I am getting "Bad Request" error while transferring the nsg flow log to the storage account in different subscription. My script is working fine while using the storage account of same subscription.
$workspaceResourceId = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxx/resourcegroups/rg-log-mgmt-prd-westeurope-01/providers/microsoft.operationalinsights/workspaces/nbsapucscoms"
$workspaceGUID = "xxxxxxxxxxxxxxxxxx"
$workspaceLocation = "westeurope"
$n = Get-AzureRmNetworkSecurityGroup -ResourceGroupName rg-8kmiles-dfi-westeurope-01 -Name apitst-nsg
$NwName = 'NetworkWatcher_' + $n.Location
$NW = Get-AzureRmNetworkWatcher -ResourceGroupName NetworkWatcherRg -Name $NwName
#enter the storage account details.
$storageAccount="/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/rg-log-mgmt-prd-westeurope-01/providers/Microsoft.Storage/storageAccounts/nvsswelogmgmt001"
$flowLogStatus=Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $n.Id
if($false -eq $flowLogStatus.Enabled){
#Configure Version 2 FLow Logs with Traffic Analytics Configured
Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $n.Id `
-StorageAccountId $storageAccount -EnableFlowLog $true -EnableTrafficAnalytics `
-WorkspaceResourceId $workspaceResourceId -WorkspaceGUID $workspaceGUID `
-WorkspaceLocation $workspaceLocation -EnableRetention $true -RetentionInDays 365
#Query Flow Log Status
$flowLogStatus=Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $n.Id
write-verbose "$($n.Name) Nsg Flow Log Enabled : $($flowLogStatus.Enabled)" -verbose
}
The error which i am getting is this
Set-AzureRmNetworkWatcherConfigFlowLog : Operation returned an invalid status
code 'BadRequest'
At C:\Users\singhniu\Desktop\Pipeline\TestNsgFlowLog.ps1:22 char:5
+ Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $NW -Targe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmNetworkWatcherConfig
FlowLog], ErrorResponseException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.SetAzureNetwork
WatcherConfigFlowLogCommand
after debugging i came to know that i was using V1 storage account which does not support retention. for retention policy to be applied we need to upgrade it to V2.
bellow is the output after debugging.
Body:
{
"error": {
"code": "UnsupportedStorageAccountVersionWithRetention",
"message": "Storage /subscriptions/xxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/rg-lo
g-mgmt-prd-westeurope-01/providers/Microsoft.Storage/storageAccounts/nvss is a V1 st
orage account and with retention policy. Only V2 storage account are supported with retention po
licy. Read more -> aka.ms/LogsHelp",
"details": []
}
}
Related
I am trying to put in place a Azure Automation Runbook with the intent to purge all the cache when I change is made to a blob storage. So far, if I upload from azure portal 1 file that works just fine. But if I try to upload multiple file, some of them they just fail with the following error.
We can only accept 100 paths for purging concurrently. Please try again in a few minutes.
