I'm using below script to create a storage account, Key Vault and ADF. I would also like to enable diagnostic logging on both Storage account and Key Vault. Script runs fine and creates the resources however it does not enable the diagnostic logs for KV and Storage account. Would appreciate if you can help.
$subscription="Azure subscription 1"
$rgName = "Test"
$location = "eastus"
$storageaccountName = "tempaccountlogs"
$adfName = "tempdpadf"
$department = "Testtemp"
$kvname = "kvnamAkbt"
$sa = New-AzStorageAccount -ResourceGroupName $rgName -AccountName $storageaccountName -Location $location -SkuName Standard_LRS -Kind BlobStorage -AccessTier Hot -Tag #{department=$department}
$DataFactory = Set-AzDataFactoryV2 -Name $adfName -ResourceGroupName $rgName -Location $location -Tag #{chargecode=$chargeCode;department=$department;environment=$environment;project=$project}
$kv = New-AzKeyVault -VaultName $kvname -ResourceGroupName $rgName -Location $location
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Categories AuditEvent
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90
The problem with your script is that it gives error:
A parameter cannot be found that matches parameter name 'Categories'.
You are using "Categories" parameter instead of "Category". If you check this documentation correct parameter is -Category, use this as shown below:
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -RetentionEnabled $true -RetentionInDays 90
To enable logging for storage account, Please look at this documentation.
$diagname = "storage logs"
$ErrorActionPreference = "SilentlyContinue"
Import-Module -Name Az
Import-Csv "$home\azuresubscription.csv" |`
ForEach-Object{
#CentralLogAnalytics
$workspaceid = "your central logging resource id - exact object"
Select-AzSubscription -Subscription $_.Name
$storageAccounts = Get-AzStorageAccount | Select-Object Id
foreach ($stor in $storageAccounts)
{
Set-AzDiagnosticSetting -Name $diagname -ResourceId $stor.Id -WorkspaceId $workspaceid -Enabled $true
$blobid = -join($stor.id,"/blobServices/default")
$fileid = -join($stor.id, "/fileServices/default")
$queueid = -join($stor.id, "/queueServices/default")
$tableid = -join($stor.id, "/tableServices/default")
$resourcetypeid = #($blobid, $fileid, $queueid, $tableid)
foreach ($item in $resourcetypeid)
{
Set-AzDiagnosticSetting -Name $diagname -ResourceId $item -WorkspaceId $workspaceid -Enabled $true
}
}
}
Prerequisite:
The script expects a list of azure subscription in a CSV file. Putting in CSV is best to easy test in NonProd subscriptions. An object of the subscriptions can also be provided here.
Functionality:
This will enable the metrics for blob, queue, file, and table and at the parent level as well.
You should include -WorkspaceId parameter in the cmd. See reference here.
My example which runs successfully:
set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent -WorkspaceId {resource id of the Log Analytics workspace}
For how to create a Log Analytics workspace, please refer to Create workspace.
Update:
For how to enable diagnostic logs for ADF, please refer to this sample:
$ws = Get-AzOperationalInsightsWorkspace -Name "testLAW" -ResourceGroupName "test"
$DataFactory = Set-AzDataFactoryV2 -ResourceGroupName "test" -Name "testADF" -Location "WestUS"
set-AzDiagnosticSetting -ResourceId $DataFactory.DataFactoryId -Enabled $true -WorkspaceId $ws.ResourceId
Related
I try to setup and deploy Azure Function by using PowerShell script based on this topic: Setup Azure Function from PowerShell
My script looks like this:
#=============Defining All Variables=========
$location = 'Central US'
$resourceGroupName = 'MyResourceGroup'
$subscriptionId = 'MysubscriptionId'
$functionAppName = 'MyfunctionAppName'
$appServicePlanName = 'ASP-test-8b50'
$tier = 'Dynamic'
$archivePath = 'd:\TestAzureFunc.zip'
Connect-AzAccount
#========Creating Azure Resource Group========
$resourceGroup = Get-AzResourceGroup | Where-Object { $_.ResourceGroupName -eq $resourceGroupName }
if ($resourceGroup -eq $null)
{
New-AzResourceGroup -Name $resourceGroupName -Location $location -force
}
#selecting default azure subscription by name
Select-AzSubscription -SubscriptionID $subscriptionId
Set-AzContext $subscriptionId
#========Creating App Service Plan============
New-AzAppServicePlan -ResourceGroupName $resourceGroupName -Name $appServicePlanName -Location $location -Tier $tier
$functionAppSettings = #{
ServerFarmId="/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/serverfarms/$appServicePlanName";
alwaysOn=$True;
}
#========Creating Azure Function========
$functionAppResource = Get-AzResource | Where-Object { $_.ResourceName -eq $functionAppName -And $_.ResourceType -eq "Microsoft.Web/Sites" }
if ($functionAppResource -eq $null)
{
New-AzResource -ResourceType 'Microsoft.Web/Sites' -ResourceName $functionAppName -kind 'functionapp' -Location $location -ResourceGroupName $resourceGroupName -Properties $functionAppSettings -force
}
#========Defining Azure Function Settings========
$AppSettings =#{}
$AppSettings =#{'FUNCTIONS_EXTENSION_VERSION' = '~2';
'FUNCTIONS_WORKER_RUNTIME' = 'dotnet';}
Set-AzWebApp -Name $functionAppName -ResourceGroupName $resourceGroupName -AppSettings $AppSettings
#========Deploy Azure Function from zip========
Publish-AzWebapp -ResourceGroupName $resourceGroupName -Name $functionAppName -ArchivePath $archivePath
The script works without errors. Resource group and Function App created as needed. But the list of functions of the Function App is empty.
