Last active
January 15, 2021 19:32
-
-
Save bergmeister/9da43d7fd31ef02ea3ea67a6e7b2d5ce to your computer and use it in GitHub Desktop.
Add AAS IP Firewall exception and add currently executing service principal to AAS admin list
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[CmdletBinding()] | |
Param( | |
[Parameter(Mandatory)] | |
[string] $ResourceGroupName | |
) | |
# Add Firewall exception for current IP address | |
$myIpAddress = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip | |
$azAnalysisFirewallRule = New-AzAnalysisServicesFirewallRule -FirewallRuleName "az-devops-hosted-agent-$(New-Guid)" -RangeStart $myIpAddress -RangeEnd $myIpAddress | |
$azAnalysisServicesServer = Get-AzAnalysisServicesServer -ResourceGroupName $ResourceGroupName | |
if ($azAnalysisServicesServer.FirewallConfig.FirewallRules.RangeStart -contains $myIpAddress) { | |
Write-Verbose "IP whitelist exception for '$myIpAddress' already added" | |
} | |
else { | |
if ($null -eq $azAnalysisServicesServer.FirewallConfig) { | |
$azAnalysisServicesFirewallConfig = New-AzAnalysisServicesFirewallConfig | |
$azAnalysisServicesServer.FirewallConfig.FirewallRules = $azAnalysisFirewallRule | |
} | |
else { | |
$azAnalysisServicesServer.FirewallConfig.FirewallRules.Add($azAnalysisFirewallRule) | |
} | |
Write-Verbose "Adding AAS firewall rule '$($azAnalysisServicesServer.FirewallConfig.FirewallRules.FirewallRuleName)' for current IP '$myIpAddress' on server $($azAnalysisServicesServer.Name)" | |
Set-AzAnalysisServicesServer -FirewallConfig $azAnalysisServicesServer.FirewallConfig -Name $azAnalysisServicesServer.Name | |
Write-Verbose "Successfully added AAS firewall rule" | |
} | |
# Add currently executing service principal to AAS admin list | |
$azContext = Get-Azcontext | |
$spApplicationId = ($azContext).Account.Id | |
$aasAdminToAdd = "app:$spApplicationId@$($azContext.Tenant.Id)" | |
$azAnalysisServicesServer.AsAdministrators.Add($aasAdminToAdd) | |
Write-Verbose "Adding '$aasAdminToAdd' (current service principle) to AAS admins" | |
Set-AzAnalysisServicesServer -Administrator ([string]::Join(',', $azAnalysisServicesServer.AsAdministrators)) -Name $azAnalysisServicesServer.Name | |
Write-Verbose "Successfully added current service principle to AAS admins" |
Hi @denis-sch , thanks for the feedback. It seems you encountered the special case where there is no initial firewall config at all (in my case there was always at least one). In that case $azAnalysisServicesServer.FirewallConfig
is $null
, I've updated the script with some if/else code to make it agnostic of that.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Dear Christoph,
I faced situation that if your AS server doesn't yet have any rules, this line of the script $azAnalysisServicesServer.FirewallConfig.FirewallRules.Add($azAnalysisFirewallRule) doesn't work with error "You cannot call a method on a null-valued expression.". Possibly - because $azAnalysisServicesServer.FirewallConfig.FirewallRules returns an empty object (or list with empty elements, I don't clearly get it myself) and method .Add can't be "as is" applied to it.
And this actually happens, because your another script, where you removes the rule, do this in this way:
$azAnalysisServicesServer.FirewallConfig.FirewallRules = $azAnalysisServicesServer.FirewallConfig.FirewallRules | Where-Object { -not $_.FirewallRuleName.StartsWith('az-devops-hosted-agent') },
so if you have only 1 rule, it sets $azAnalysisServicesServer.FirewallConfig.FirewallRules to $null.
For instance, if you'll use .Remove method, like you do for admin membership, everything works perfectly.