
+param deployAntiMalwareExt bool
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -243,7 +246,7 @@ module sessionHosts '../../../../avm/1.0.0/res/compute/virtual-machine/main.bice
 }]
 
 // Add antimalware extension to session host.
-module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): {
+module sessionHostsAntimalwareExtension '../../../../avm/1.0.0/res/compute/virtual-machine/extension/main.bicep' = [for i in range(1, count): if (deployAntiMalwareExt) {
     scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}')
     name: 'SH-Antimal-${batchId}-${i - 1}-${time}'
     params: {

diff --git a/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam b/workload/bicep/parameters/deploy-baseline-parameters-example.bicepparam
@@ -66,3 +66,5 @@ param enableAcceleratedNetworking = true
 param diskEncryptionKeyExpirationInDays = 60
 param diskZeroTrust = false
 param deployGpuPolicies = false
+param deployVmssFlex = true
+param deployAntiMalwareExt = true
diff --git a/workload/bicep/parameters/deploy-baseline-parameters-example.json b/workload/bicep/parameters/deploy-baseline-parameters-example.json
@@ -211,6 +211,9 @@
         },
         "deployVmssFlex": {
             "value": true
+        },
+        "deployAntiMalwareExt": {
+            "value": true
         }
     }
 }
diff --git a/workload/docs/deploy-baseline.md b/workload/docs/deploy-baseline.md
@@ -43,6 +43,7 @@
   - **VM count** - Select the number of session hosts to deploy.
   - **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and higher SLA.
   - **Zero trust disk configuration** - Check the box to enable the zero trust configuration on the session host disks to ensure all the disks are encrypted, the OS and data disks are protected with double encryption with a customer managed key, and network access is disabled.
+  - **Enable Antimalware extension** -  Enables Azure VM antimalware extension on session hosts
   - **Enable accelerated networking** - Check the box to ensure the network traffic on the session hosts is offloaded to the network interface to enhance performance. This feature is free and available as long a supported VM SKU and [OS](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview?tabs=redhat#supported-operating-systems) is chosen. To check whether a VM size supports Accelerated Networking, see [Sizes for virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes). This feature is recommended as it will decrease CPU utilization for networking (offloading to NIC) and increase network performance/throughput to Azure VMs and Services, like Azure Files.
   - **OS image source** - Select a marketplace image or an image from Azure Compute Gallery (Custom image build deployment will create images in compute gallery).
   - **OS version or image** - Choose the OS version or desired image from the Azure compute gallery.

diff --git a/workload/portal-ui/brownfield/portalUiNewSessionHosts.json b/workload/portal-ui/brownfield/portalUiNewSessionHosts.json
@@ -614,6 +614,14 @@
                                     "label": "Enable vTPM",
                                     "defaultValue": true,
                                     "toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets."
+                                },
+                                {
+                                    "name": "enableAntiMalwareExt",
+                                    "type": "Microsoft.Common.CheckBox",
+                                    "visible": true,
+                                    "label": "Enable Antimalware extension",
+                                    "defaultValue": true,
+                                    "toolTip": "Enables Azure VM antimalware extension on session hosts."
                                 }
                             ]
                         }
@@ -1166,6 +1174,7 @@
                 "securityType": "[steps('sessionHosts').sessionHostsSecuritySection.securityType]",
                 "secureBootEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled]",
                 "vTpmEnabled": "[steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled]",
+                "deployAntiMalwareExt": "[steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt]",
                 "configureFslogix": "[steps('storage').fslogixConfiguration]",
                 "fslogixStorageAccountName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountSelector.id, '')]",
                 "fslogixFileShareName": "[if(steps('storage').fslogixConfiguration, steps('storage').storageFslogix.fslogixStorageAccountFileShare, '')]",

diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json
@@ -874,6 +874,14 @@
                                     "label": "Enable vTPM",
                                     "defaultValue": true,
                                     "toolTip": "Virtual Trusted Platform Module (vTPM) is TPM2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets."
+                                },
+                                {
+                                    "name": "enableAntiMalwareExt",
+                                    "type": "Microsoft.Common.CheckBox",
+                                    "visible": true,
+                                    "label": "Enable Antimalware extension",
+                                    "defaultValue": true,
+                                    "toolTip": "Enables Azure VM antimalware extension on session hosts."
                                 }
                             ]
                         }
@@ -2401,6 +2409,7 @@
                 "securityType": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.securityType, 'Standard')]",
                 "secureBootEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.secureBootEnabled, false)]",
                 "vTpmEnabled": "[if(and(or(contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'win11'), contains(steps('sessionHosts').sessionHostsOsSection.sessionHostsOsImage, 'g2')), empty(steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage)), steps('sessionHosts').sessionHostsSecuritySection.vTpmEnabled, false)]",
+                "deployAntiMalwareExt": "[if(equals(steps('sessionHosts').deploySessionHosts, true), steps('sessionHosts').sessionHostsSecuritySection.enableAntiMalwareExt, true)]",
                 "avdImageTemplateDefinitionId": "[if(equals(steps('sessionHosts').sessionHostsOsSection.sessionHostsImageSource, true), steps('sessionHosts').sessionHostsOsSection.sessionHostsComputeGalleryImage.id, 'no')]",
                 "avdSessionHostDiskType": "[steps('sessionHosts').sessionHostsSettingsSection.sessionHostDiskType]",
                 "enableAcceleratedNetworking": "[steps('sessionHosts').sessionHostsSettingsSection.acceleratedNetworking]",