I am trying to enable diagnostic settings on existing automation accounts in different subscriptions.
So far my script exist out of the following topics.
Retrieve all Automation Accounts
Loop through every single on of them.
Change the value of the parameters in the ARM template to the value of the retrieved automation account
Deploy the ARM template that enable diagnostic settings on that specific automation account.
{
"name": "[parameters('AutomationAccountName')]",
"type": "Microsoft.Automation/automationAccounts",
"apiVersion": "2015-10-31",
"properties": {
"sku": {
"name" : "Basic"
}
},
"location": "[parameters('location')]",
"resources": [
{
"type": "providers/diagnosticSettings"
Enabling all sort of logs in the diagnostic settings ..
This works fine.
But the problem I am facing right now is that the sku is set to basic right here. But I can't be sure that is the case to every single automationaccount I retrieve with the get-AzAutomationAccount command.
I have searched to get the plan value from the get-AzAutomationAccount and save this inside the ARM template but seems to be empty.
Is there any other way to retrieve the sku of each Azure Automation account.
ALSO the SKU object normally is not required if I read the official doc of Microsoft. But whenever I delete the sku object or leave it empty the deployment fails.
Is there anyone who know how to fix this ?
The command Get-AzAutomationAccount will not return the sku property, it just returns the Plan.
If you want to get the sku, you could use the command as below.
$sku = (Get-AzResource -ResourceGroupName "<resource group name>" -ResourceType Microsoft.Automation/automationAccounts -ResourceName "<automation account name>").properties.sku
$sku | ConvertTo-Json
Related
How to link an existing B2C tenant programatically via Azure CLI? Running this line:
az resource create --resource-group <rg> --resource-type Microsoft.AzureActiveDirectory/b2cDirectories --name <tenant>.onmicrosoft.com --location Europe --properties "{\"tenantId\": \"<tenantId>\", \"sku\": { \"name\": \"Standard\", \"tier\": \"A0\" } }"
Returns BadRequestError: The 'sku' property is required for creating a b2c directory resource but it is there
The ARM "B2C Link Resource" looks like this:
{
"type": "Microsoft.AzureActiveDirectory/b2cDirectories",
"apiVersion": "2017-01-30",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"tags": {},
"sku": {
"name": "Standard",
"tier": "A0"
},
"properties": {
"tenantId": "[parameters('tenantId')]"
}
}
Further Information:
I have tried different variations regarding the sku portion such as leaving it out completely or moving it as a dedicated parameter --sku Standard etc but none of them seem to work
Removing an existing link via az resource delete --ids /subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.AzureActiveDirectory/b2cDirectories/<tenant>.onmicrosoft.com works perfectly fine
Why do we need this? We automate our infra deployment with Terraform. We're aware of the limitations automating B2C tenants (see here, here or here) so we aim for removing/adding the b2c link via pipeline to at least keep the subscription clean on destroying/applying infra.
Linking an existing B2C tenant via Azure Portal looks like this
Any advice appreciated. Thanks for your help!
I don't think Azure CLI currently can have the ability to manage B2C tenants.
As you are aware already, there is a detailed discussion done https://github.com/Azure/azure-cli/issues/12058
Other Programmatic Approach:
I had captured Fiddler Traces to understand the flow / or the endpoint that is responsible. I was able point to the below endpoint. I was checking for the create a new Azure B2C Tenant.
PUT https://management.azure.com/subscriptions/SUBSCRIBTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.AzureActiveDirectory/b2cDirectories/contosoorganiztion.onmicrosoft.com?api-version=2019-01-01-preview
{"location":"United States","sku":{"name":"Standard","tier":"A0"},"properties":{"createTenantProperties":{"displayName":"Contoso Organization","countryCode":"US"}}}
However, I was not able to check the "Link to existing the Tenant" (for your requirement) option at my end due to permissions at my end. But I am assuming there should be a similar endpoint responsible for the same. You could capture Fiddler traces with Https decrypted (or any tool that will help capturing the decrypted HTTPS Traffic), trying to link an existing tenant to understand the endpoint and the request body.
Note :
Keep mind this API/endpoint is not supported and subject to change thus not recommended for production environments:
You will need access token in order to hit the endpoint.
To obtain token, resource id of the Azure portal would be :74658136-14ec-4630-ad9b-26e160ff0fc6
az account get-access-token --resource 74658136-14ec-4630-ad9b-26e160ff0fc6
I am needing to check when a key vault (not a key) was created in Azure. Keyvault show does not seem to get me that info. Can anyone point me in the right direction?
az keyvault show --name
thanks
You could use az group deployment show to get the deployment of the keyvault in the resource group, the timestamp is that you want.
az group deployment show --name <keyvualt-name> --resource-group <resource-group-name>
Note: The command above just works for the keyvault created in the portal or via ARM template(need change the name parameter), if you use the powershell or cli command to create the keyvault, there is no deployment information in the group, the option is to use az monitor activity-log list to get the logs of your group, but the log is existing just for 90 days, and the operation will just appear as Update Key vault, so we could not know whether it’s Create or Update actually.
You have to call the REST API directly to get this functionality. You can list resources of type Microsoft.KeyVault/vaults and use $expand=createdTime. See https://learn.microsoft.com/en-us/rest/api/resources/resources/list for more info.