Function details here:
My intuition tells me that I've forgotten something. But I don't know what.
Could you advise me on how to deploy my Azure function properly?
One of the workaround you can follow ,
Looking at your script we need to ensure that we are providing function app configuration as below cmdlts the link you followed:-
$AzFunctionAppSettings = #{
APPINSIGHTS_INSTRUMENTATIONKEY = $AppInsightsKey;
AzureWebJobsDashboard = $AzFunctionAppStorageAccountConnectionString;
AzureWebJobsStorage = $AzFunctionAppStorageAccountConnectionString;
FUNCTIONS_EXTENSION_VERSION = "~4";
FUNCTIONS_WORKER_RUNTIME = "dotnet";
}
And also make sure that the storage account connection string you provided in the function is same as here providing.
And then you can navigate to Kudu API to check the wwwroot folder is exist or not.
For more information please refer the below links:-
SO THREAD|Powershell command Publish-AzWebApp not publishing apllication
BLOG|How to Deploy Azure Function Apps With Powershell.
I've been trying to run a script to create a lock on azure resource to prevent resources being deleted inadvertently.
I get an error message and I can't figure out why it's showing me this error message.
Script:
#Sign in to Azure account
Login-AzAccount
#Select the subscription you want to work on
Select-AzSubscription -Subscription "test.subscription"
#Get All Resources in a resource group
$Resources = Get-AzResource -ResourceGroupName dummy_rg | Format-Table
# Create lock "delete" on each Resource if it doesn't exist
foreach($Resource in $Resources) {
$ResourceName = $Resource.Name
$lck = Get-AzResourceLock -ResourceGroupName $Resource.ResourceGroupName -ResourceName $ResourceName -ResourceType $Resource.ResourceType
if ($null -eq $lck)
{
Write-Host "$ResourceName has no lock"
New-AzResourceLock -resourceGroupName $rg -ResourceName $ResourceName -ResourceType $Resource.ResourceType -LockName "$ResourceName-lck" -LockLevel CanNotDelete -Force
Write-Host "$ResourceName has been locked"
}
else
{
Write-host "$ResourceName already locked"
}
}
Error message:
Gaurav request result:
#Start logging
Start-Transcript -Path "C:\Windows\Logs\Lock - $(((get-date).ToUniversalTime()).ToString("yyyy-MM-dd_hh-mm-ss")).log" -Force
#Connect to Azure account
Login-AzAccount
#Select Azure subscription
Set-AzContext -Subscription "subscription_id_numbers"
#Deny rule on Azure Data Factory and Azure Machine Learning
$Resources = Get-AzResource | Where-Object {$_.Name -NotLike '*adf*' -and $_.Name -NotLike '*aml*'}
# Create lock "delete" on each Resource if it doesn't exist
foreach($Resource in $Resources) {
$ResourceName = $Resource.Name
$lck = Get-AzResourceLock -ResourceGroupName $Resource.ResourceGroupName -ResourceName $ResourceName -ResourceType $Resource.ResourceType
if ($lck -eq $null)
{
Write-Host "$ResourceName has no lock"
Set-AzResourceLock -ResourceGroupName $Resource.ResourceGroupName -ResourceName $ResourceName -ResourceType $Resource.ResourceType -LockName "$ResourceName-lck" -LockLevel CanNotDelete -Force
Write-Host "$ResourceName has been locked"
}
else
{
Write-host "$ResourceName already locked"
}
}
#Stop Logging
Stop-Transcript
This will loop on every ressources except azure data factory in the tenant and create a "delete" type lock to make sure resources aren't deleted inadvertently.
Read comments in each section to understand the code.
I am trying to write a PowerShell script to enable Diagnostic settings for Azure Storage Accounts and send the logs to log analytics. For each storage account you can enable diagnostic for the storage account itself, blob, queue, table and file. I need to enable it for all 5 and configure to log read, write and delete, then send these logs to a Log Analytic workspace.
Here is a quick screenshot of the settings I want to enable.
I found couple examples on how to enable diagnostic using set-azdiagnosticsetting but they don't seem to work.
Set-AzDiagnosticSetting -ResourceId "Resource01" -Enabled $True
Set-AzDiagnosticSetting: Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status code:Forbidden, Reason phrase: Forbidden
Next tried a different set of script, Create the metric, settings then apply. This example was also obtained from the reference link below.
