I have an azure subscription that has upwards of 200 appServices where around about half of them have Continuous, always on webJobs attached, some also have slots which also have webJobs.
Is there a way to list all webJobs that are inside a subscription? I was originally tring to use powershell to do this but it was getting rather complex and was wondering if anyone knew of an easy way to achieve the above.
It seems like Get-AzureRmWebApp should be able to help but i cant find a way to list the jobs that reside inside the webapps.
I found the command Get-AzureWebsiteJob which is not in the AzureRM family of commandlets. The following script can get the data that I'm looking for:
$groups = get-AzureRmResourceGroup | where{$_.ResourceGroupName -like "*-prod-*"}
foreach($group in $groups){
Write-Host -ForegroundColor Cyan "processing resourceGroup" $group.ResourceGroupName
$webApps = Get-AzureRmWebApp -ResourceGroupName $group.ResourceGroupName
foreach($webApp in $webApps){
write-host -ForegroundColor Yellow $webApp.Name
$job = Get-AzureWebsiteJob -Name $webApp.Name
if($job){
write-host -ForegroundColor DarkYellow $job.JobName
}
$job = Get-AzureWebsiteJob -Name $webApp.Name -Slot staging
if($job){
write-host -ForegroundColor DarkYellow $job.JobName " -staging"
}
}
}
The above does not filter out the running ones from the stopped, but that can be easily added if need be.
Of course you firstly need to be logged into AzureRM and Azure classic
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId <<mySubscriptionId>>
Get-AzureRmContext
Add-AzureAccount
Select-AzureSubscription -SubscriptionId <<mySubscriptionId>>
Get-AzureSubscription -Current
Its a very slow script iterating over this number or AppServices though. Any ideas for speeding it up would be appreciated.
You can do it through the ARM APIs, though you still need to call it on each Web App.
You can get the WebJobs with a GET request to:
https://management.azure.com/subscriptions/subscription-id/resourceGroups/resource-group-name/providers/Microsoft.Web/sites/app-name/webjobs?api-version=2016-03-01
But I doubt this will be any more efficient than what you have since you still need to make a call for every Web App. And you will need to get the access token somehow.
Web Jobs are a property of App Service applications and can't be requested all at once from Azure.
I know it's too late but we can try with Azure CLI too these days.
az webapp webjob triggered list --name MyWebApp --resource-group MyResourceGroup
Additionally, you can query the above result and get the desired information you are looking for
az webapp webjob triggered list --name MyWebApp --resource-group MyResourceGroup --query "[].{Name:name, Schedule:settings.schedule}"
I know it's too late but we can try with Azure CLI too these days.
az webapp webjob triggered list --name MyWebApp --resource-group MyResourceGroup
Additionally, you can query the above result and get the desired information you are looking for
az webapp webjob triggered list --name MyWebApp --resource-group MyResourceGroup --query "[].{Name:name, Schedule:settings.schedule}"
But, again you have to run the above query in the for each loop to fetch the results from all resource groups in the subscription.
Related
I've run into a snag with my powershell script that builds an azure function & all its dependencies.
This is what's happening: (i'm doing it manually here to demo...)
I request the storage account information like this:
PS C:\Users\me\> Get-AzStorageAccount -ResourceGroupName widget-resource-group
StorageAccountName ResourceGroupName PrimaryLocation SkuName Kind AccessTier CreationTime ProvisioningState EnableHttpsTrafficOnly LargeFileShares
------------------ ----------------- --------------- ------- ---- ---------- ------------ ----------------- ---------------------- ---------------
widgetx4ge6v27rlgdk widget-resource-group eastus Standard_LRS StorageV2 Hot 2022-03-10 2:00:26 PM Succeeded True
It comes back with the correct information. So then I try to get the connection string like this:
PS C:\Users\me> func azure storage fetch-connection-string widgetx4ge6v27rlgdk
Cannot find storage account with name widgetx4ge6v27rlgdk
But it says it can't find the storage account.
