Script to deploy Azure Automation Account, Storage Account, and Key Vault
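#requires -RunAsAdministrator
#requires -Modules AzureRM
<#
.Synopsis
Bootstraps the orchestration landing zone: a resource group, a storage account, an Azure Automation account and a Key Vault.
.Description
Script needs to be run with elevated privileges, as it interacts with the local file system (for generation of a certificate).
NOTE(review): only the certificate step inside the sibling script Create-AzureServicePrincipalForServerAutomation.ps1
appears to need that elevation; everything else here is Azure API work. Keep the elevated window short-lived.
Executes the initial setup script, creating a dedicated resource group, storage account, and Azure Automation account.
Optionally uploads ARM templates and PowerShell runbooks to the created storage account (if a path is specified).
Optionally publishes all PowerShell runbooks in the specified directory to the Azure Automation account created by the process.
Two service principals (server and client) are created by sibling scripts in the same directory and backed up into the
Key Vault; those scripts are not part of this file, so their exact privileges cannot be reviewed here.
.Parameter environmentName
Azure cloud to log in to (Add-AzureRmAccount -EnvironmentName). Defaults to the US Government cloud.
.Parameter location
Region for every resource created here. Defaults to "USGov Virginia".
.Parameter subscriptionId
Target subscription (GUID). Selected as the default context after login.
.Parameter resourceGroupName
Resource group that will hold all created resources; created if missing.
.Parameter storageAccountName
3-24 lowercase letters/digits (Azure's storage naming rule, enforced by the validators below).
.Parameter armtemplatesLocalDir
Optional local folder whose files are uploaded to the private 'arm' container.
.Parameter scriptsLocalDir
Optional local folder whose files are uploaded to the private 'scripts' container.
.Parameter psrunbooksLocalDir
Optional local folder whose files are uploaded to the private 'psrunbooks' container and, by default, published as runbooks.
.Parameter automationAccountName
Automation account to create (Free plan). Also used as the prefix of both service principal display names.
.Parameter keyVaultName
Key Vault to create; 3-24 characters, letters/digits/hyphens, starting with a letter (Azure's vault naming rule).
.Parameter serverPrincipalCertPassword
SecureString protecting the certificate generated for the server-auth service principal. Never pass this as plain text.
.Parameter publishAutomationRunbooks
When $true (default) runbooks found in psrunbooksLocalDir are imported and published after upload; otherwise only uploaded.
.Notes
The interactive identity must be able to create resource groups, storage accounts, automation accounts and Key Vaults in
the subscription; the sibling scripts additionally register applications in the directory. Prefer a dedicated,
least-privileged deployment identity over a personal Owner account.
.Example
$BaseSourceControl = 'C:\Users\davoodharun\Desktop'
$MyParams = @{
environmentName = "AzureUSGovernment"
location = "USGov Virginia"
subscriptionId = "eee71d43-1ba6-4da6-a6c4-ab75f599c1dc"
resourceGroupName = "OrchestrationRG"
StorageAccountName = "orchestrationstorage"
armtemplatesLocalDir = "$BaseSourceControl\OD4Gov\Templates"
psrunbooksLocalDir = "$BaseSourceControl\OD4Gov\Scripts\orchestration\automationrunbooks"
scriptsLocalDir = "$BaseSourceControl\OD4Gov\Scripts\DSC"
automationAccountName = "OrchestrationAutomationUser"
keyVaultName = "OrchestrationKeyVault"
# New-QMAlphanumericSecurePassword is a helper from the author's environment, not part of this file;
# any SecureString-returning generator (e.g. Read-Host -AsSecureString) works here.
serverPrincipalCertPassword = New-QMAlphanumericSecurePassword
}
. "$BaseSourceControl\OD4Gov\Scripts\orchestration\Orchestration_InitialSetup.ps1" @MyParams -verbose
#>
[cmdletbinding()]
Param(
    [string]$environmentName = "AzureUSGovernment",
    [string]$location = "USGov Virginia",
    # Reject obviously malformed ids up front instead of failing inside Get-AzureRmSubscription.
    [Parameter(Mandatory=$true)]
    [ValidateScript({ if ($null -ne ($PSItem -as [guid])) { $true } else { Throw "subscriptionId must be a GUID" } })]
    [string]$subscriptionId,
    [Parameter(Mandatory=$true)]
    [string]$resourceGroupName,
    [Parameter(Mandatory=$true)]
    [ValidateLength(3, 24)]
    [ValidateScript({ if ($PSItem -cmatch '^[a-z0-9]*$') {$true} else { Throw "Must only contain lowercase and number"}}) ]
    [string]$storageAccountName,
    [string]$armtemplatesLocalDir,
    [string]$scriptsLocalDir,
    [string]$psrunbooksLocalDir,
    # Used unconditionally below (automation account creation, SP display names), so require it rather
    # than letting New-AzureRmAutomationAccount fail on an empty name half-way through.
    [Parameter(Mandatory=$true)]
    [string]$automationAccountName,
    # Likewise used unconditionally (vault creation, secret seeding, SP backup).
    [Parameter(Mandatory=$true)]
    [ValidateLength(3, 24)]
    [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$')]
    [string]$keyVaultName,
    [Parameter(Mandatory=$true)]
    [SecureString]$serverPrincipalCertPassword,
    [bool]$publishAutomationRunbooks = $true
)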
# Fail fast: any cmdlet error, including normally non-terminating ones, aborts the whole script.
$errorActionPreference = 'stop'

# Probe for an existing login by looking the target subscription up. The lookup throws when there is
# no cached context, and this cmdlet does not reliably honour -ErrorAction, hence try/catch instead.
$subscription = $null
try {
    $subscription = Get-AzureRmSubscription -SubscriptionId $SubscriptionId
    Write-Host "Using existing authentication"
}
catch {
    # No usable context (or the subscription is not visible to it): fall through to an interactive login.
}

if (-not $subscription) {
    Write-Host "Authenticate to Azure subscription"
    Add-AzureRmAccount -EnvironmentName $EnvironmentName | Out-String | Write-Verbose
}

# Pin the context so every later cmdlet targets the requested subscription, whichever way we authenticated.
Write-Host "Selecting subscription as default"
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-String | Write-Verbose
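function New-RandomSecureString {
    <#
    .Synopsis
    Builds a SecureString of $Length characters drawn from a fixed alphabet using the OS CSPRNG.
    .Description
    Seeds the Key Vault secrets below so that no credential is hard-coded in this file. Bytes at or above the
    rejection threshold are discarded, so every alphabet character is equally likely (no modulo bias), and the
    value is appended char-by-char without ever being materialised as a plain .NET string.
    .Parameter Length
    Number of characters to generate (default 32, about 200 bits with this 74-character alphabet).
    #>
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^*()-_=+'
    $threshold = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $secure = New-Object System.Security.SecureString
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $threshold) {
                $secure.AppendChar($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $secure.MakeReadOnly()
    return $secure
}

# Each resource below is looked up first and only created when absent, so the script is safe to re-run.
Write-Host "Creating resource group '$($resourceGroupName)' to hold the automation account, key vault, and template storage account."
if (-not (Get-AzureRmResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $location | Out-String | Write-Verbose
}

Write-Host "Create storage account '$($storageAccountName)' (this takes a while sometimes. In portal in browser takes 2 mins not sure what the problem is here)"
if (-not (Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -ErrorAction SilentlyContinue )) {
    # Locally-redundant storage is enough for templates/scripts. NOTE(review): HTTPS-only transfer is not
    # enforced here (-EnableHttpsTrafficOnly); add it once the pinned AzureRM.Storage version is known to support it.
    New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $location -SkuName Standard_LRS | Out-String | Write-Verbose
}

Write-Host "Create automation account '$($automationAccountName)' to host deployment runbooks."
if (-not (Get-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -ErrorAction SilentlyContinue)) {
    New-AzureRmAutomationAccount -ResourceGroupName $resourceGroupName -Name $automationAccountName -Location $location -Plan Free | Out-String | Write-Verbose
}

Write-Host "Create a keyVault '$($keyVaultName)' to store the service principal ids, key, certificate"
if (-not (Get-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue )) {
    # -EnabledForTemplateDeployment lets ARM deployments reference these secrets. The creating identity gets the
    # default (full) access policy; scope it down with Set-AzureRmKeyVaultAccessPolicy once the automation
    # principals exist. NOTE(review): soft-delete / purge protection are not enabled here — confirm the
    # installed AzureRM version supports -EnableSoftDelete before adding it.
    New-AzureRMKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnabledForTemplateDeployment -Location $location | Out-String | Write-Verbose

    # Seed the two passwords that downstream deployments read from the vault. They used to be a single
    # hard-coded placeholder literal committed in this script; each is now an independent random value that
    # exists only inside the vault (retrieve with Get-AzureKeyVaultSecret). Seeding happens only on first
    # creation, so a re-run never rotates a secret that existing deployments already depend on.
    foreach ($secretName in @('adminPassword', 'sqlServerServiceAccountPassword')) {
        # A software-protected key of the same name is created alongside the secret, as before. Nothing in
        # this script reads it — presumably consumed by templates or the SP scripts; verify before removing.
        $null = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $secretName -Destination 'Software'
        $null = Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue (New-RandomSecureString -Length 32)
    }
}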
# Both helper scripts are expected next to this file (they are not part of it). The server-auth script
# receives the certificate password and, per its parameter names, backs the certificate up into the vault;
# the client-auth script backs its credential up into the same vault. What each grants to its principal
# is not visible here — review those scripts for least privilege.
$serverAppName = "$($automationAccountName)RunAs"
$clientAppName = "$($automationAccountName)Client"

& (Join-Path $PSScriptRoot 'Create-AzureServicePrincipalForServerAutomation.ps1') `
    -subscriptionId $subscriptionId `
    -ResourceGroup $resourceGroupName `
    -AutomationAccountName $automationAccountName `
    -ApplicationDisplayName $serverAppName `
    -certPassword $serverPrincipalCertPassword `
    -backupCertVaultName $keyVaultName
Write-Output "New service principal created for server auth - $serverAppName."

& (Join-Path $PSScriptRoot 'Create-AzureServicePrincipalForClient.ps1') `
    -SubscriptionId $SubscriptionId `
    -ApplicationDisplayName $clientAppName `
    -backupKeyVaultName $keyVaultName
Write-Output "New service principal created for client auth - $clientAppName."
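# Storage context carries the account key; it stays in memory only and is never written out.
$context = (Get-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $resourceGroupName).Context

# Containers are created private (-Permission Off: no anonymous read). Look each one up first so a re-run
# does not die on "container already exists" under ErrorActionPreference=Stop — the same Get/New pattern
# the resource group, storage account, automation account and vault use above.
$containers = @{}
foreach ($containerName in @('arm', 'scripts', 'psrunbooks')) {
    $existing = Get-AzureStorageContainer -Name $containerName -Context $context -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Storage container '$containerName' already exists; reusing it."
        $containers[$containerName] = $existing
    }
    else {
        $containers[$containerName] = New-AzureStorageContainer -Name $containerName -Context $context -Permission Off
        Write-Output "New storage account container created - '$containerName'."
    }
}

# Uploads: -File keeps directories out of the pipeline (a DirectoryInfo makes Set-AzureStorageBlobContent
# fail, aborting the script); -Force overwrites blobs left by a previous run instead of erroring.
if ($armtemplatesLocalDir) {
    Get-ChildItem -File -Recurse -Path $armtemplatesLocalDir | Set-AzureStorageBlobContent -Container $containers['arm'].Name -Context $context -Force
    Write-Output "Local files uploaded to storage container - 'arm'."
}

if ($scriptsLocalDir) {
    Get-ChildItem -File -Recurse -Path $scriptsLocalDir | Set-AzureStorageBlobContent -Container $containers['scripts'].Name -Context $context -Force
    Write-Output "Local files uploaded to storage container - 'scripts'."
}

if ($psrunbooksLocalDir) {
    if ($publishAutomationRunbooks) {
        # Upload, then import and publish every runbook. The local path handed to Import-AzureRMAutomationRunbook
        # is rebuilt from the uploaded blob's Name; if that is just the file name (as it appears to be), a runbook
        # in a sub-folder would be uploaded but its rebuilt path would not exist. NOTE(review): keep runbooks at the
        # top level of $psrunbooksLocalDir, or carry FullName through the pipeline instead.
        Get-ChildItem -File -Recurse -Path $psrunbooksLocalDir |
            Set-AzureStorageBlobContent -Container $containers['psrunbooks'].Name -Context $context -Force |
            Select-Object Name, @{Name = "Path"; Expression = { Join-Path $psrunbooksLocalDir $_.Name }} |
            Import-AzureRMAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName -Type PowerShell -Force |
            Publish-AzureRmAutomationRunbook -ResourceGroupName $resourceGroupName -AutomationAccountName $automationAccountName
        Write-Output "Local files uploaded to storage container - 'psrunbooks'. Runbooks published to Azure automation."
    }
    else {
        # Upload runbooks to storage only; nothing is imported into the automation account.
        Get-ChildItem -File -Recurse -Path $psrunbooksLocalDir | Set-AzureStorageBlobContent -Container $containers['psrunbooks'].Name -Context $context -Force
        Write-Output "Local files uploaded to storage container - 'psrunbooks'."
    }
}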
@AntonyNolan
gvu