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId -WorkspaceId $WorkspaceId -Setting $metrics
Set-AzDiagnosticSetting -InputObject $setting
The only reference I found was:
https://learn.microsoft.com/en-us/powershell/module/az.monitor/set-azdiagnosticsetting?view=azps-6.0.0
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=PowerShell
Any one have better references or experience doing this??
The storage account and each storage(blob, file, queue, table) have different resource ids, so you need to use a loop to set the DiagnosticSettings for them, just use the script below, replace the values of yours, it works fine on my side.
$ResourceId = "/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joystoragev2"
$WorkspaceId = "/subscriptions/xxx/resourcegroups/xxx/providers/microsoft.operationalinsights/workspaces/joyana"
$DiagnosticSettingName = "testdia123"
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $ResourceId -WorkspaceId $WorkspaceId -Setting $metric
Set-AzDiagnosticSetting -InputObject $setting
$metric = New-AzDiagnosticDetailSetting -Metric -RetentionEnabled -Category AllMetrics -Enabled
$readlog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageRead -Enabled
$writelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageWrite -Enabled
$deletelog = New-AzDiagnosticDetailSetting -Log -RetentionEnabled -Category StorageDelete -Enabled
$Ids = #($ResourceId + "/blobServices/default"
$ResourceId + "/fileServices/default"
$ResourceId + "/queueServices/default"
$ResourceId + "/tableServices/default"
)
$Ids | ForEach-Object {
$setting = New-AzDiagnosticSetting -Name $DiagnosticSettingName -ResourceId $_ -WorkspaceId $WorkspaceId -Setting $metric,$readlog,$writelog,$deletelog
Set-AzDiagnosticSetting -InputObject $setting
}
My liquid files are in git_hub repo and I want to upload liquid files in an integration account via powershell or cli
I'm using "New-AzResource"
New-AzResource -Location $ResourceLocation -PropertyObject $PropertiesObject -ResourceGroupName $ResouceGroupname -ResourceType Microsoft.Logic/integrationAccounts/maps -ResourceName "$IntegrationAccountName/$ResourceName" -ApiVersion 2016-06-01 -Force
Login-AzureRmAccount
$IntegrationAccountName = "Integration Account name"
$ResouceGroupname = "ResourcegroupName"
$ResourceLocation = "westus" # location
$ResourceName = "liquid name"
$Content = Get-Content -Path "C:\Tom\simple.liquid" | Out-String
Write-Host $Content
$PropertiesObject = #{
mapType = "liquid"
content = "$Content"
contentType = "text/plain"
}
New-AzureRmResource -Location $ResourceLocation -PropertyObject $PropertiesObject -ResourceGroupName $ResouceGroupname -ResourceType Microsoft.Logic/integrationAccounts/maps -ResourceName " $IntegrationAccountName/$ResourceName" -ApiVersion 2016-06-01 -Force
source: https://stackoverflow.com/a/49063466/1384539
In powershell and using the new-azwebapp to create a website in our app service plan. But it only ever seems to create a type of app
I'm trying to create it with the type of api like you can when you select from the Azure Portal UI, but I can't see a setting in the configuration to do this.
After creating I set the AppSettings and then try to update the Type, but it doesn't seem to matter.
Hoping that I'm missing something simple.
$siteName = "namegoeshere"
$sitePlan = "myplanname"
$siteLocation = "Australia East"
$siteResourceGroup = "resourcegroupname"
$createdSite = new-azWebApp -Name $siteName -ResourceGroupName $siteResourceGroup -AppServicePlan $sitePlan -Location $siteLocation
$newAppSettings = #{ "name"="value"}
Set-AzWebApp -Name $siteName -ResourceGroupName $siteResourceGroup -AppSettings $newAppSettings -AppServicePlan Grower #-PhpVersion 0
$p = #{ 'type' = "api" }
$r = Set-AzResource -Name $siteName -ResourceGroupName $siteResourceGroup -ResourceType Microsoft.Web/sites -PropertyObject $p -ApiVersion 2016-03-01 -Kind "app"
echo $r.Properties
The type api is not set with type, in the New-AzureRmResource parameters there is a parameter to set it, it's [-Kind <String>]. You could check it here.
Here is an example.
# CREATE "just-an-api" API App
$ResourceLocation = "West US"
$ResourceName = "just-an-api"
$ResourceGroupName = "demo"
$PropertiesObject = #{
# serverFarmId points to the App Service Plan resource id
serverFarmId = "/subscriptions/SUBSCRIPTION-GUID/resourceGroups/demo/providers/Microsoft.Web/serverfarms/plan1"
}
New-AzureRmResource -Location $ResourceLocation `
-PropertyObject $PropertiesObject `
-ResourceGroupName $ResourceGroupName `
-ResourceType Microsoft.Web/sites `
-ResourceName "just-an-api/$ResourceName" `
-Kind 'api' `
-ApiVersion 2016-08-01 -Force