The actual code looks like this:
# Look up function app name that was dynamically created by ARM template:
$AZ_FUNCTION_APP = Get-AzFunctionApp -ResourceGroupName $currentEnv.AZ_RESOURCE_GROUP_NAME
#look up the storage account name for this resource group.
$AZ_STORAGE_ACCOUNT = Get-AzStorageAccount -ResourceGroupName $currentEnv.AZ_RESOURCE_GROUP_NAME
Write-Output $AZ_STORAGE_ACCOUNT.StorageAccountName
# Get new connection string for the storage account.
func azure storage fetch-connection-string $AZ_STORAGE_ACCOUNT.StorageAccountName
When the code runs, everything works until the call to "func azure storage fetch-connection-string".
Any tips on what I'm missing?
Edit 1
In case it helps, this logic works just fine when I run it against Tenant 1, Subscription A. But for Tenant 1, Subscription B it bombs.
I've made sure the service account principle it runs under is contributor on both subscriptions.
And for what it's worth, the script is able to create the resource group and many of the resources inside. It's just hat when I try to get the connection string, it bombs. It also bombs further down in the script when it tries to deploy the functions in my function app. The error message though is similar - it complains that it can't find the function app that I just finished creating.
Edit 2
So I figured out the problm but not sure how to fix it in a nice / simple way.
For 90% of the script, including login, i'm using the new Az Powershell modules. However, the "func azure" tool relies on login information provided by the az cli. (that seems to be cached??)
To get you on the same page, here's the relevant part of the code in the script:
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AZ_DEPLOYMENT_CLIENT_ID, $Secure2
#Connect
Connect-AzAccount -ServicePrincipal -TenantId $AZ_TENANT_ID -Credential $Credential
#OPTIONAL - List the subscriptions available to the current User
Get-Azcontext -ListAvailable
#Set the subscription context to subscription 2
Set-Azcontext -Subscription $AZ_SUBSCRIPTION_ID -Tenant $AZ_TENANT_ID
#Create a new resource group
New-AzResourceGroup -Name $AZ_RESOURCE_GROUP_NAME -Location $AZ_RESOURCE_LOCATION -Force
New-AzResourceGroupDeployment -ResourceGroupName $AZ_RESOURCE_GROUP_NAME -TemplateFile (Join-Path $PSScriptRoot "./artifacts/widget-resources.json")
# Look up function app name that was dynamically created by ARM template:
$AZ_FUNCTION_APP = Get-AzFunctionApp -ResourceGroupName $AZ_RESOURCE_GROUP_NAME
#look up the storage account name for this resource group.
$AZ_STORAGE_ACCOUNT = Get-AzStorageAccount -ResourceGroupName $AZ_RESOURCE_GROUP_NAME
Write-Output $AZ_STORAGE_ACCOUNT.StorageAccountName
# this is where it is failing because it is using a subscription that is visible to az cli.
func azure storage fetch-connection-string $AZ_STORAGE_ACCOUNT.StorageAccountName
Here's what I did to troubleshoot from a powershell cli:
az account list
That returns this:
{
"cloudName": "AzureCloud",
"homeTenantId": "asdf-asdf-asdf-asdf-12312312313",
"id": "[guid]",
"isDefault": false,
"managedByTenants": [],
"name": "subscription-1",
"state": "Enabled",
"tenantId": "[our-tenant-id]",
"user": {
"name": "[another-guid]",
"type": "servicePrincipal"
}
}
When I ran the above command, it only returned one subscription called "subscription-1" for discussion purposes. It isn't/wasn't the one that the rest of the script was working with. The rest of script was dealing with subscription 2
As I test, I added the following lines of code just before call func azure storage:
az login --service-principal --username $AZ_APPLICATION_CLIENT_ID --password $AZ_SECRET --tenant $AZ_TENANT --allow-no-subscriptions
#set the subscription we want to use
az account set --subscription $subscription2
func azure storage fetch-connection-string $AZ_STORAGE_ACCOUNT.StorageAccountName
And now it finds the correct subscription and resource group / storage account. And now when I run az account list again, it shows me both subscriptions.
