Azure Machine Configuration, Linux, and DSC Configuration

Source: Dev.to

Introduction

Azure Machine Configuration supports Linux VMs, allowing you to apply PowerShell DSC configurations (or Chef InSpec) to Linux workloads.
To run DSC configurations on Linux, the VM must have the AzurePolicyForLinux extension and a managed identity. The extension installs PowerShell in a dedicated folder without adding it to the system PATH, so PowerShell can only be invoked by the policy engine.

DSC Resources for Linux

The most feature‑complete DSC resource set for Linux is the NxTools module. It provides a POSIX‑style wrapper around common Linux commands and includes the following DSC resources:

• nxFiles – manage files and folders
• nxGroup – manage groups and group membership
• nxUser – manage users
• nxPackages – manage packages (supports only apt)
• nxService – manage services (systemd)
• nxScript – execute arbitrary scripts within DSC configurations

The module is recommended for use with Azure Machine Configuration.
GitHub: (link omitted in original)

Demo DSC Configuration

The example below creates a user DevTo, adds it to a group publishers, and ensures a file /home/DevTo/publisher.txt exists using an nxScript resource.

configuration demoDSCLinux
{
    Import-DscResource -ModuleName 'nxtools'

    nxUser ensureDevToUser {
        Ensure        = 'Present'
        UserName      = 'DevTo'
        FullName      = 'Dev To Demo user'
        HomeDirectory = '/home/DevTo'
        Description   = 'Ensure that DevTo user is present on the system'
    }

    nxGroup ensurePublishersGroup {
        # The group must be present and have DevTo as a member
        Ensure    = 'Present'
        GroupName = 'publishers'
        Members   = @('DevTo')
    }

    nxScript ensurePublisherFilePresent {
        GetScript = {
            $Reason = [Reason]::new()
            $Reason.Code   = "Script:Script:FileMissing"
            $Reason.Phrase = "File does not exist"

            if (Test-Path -Path "/home/DevTo/publisher.txt") {
                $Reason.Code   = "Script:Script:Success"
                $Reason.Phrase = "File exists"
            }

            return @{ Reasons = @($Reason) }
        }

        TestScript = {
            Test-Path -Path "/home/DevTo/publisher.txt"
        }

        SetScript = {
            $null = New-Item -Path "/home/DevTo/publisher.txt" -ItemType "File" -Force
        }
    }
}

• The first two resources create the DevTo user and the publishers group, adding the user to the group.
• The nxScript resource ensures the presence of the file and provides a Reason object that Azure Portal displays when the configuration is non‑compliant.

Compiling and Packaging the Configuration

DSC configurations must be compiled on a Linux host (or in a Linux CI runner) because the AzurePolicyForLinux extension requires PowerShell for Linux.

# Verify the script is running on Linux
if ($IsLinux -eq $false) {
    Write-Error "This script must be run on a Linux system."
    exit 1
}

# Install required modules
Install-Module -Name nxtools -Force
Install-Module -Name PSDesiredStateConfiguration -RequiredVersion 3.0.0-beta1 -Force -AllowPrerelease
Install-Module -Name GuestConfiguration -RequiredVersion 4.1.0 -Force

# Load the DSC configuration script
. ./DSC-Linux/demolinux.dsc.ps1

# Compile the configuration
demoDSCLinux

# Rename the generated MOF file
Rename-Item -Path .\demoDSCLinux\localhost.mof -NewName demoDSCLinux.mof -Force

# Create the Guest Configuration package for Azure Machine Configuration
New-GuestConfigurationPackage `
    -Name "demoDSCLinux" `
    -Type AuditAndSet `
    -Configuration .\demoDSCLinux\demoDSCLinux.mof `
    -Force $true

The script:

1. Confirms it is running on Linux.
2. Installs nxtools, PSDesiredStateConfiguration, and GuestConfiguration.
3. Imports the DSC configuration file and compiles it, producing a MOF file.
4. Packages the MOF into a Guest Configuration package that can be deployed to a Linux VM via Azure Machine Configuration.