Here is an example at subscription scope, but you can also do it at resource group scope if you know where your target Key Vault exists.
az rest --method GET --uri "https://management.azure.com/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resources?$expand=createdTime&$filter=resourceType eq 'Microsoft.KeyVault/vaults'&api-version=2020-06-01"
{
"value": [
{
"createdTime": "2019-11-07T22:02:10.6437781Z",
"id": "/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resourceGroups/CSSAutomation-xxx/providers/Microsoft.KeyVault/vaults/CSSAutomationVault-xxx",
"location": "centralus",
"name": "CSSAutomationVault-xxx",
"resourceGroup": "CSSAutomation-xxx",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
},
{
"createdTime": "2019-11-04T14:57:25.8974771Z",
"id": "/subscriptions/1237f4d2-3dce-4b96-ad95-677f764e7123/resourceGroups/rgKeyVault/providers/Microsoft.KeyVault/vaults/KeyVaultTestyyy",
"location": "northcentralus",
"name": "KeyVaultTestyyy",
"resourceGroup": "rgKeyVault",
"tags": {},
"type": "Microsoft.KeyVault/vaults"
}
]
}
I have sample ARM template given below. The fields subscription, resource group and location are provided in first section ARM template to user while deploying and parameters section is provided after this. Resource group is drop down field provided by Azure ARM itself, where I need to provide any one resource group as default resource group present in list. How can this possible?
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"writePermission": {
"defaultValue": "No",
"allowedValues": [
"No",
"Yes"
],
"type": "String",
"metadata": {
"description": "the permission type"
}
}
},
"variables": {
"location": "[resourceGroup().location]",
"templateUri": "[deployment().properties.templateLink.uri]"
},
"resources": [
],
"outputs": {
"result": {
"type": "String",
"value": "[variables('templateUri')]"
}
}
}
This is how template is rendered.
Expected solution:
Instead of blank value in resource group, it should be pre-populated with first field from drop-down of resource group.
A deployment with ARM templates is always providing the deployment resource group outside the template. A deployment is always based in a resource group that you provide as a parameter outside the template. The name of the command to deploy using PS is: New-AzResourceGroupDeployment indicating that you have the provided resource group as a base and the argument to choose the Resource Group is named: -ResourceGroup
So basically you can't choose the base resource group inside your ARM template since that's provided outside for the API to know where to start the deployment.
This is the PS command to do the deployment:
New-AzResourceGroupDeployment
[-Name <String>]
-ResourceGroupName <String>
[-Mode <DeploymentMode>]
[-DeploymentDebugLogLevel <String>]
[-RollbackToLastDeployment]
[-RollBackDeploymentName <String>]
[-Tag <Hashtable>]
[-WhatIfResultFormat <WhatIfResultFormat>]
[-WhatIfExcludeChangeType <String[]>]
[-Force]
[-AsJob]
-TemplateFile <String>
[-SkipTemplateParameterPrompt]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
The PS command is using the ARM Rest API which is the same API used by the Azure Portal, looking at the Rest API you can also see that ResourceGroup is a parameter that needs to be provided outside the ARM template:
https://learn.microsoft.com/en-us/rest/api/resources/deployments/createorupdate
So what I'm saying is that you can't use the template to manipulate the drop down box for the base Resource Group, the only way you can do this is by limiting the access for the users using RBAC so that the user only can see the resource groups the user is supposed to be able to deploy to.
I am trying to configure a VPN in Azure Powershell following the procedure here. When running the following command
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name <myconnectionname> -ResourceGroupName <myresourcegroupname>
I receive the error
Get-AzVirtualNetworkGatewayConnection: Resource group '' could not be found.
But when I run the command:
az group show --name "<myresourcegroupname>"
The return value is the object description of the resource group:
> {
> "id": "/subscriptions/<active subscription id>/resourceGroups/<myresourcegroupname>",
> "location": "<mylocation>",
> "managedBy": null,
> "name": "<myresourcegroupname>",
> "properties": {
> "provisioningState": "Succeeded" },
> "tags": null,
> "type": "Microsoft.Resources/resourceGroups"
>}
Clearly, the resource group exists and is accessible to powershell through the active subscription (and I confirmed that the active subscription does contain this resource group).
How can I properly identify the resource group for this command to run?
Thank you to the people who commented. I ended up speaking with Azure support -- the network engineer initially ran into the same problem, and tried a few different options.
Ultimately, the solution ended up being fairly simple, as the issue was the fact that multiple subscriptions were under the account. The solution was just to run
Select-azsubscription -SubscriptionID <subscriptionid>
with the proper parent subscription id. As #Joy Wang suggested, updating all the cmdlets to the newer az versions also helped clear up errors.
Is there any way to retrieve the Instrumentation Key for an Application Insights instance in an Azure Resource Group template ?
I've tried the instructions here to retrieve the list of list* operations available on Azure resources, but Microsoft.Insights/components doesn't appear in the list anywhere. It's making me think that retrieving an Instrumentation Key in the template isn't currently possible
After some digging and experimenting, this is what I found works:
"outputs": {
"MyAppInsightsInstrumentationKey": {
"value": "[reference(resourceId('Microsoft.Insights/components', variables('myAppInsightsInstanceName')), '2014-04-01').InstrumentationKey]",
"type": "string"
}
}
Try it (using azure cli)
az resource show -g $RESOURCE_GROUP -n $APP_INSIGHTS --resource-type "microsoft.insights/components" --query properties.InstrumentationKey
Instrumentation Key belongs to resource, you can find it in Azure Resource manager template. If you want to find Instrumentation Key, you need to define ResourceType to Microsoft.Insights/components. Try the below code:
$resourcevalue=Get-AzureRmResource -ResourceGroupName Default-ApplicationInsights-*** -ResourceType Microsoft.Insights/components -ResourceName **hdinsights -ApiVersion 2015-05-01
$resourcevalue.Properties.InstrumentationKey