Azure Automation is a service that allows you to automate tasks in Azure. Azure Automation allows you to run runbooks in the cloud or on-premises. It is a standard command-and-control architecture, where the Azure Automation service sends jobs to workers. The workers perform the jobs. Sometimes these jobs require access to Azure resources that are not accessible from the public internet. In this case, you can use a Hybrid Worker.
-
A Hybrid Worker is a virtual machine that is deployed in your Azure subscription. The Hybrid Worker is registered with the Azure Automation service.
-
This demo shows how to deploy a disposable Hybrid Worker using Terraform and Packer without any interaction with the actual virtual machines. All software is installed via Packer into a Golden Image or on after creation with Cloud Init.
-
The Hybrid Workers are registered with the Azure Automation service using the new Azure VM Extension. The traditional agent installation model is set to expire in later 2024/2025.
- The extension takes one argument - the Hybrid Service URL - which is a property of the Automation Account.
- The new extension allows the machine to be registered with the Azure Automation service without any interaction with the actual virtual machines.
- Please see Azure Automation Hybrid Worker Extension for more information around the benefits of the extension model.
- The extension is configured to automatically update when new versions are released.
- The extensions are deployed with Terraform when the Hybrid Workers are created using the azurerm_virtual_machine_extension resource.
-
Each deployment creates a unique resource group based on a random ID. Virtual Machines are given a random ID based on the resource group ID and another unique ID.
-
The machines are registered with Azure Update Manager by setting
patch_modeandpatch_assessment_modetoAutomaticByPlatformin the azurerm_virtual_machine resource. -
The machines are assigned a Managed Identity. Role assignments can be created to this identity to allow the Hybrid Worker to access Azure resources.
-
An Expiration tag is defined that will be used to destroy the resources after a certain period of time.
-
The Hybrid Workers are intended to be short-lived and to be destroyed within a week of creation, replaced by a new set of workers.
NOTE: As always, this repo is for demonstration purposes only. It is not intended for production use as is..
| Component | Usage |
|---|---|
| Azure Automation | Automation Account for Runbooks |
| Azure Virtual Machine | Hybrid Workers |
| Azure Virtual Network | Virtual Network for Hybrid Workers |
| Azure Shared Image Gallery | Golden Image for Hybrid Workers |
| Azure Update Management | Patching for Hybrid Workers |
| Pros | Cons |
|---|---|
| Azure Automation can run any existing Python or PowerShell Script without (any?) customizations | Machines still must be managed and patched. Azure Update Manager can assist and does not require interactive login to the machine. |
| Extension-based automatically updates when new versions are released | VM-based model does not automatically scale out. Requires an execution of the Terraform command to create additional workers. |
| Azure Automation provides a built-in Python and PowerShell module repository | Azure Container Apps Jobs require each job/script to provide all dependencies in the container image. |
| Does not execute Containers easily | Azure Container Apps Jobs execute containers automatically and can scale out using event triggers. |
| Azure Automation integrated with Azure Monitor and Log Analytics | Azure Container Apps Jobs integrated with Azure Monitor and Log Analytics |
| Azure Automation schedules jobs by Cron syntax | Azure Container Apps Jobs schedule jobs by Cron syntax |
| Azure Automation has extensive logging and auditing | Azure Container Apps Jobs have some degree of logging and auditing |
NOTE: This setup is an example of the architecture below using Taskdev
