Skip to main content

ALZ Windows and Linux Virtual Machine patching facility

The ALZ patch repository here contains Terraform code that allows spoke owners to create patch schedules (hereafter referred to as maintenance configurations) to patch their Windows and Linux Operating System based Virtual Machines hosted in Azure.

Overview of the technology can be found here.

Warning Only follow the process below if you want control over your update scheduling. To let Azure manage the patching of your VMs then just ensure the patch orchestration mode is set to `Azure Managed - Safe Deployment` in the `Azure Update Manager` blade. If this is set, you can stop right here, your updates are being scheduled and controlled by the Azure platform and do not need further configuration.

Pre-requisites

The VMs to be added to the maintenance configurations will need to have their patch orchestration mode set to Customer Managed Schedules. As a spoke owner you will have access to the Azure Update Manager blade in Azure Portal to set this patch mode for VMs in your Spoke.

Warning If you do not configure this, the maintenance configurations you define will have no effect

Also note, If you have used Azure Landing Zone VM Module here to create the VMs, they are set to be Azure Managed - Safe Deployment for automatic patching.

Quick-Start

  • Clone this repository and create a new branch.
  • Make amendments to the relevant files (fully explained below).
  • Open a PR against main
  • Wait for a member of the ALZ team to approve and deploy.

The Maintenance setup consists of two elements:

  • One or more Maintenance (patch) configurations
    • Defines the schedule settings e.g. Start time, recurring interval and patch classifications to deploy per application or in any other way as deemed appropriate by spoke owners.
  • One or more Virtual Machines
    • The VMs to apply the defined schedule to!
      • Both Windows and Linux Vms can be added to the same maintenance configuration if they are subjected to the same patch timings.

Add a new Maintenance Configuration

It is recommended to configure the maintenance configurations per MOJ Patch guidelines laid out here.

To add a new maintenance configuration, an entry can be added to the appropriate maintenance configuration block in the relevant maintenance_config.auto.tfvars file.

Each ALZ Spoke/Workload has a dedicated maintenance_config.auto.tfvars per environment.

As an example, to add a maintenance configuration for a group of virtual machines contained within the EUCS Production Subscription, the correct maintenance_config.auto.tfvars would be located at terraform/environments/prod/eucs/maintenance_config.auto.tfvars.

To add a maintenance configuration for virtual machines located in the Hub subscription in the Development environment, the correct file would be terraform/environments/dev/hub/maintenance_config.auto.tfvars.

The maintenance configuration object contains several configurable settings - changing reboot setting, picking the patch dates, choosing patch types i.e. critical , security etc…

Add virtual machines to the Maintenance Configuration

The next step is to add the virtual machines into the appropriate maintenance configurations. This will associate the VM’s to the maintenance configuration. We can add one or more virutal machines by editing the relevant maintenance_config.auto.tfvars file. The virtual machines are nested inside the maintenance configuration thereby linking the two.

As an example, to add the virtual machines of EUCS Production Subscription, the correct maintenance_config.auto.tfvars would be located at terraform/environments/prod/eucs/maintenance_config.auto.tfvars.

Onboarding and ALZ Support

We’re gradually expanding this repository to cover more Spokes and environments but this is based on demand. If your Spoke/Environment is missing i.e. there’s no folder for it, or the folder is empty then please get in touch with the ALZ team.

Example Usage

I have two Windows VMs in the Testing subscription in the Development environment namely vmtest01 and vmtest02.

These vms already have the patch orchestration mode set to Customer Managed Schedules.

The vms are part of an application app1 which is load balanced across these vms.

It is determined that the patches to the first vm vmtest01 should be installed once every month , on the next day when Microsoft releases their monthly patches.

Microsoft release their monthly patches on the 2nd Tuesday of every month. This day is also known as Patch Tuesday.

It is also determined that the patches to the other vm vmtest02 for the same application app1 should be installed on the next day from the patch date of the first vm to ensure redundancy.

So I create two Maintenance configuration objects with the schedule set to 2nd Wednesday of every month and 2nd Thursday of every month.

  1. Locate the appropriate files based on the environment and the subscription. As mentioned, our VM are in the Testing subscription in the Dev environment, so I know the files I will need to make changes to are:

terraform/environments/dev/testing/maintenance_config.auto.tfvars
  1. The content of the file looks like this:
maintenance_configurations = {
    "config_2ndTuesday" = {
        name = "config_2ndTuesday"
        start_date_time = "2021-08-21 18:00"
        recur_every = "1Month Second Tuesday"
        reboot_setting = "IfRequired"
        virtual_machines = {}
    },
}

As can be seen there is a configuration object config_2ndTuesday. This can be copied to form the basis of the new config object as per specific requirements.

I can copy the majority of what exists already as the basis for my new entry. I add a new entry to the maintenance_configurations object.

In this example I am adding two objects , one for 2nd Wednesday scheule and another for 2nd Thursday schedule. I am keeping the default 2nd Tuesday schedule as is. If required I can remove it as well.

Now the file looks like this:

maintenance_configurations = {
    "config_2ndTuesday" = {
        name = "config_2ndTuesday"
        start_date_time = "2021-08-21 18:00"
        recur_every = "1Month Second Tuesday"
        reboot_setting = "IfRequired"
        virtual_machines = {}
    },

    "config_2ndWednesday" = {
        name = "config_2ndWednesday"
        start_date_time = "2021-08-21 18:00"
        recur_every = "1Month Second Wednesday"
        reboot_setting = "IfRequired"
        virtual_machines = {
            "vmtest01" = {
                resource_group_name = "rg-hub-poltest-01"
            },
        }
    },

    "config_2ndThursday" = {
        name = "config_2ndThursday"
        start_date_time = "2021-08-21 18:00"
        recur_every = "1Month Second Thursday"
        reboot_setting = "IfRequired"
        virtual_machines = {
            "vmtest02" = {
                resource_group_name = "rg-hub-poltest-01"
            },
        }
    }
}

The virual machines are also added to their respective maintenance configs. Each vm needs its name as the key of the object and its resource group as one of the attributes to uniquely identify the vm.

Breakdown of the maintenance configurations variable:

Name Description Type Required
maintenance_configurations Maintenance configurations. https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-configurations 
map(object({
 name = string
 start_date_time = string
 expiration_date_time = optional(string)
 duration = optional(string, "02:00")
 time_zone = optional(string, "UTC")
 recur_every = string
 reboot_setting = optional(string, "IfRequired")
 win_classifications_to_include = optional(list(string), [
 "Critical",
 "Definition",
 "FeaturePack",
 "Security",
 "ServicePack",
 "Tools",
 "UpdateRollup",
 "Updates"
 ])
 linux_classifications_to_include = optional(list(string), [
 "Critical",
 "Security",
 "Other",
 ])
 kb_numbers_to_exclude = optional(list(string))
 kb_numbers_to_include = optional(list(string))
 package_names_mask_to_exclude = optional(list(string))
 package_names_mask_to_include = optional(list(string))
 virtual_machines = optional(map(object({
 resource_group_name = string
 })),) {})
 }))
 default = {}
 }
 Yes
resource_group_name Resource Group the resources will belong to. string yes

Reporting and Observability

The Azure Update Manager logs events and statuses using Azure Resource Graph. Microsoft supply a Workbook that is pre-loaded with useful queries relating to Azure Update Manager. This can be used as-is, or further customised.

To find this workbook, navigate to the [Azure Update Manager monitoring blade](https://portal.azure.com/#view/Microsoft_Azure_Automation/UpdateCenterMenuBlade/~/workbook and select the workbook template named Overview. Populate the drop-down boxes at the top of the Workbook as appropriate. To save your drop-down selections and make your own copy of this Workbook for future reference, you can click the Edit pencil icon and select Save As, providing a name and Resource Group to save the Workbook in. Going forwards, you can access your saved copy of the workbook, make further customisations, share it with others etc…

This page was last reviewed on 22 November 2024. It needs to be reviewed again on 22 May 2025 .
This page was set to be reviewed before 22 May 2025. This might mean the content is out of date.