Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Script to deploy Azure Automation Account, Storage Account, and Key Vault
#requires -RunAsAdministrator
#requires -Modules AzureRM
<#
.Description
Script needs to be run with elevated priveleges, as it interacts with the local file system (for generation of a certificate)
Executes the initial setup script, creating a dedicated resource group, storage account, and azure automation account.
Optionally uploads arm templtes and ps runbooks to created storage account (if path specified)
Optionally publishes all ps runbooks in specified directory to azure automation account created by the process.
.Example
$BaseSourceControl = 'C:\Users\davoodharun\Desktop'
$MyParams = @{
environmentName = "AzureUSGovernment"
location = "USGov Virginia"
subscriptionId = "eee71d43-1ba6-4da6-a6c4-ab75f599c1dc"
resourceGroupName = "OrchestrationRG"
StorageAccountName = "orchestrationstorage"
armtemplatesLocalDir = "$BaseSourceControl\OD4Gov\Templates"
psrunbooksLocalDir = "$BaseSourceControl\OD4Gov\Scripts\orchestration\automationrunbooks"
scriptsLocalDir = "$BaseSourceControl\OD4Gov\Scripts\DSC"
automationAccountName = "OrchestrationAutomationUser"
keyVaultName = "OrchestrationKeyVault"
serverPrincipalCertPassword = New-QMAlphanumericSecurePassword
}
. "$BaseSourceControl\OD4Gov\Scripts\orchestration\Orchestration_InitialSetup.ps1" @MyParams -verbose
#>
[cmdletbinding()]
Param(
[string]$environmentName = "AzureUSGovernment",
[string]$location = "USGov Virginia",
[Parameter(Mandatory=$true)]
[string]$subscriptionId,
[Parameter(Mandatory=$true)]
[string]$resourceGroupName,
[Parameter(Mandatory=$true)]
[ValidateLength(3, 24)]
[ValidateScript({ if ($PSItem -cmatch '^[a-z0-9]*$') {$true} else { Throw "Must only contain lowercase and number"}}) ]
[string]$storageAccountName,
[string]$armtemplatesLocalDir,
[string]$scriptsLocalDir,
[string]$psrunbooksLocalDir,
[string]$automationAccountName,
[ValidateLength(3, 24)]
[string]$keyVaultName,
[Parameter(Mandatory=$true)]
[SecureString]$serverPrincipalCertPassword,
[bool]$publishAutomationRunbooks = $true
)
$errorActionPreference = 'stop'
try
{
$Exists = Get-AzureRmSubscription -SubscriptionId $SubscriptionId
Write-Host "Using existing authentication"
}
catch {
# Microsoft is completely pathetic with supporting -ErrorAction
}
if (-not $Exists)
{
Write-Host "Authenticate to Azure subscription"
Add-AzureRmAccount -EnvironmentName $EnvironmentName | Out-String | Write-Verbose
}
Write-Host "Selecting subscription as default"
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-String | Write-Verbose
Write-Host "Creating resource group '$($resourceGroupName)' to hold the automation account, key vault, and template storage account."
if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue)) {
New-AzureRmResourceGroup -Name $resourceGroupName -Location $location | Out-String | Write-Verbose
}
Write-Host "Create storage account '$($storageAccountName)' (this takes a while sometimes. In portal in browser takes 2 mins not sure what the problem is here)"
if (-not (Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -ErrorAction SilentlyContinue )) {
New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $location -SkuName Standard_LRS | Out-String | Write-Verbose
}
Write-Host "Create automation account '$($automationAccountName)' to host deployment runbooks."
if (-not (Get-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -ErrorAction SilentlyContinue)) {
New-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -Location $location -Plan Free | Out-String | Write-Verbose
}
Write-Host "Create a keyVault '$($keyVaultName)' to store the service principal ids, key, certificate"
if (-not (Get-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue )) {
New-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForTemplateDeployment -Location $location | Out-String | Write-Verbose
$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name 'adminPassword' -Destination 'Software'
$secretvalue = ConvertTo-SecureString 'adfadf$%TR$#t' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $secretvalue
$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name 'sqlServerServiceAccountPassword' -Destination 'Software'
$secretvalue = ConvertTo-SecureString 'adfadf$%TR$#t' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name 'sqlServerServiceAccountPassword' -SecretValue $secretvalue
}
& "$($PSScriptRoot)\Create-AzureServicePrincipalForServerAutomation.ps1" `
-subscriptionId $subscriptionId `
-ResourceGroup $resourceGroupName `
-AutomationAccountName $automationAccountName `
-ApplicationDisplayName "$($automationAccountName)RunAs" `
-certPassword $serverPrincipalCertPassword `
-backupCertVaultName $keyVaultName
Write-Output "New service principal created for server auth - $($automationAccountName)RunAs."
& "$($PSScriptRoot)\Create-AzureServicePrincipalForClient.ps1" `
-SubscriptionId $SubscriptionId `
-ApplicationDisplayName "$($automationAccountName)Client" `
-backupKeyVaultName $keyVaultName
Write-Output "New service principal created for client auth - $($automationAccountName)Client."
$context = (Get-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName).Context
$armtemplatecontainer = New-AzureStorageContainer -Name "arm" -Context $context -Permission Off
Write-Output "New storage account container created - 'arm'."
$scriptscontainer = New-AzureStorageContainer -Name "scripts" -Context $context -Permission Off
Write-Output "New storage account container created - 'scripts'."
$psrunbookcontainer = New-AzureStorageContainer -Name "psrunbooks" -Context $context -Permission Off
Write-Output "New storage account container created - 'psrunbooks'."
if($armtemplatesLocalDir){
ls –Recurse –Path $armtemplatesLocalDir | Set-AzureStorageBlobContent –Container $armtemplatecontainer.Name –Context $context
Write-Output "Local files uploaded to storage container - 'arm'."
}
if($scriptsLocalDir){
ls -Recurse -Path $scriptsLocalDir | Set-AzureStorageBlobContent -Container $scriptscontainer.Name -Context $context
Write-Output "Local files uploaded to storage container - 'scripts'."
}
if($psrunbooksLocalDir){
if($publishAutomationRunbooks){
#Publish all runbooks in the directory after uploading to storage
ls -Recurse -Path $psrunbooksLocalDir | `
Set-AzureStorageBlobContent –Container $psrunbookcontainer.Name –Context $context -Force | `
select Name, @{Name="Path";Expression={$psrunbooksLocalDir + "\" + $_.Name}} | `
Import-AzureRMAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName -Type PowerShell -Force | `
Publish-AzureRmAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName
Write-Output "Local files uploaded to storage container - 'psrunbooks'. Runbooks published to Azure automation."
} else
{
#Upload runbooks to storage, do not publish
ls –Recurse –Path $psrunbooksLocalDir | Set-AzureStorageBlobContent –Container $psrunbookcontainer.Name –Context $context
Write-Output "Local files uploaded to storage container - 'psrunbooks'."
}
}
@AntonyNolan

This comment has been minimized.

Copy link

@AntonyNolan AntonyNolan commented Jul 29, 2018

gvu

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment