Azure DSC deployment using a JSON template

There’s a couple of ways to do DSC on Azure, you can deploy a template and use the DSC extension resource to deploy DSC configuration to your VM (simple for quick simple deployments), or you can leverage Azure Automation as a DSC Pull server (subject of this blog), where you store all your DSC configuration scripts, MOF files and manage all your DSC nodes, to see drift, compliance etc.

This blog post discusses my github repo, which:

  • Deploys an Azure VM
  • Deploys a vNet into a separate Resource Group (Cross Resource Group Deployment), a resource group used for shared resources
  • Leverages the Custom Script extension which runs a script as the local computer account at the time of deployment. This script copies a script from the artifcats location to the local C:\ drive to be used as a user logon script. The DSC sets up a scheduled task to call the script at the time of any user logon.
  • This blog post:
    • leverages the DSC extension to run the configuration on the VM. The JSON template also feeds parameter values into a DSC configuration script via the DSC extension
  • My other blog post
    • leverages the DSC extension only to register the VM with the Azure Automation pull server in order for DSC to run the configuration on the VM.

Note, this blog post focuses on my Github repo where I have full repo of a working demo of deploying a VM to Azure using an ARM (Azure Resource Manager) based JSON template along with further configuration with the Windows OS itself using Configuration as Code, my favourite is PowerShell DSC (Desired State Configuration).

Before moving on, you should be somewhat familiar with all the GIT, VS Code, Fork, Branch, Push, Commit, Clone terms as well as have all the tools – to get started setting up all the tooling to start using VS Code & GIT, my other blog post walks you through setting up all the tooling you need. Do this and have a play, it’s seriously addictive.

Back to this, as for my GitHub repo, you should:

  • Fork my repo to your own GitHub account from GitHub’s website.
  • Using Github desktop, clone your newly forked repository to your local computer.2018-07-23_2258
  • Then open the repository in VS Code Open Folder

Source Files – artifacts

Source Files / Build Files / Artifacts used in the process of DSC configuration has always been a challenge. Where to place them centrally so they’re accessible for all deployments. Source files can be other scripts, files, or software packages to install on your machines.

The best place I have found to store source files is in the local repo folder itself as part of the ARM deployment. At the time of deployment, all the files/folders will be uploaded as artifacts to a temporary blob storage account and a necessary blog storage SAS token is created automatically along with parameters, $artifacts & $artifactsSasToken.

Keys, passwords & Secrets – Azure Key Vault

Sensitive information like passwords etc or Software licence keys used as part of a DSC initiated software installation, you would need to store these in Azure’s Key Vault.

Create a Key Vault of you don’t have one already. Then for the purpose of this blog, add the two secrets below, adding your own values.


To allow Azure services to be able to access Azure Key Vault, you’ll need to open it up to allow access.

Logon to same as your Azure logon. Navigate through the levels to where your Key Vault is located…. Subscriptions > {Your Subscription} > resourceGroups > {Your Resource Group} > providers > vaults……

Select your Key Vault, then on the right select both ReadWrite & Edit.


At the very bottom, change the 3 items to say ‘true‘, then press the PUT button at the top to apply the settings.


How are these passwords & secrets accessed by using a JSON template?

To create two parameters adminPassword & VNCKey as per my GIT repo, in the parameters section at the top of WindowsVirtualMachine.json, add in these parameters.


In the WindowsVirtualMachine.parameters.json file, add the same parameters while referencing the Secret name & Resource ID of your Key Vault.



This template in this blog post has the ability to import in a .PFX certificate.


Certificates are also kept in Azure’s Key Vault under Certificates.


Simply export a .PFX (Private Key) certificate from your computer.


Then upload this certificate to Azure’s Key Vault.


You need to then click on the newly imported certificate in Azure Key Vault, then copy the Secret Identifier to the clipboard of your computer.


Changes to the JSON Template

Make sure you have the local copy of the GitHub repo folder open in VS Code….


Select the JSON template, in VS Code you need to run through all the parameters at the top and in the parameters file, change the settings as you see fit to suite your environment. For instance the Azure Automation parameters.

You also need to change specifically the Secret Identifier as per the step above.


Once you’re happy everything looks good | Save, commit the file locally, then sync to your GitHub repo.

Deployment – Setup a Build definition in VSTS

You need to use VSTS to do the deployment of your GitHub repo JSON template to Azure. For the Build Definition in VSTS, use the GitHub repo as the source, this will be the same GitHub repo you forked from me, your own GitHub account.


You want to start with an empty pipeline:


Add both Azure Resource Group DeploymentAzure PowerShell tasks and configure the obvious stuff along with the not so obvious stuff as per further below.


Configure Azure Resource Group Deployment as per:



Configure Azure PowerShell as per:

Script Path:


Script Arguments:

-ResourceGroupName 'RG-Name-ChangeThis' -ResourceGroupLocation 'australiaeast' -TemplateFile '$(Build.SourcesDirectory)\WindowsVirtualMachine.json' -TemplateParametersFile '$(Build.SourcesDirectory)\WindowsVirtualMachine.parameters.json' -UploadArtifacts -ArtifactStagingDirectory '$(Build.SourcesDirectory)'

That’s it, go and hit build.

Azure PowerShell

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: