When returning all disks within a subscription, I noticed that not all resources are listed. When comparing to the GUI I can see more resources than there are returned in my API call.
Does Azure 'Hide' resources from the API when created by certain people with certain permission? Or is there something I'm missing?
In Azure, there are multiple services like audit logs and Azure access advisor, but none of them provides exactly the information I need. How to get any of the below information for Azure users:
Last services accessed list by the user. (which services are accessed by the user in past and which services are still unused but he has the permission to access them).
Detailed last services accessed data(what services are accessed by which azure user and when was it last accessed).
PS: by access, I mean any type of access: Be it read operation or write operation or update operation or any other operation specific to the service.
In AWS there is this thing:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html.
Can anyone help if something similar to this is present in Azure as well?
This question may sound a little odd, but here it goes: A customer of ours would like to get access to certain metrics of his environment of our product which we host on Azure for the customer. It's a pretty complicated deployment, but in the end it consists of an Application Gateway, some virtual machines and a dedicated Azure SQL database.
The customer now would want to get select metrics from this deployment forward to their own DataDog subscription, e.g. VM CPU metrics, database statistics and those things. DataDog obviously supports all this information (which is good), but as a default would slurp in information from all resources within our subscription (which is not OK).
Is there a way to fine-granularly define which data is forwarded to DataDog, e.g. the resources and also which type of metrics to forward for each resource? What are my options here? Is it enough to create a service principal with a limited reading right, or can I configure this somewhere else? I am unfortunately not familiar with DataDog.
The main thing which must be prevented is that the customer due to the metrics forwarding could get access to other metrics in our subscription - we need to control the exact scope of the metrics.
The pretty straightforward solution to this issue is to create a service principal via command line, and then to assign the monitoring role to this service principal only exactly for the resources you need. This even works down to a level of specific databases for example.
Kicker: This is not possible to do in such a granularity from the UI, but the az command line accepts assigning the monitoring reader permission on a deep resource ID level, even if the UI for this is not there. By finding the resource ID from the UI, and then using the resource ID from the command line, it's possible to achieve exactly this behaviour.
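As an added example (not part of the original answer), this script builds the deep resource IDs the answer refers to and scopes a service principal's Monitoring Reader assignment to exactly those resources. It assumes the Azure CLI is installed and logged in; the subscription, resource group, server and database names are placeholders.

```shell
#!/bin/sh
# Added example: create a service principal with no default role, then grant
# Monitoring Reader on single resources by passing their full resource IDs.
# Assumes the Azure CLI (az) is installed and logged in when AZ=az;
# set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"

# Resource ID of one Azure SQL database: the scope the portal will not let
# you pick, but that az accepts directly.
db_scope() {
  sub="$1"; rg="$2"; server="$3"; db="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s/databases/%s' \
    "$sub" "$rg" "$server" "$db"
}

# Resource ID of one virtual machine, built the same way.
vm_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Create the service principal without any role assignment so it starts with
# no rights (assumption: recent az versions create no assignment when --role
# is omitted). Prints the appId for the later steps.
create_sp() {
  "$AZ" ad sp create-for-rbac --name "$1" --query appId -o tsv
}

# Grant Monitoring Reader on one narrow scope only.
grant_monitoring_reader() {
  app_id="$1"; scope="$2"
  "$AZ" role assignment create \
    --assignee "$app_id" \
    --role "Monitoring Reader" \
    --scope "$scope"
}

# Review what the principal can see: every assignment should be one of the
# narrow scopes above, never the subscription or the resource group.
list_assignments() {
  "$AZ" role assignment list --assignee "$1" --all \
    --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Usage (placeholder names): grant access to one database and one VM.
# app_id="$(create_sp customer-datadog-reader)"
# grant_monitoring_reader "$app_id" "$(db_scope SUB_ID prod-rg sqlsrv1 customerdb)"
# grant_monitoring_reader "$app_id" "$(vm_scope SUB_ID prod-rg web-vm-1)"
# list_assignments "$app_id"
```

Give the customer's DataDog integration only the appId and secret of this principal; the assignment list is the place to check that no broader scope crept in.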
Goal: Move all the necessary, and only the necessary, function apps and their dependencies from one resource group to another. This resource group they are currently in contains an App Configuration, 2 App Services (Function Apps), their Application Insights, a Storage account, and an App Service Plan.
The resource group I want to move them into already has things like Storage accounts, other Function apps, Logic apps, etc.
I have tried consulting the docs, maybe I am consulting the wrong ones. I am still puzzled about the dependencies Function Apps may have, and why this resource group needed to spin up a Storage account and what azure-webjobs-host and what the files populating within it mean or do.
Q1: How can I move them to the new resource group? I am thinking of using their ARM templates, but am vague on details.
Q2: Do I need to bring their Storage account with them?
Q3: Could I instead integrate them with the Storage account in their new resource group, after I moved them? How?
Q4: Can I simply delete Function Apps' Application Insights if I have no further use for them?
Q5: Any good resources or knowledge you want to share about Logic Apps / Function Apps being dependent on other resource types?
Thank you.
Are my Function Apps dependent on Storage Accounts?
Yes, a function app on Azure needs you to specify a storage account. This is because triggers other than HttpTrigger need a storage emulator. (This is a built-in feature.)
How can I move them to the new resource group?
If you don't have too many function apps to move, just click 'Move' -> 'Move to another resource group' in the overview of your resource group and then select the function app you want to move.
Do I need to bring their Storage account with them?
No. Whether it is the built-in feature or your function app needing to deal with some storage accounts, it just needs you to provide a connection string to link to.
Could I instead integrate them with the Storage account in their new resource group, after I moved them? How?
Yes (if you are talking about the built-in feature). But you need to change this value:
And the value comes from this place:
Can I simply delete Function Apps' Application Insights if I have no further use for them?
Yes, you can. It is just a way to monitor your function app. You can delete or re-create it whenever you want.
Any good resources or knowledge you want to share about Logic Apps / Function Apps being dependent on other resource types?
One thing I want to remind you of: please keep your resources in the same region if you don't have some special requirement. This is not only because of some built-in restrictions, but it can also help you save costs. (For resources in Azure, data transmission between resources located in different regions requires additional bandwidth fees.)
I want to create an Azure Function that would retrieve the Resource Groups list. I found a related question here, but I'm wondering if there could be another alternative, as this function will be hosted in the same Azure subscription, without making REST requests.
It is not possible to have it without a call. Having something in the resource group does not grant access out of the box to list other resources in that resource group. That could be a security issue.
There are a couple of different ways to get the desired information. It could be done via a REST API call, PowerShell, Azure CLI etc.
There is a way to use PowerShell in Azure Functions, but it is currently in preview. I have not tried this before, but maybe you can try to leverage this to call the simple PowerShell command to get the resources. That way you are not calling the REST API, at least not directly.
If you ask me, and if you really need an Azure function to do this, going with REST API call is the safest bet.
Is it possible to manage an Azure account within code? Like
var ac = new AzureAccount(name, password);
ac.CreateStorageAccount(name);
ac.CreateCoAdmin(name);
...
I already know about the Azure cmdlets, but that doesn't help.
You'll need to look at the Service Management API. There is an operation that allows you to create a storage account for example (comes with a C# example): Create Storage Account.
Adding a co-admin on the other hand won't be that simple. I believe there's support in the Service Management API to manage co-admins. If this is really important to you you can try to look at how the portal does it. You'll see that it executes 2 requests to add a co-admin to a subscription:
Call https://manage.windowsazure.com/Users/GetPrincipalId with the email address of the new admin. This will return a "LiveID" (like 00053ACD9A5B316C).
Call https://manage.windowsazure.com/Users/AddCoAdministrator with the email address, the LiveId, and information about the subscription to add the user.
This isn't documented and before even calling these services you'll need to manage authentication first.
Windows Azure accounts are created when users provide their personal information along with a financial source (i.e. a credit card) which can pay the balance incurred by the services used by the specified user. Once you are logged into your account you can add more administrators. This process is managed up to a certain degree of control directly by the Windows Azure team, and there is no API to automate this functionality for various reasons.
However, once you have got a new Subscription to Windows Azure, you certainly can use the REST API to create new services (i.e. Cloud Service, VM, Storage etc.) which are available within your Subscription. To make it happen, just create a new reference DLL (or class), add all the REST APIs to it, and then use that reference (or class) to call them exactly the way you want.