Here is the code I am using in the automation Runbook process:
param (
[Parameter (Mandatory = $false)]
[object] $WebHookData
)
## Authentication ##
# Runbook must authenticate to purge content
# Connect to Azure with RunAs account
$conn = Get-AutomationConnection -Name "AzureRunAsConnection"
# Connect to Azure Automation
$null = Add-AzAccount `
-ServicePrincipal `
-TenantId $conn.TenantId `
-ApplicationId $conn.ApplicationId `
-CertificateThumbprint $conn.CertificateThumbprint
## declarations ##
# Update parameters below
# CDN Profile name
$profileName = "<CDNProfileName>"
# CND Resource Group
$resourceGroup = "<Resource-Group>"
# CDN Endpoint Name
$endPointName = "<EndPointName>"
# Set Error Action Default
$errorDefault = $ErrorActionPreference
## Execution ##
# Convert Webhook Body to json
try {
$requestBody = $WebHookData.requestBody | ConvertFrom-json -ErrorAction 'stop'
}
catch {
$ErrorMessage = $_.Exception.message
write-error ('Error converting Webhook body to json ' + $ErrorMessage)
Break
}
# Convert requestbody to file path
try {
$ErrorActionPreference = 'stop'
$filePath = $requestBody.data.url -replace "https://<storageaccountname>.blob.core.windows.net",""
}
catch {
$ErrorMessage = $_.Exception.message
write-error ('Error converting file path ' + $ErrorMessage)
Break
}
finally {
$ErrorActionPreference = $errorDefault
}
# Run the purge command against the file
try {
Unpublish-AzCdnEndpointContent -ErrorAction 'Stop' -ProfileName $profileName -ResourceGroupName $resourceGroup `
-EndpointName $endPointName -PurgeContent '/*'
}
catch {
$ErrorMessage = $_.Exception.message
write-error ('Error purging content from CDN ' + $ErrorMessage)
Break
}
Anyone can help with this or clarify to me what could be the reason why the Purge is failing with that error ("BadRequest")
Thank you so much for your help
From the bottom of the article about CDN purge enpoint:
Purge requests take approximately 10 minutes to process with Azure CDN
from Microsoft, approximately 2 minutes with Azure CDN from Verizon
(standard and premium), and approximately 10 seconds with Azure CDN
from Akamai. Azure CDN has a limit of 100 concurrent purge requests
at any given time at the profile level.
There is a limit of 100 concurrent purge requests at any given time at the profile level.
I am receiving a failure while trying to download blob (JSON file) from Azure storage account from my Azure Automation account. It looks like an authorization issue.
This works on my local laptop, but does not work on Azure Automation Account. Does not work even if I make the container "public"
I have assigned OWNER privileges for the Automation accounts's service principle on the Resource Group (Automation account + Storage account stay in this RG) and specifically on the Storage Account as well:
Below is the code:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$config_file_resource_group_name = "vg-datalake-manjunath"
$config_file_storage_account_name = "datalakelog"
$primary_key = (Get-AzureRmStorageAccountKey -ResourceGroupName $config_file_resource_group_name -AccountName $config_file_storage_account_name).value[0]
$config_file_context = New-AzureStorageContext -StorageAccountName $config_file_storage_account_name -StorageAccountKey $primary_key
Get-AzureStorageBlobContent -Blob "mw_services.json" -Container "fwconfigfiles" -Destination "C:\temp\mw_services.json" -Context $config_file_context
get-content "C:\temp\mw_services.json" | write-output
ERROR:
Get-AzureStorageBlobContent : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error
Message: This request is not authorized to perform this operation.
At line:30 char:2
+ Get-AzureStorageBlobContent -Blob "mw_services.json" -Container "fwc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureStorageBlobContent], StorageException
+ FullyQualifiedErrorId :
StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.GetAzureStorageBlobContentCommand
The possible reason is that you may configure to selected networks to access.
If you enable this option, and whether you tick "allow trusted microsoft services to access", you would get this error, since automation is not listed under MS trusted services. see https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services.
I'm trying to do a runbook/webhook that return a status of machine. What I finally notices is that
Get-AzureRmVM
is only returning 2 resource groups. Where
Get-AzureRmResource
Does return many more but not all of them again!
I'm sure about my Resource Group Name but still it says resource group 'groupName' could not be found. when I try to run with specific name
Get-AzureRmVM -ResourceGroupName groupName
While my other start and stop runbook works just fine, so i'm confused I can't see the difference between the groups.
PS: I'm using Azure Run As Connection
param
(
[Parameter (Mandatory = $false)]
[object] $WebhookData
)
if ($WebhookData) {
$vms = (ConvertFrom-Json -InputObject $WebhookData.RequestBody)
Write-Output "Authenticating to Azure with service principal and certificate"
$ConnectionAssetName = "AzureRunAsConnection"
Write-Output "Get connection asset: $ConnectionAssetName"
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
if ($Conn -eq $null)
{
throw "Could not retrieve connection asset: $ConnectionAssetName. Check that this asset exists in the Automation account."
