Can I run PowerShell scripts through an ARM template? - azure

I want to run PowerShell scripts to create users and user groups in Azure AD. Is it possible to call PS scripts in an ARM template?

Update:
Now it is possible to do some operations with a new feature (still in Preview)
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template
Use deployment scripts in templates (Preview)
Learn how to use deployment scripts in Azure Resource templates. With a new resource type called Microsoft.Resources/deploymentScripts, users can execute deployment scripts in template deployments and review execution results. These scripts can be used for performing custom steps such as:
add users to a directory
create an app registration
perform data plane operations, for example, copy blobs or seed database
look up and validate a license key
create a self-signed certificate
create an object in Azure AD
look up IP Address blocks from custom system
The benefits of deployment script:
Easy to code, use, and debug. You can develop deployment scripts in your favorite development environments. The scripts can be embedded in templates or in external script files.
You can specify the script language and platform. Currently, only Azure PowerShell deployment scripts on the Linux environment are supported.
Allow specifying the identities that are used to execute the scripts. Currently, only Azure user-assigned managed identity is supported.
Allow passing command-line arguments to the script.
Can specify script outputs and pass them back to the deployment.
Remember that ARM templates should be idempotent. You should write code that can be executed multiple times, even on environments where your code was already executed.
For example, if you are going to configure a setting or create a resource, your PowerShell should probably check whether the resource is already in place and properly configured.
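As an added example (not from the answer above or from Microsoft's documentation), here is a minimal template using the Microsoft.Resources/deploymentScripts resource it describes: the embedded Azure PowerShell script creates an Azure AD group only if one with that display name does not already exist, so re-running the deployment is safe, and it hands the group's object id back through the script outputs. It assumes a user-assigned managed identity (resource id passed as identityId) that already holds the directory permissions needed to read and create groups, and a group name without spaces so the arguments string splits cleanly.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "groupName": { "type": "string" },
    "identityId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2019-10-01-preview",
      "name": "ensure-aad-group",
      "location": "[resourceGroup().location]",
      "kind": "AzurePowerShell",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": { "[parameters('identityId')]": {} }
      },
      "properties": {
        "azPowerShellVersion": "3.0",
        "arguments": "[concat('-GroupName ', parameters('groupName'))]",
        "scriptContent": "[concat('param([string]$GroupName); ', '$g = Get-AzADGroup -DisplayName $GroupName; ', 'if (-not $g) { $g = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName }; ', '$DeploymentScriptOutputs = @{}; ', '$DeploymentScriptOutputs[''groupId''] = $g.Id')]",
        "timeout": "PT10M",
        "cleanupPreference": "OnSuccess",
        "retentionInterval": "P1D"
      }
    }
  ],
  "outputs": {
    "groupId": {
      "type": "string",
      "value": "[reference('ensure-aad-group').outputs.groupId]"
    }
  }
}
```

The Get-AzADGroup check before New-AzADGroup is what makes the script idempotent; the identity you assign should be scoped to just the directory rights this script needs rather than a broad role.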

No, Azure ARM cannot execute scripts directly. Executing scripts needs a host, and an Azure template does not provide such a host.
One solution: you could use the Azure Custom Script Extension.
The Custom Script Extension downloads and executes scripts on Azure virtual machines.

Related

How to run scripts to create and configure a VM from within Azure?

I have a large PowerShell script that creates a machine and performs a bunch of configurations and it relies on Az module together with some custom modules I have written. I can run it from my machine, but I am exploring the possibility to run it from Azure and letting others run it without the need to fetch the latest version of the script and the dependent modules.
I have looked into Azure Functions, Logic Apps and Pipelines, but I don't really even know where to start and which one is the most suitable.
The workflow I would like to achieve is this:
A teammate would specify a machine name and trigger the script.
The script would then use Az modules and pull some modules from a git repo to create and configure a VM.
The teammate would receive some sort of feedback to show if the script was successful, maybe a log or an email notification.
Did you look at a Runbook running in an Automation Account? You can manage your source with DevOps and use the Automation Account's Source Control. You can also use the Azure Arc Agent on the VM to run your script.

How can I enforce a powershell script extension runs on all new VMs in Azure?

I've written a PowerShell script and a Linux bash script that I run to set up a management account inside Azure VMs and configure WMI or SNMP so I can monitor them properly. Works great! I just push out a new VM and then either run the PowerShell/Bash script via an extension during or after creation, all good.
However, I have other admins that also create VMs in the subscription that keep forgetting to run the extension and then I have to pick it up afterwards when I notice the monitoring system can't connect to them properly. How can I either:
Automatically enforce either the Linux or Windows extension to any new VMs that are created by other admins
Create some kind of automated policy that checks for VMs that haven't had the extension run and runs the extension in them
Or something else that will achieve what I need
Does anyone have any hints or links to articles that I could follow?
Thanks!
Azure Policy has a built-in policy that only allows a set list of extensions, found here: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute. However, you are able to do a custom policy with a DeployIfNotExists policy that will deploy an ARM template with those extensions. Here is another customer sample on that: https://github.com/Azure/azure-policy/blob/master/samples/Compute/deploy-oms-vm-extension-windows-vm/azurepolicy.rules.json

Add a PowerShell script to Azure Marketplace Offer

I would like to publish an Azure Managed Application to the Azure Marketplace. Is it possible to add my own PowerShell script to the "app.zip", which executes some additional deployment steps besides the Azure Resource Manager template?
The script would invoke the ARM template and handle some outputs of the template.
The way to think about these is that you can only do tasks that can be done in a template. Today, there's no way to run an arbitrary script in an ARM template.
That help?
After some research and contacting the MS Support I found two possible solutions:
Using a VM with a Custom Script Extension. Downside: the VM takes a long time to start up and is expensive if we do not delete it afterwards.
Using an Azure Container Instance to run the script. Starts up in about 45 seconds and doesn't cost anything if we don't use it. -> Tutorial

Azure - backup app on vm before delivering new changes

I have several .NET applications that are hosted in Azure on virtual machines under IIS. I want to automate the deployment process directly from my machine or Visual Studio without using the Azure portal, because we are doing several deliveries each day. The biggest challenge for me now is to do a backup before deployment. So I need to back up a specific folder on the VM remotely. Could anyone tell me how I can do it?
Are there any best practices for automating delivery from Visual Studio to an Azure VM? A backup of the app is required.
First, I'm assuming that you would like to back up some specific folders in your VM to an Azure Blobs or Azure Files storage. There are two parts you'd need to complete your continuous deployment:
Automate backing up some folders in your virtual machine.
Integrate task #1 into a CICD (Continuous Integration Continuous Deployment) tool, which I'd suggest VSTS (Visual Studio Team Services) for your beginning.
Approach #1
You can expose the Windows Remote Management (WinRM) endpoint publicly and use PowerShell to perform a folder backup task. You will also need to invoke some scripts to write/copy your backup to Azure Blob Storage. Your script must authenticate silently so you don't need to key in the Azure subscription admin or VM admin credentials.
Once you have a PowerShell script, you can invoke it by creating a new PowerShell task in your Build or Release definition. I'd suggest defining it in the Release definition.
Approach #2
It's more cloud native and you don't have to expose WMI of your virtual machine, which would be a security threat. Instead, you utilize the Azure Automation Worker to automate the entire backup and copy to other Azure services (Blobs, Files, another backup/file server virtual machine...). In your runbook, you need to use PowerShell DSC (Desired State Configuration) to interact with resources inside your virtual machine.
In VSTS, you have two ways to start your runbook:
Invoke the runbook's webhook: you can create a webhook for your runbook and call this webhook by creating an HTTP task.
Start the runbook by PowerShell: similar to approach #1, just create a PowerShell task and then use the Start-AzureAutomationRunbook cmdlet, with a sample here.
Build an ARM template for your Runbook and then define it in the Build definition. Here is the sample reference to deploy an ARM template in VSTS.
The reason I have to give several references is that you might not be familiar with the CICD and DevOps concepts, as well as some useful tools in Azure and VSTS which support your continuous deployment. There are some awesome CICD solutions on the market you should also explore, such as Chef, Ansible, and Puppet. They support CICD very well. Below are some references to get started with DevOps on Azure:
https://learn.microsoft.com/en-us/vsts/deploy-azure/
https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview
https://learn.microsoft.com/en-us/vsts/build-release/apps/cd/azure/azure-devops-project-aspnetcore

Using real Azure SQL databases on VSTS build definition

I want to run tests using real SQL databases. The SQL server and the databases would be on Azure. I'm trying to configure a build definition on VSTS where the tasks would set up an Azure resource group with the databases, set the connection strings on my solution and run the Entity Framework Core migrations to the databases. After the tests a task should delete the resource group.
I created an Azure resource group with the databases I need and downloaded the PowerShell deployment files, the script, template.json and so on.
The PowerShell script task can have an inline script or a path to the script. Should I add the Powershell scripts to the solution so that the VSTS could access them? The inline script option seems to be for small few line scripts and the Azure deployment is quite big with multiple files.
Setting up the connection strings shouldn't be too difficult. Several people suggest using the Replace Tokens task from the market place.
I'm not sure how to run the database migrations after that. Can I run the migrations on PowerShell script task? How can I ensure that the needed cmdlets work?
Since the script is quite big, you can't use an inline script; you can add it to the project or another path on the server (add an additional mapping for a different path).
Regarding database migration, if you enabled EF migration in a web app, you can create a publish profile (web deploy package) with database migration enabled, then publish/deploy with the MSBuild arguments /p:DeployOnBuild=true /p:PublishProfile=[profile name];DesktopBuildPackageLocation="$(build.artifactstagingdirectory)\webEF.zip", then deploy the package to the Azure Web App through the Azure Web Deploy task.