Skip to content

Instantly share code, notes, and snippets.

@davoodharun
Last active July 29, 2018 10:17
Show Gist options
  • Save davoodharun/7afe8666f5bbe087ab0b2ee7846b683a to your computer and use it in GitHub Desktop.
Save davoodharun/7afe8666f5bbe087ab0b2ee7846b683a to your computer and use it in GitHub Desktop.
Script to deploy Azure Automation Account, Storage Account, and Key Vault
#requires -RunAsAdministrator
#requires -Modules AzureRM
<#
.Description
Script needs to be run with elevated priveleges, as it interacts with the local file system (for generation of a certificate)
Executes the initial setup script, creating a dedicated resource group, storage account, and azure automation account.
Optionally uploads arm templtes and ps runbooks to created storage account (if path specified)
Optionally publishes all ps runbooks in specified directory to azure automation account created by the process.
.Example
$BaseSourceControl = 'C:\Users\davoodharun\Desktop'
$MyParams = @{
environmentName = "AzureUSGovernment"
location = "USGov Virginia"
subscriptionId = "eee71d43-1ba6-4da6-a6c4-ab75f599c1dc"
resourceGroupName = "OrchestrationRG"
StorageAccountName = "orchestrationstorage"
armtemplatesLocalDir = "$BaseSourceControl\OD4Gov\Templates"
psrunbooksLocalDir = "$BaseSourceControl\OD4Gov\Scripts\orchestration\automationrunbooks"
scriptsLocalDir = "$BaseSourceControl\OD4Gov\Scripts\DSC"
automationAccountName = "OrchestrationAutomationUser"
keyVaultName = "OrchestrationKeyVault"
serverPrincipalCertPassword = New-QMAlphanumericSecurePassword
}
. "$BaseSourceControl\OD4Gov\Scripts\orchestration\Orchestration_InitialSetup.ps1" @MyParams -verbose
#>
[cmdletbinding()]
Param(
[string]$environmentName = "AzureUSGovernment",
[string]$location = "USGov Virginia",
[Parameter(Mandatory=$true)]
[string]$subscriptionId,
[Parameter(Mandatory=$true)]
[string]$resourceGroupName,
[Parameter(Mandatory=$true)]
[ValidateLength(3, 24)]
[ValidateScript({ if ($PSItem -cmatch '^[a-z0-9]*$') {$true} else { Throw "Must only contain lowercase and number"}}) ]
[string]$storageAccountName,
[string]$armtemplatesLocalDir,
[string]$scriptsLocalDir,
[string]$psrunbooksLocalDir,
[string]$automationAccountName,
[ValidateLength(3, 24)]
[string]$keyVaultName,
[Parameter(Mandatory=$true)]
[SecureString]$serverPrincipalCertPassword,
[bool]$publishAutomationRunbooks = $true
)
$errorActionPreference = 'stop'
try
{
$Exists = Get-AzureRmSubscription -SubscriptionId $SubscriptionId
Write-Host "Using existing authentication"
}
catch {
# Microsoft is completely pathetic with supporting -ErrorAction
}
if (-not $Exists)
{
Write-Host "Authenticate to Azure subscription"
Add-AzureRmAccount -EnvironmentName $EnvironmentName | Out-String | Write-Verbose
}
Write-Host "Selecting subscription as default"
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-String | Write-Verbose
Write-Host "Creating resource group '$($resourceGroupName)' to hold the automation account, key vault, and template storage account."
if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue)) {
New-AzureRmResourceGroup -Name $resourceGroupName -Location $location | Out-String | Write-Verbose
}
Write-Host "Create storage account '$($storageAccountName)' (this takes a while sometimes. In portal in browser takes 2 mins not sure what the problem is here)"
if (-not (Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -ErrorAction SilentlyContinue )) {
New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $location -SkuName Standard_LRS | Out-String | Write-Verbose
}
Write-Host "Create automation account '$($automationAccountName)' to host deployment runbooks."
if (-not (Get-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -ErrorAction SilentlyContinue)) {
New-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -Location $location -Plan Free | Out-String | Write-Verbose
}
Write-Host "Create a keyVault '$($keyVaultName)' to store the service principal ids, key, certificate"
if (-not (Get-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue )) {
New-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForTemplateDeployment -Location $location | Out-String | Write-Verbose
$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name 'adminPassword' -Destination 'Software'
$secretvalue = ConvertTo-SecureString 'adfadf$%TR$#t' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $secretvalue
$key = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name 'sqlServerServiceAccountPassword' -Destination 'Software'
$secretvalue = ConvertTo-SecureString 'adfadf$%TR$#t' -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name 'sqlServerServiceAccountPassword' -SecretValue $secretvalue
}
& "$($PSScriptRoot)\Create-AzureServicePrincipalForServerAutomation.ps1" `
-subscriptionId $subscriptionId `
-ResourceGroup $resourceGroupName `
-AutomationAccountName $automationAccountName `
-ApplicationDisplayName "$($automationAccountName)RunAs" `
-certPassword $serverPrincipalCertPassword `
-backupCertVaultName $keyVaultName
Write-Output "New service principal created for server auth - $($automationAccountName)RunAs."
& "$($PSScriptRoot)\Create-AzureServicePrincipalForClient.ps1" `
-SubscriptionId $SubscriptionId `
-ApplicationDisplayName "$($automationAccountName)Client" `
-backupKeyVaultName $keyVaultName
Write-Output "New service principal created for client auth - $($automationAccountName)Client."
$context = (Get-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName).Context
$armtemplatecontainer = New-AzureStorageContainer -Name "arm" -Context $context -Permission Off
Write-Output "New storage account container created - 'arm'."
$scriptscontainer = New-AzureStorageContainer -Name "scripts" -Context $context -Permission Off
Write-Output "New storage account container created - 'scripts'."
$psrunbookcontainer = New-AzureStorageContainer -Name "psrunbooks" -Context $context -Permission Off
Write-Output "New storage account container created - 'psrunbooks'."
if($armtemplatesLocalDir){
ls –Recurse –Path $armtemplatesLocalDir | Set-AzureStorageBlobContent –Container $armtemplatecontainer.Name –Context $context
Write-Output "Local files uploaded to storage container - 'arm'."
}
if($scriptsLocalDir){
ls -Recurse -Path $scriptsLocalDir | Set-AzureStorageBlobContent -Container $scriptscontainer.Name -Context $context
Write-Output "Local files uploaded to storage container - 'scripts'."
}
if($psrunbooksLocalDir){
if($publishAutomationRunbooks){
#Publish all runbooks in the directory after uploading to storage
ls -Recurse -Path $psrunbooksLocalDir | `
Set-AzureStorageBlobContent –Container $psrunbookcontainer.Name –Context $context -Force | `
select Name, @{Name="Path";Expression={$psrunbooksLocalDir + "\" + $_.Name}} | `
Import-AzureRMAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName -Type PowerShell -Force | `
Publish-AzureRmAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName
Write-Output "Local files uploaded to storage container - 'psrunbooks'. Runbooks published to Azure automation."
} else
{
#Upload runbooks to storage, do not publish
ls –Recurse –Path $psrunbooksLocalDir | Set-AzureStorageBlobContent –Container $psrunbookcontainer.Name –Context $context
Write-Output "Local files uploaded to storage container - 'psrunbooks'."
}
}
@AntonyNolan
Copy link

gvu

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment