Functions to create immutable containers in Azure, for the purpose of log storage
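function Add-AzStorageAccount {
    <#
    .Synopsis
        Creates (or brings into line) a standardised storage account in the given resource group.
    .Description
        Idempotent: if the account does not exist it is created with the requested Sku, Location and Kind;
        in both cases the Sku, storage-service encryption and HTTPS-only transport are then (re)applied
        with Set-AzStorageAccount, so running this against an existing account enforces the standard.
        Intended for log storage, so plain-HTTP access is rejected by default.
    .Parameter ResourceGroupName
        Resource group to create the storage account in.
    .Parameter Name
        Storage account name. Azure requires 3-24 characters, lowercase letters and digits only.
    .Parameter SkuName
        Storage account Sku; defaults to Standard_LRS.
    .Parameter Location
        Azure region to create the storage account in (e.g. centralus).
    .Parameter EnableHttpsTrafficOnly
        When $true (default) the account refuses non-TLS requests. Only set to $false for a legacy
        client that cannot speak HTTPS; log data should not travel in the clear.
    .Example
        Add-AzStorageAccount -ResourceGroupName AUSC1-FRG -Name ausc1frgdiagag3249b -Location "centralus"
    #>
    [CmdletBinding()]
    param(
        # Resource group to create the storage account in
        [Parameter(Mandatory)]
        [string]$ResourceGroupName,
        # Name of the storage account to create. The length and character rules below are the
        # Azure naming rules for storage accounts, so invalid names fail here rather than in the ARM call.
        [ValidateLength(3, 24)]
        [ValidateScript({
            if ($_ -cmatch "[^a-z0-9]") {
                throw "'$_' must contain nothing but lower case alphanumeric characters"
            }
            $true
        })]
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name,
        # Storage account Sku to use
        [string]$SkuName = "Standard_LRS",
        # Azure location to create the storage account in
        [Parameter(Mandatory)]
        [string]$Location,
        # Reject plain-HTTP access to the account (default on). Applied on create and on every run.
        [bool]$EnableHttpsTrafficOnly = $true
    )
    process {
        $StorageAccount = @{
            ResourceGroupName = $ResourceGroupName
            Name              = $Name
        }
        # SilentlyContinue: a missing account is the expected "create it" path, not an error.
        # NOTE(review): this also hides permission/auth failures; the subsequent New-AzStorageAccount will surface them.
        if (-not ($ActualAccount = Get-AzStorageAccount @StorageAccount -ErrorAction SilentlyContinue)) {
            $StorageRequest = @{
                SkuName                = $SkuName
                Location               = $Location
                # General-purpose v1, as in the original. StorageV2 is the current default kind —
                # TODO confirm the account kind is still the right one for immutable log containers before changing.
                Kind                   = "Storage"
                EnableHttpsTrafficOnly = $EnableHttpsTrafficOnly
            }
            Write-Verbose "Creating Storage Account '$($Name)' in '$($ResourceGroupName)'"
            $ActualAccount = New-AzStorageAccount @StorageAccount @StorageRequest
        }
        # Always re-apply the standard settings so drift on an existing account is corrected.
        # -StorageEncryption is kept from the original; on current Az versions service-side encryption is
        # always on and the switch is a harmless no-op.
        $ActualAccount = Set-AzStorageAccount @StorageAccount -SkuName $SkuName -StorageEncryption -EnableHttpsTrafficOnly $EnableHttpsTrafficOnly
    }
}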
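function Add-AzLogContainer {
    <#
    .Synopsis
        Creates a storage account container with QM-standardised policies for immutability and retention.
    .Description
        Idempotent: creates the container if absent, then ensures a time-based immutability (WORM) policy
        of $RetentionTime days exists with protected append writes allowed (so log writers can append but
        nothing can be modified or deleted inside the retention window). With -LockPolicy the policy is locked.

        Safety rails for log integrity:
        - A locked policy can never be shortened (Azure rejects it); the function stops with a clear error
          instead of letting the ARM call fail.
        - Shortening an unlocked policy is allowed but emits a warning, because it weakens retention.
        - Locking is irreversible: once locked, the retention period can only be extended, never reduced or removed.
    .Parameter StorageAccountName
        Storage account (in the current Azure context) to create the container in.
    .Parameter Name
        Name of the container.
    .Parameter RetentionTime
        Retention period in days. Must be at least 1; Azure rejects a 0-day policy.
    .Parameter LockPolicy
        When set, locks the immutability policy. This cannot be undone.
    .Example
        Add-AzLogContainer -StorageAccountName ausc1frgdiagblah -Name sqlmilogs
        # Creates a sqlmilogs container in the ausc1frgdiagblah account with a 90 day unlocked immutability policy
    .Example
        Add-AzLogContainer -StorageAccountName ausc1frgdiagblah -Name sqlmilogs -RetentionTime 365 -LockPolicy
        # Ensures a 365 day policy and locks it (irreversible)
    #>
    [CmdletBinding()]
    param(
        # Storage Account to create the container in
        [Parameter(Mandatory)]
        [string]$StorageAccountName,
        # Name of the container
        [Parameter(Mandatory)]
        [string]$Name,
        # Retention Time, in days. Lower bound of 1 because Azure does not accept a 0-day immutability period.
        [ValidateRange(1, 65535)]
        [uint16]$RetentionTime = 90,
        # When set, locks the immutability policy (irreversible)
        [switch]$LockPolicy
    )
    end {
        # Resolve the account from the current context; we need its ResourceGroupName for the Rm* cmdlets below.
        if (-not ($StorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -eq $StorageAccountName)) {
            Write-Error "StorageAccount '$($StorageAccountName)' is not found in the current Azure context" -ErrorAction Stop
        }
        if (-not ($Container = Get-AzStorageContainer -Context $StorageAccount.Context -Name $Name -ErrorAction SilentlyContinue)) {
            Write-Verbose "Creating Container '$($Name)' in '$($StorageAccountName)'"
            $Container = New-AzStorageContainer -Context $StorageAccount.Context -Name $Name
        }
        $ContainerID = @{
            ResourceGroupName  = $StorageAccount.ResourceGroupName
            StorageAccountName = $StorageAccount.StorageAccountName
            ContainerName      = $Container.Name
        }

        $ContainerPolicy = Get-AzRmStorageContainerImmutabilityPolicy @ContainerID
        # A container with no policy yet reports no period; treat that as 0 so the comparison below creates one.
        $CurrentPeriod = [int]$ContainerPolicy.ImmutabilityPeriodSinceCreationInDays

        if ($CurrentPeriod -ne $RetentionTime) {
            if ($RetentionTime -lt $CurrentPeriod) {
                if ($ContainerPolicy.State -eq 'Locked') {
                    # Azure only allows extending a locked policy; fail early with a message that says why.
                    Write-Error "Immutability policy on '$($Container.Name)' is locked at $($CurrentPeriod) days and cannot be shortened to $($RetentionTime) days" -ErrorAction Stop
                }
                # Shortening retention weakens the log-integrity guarantee; make it visible rather than silent.
                Write-Warning "Shortening retention on '$($Container.Name)' from $($CurrentPeriod) to $($RetentionTime) days"
            }
            $ImmutabilityPolicyArgs = @{
                ImmutabilityPeriod        = $RetentionTime
                # Log writers may append to existing blobs; existing bytes still cannot be changed or deleted.
                AllowProtectedAppendWrite = $true
            }
            Write-Verbose "Adding $($RetentionTime) day Retention Policy to '$($Container.Name)'"
            $ContainerPolicy = Set-AzRmStorageContainerImmutabilityPolicy @ContainerID @ImmutabilityPolicyArgs
        }

        # Lock only when asked and only once; a locked policy is permanent and can only ever be extended.
        if ($LockPolicy -and $ContainerPolicy.State -eq 'Unlocked') {
            Write-Verbose "Locking '$($ContainerPolicy.Etag)' on '$($Container.Name)'"
            # -Etag guards against locking a policy that was changed underneath us since we read it.
            Lock-AzRmStorageContainerImmutabilityPolicy @ContainerID -Etag $ContainerPolicy.Etag -Force
        }
    }
}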