}
Write-Output "Authenticating to Azure with service principal."
Add-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint | Write-Output
# Start each virtual machine
foreach ($vm in $vms)
{
$vmName = $vm.Name
Write-Output "Checking $vmName"
$vmstatus = Get-AzureRmVM -Name $vm.Name -ResourceGroupName $vm.ResourceGroup -Status# | Select-Object -ExpandProperty StatusesText | ConvertFrom-Json
#select code index and convert to $vmpowerstate
$vmPowerState = $vmstatus#[1].Code
#Write-Output "Resource Group: $vmResourceGroupName", ("VM Name: " + $VM.Name), "Status: $VMStatusDetail" `n
Write-Output ("VM Name: " + $vmName), "Status: $vmPowerState" `n
}
}
else {
write-Error "This is webhook only."
}
Because your resource groups are in the different subscriptions.
As #et3rnal mentioned,
I have 2 subscriptions and Get-AzureRmVM returning 2 vms only because the rest are classics. The automation account I created this runbook at is the other one and I can see that in the overview? its the same one I use to start/stop machines in the other subscription!
Update:
If you want to get the PowerState of the VM, you could try the command below, in your case, just put it in the loop, the $PowerState is the PowerState.
$status = Get-AzureRmVM -Name <VM Name> -ResourceGroupName <Resource Group Name> -Status
$PowerState = ($status.Statuses | Where-Object {$_.Code -like "PowerState/*"}).DisplayStatus
Update2:
1.For the classic VM, we need to use azure ASM powershell module command, you could try Get-AzureVM, may be the Example 3: Display a table of virtual machine statuses in that link will help.
2.Another option is to migrate the classic VM(ASM) to ARM, then use the ARM command Get-AzureRmVM.
References:
Platform-supported migration of IaaS resources from classic to Azure Resource Manager
Migrate IaaS resources from classic to Azure Resource Manager by using Azure PowerShell
I'm having issues executing a runbook aon a subscription in a different tenant.
This is what I have done so far:
1) Created a keyvault cert.
2) Exported .cer and .PFX of certificate.
3) Created a Service Principal on the rpgorch-aad account (300eab96-4619-4b6b-af42-8eb66506ab04)
4) Created a connection in Automation with that service principal's information
5) Uploaded password protected PFX to Automation certificate store
First, a working example from within the same tenant:
$connectionName = 'AzureRunasConnection'
"Getting Azure Connection $connectionName"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure using Add-AzureRmAccount"
Add-AzureRmAccount -ServicePrincipal `
-Tenant $servicePrincipalConnection.TenantID `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -Verbose
"Setting Context with Set-AzureRmContext"
Set-AzureRmContext -Tenant $servicePrincipalConnection.TenantID -SubscriptionId $servicePrincipalConnection.SubscriptionId -Verbose
"Writing Output of the Service Principal Connection"
write-output $servicePrincipalConnection
"Testing getting resource groups."
Get-AzureRmResourceGroup
Results:
Getting Azure Connection AzureRunasConnection
Logging in to Azure using Add-AzureRmAccount
PSComputerName : localhost
PSSourceJobInstanceId : Redacted
Environments : {AzureCloud, AzureChinaCloud, AzureUSGovernment}
Context : Microsoft.Azure.Commands.Profile.Models.PSAzureContext
Setting Context with Set-AzureRmContext
PSComputerName : localhost
PSSourceJobInstanceId : Redacted
Account : Redacted
Environment : AzureCloud
Subscription : Redacted
Tenant : Redacted
Writing Output of the Service Principal Connection
Name Value
---- -----
SubscriptionId Redacted
TenantId Redacted
ApplicationId Redacted
CertificateThumbprint Redacted
Testing getting resource groups.
PSComputerName : localhost
PSSourceJobInstanceId : Redacted
ResourceGroupName : Redacted
Location : eastus
Resources :
ResourcesTable :
ProvisioningState : Succeeded
Tags : {}
TagsTable :
ResourceId : /subscriptions/Redacted/resourceGroups/Redacted
Now the SAME code, but for the other tenant.