One addition comment / observation. Once the az login / az account set has been run with the desired subscription id, i've noticed that I can remove the az login and account set logic from the script and it just uses the cached values. I'm not saying this is what I want to do ... cuz I think it' best to be explicit. But just an observation which explains what bit me in the first place.
So my question is... is there anyway to avoid having to log in twice - once with az cli and another time with the Az Powerhsell modules?
I'm thinking of just abandoning the Az Powershell module and just rewriting everything in just az cli.
But asking the community to see if there's a better way to do this.
EDIT 3
Based on the docs for the azure core functions tools, technically I should be able to use the powershell modules or the cli:
https://learn.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=v4%2Cwindows%2Ccsharp%2Cportal%2Cbash#publish
"You must have the Azure CLI or Azure PowerShell installed locally to be able to publish to Azure from Core Tools."
Yes, using a mix of azcli and azure powershell, as they are their seperate entities in their own right, you would need to login to each of them individually.
And yes, you are right its better to ditch of them and choose one or the other ! Just much cleaner that way
The issue was that the azure core functions tool is using the cached az account list to find my resources.
So in other words, unbeknownst to me, the func method was using az cli, whereas the rest of the script is using the new Az Powershell modules.
For now, I've just rewritten everything in az cli syntax, and am happy with that. But per the docs it seems that the azure core functions tools should be able to work with either az cli or az powershell. Will open a separate question that addresses that point. For now, my script is working again.
I am trying to get the subscription keys for my products as well as default subscription key using cli. I have gone through the documentation https://learn.microsoft.com/en-us/cli/azure/apim/api?view=azure-cli-latest , but right now I don't see any commands to get me the subscription key.
While I can see there are powershell way of getting it, we run the tasks in ubuntu pipeline, and the commands listed below is not working in the linux agent. It says Set-AzContext is not a known command
$subscriptionId = "id"
$RG = "rg"
$service = "apim-name"
Set-AzContext -Subscription $subscriptionIdÂ
$apimContext = New-AzApiManagementContext -ResourceGroupName $RG -ServiceName $service
Get-AzApiManagementSubscriptionKey -Context $apimContext -SubscriptionId "master"
Update
I am able to fetch the details through powershell task for Azure in the DevOps pipeline. If there is no option in azure cli I will use this as a workaround.
Using az rest it is possible:
APIMID=`az apim show -n apimname -g resourcegroup --query id -o tsv`
az rest --method post --uri ${APIMID}/subscriptions/test-subscription/listSecrets?api-version=2021-08-01 --query primaryKey -o tsv
where test-subscription is the name of the subscription.
Currently it is not possible to fetch subscription key using AZ CLI commands. The PowerShell command used is the correct way to go. Just in case if it helps another way to get the subscription key is by using Management API call
I'm a bit of an Azure & Powershell newbie.
I'm trying to write PowerShell scripts to create an environment that can be published to from Azure DevOps.
As part of that, I'm creating a Service Bus with multiple topics. Each of the topics will have multiple Authorization Rules - one for publication and one for subscription.
I have the scripts for this working. However, I need to get the connection strings for these rules and save them to a key vault, to make them available to apps.
This is where I have become stuck.
This is similar to my existing code:
New-AzServiceBusTopic -ResourceGroupName myResourceGroup -Namespace myServiceBus -EnablePartitioning $false -Name myTopic
New-AzServiceBusAuthorizationRule `
-ResourceGroupName myResourceGroup `
-Namespace myServiceBus `
-Topic myTopic`
-Name myTopic.pub `
-Rights #("Send")
In the Azure Portal, I would click into the Service bus and Topic, select Shared Access Policies and click on the policy. It would show me the SAS Policy with the Primary Connection String.
Is there any way in PowerShell to get the Primary Connection String?
