I create Azure VM (windows) via arm template from Azure Pipeline. But I have to Add New Property Item to Registry without RDP.
Is there a secure way to do that with ARM template or SDK?
Any advice would be appreciated.
Best
You could do that with many different ways. One method is to perform an ARM deployment and use commandToExecute inside it. You could also perform that using a Powershell task without having to login in the VM through Azure portal using az cli.
An example can be found below:
- task: AzureCLI#2
displayName: execute command inside vm
inputs:
azureSubscription: 'subscription'
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: 'az vm run-command invoke --command-id RunPowerShellScript --name $(vm_name) -g $(vnet_rg_name) --scripts "hostname"'
In the scripts section instead of the hostname you should add a powershell to edit your registry key.
Documented article:
https://medium.com/#geralexgr/execute-powershell-command-without-username-password-on-azure-virtual-machine-8142ade31fd0
Related
In my Azure DevOps pipeline, I'm deploying a logic app on Azure but I get this warning:
##[warning]"ZipDeploy Validation WARNING: It is recommended to set app setting WEBSITE_RUN_FROM_PACKAGE = 1 unless you are targeting one of the following scenarios:
1. Using portal editing.
2. Running post deployment scripts.
3. Need write permission in wwwroot.
4. Using custom handler with special requirements.
NOTE: If you decide to update app setting WEBSITE_RUN_FROM_PACKAGE = 1, you will have to re-deploy your code."
Is it possible to suppress this warning?
Make sure to add the application settings to allow zip deploy like below:-
- task: AzureCLI#2
inputs:
# TODO: Fill in with the name of your Azure service connection
azureSubscription: ''
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings "BLOB_CONNECTION_RUNTIMEURL=$(blobendpointurl)"
az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings "WORKFLOWS_RESOURCE_GROUP_NAME=$(resourceGroupName)"
az functionapp config appsettings set --name $(LAname) --resource-group $(resourceGroupName) --settings WEBSITE_RUN_FROM_PACKAGE=1
addSpnToEnvironment: true
useGlobalConfig: true
Powershell task with app service plan
- task: AzurePowerShell#5
inputs:
azureSubscription: 'MyAzureSubscription'
ScriptType: 'InlineScript'
Inline: |
Set-AzWebApp -Name MyWebApp -ResourceGroupName MyResourceGroup -AppSettings #{'WEBSITE_RUN_FROM_PACKAGE'='1'}
azurePowerShellVersion: 'LatestVersion'
Make sure you change the deployment-method in your YAML pipeline to deploymentMethod: ‘runFromPackage’ instead of ‘zipDeploy’ like below:-
To :-
And then run your pipeline to allow zip deployment of Azure Logic app.
Reference:-
AzureFunctionApp#1 Gives a warning about something it removes itself · Issue #17580 · microsoft/azure-pipelines-tasks · GitHub
I'm trying to create an Azure DevOps pipeline to run a few Runbooks by a specific order.
My pipeline currently looks like the following:
trigger: none
pool: <mypool>
jobs:
- job: AzureCLI
steps:
- task: AzureCLI#2
inputs:
azureSubscription: '<mysubscription'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
az config set extension.use_dynamic_install=yes_without_prompt
az automation runbook start --automation-account-name "myaccount" --resource-group "myrg" --name "runbook-1"
az automation runbook start --automation-account-name "myaccount" --resource-group "myrg" --name "runbook-2"
Thing is, when I run it like that what it does is triggering both runbooks in parallel. It triggers runbook-1 and then triggers runbook-2 without waiting for runbook-1 to finish.
In the Az CLI Docs there is no parameter like --wait-for-compellation or something like that.
There is a different command: 'az automation runbook wait' which I thought might wait after triggering the runbook with 'az automation runbook start' but it doesn't, it just exits immediately.
Anyone knows a different way to make the command hang until compellation?