$connectionName = 'Redacted'
"Getting Azure Connection"
$connectionName
$Conn = Get-AutomationConnection -Name $connectionName
"Logging in to Azure using Add-AzureRmAccount"
Add-AzureRmAccount -ServicePrincipal `
-Tenant $Conn.TenantID `
-ApplicationId $Conn.ApplicationId `
-CertificateThumbprint $Conn.CertificateThumbprint -Verbose
"Setting Context with Set-AzureRmContext"
Set-AzureRmContext -Tenant $Conn.TenantID -SubscriptionId $Conn.SubscriptionId -Verbose
"Selecting subscriptionID "
$Conn.SubscriptionID
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
"Testing getting resource groups."
Get-AzureRmResourceGroup
Results:
Getting Azure Connection
RPGOrchResourceManagement
Logging in to Azure using Add-AzureRmAccount
Results:
PSComputerName : localhost
PSSourceJobInstanceId : Redacted
Environments : {AzureCloud, AzureChinaCloud, AzureUSGovernment}
Context : Microsoft.Azure.Commands.Profile.Models.PSAzureContext
Setting Context with Set-AzureRmContext
Set-AzureRmContext : Provided subscription Redacted does not exist
At ManageSingleVM:52 char:52
+
+ CategoryInfo : CloseError: (:) [Set-AzureRmContext], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand
PSComputerName : localhost
PSSourceJobInstanceId : Redacted
Environments : {AzureCloud, AzureChinaCloud, AzureUSGovernment}
Context : Microsoft.Azure.Commands.Profile.Models.PSAzureContext
Setting Context with Set-AzureRmContext
Set-AzureRmContext : Provided subscription Redacted does not exist
At ManageSingleVM:52 char:52
+
+ CategoryInfo : CloseError: (:) [Set-AzureRmContext], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand
I figured out the answer to this. For anyone else looking, I needed to run this command on the Application ID:
New-AzureRMRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $ApplicationId | Write-Verbose -ErrorAction SilentlyContinue
For a given Azure subscription I want to assign custom role to Service Principal. In order to achieve this, I first check if the custom role definition exists in the subscription. If the role does not exists I update the role definition's assignable scope to include this subscription. I am facing 'RoleDefinitionDoesNotExist' error intermittently when I try to assign role. How do I fix this?
My code:
$roleDef = Get-AzureRmRoleDefinition -Name $azureRmRole
if($roleDef -eq $null)
{
Select-AzureRmSubscription -SubscriptionName $prodSubscription
#Role definition exists in $prodSubscription
$newRole = Get-AzureRmRoleDefinition -Name $azureRmRole
#$scope = '/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
$newRole.AssignableScopes.Add($scope)
$def = Set-AzureRmRoleDefinition -Role $newRole
# I have verified that role definition is updated
}
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId $SPNid -Scope $scope
Error:
New-AzureRmRoleAssignment : The specified role definition with ID 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' does not exist.
At C:\Untitled1.ps1:71 char:1
+ New-AzureRmRoleAssignment -RoleDefinitionName $azureRmRole -ObjectId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
You should define your custom role like below:
{
"Name": "Virtual Machine Power Manager",
"IsCustom": true,
"Description": "Can monitor, stop, start and restart v2 ARM virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/c25b1c8e-xxxx-1111-abcd-1a12d7012123"
]
}
According to your description, you role's definition maybe wrong, you had better check it.
If you want to give custom role to a service principal, please try to use the following cmdlet.
New-AzureRmRoleAssignment -ServicePrincipalName "https://shuiweb.azurewebsites.net" `
-RoleDefinitionName 'Virtual Machine Power Manager' `
-Scope '/subscriptions/*******'
The blog:AZURE AUTOMATION RUNBOOKS WITH AZURE AD SERVICE PRINCIPALS AND CUSTOM RBAC ROLES will be helpful.