I want to stop my appservices at midnight and want to start them at morning.So i came across two things , runbooks and webjobs .So first i included a runbook which start/stop services in a resource group.But when i tested it out , i faced an error -
And also when i tried using a webjob , i used this code from here , but i was not able to see the result.The webjob was working as a script but was it actually starting/stoping the services i dont know.I am new to powershell scripts so i dont know where to make necessary changes in the code.I dont know whether i am doing it right or wrong , please help me out.Thank You.
If you want to manage Azure ARM Resource with Azure Runbook, you can create Run As accounts in your Azure automation account. When we create it, it will create a new service principal user in Azure Active Directory (AD) and assigns the Contributor role to this user at the subscription level. For more details, please refer to the document and the document.
For example
Create Run As accounts
a. Search for and select Automation Accounts.
b. On the Automation Accounts page, select your Automation account from the list.
c. In the left pane, select Run As Accounts in the account settings section.
d. Depending on which account you require, select either Azure Run As Account or Azure Classic Run As Account.
e. Depending on the account of interest, use the Add Azure Run As or Add Azure Classic Run As Account pane. After reviewing the overview information, click Create.
Create a PowerShell Workflow runbook
Script
workflow START_STOP_APP_SERVICE_BY_RESOURCE
{
Param(
[Parameter (Mandatory= $true)]
[bool]$Stop,
[Parameter (Mandatory= $true)]
[string]$ResourcegroupName
)
try
{
# use Azure As Account to log in Azure
$servicePrincipalConnection=Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$status = 'Stopped'
if ($Stop)
{
$status = 'Running'
}
# Get Running WebApps (website_Processings_Running)
$website_Processings_Running = Get-AzureRMWebAPP -ResourceGroupName $ResourcegroupName | where-object -FilterScript{$_.state -eq $status }
foreach -parallel ($website_Processing In $website_Processings_Running)
{
if ($Stop)
{
$result = Stop-AzureRmWebApp -ResourceGroupName $ResourcegroupName -Name $website_Processing.Name
if($result)
{
Write-Output "- $($website_Processing.Name) shutdown successfully"
}
else
{
Write-Output "+ $($website_Processing.Name) did not shutdown successfully"
}
}
else
{
$result = Start-AzureRmWebApp -ResourceGroupName $ResourcegroupName -Name $website_Processing.Name
if($result)
{
Write-Output "- $($website_Processing.Name) start successfully"
}
else
{
Write-Output "+ $($website_Processing.Name) did not started successfully"
}
}
}
}
Today in 2022 you have to use Az module instead of AzureRM. You also have to switch to 7.1 Runtime if you want to succeed.
Param(
[bool]$Stop,
[string]$ResourcegroupName,
[string]$WebAppName
)
try
{
# use Azure As Account to log in Azure
$servicePrincipalConnection=Get-AutomationConnection -Name "AzureRunAsConnection"
Write-Output $servicePrincipalConnection.TenantId
Write-Output $servicePrincipalConnection.ApplicationId
Write-Output $servicePrincipalConnection.CertificateThumbprint
Add-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$status = 'Stopped'
if ($Stop)
{
$status = 'Running'
}
# Get Running WebApps (website_Processings_Running)
$website_Processings_Running = Get-AzWebApp `
-ResourceGroupName $ResourcegroupName] `
-Name $WebAppName | where-object -FilterScript{$_.state -eq $status}
Write-Output "- $($website_Processing.Name) WebApp to manage"
foreach ($website_Processing In $website_Processings_Running)
{
if ($Stop)
{
$result = Stop-AzWebApp -ResourceGroupName $ResourcegroupName -Name $website_Processing.Name
if($result)
{
Write-Output "- $($website_Processing.Name) shutdown successfully"
}
else
{
Write-Output "+ $($website_Processing.Name) did not shutdown successfully"
}
}
else
{
$result = Start-AzWebApp -ResourceGroupName $ResourcegroupName -Name $website_Processing.Name
if($result)
{
Write-Output "- $($website_Processing.Name) start successfully"
}
else
{
Write-Output "+ $($website_Processing.Name) did not started successfully"
}
}
}
Related
I'm trying to get a simple Powershell script working in Azure Automation Accounts; I've tested the script in VS Code and it works fine; the issue is in the Credentials; following this page: https://learn.microsoft.com/en-us/azure/automation/shared-resources/credentials?tabs=azure-powershell, I'm using the following code
# Connect to Azure
$myCredential = Get-AutomationPSCredential -Name 'XXX'
$myUserName = $myCredential.UserName
$mySecurePassword = $myCredential.Password
$myPSCredential = New-Object System.Management.Automation.PSCredential ($myUserName, $mySecurePassword)
Connect-AzureAD -Credential $myPSCredential
The only different to my "local" script is the first of the above lines which uses a local file
$myCredential = Import-CliXml -Path 'C:\Users\<me>\Desktop\credentials.xml'
But it doesn't work; diagnostics seem to be poor in Automation Accounts, but I'm 99% sure is related to credentials; perhaps it's forcing MFA, but that's not happening locally ... any suggestions appreciated
If you are using the older RunAs account then you can use the following:
$connectionName = "connectionName"