Thanks
If you have azure powershell Az.ServiceBus module installed, you can directly use this command: Get-AzServiceBusKey.
For example:
Get-AzServiceBusKey -ResourceGroup Default-ServiceBus-WestUS -Namespace SB-Example1 -Name AuthoRule1
I have created an alert rule and associated it with a VM. Now trying to fetch the alert rule through Powershell, but getting null. What's wrong with this code ?
Get-AzAlertRule -ResourceGroupName 'pacbldnew'
see the alert rule
powershell code returning null
That is just a warning. The command should work, make sure the alert rule is existing.
Update1:
Try the command below to get what you want.
Get-AzResource -ResourceGroupName joywebapp -ResourceType microsoft.insights/metricAlerts
Update2:
If you want to get the details, try the script as below.
$names = (Get-AzResource -ResourceGroupName joywebapp -ResourceType microsoft.insights/metricAlerts).Name
foreach($name in $names){
Get-AzResource -ResourceGroupName joywebapp -Name $name -ResourceType microsoft.insights/metricAlerts | ConvertTo-Json
}
Joy is right in the way that the cmdlet should still execute as what you see is just a warning. However, this could be happening as Powershell support for newer metric alerts is still in the works as mentioned in the Official docs.
Also, as an alternative, if it helps, you could use Azure CLI to list newer Metric Alerts, as it now supports fetching elaborate results of queries belonging to the Microsoft.Insights/metricAlerts resource type.
For example:
az monitor metrics alert list -g <Resource group name> --output yaml
The result would look something like this:
You also get to choose out of the many output formats (json, jsonc, yaml, table, tsv) available with Az CLI.
Hope this helps!
Go to Azure- home security center and settings and filter and extract all rules
This query has worked for me:
Get-AzResource -ResourceType "microsoft.insights/scheduledqueryrules" -ResourceGroupName "Alert-RG"
I can use the azure portal to add a web app to a virtual network for communications between various services hosted on it. However I have everything else in the environment scripted via Powershell and would like to automate the WebApp/VNET integration too.
I have read the following article so far:
https://azure.microsoft.com/en-gb/documentation/articles/web-sites-integrate-with-vnet/
However that is just how to do it via the portal. I am thinking that the Set-AzureRMWebApp cmdlet is the right thing to use, but i can't see any parameters that might help.
https://msdn.microsoft.com/en-us/library/mt652487.aspx
I had the same issue and couldn't find a way to do this using a PS modules. However functionality has now been added to azure CLI. So you can just involke this from a script.
az webapp vnet-integration add -g "resource group name" -n "app service name" --vnet "vnet name" --subnet "subnet name"
First you need an existing VNet with P2S configured as per my post at http://www.techdiction.com/2016/01/12/creating-a-point-to-site-vpn-connection-on-an-azure-resource-manager-virtual-network/
Then use the below PowerShell to connect the AppService to the VNet using P2S VPN:
$subscription_id = "<Subscription_ID>"
$NetworkName = "<Network_Name>"
$location = "<Region>"
$netrgname = "<Resource_Group_VNet_is_in>"
$AppServiceName = "<AppService_Name>"
$props = #{
"vnetResourceId" = "/subscriptions/$subscription_id/resourcegroups/$netrgname/providers/Microsoft.ClassicNetwork/virtualNetworks/$NetworkName";
"certThumbprint"= "<Client_cert_thumbprint>";
"certBlob"= "<Base64_Cert_Data>";
"routes" = $null;
}
New-AzureRMResource -ResourceName "$AppServiceName/$AppServiceName-to-$NetworkName" -Location $location -ResourceGroupName MarcusWebsites -ResourceType Microsoft.Web/sites/virtualNetworkConnections -PropertyObject $props -ApiVersion "2015-08-01" -force
You can configure custom routes if you require by modifying the routes property. Let me know how you get on and if it resolves the situation please mark this post as the answer.
Marcus
This is currently not supported, we have it on our to-do list, unfortunately I don't have an eta right now