I am trying to create a pipeline in which I'll run terraform configs against an Azure subscription from Azure DevOps pipelines. All works fine, but when I am trying to log in as user with az cli it fails with:
ERROR: Authentication failed due to error of 'Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.' This typically happens when attempting a Microsoft account, which requires interactive login. Please invoke 'az login' to cross check. More details are available at https://github.com/AzureAD/microsoft-authentication-library-for-python/wiki/Username-Password-Authentication
ERROR: Please run 'az login' to setup account.
Although from cli on my local it works to do az log in -u user -p pass
Command was executed from a script, because after log in I'll move to terraform commands which requires those creds:
- script: |
az login -u $(u) -p $(p)
terraform init
terraform plan
I know it's not a best practice to use an user instead of a service principal, but for now I have to stick with this method. So is there a way to automate az login from Azure DevOps pipelines?
The Azure CLI task can be used instead of the Script task
It works like the normal script tasks and you select what scripting language you want to run with the scriptTypeproperty:
Type of script: PowerShell/PowerShell Core/Bat/Shell script. Select
bash/pscore script when running on Linux agent or batch/ps/pscore
script when running on Windows agent. PowerShell Core script can run
on cross-platform agents (Linux, macOS, or Windows)
It also takes a service connection reference in the azureSubscription input. The service connection should be of type Azure Resource Manager and can be created either automatically or by using an existing service principal.
The azure connection details are safely stored in the service connection and when your script starts executing Azure CLI has already been logged in using the service connection
Below is an example of how your pipeline task would look
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: <Name of the Azure Resource Manager service connection>
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
terraform init
terraform plan
az login -u $(secretUser) -p $(secretPassword)
Put the user ID and password into Azure Key Vault, named secretUser and secretPassword, and then use the AzureKeyVault#1 task to populate it
- task: AzureKeyVault#1
inputs:
ConnectedServiceName: Your Service Connection Name
KeyVaultName: Your Key Vault Name
SecretsFilter: 'secretUser,secretPassword'
RunAsPreJob: true
- script: |
az login -u $(secretUser) -p $(secretPassword)
terraform init
terraform plan
I have a small test project with a crude start of a pipeline at https://github.com/veikkoeeva/dockerservice/blob/main/azure-pipelines.yml. It's currently just to check it's possible to connect to the Azure, so
trigger:
- master
pool:
vmImage: windows-latest
steps:
- task: AzureCLI#2
displayName: Az --version
inputs:
azureSubscription: 'TestManagedIdentityConnection'
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
az --version
- task: AzureCLI#2
inputs:
azureSubscription: 'TestManagedIdentityConnection'
scriptType: 'pscore'
scriptLocation: 'scriptPath'
scriptPath: '$(System.DefaultWorkingDirectory)\devops.ps1'
But this fails on login step like so
The service connection scope is on subscription level. It appears the hosted image tries to connect to an Internal Azure token endpoint. Is there a way to use managed identity that can sign in the CLI using hosted images? What could it look like using self-hosted and managed identity?
This seem to work with "the usual" service principal. But it appears developers are often forbidden to create SPNs to company AD so creating a service connections fails. It appears often it's possible to create a service connection using managed identity, but here we are with this problem. :)
<edit: Reading from https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest the options could be either az login --identity or a certificate. With az login --identity it appears there is still the same problem of calling the same endpoint as earlier and it errors with the same reason.
<edit 2: Duh! In the image it's called with --identity switch already!
I want to get the vnet id of an azure vnet into a variable using azure cli.
i then want to use this variable in the azure devops pipeline and populate a variable there?
How can i do this?
You can use the Azure CLI task making use of the az network vnet commands, e.g.
- task: AzureCLI#2
displayName: Azure CLI
inputs:
azureSubscription: <Name of the Azure Resource Manager service connection>
scriptType: ps
scriptLocation: inlineScript
inlineScript: |
az network vnet show -g MyResourceGroup -n MyVNet
In the same task's inline script you're free to use any powershell, so could also set variables in that script for use in subsequent steps. Hope this helps!