try {
# Get the connection "AzureRunAsConnection" You can't use the Az module version for reasons.
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
$connectAzAccountSplat = #{
ServicePrincipal = $true
TenantId = $servicePrincipalConnection.TenantId
ApplicationId = $servicePrincipalConnection.ApplicationId
CertificateThumbprint = $servicePrincipalConnection.CertificateThumbprint
}
Connect-AzAccount #connectAzAccountSplat -ErrorAction Stop | Out-Null
}
catch {
if (!$servicePrincipalConnection) {
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
}
else {
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Automation Accounts have recently been updated to use system assigned identities however. You can find the docs of that here:
https://learn.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
I'm creating a Azure Automation runbook to generate a report on the patch status of the virtual machines under a management group.
The query used is as below
union Update , workspace('xxxx').Operation,workspace('yyyy').Operation
| where TimeGenerated > ago(10d)
| where Classification in ("Security Updates", "Critical Updates", "Critical and security updates") and ResourceType == "virtualMachines"
| summarize updates=makeset(Title) by Computer,Classification, UpdateState,Product, PublishedDate, MSRCSeverity
| order by UpdateState
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query
here I need to query log analytics workspace from different subscriptions under the same management group..
Run As Account has RBAC set to "Log Analytics Reader" at management group level.
But the query results is empty record set, Same query fetches records when its executed on the Log Analytics workspace directly.
Any guidance on what I'm missing here will be a great help.
Thank you
This command Invoke-AzOperationalInsightsQuery can just do operations against one subscription, so in your case, you need to use a loop to set the subscription with Set-AzContext -Subscription <subscription-id>, to get all the subscriptions your RunAs account can access, use Get-AzSubscription.
Sample:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$query = "xxxxxx"
$subs = Get-AzSubscription
foreach($sub in $subs){
Set-AzContext -Subscription $sub.Id
#do the things you want e.g. $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query
}
This is just a sample, to make it work, also remember to loop the different $WorkspaceID in the script.
Need your help to find a runbook/automation script through which I could start/stop the VM's in Azure at a specific schedule & then in case we have to delay the shutdown schedule for a particular VM, it allows us to do so. Ideally, it should notify the end user, VM is going to shutdown in 30 min or so & gives option to delay the shutdown if need be.
Is there any existing runbook available in runbook gallary within automation account? Can anyone please advise or confirm?
You can simply do this by creating power shell runbook . This is for Starting VM for working hours. you can attached this to schedule inside workbook as required.
param (
[Parameter(Mandatory=$false)]
[String] $AzureConnectionAssetName = 'AzureRunAsConnection',
[Parameter(Mandatory=$false)]
[String] $ResourceGroupName = 'Your-VM-RG'
)
#Check for Weekends
$dayOfWeek = (Get-Date).DayOfWeek
if($dayOfWeek -eq 'Saturday' -or $dayOfWeek -eq 'Sunday'){
exit
}
# Get the connection
$Conn = Get-AutomationConnection -Name $AzureConnectionAssetName -ErrorAction Stop
$null = Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $Conn.TenantId `
-ApplicationId $Conn.ApplicationId `
-CertificateThumbprint $Conn.CertificateThumbprint `
-ErrorAction Stop `
-ErrorVariable err
if($err) {
throw $err
}
# Vet all VMs in the resource group
$VMs = Get-AzureRmVM -ResourceGroupName $ResourceGroupName
# Start each of the VMs
foreach ($VM in $VMs)
{
$StartRtn = $VM | Start-AzureRmVM -ErrorAction Continue
if ($StartRtn.IsSuccessStatusCode -ne $True)
{
# The VM failed to start, so send notice
Write-Output ($VM.Name + " failed to start")
Write-Error ($VM.Name + " failed to start. Error was:") -ErrorAction Continue
Write-Error (ConvertTo-Json $StartRtn) -ErrorAction Continue
}
else
{
# The VM stopped, so send notice
Write-Output ($VM.Name + " has been started")
}
}
I have three subscription in same tenant say Sub1, Sub2 and Sub3. I have created Automation Account is in Sub1 and my VMs are in Sub3. (Cant create Automation account in Sub3 due to some restrictions). I want to write a powershell script which will start Sub3 VM.
When I ran Get-AzureRmSubscription it is giving me only my current subscription i.e. Sub1
My azure automation script is as below -
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Get-AzureRmSubscription
# $context = Get-AzureRmSubscription -SubscriptionId {subId}
# Set-AzureRmContext $context
# Start-AzureRmVM -ResourceGroupName "ResourceName" -Name "VMName"
Can you please guide how can I go this?
