Why Azure Image Builder – Getting Started

You might be familiar with building golden images or templates for use on-premises.  Back in the olden days we used to “ghost” machines and now you may use a VM template with sysprep.  Azure offers the managed service Azure Image Builder so you can configure your image as a template for reuse within your cloud.  Golden or base images are usually built upon governance, standards and best practices within your organization.  These images especially come into play if you have immutable infrastructure, servers or that will not be modified after deployment. To ensure consistency and speed up deployment, you can create golden images or templates.

Azure Image Builder lets you transfer your image customization pipeline to Azure without changing your , commands, and processes. VM Image Builder works with any base operating system image from the Azure Marketplace and uses an config for the build process. Your VM image build artifacts are stored as Azure resources. This feature eliminates the need for offline definitions and the risk of environment drifts due to accidental deletions or updates.

Side note – Azure Image Builder is based on Packer, so you can reuse your existing Packer shell provisioner with it.

Resource: https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershellResource: https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell

Scenarios

Many of these scenarios have code and quickstarts  to get you going on the AZ VM Image builder Github repository.

I encourage you to check it out and you can contribute as well.

What's New

Auto-Image Creation, also known as “triggers”, is a feature that enhances developer productivity by automatically initiating image builds for new base images. This feature allows customers to streamline their image building process by setting up ‘triggers' for the images they want to update automatically. Azure Image Builder also helps internal teams to ensure the security of their images through , reducing the manual work required to patch 1P images.

Isolated Image Builds.  A feature of Azure Image Builder (AIB) is the ability to customize and validate VM images using dedicated Azure Container Instances (ACI) resources in your subscription. This provides compute and isolation from shared infrastructure.

Azure VM Image Builder service DevOps task (preview). Create a virtual machine (VM) image with your application and operating system installed and configured, using the build artifacts.

Azure Portal.  Users have been using CLI/PowerShell to create Azure Image templates but now that availability is in the Azure Portal.  

The Azure Image Builder portal functionality allows the customer to explore the features of Azure Image Builder easily, without spending time on learning make a JSON template from the documentation.  You can create an Azure Image from Bicep or an ARM template using JSON

Getting Started

Permissions

No matter which route you take, using the Portal or using command line you have to grant permissions for the service to work.  The VM Image Builder service needs permissions to create, manage, and delete a staging resource group, which has the prefix IT_*. This resource group contains any resources that the image build requires. You can add these resources after you register for the service successfully. The service creates a service principal name in your subscription when you register.

To distribute images to either the managed images or Compute Gallery, you must create an Azure user-assigned identity that can read and write images. To access Azure Storage, you need permissions to read both private and public containers.

Register providers

If you haven't already done so, register the following resource providers to use with your Azure subscription:

  • Microsoft.Compute
  • Microsoft.KeyVault
  • Microsoft.Storage
  • Microsoft.
  • Microsoft.VirtualMachineImages
  • Microsoft.ManagedIdentity
  • Microsoft.ContainerInstance

I'll go over registering the providers and granting permissions in this first video below.

PowerShell I used:

#Set Subscription
Set-AzContext -SubscriptionId "Your Subscription" 

#Register Providers

Get-AzResourceProvider -ProviderNamespace Microsoft.Compute, Microsoft.KeyVault, Microsoft.Storage, Microsoft.VirtualMachineImages, Microsoft.Network, Microsoft.ManagedIdentity |
  Where-Object RegistrationState -ne Registered |
    Register-AzResourceProvider

# Destination image resource group name
$imageResourceGroup = 'myWinImgBuilderRG'

# Azure region
$location = 'WestUS2'

# Name of the image to be created
$imageTemplateName = 'myWinImage'

# Distribution properties of the managed image upon completion
$runOutputName = 'myDistResults'

# Your Azure Subscription ID
$subscriptionID = (Get-AzContext).Subscription.Id
Write-Output $subscriptionID


##Create Resource Group
 New-AzResourceGroup -Name $imageResourceGroup -Location $location

#Create variables for the role definition and identity names. These values must be unique.
[int]$timeInt = $(Get-Date -UFormat '%s')
$imageRoleDefName = "Azure Image Builder Image Def $timeInt"
$identityName = "myIdentity$timeInt"

#Create a user identity
New-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName -Location $location

#Store the identity resource and principal IDs in variables
$identityNameResourceId = (Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).Id
$identityNamePrincipalId = (Get-AzUserAssignedIdentity -ResourceGroupName $imageResourceGroup -Name $identityName).PrincipalId

#Downlaod JSON config file to assign permissions to the identity
$myRoleImageCreationUrl = 'https://raw.githubusercontent.com/azure/azvmimagebuilder/master/solutions/12_Creating_AIB_Security_Roles/aibRoleImageCreation.json'
$myRoleImageCreationPath = "myRoleImageCreation.json"

Invoke-WebRequest -Uri $myRoleImageCreationUrl -OutFile $myRoleImageCreationPath -UseBasicParsing

#update role definition template
$Content = Get-Content -Path $myRoleImageCreationPath -Raw
$Content = $Content -replace '', $subscriptionID
$Content = $Content -replace '', $imageResourceGroup
$Content = $Content -replace 'Azure Image Builder Service Image Creation Role', $imageRoleDefName
$Content | Out-File -FilePath $myRoleImageCreationPath -Force

#Create role definition
New-AzRoleDefinition -InputFile $myRoleImageCreationPath

#Grant the role definition to the VM Image Builder service principal
$RoleAssignParams = @{
    ObjectId = $identityNamePrincipalId
    RoleDefinitionName = $imageRoleDefName
    Scope = "/subscriptions/$subscriptionID/resourceGroups/$imageResourceGroup"
  }
  New-AzRoleAssignment @RoleAssignParams

In the next post we will go over using the Azure portal to build a golden image and build from it.

Thanks for reading and feel free to comment with any questions.

Amy Colyer

 

This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.