Since your subscriptions are in the same tenant, you can directly assign an Azure RABC role to your Azure Automation connection(service principal ) in your Sub3. Then you can manage Azure resource in Sub3
For example
Get the Connection Application ID
Assign role
Connect-AzAccount
$sp=Get-AzADServicePrincipal -ApplicationId < the appId you copy>
Set-AzContext -SubscriptionId <the id of sub3>
#assign Contributor role to the connection at subsciprion level
New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionName Contributor
Test
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Get-AzureRmSubscription
Cloned a sample non classic runbook and attempted to set the subscription as default. This gives me following error:
Select-AzureSubscription : The subscription name {nameofsubscription} doesn't exist.
Parameter name: name
At step1_validate:18 char:18
+
+ CategoryInfo : CloseError: (:) [Select-AzureSubscription], ArgumentException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.SelectAzureSubscriptionCommand
How would it be possible to select or set a particular subscription as default? Below approaches throw above mentioned error:
Approach 1
Select-AzureSubscription -SubscriptionName $defaultSubscriptionname –Default
Get-AzureSubscription -SubscriptionId 123XXXXXXXXXXXXXXXXXX96eXX58 | Select-AzureSubscription
Approach 2
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select Azure Subscription:' -PassThru).Id
Select-AzureRmSubscription -SubscriptionId $subscriptionId
Trying : To get particular resource name and make configurational changes, or to use Get-Azurewebsite cmdlet, setting a subscription appears mandatory.
Note: Hoping adding Service Principal used in the automation account to default subscription might help, I also tried to add the ApplicationId to Access control of Subscription as contributor. Though my Runbook being mentioned here and WebApps are in same subscription. Reference: https://blogs.technet.microsoft.com/knightly/2017/05/26/using-azure-automation-with-multiple-subscriptions/#comment-1555 ( Scenario for me is both are in same subscription )
EDIT: Pasting Code
<#
This PowerShell script was automatically converted to PowerShell Workflow so it can be run as a runbook.
Specific changes that have been made are marked with a comment starting with “Converter:”
#>
<#
.DESCRIPTION
To watch php version old in app, and if found turn it off and apply 5.6
.NOTES
AUTHOR: HBala
LASTEDIT: Jan 04, 2018
#>
workflow step1_validate {
# Converter: Wrapping initial script in an InlineScript activity, and passing any parameters for use within the InlineScript
# Converter: If you want this InlineScript to execute on another host rather than the Automation worker, simply add some combination of -PSComputerName, -PSCredential, -PSConnectionURI, or other workflow common parameters (http://technet.microsoft.com/en-us/library/jj129719.aspx) as parameters of the InlineScript
inlineScript {
$connectionName = "AzureRunAsConnection"
$myResourceGroupName = "DevstorageRG"
$defaultSubscriptionname = "StandardDevStaging"
$newPhpVersion = "5.6"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
#Get all ARM resources from all resource groups
$ResourceGroups = Get-AzureRmResourceGroup
foreach ($ResourceGroup in $ResourceGroups)
{
Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)
if( $ResourceGroup.ResourceGroupName -eq $myResourceGroupName ){
$Resources = Find-AzureRmResource -ResourceGroupNameContains $ResourceGroup.ResourceGroupName | Select ResourceName, ResourceType
ForEach ($Resource in $Resources)
{
Write-Output ($Resource.ResourceName + " of type " + $Resource.ResourceType)
Write-Output ($Resource.ResourceName + " of type " + $Resource.ResourceType)
#Switch-AzureMode AzureServiceManagement
# Local powershell connects and works perfect with what I wanted to achieve.
# On Automation account, Runbook migration, it threw Azure subcription not set error for Set-AzureWebsite.
# so remove rest of the code and focused on few options to get the default as below
# which led me to post the thread.
#
# Approach 1
Select-AzureSubscription -SubscriptionName $defaultSubscriptionname –Default
Get-AzureSubscription -SubscriptionId 1238XXXXXXXXXXXe5XXXX8 | Select-AzureSubscription
# Approach 2
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select Azure Subscription:' -PassThru).Id
Select-AzureRmSubscription -SubscriptionId $subscriptionId
Write-Output ( "==============Subscription ID :===========")
Write-Output( $subscriptionId)
# Wants to update config / php version parameters.
Set-AzureWebsite -Name $Resource.ResourceName -HttpLoggingEnabled 1 -PhpVersion 5.6
# Had tried this as well which was suggested by Jason. But appears not working..
# looks like I have messed it up.
Get-AzureRmWebApp -ResourceGroupName $myResourceGroupName -Name $Resource.ResourceName
Set-AzureRmWebApp -ResourceGroupName $myResourceGroupName -Name $Resource.ResourceName -HttpLoggingEnabled 1 -PhpVersion 5.6
}
}
Write-Output ("Completed!#Line83")
}
}
}
Hoping adding the serviceprincipal type addition for the
automationaccount to default subscription might help
You are right, we can use Azure automation account connections to select subscription.
For example, we can new a connection and the type is Azure service principal.
like this:
Then use this powershell script to select the connection:
$connectionName = "jason"
try
{
# Get the connection "jason "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
In this way, we can use connection to select subscription.
By the way, we can follow this article to create service principal.