Azure Automation is one of the most popular automation tools, designed specifically for resolving day-to-day operational challenges around process automation, configuration management and update management.
Some of the useful scenarios for Azure Automation are:
- Automating the creation of virtual machines on Azure
- Updating or patching the VMs
- Deallocating the VMs at the end of the day
- Scaling various Azure services up or down to different SKUs to reduce operational costs and save time
In this post I will focus on how to create an Automation account that uses a managed identity, and how to create and run Azure Automation PowerShell runbooks programmatically.
PowerShell runbooks are based on Windows PowerShell. You can edit the runbook code directly in the text editor in the Azure portal, or use any offline text editor and import the runbook into Azure Automation.
Azure Automation account using a Run-As account vs. a managed identity
Whenever a Run-As account is created, a new application is registered under App registrations in Azure AD and a self-signed certificate is generated that is valid for one year.
So there is the overhead of renewing the certificate every year before it expires, otherwise the Automation account stops working.
Some of the permissions needed for Run-As accounts are:
- User Access Administrator at subscription level (needed for creating the Run-As account and renewing certificates)
- Application Administrator in Azure AD (for creating the service principal)
- Contributor access to the Automation account
Automation accounts can now be configured to use a managed identity, which is the default option when an account is created. With this feature, the Automation account can authenticate to Azure as itself without needing to exchange any credentials, which removes the overhead of renewing the certificate or managing the service principal.
A managed identity can be system-assigned or user-assigned. By default, whenever a new Automation account is created now, a system-assigned managed identity is enabled.
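To show what the managed identity actually buys you inside a runbook, here is an added example runbook (my own illustration, not code from the post or its GitHub repository) that signs in with Connect-AzAccount -Identity and deallocates the VMs in one resource group that carry an opt-in tag, which is the end-of-day scenario listed above. The resource group name, the AutoShutdown tag convention and the runbook's parameter names are assumptions; the only permission the identity needs is a role that allows stopping VMs in that resource group.

```powershell
# Added example runbook (not from the post or its repository): deallocate every VM in one
# resource group that carries the tag AutoShutdown=true, authenticating as the Automation
# account's system-assigned managed identity. Resource group and tag names are assumed.
param(
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroupName,                 # e.g. 'rg-vms-demo' (assumed placeholder)
    [string]$TagName  = 'AutoShutdown',         # assumed tag convention
    [string]$TagValue = 'true'
)

$ErrorActionPreference = 'Stop'

# Runbook sandboxes should not persist the Az context between jobs.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the managed identity: no certificate, secret or Run-As account is involved.
# For a user-assigned identity add: -AccountId <client id of that identity>.
$ctx = (Connect-AzAccount -Identity).Context
Write-Output "Authenticated as '$($ctx.Account.Id)' in subscription '$($ctx.Subscription.Name)'"

# Only VMs that opted in via the tag are touched; everything else is left alone.
$targets = Get-AzVM -ResourceGroupName $ResourceGroupName | Where-Object {
    $_.Tags -and $_.Tags[$TagName] -eq $TagValue
}

if (-not $targets) {
    Write-Output "No VMs tagged $TagName=$TagValue in $ResourceGroupName; nothing to do."
    return
}

foreach ($vm in $targets) {
    # Read the current power state so an already deallocated VM is not stopped again.
    $power = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status).Statuses |
        Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -ExpandProperty DisplayStatus
    if ($power -eq 'VM deallocated') {
        Write-Output "$($vm.Name): already deallocated, skipping"
        continue
    }
    # Stop-AzVM deallocates by default (no compute cost). -Force suppresses the confirmation
    # prompt, which would otherwise hang an unattended job.
    Write-Output "$($vm.Name): $power -> deallocating"
    Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force | Out-Null
}
```

Because the runbook authenticates as the account itself, the blast radius of a compromised or buggy runbook is exactly the set of role assignments the identity holds; the next section shows how to keep that set narrow.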
Programmatically creating Automation Account and Importing Runbooks
- Creating Automation Account using system assigned managed identity
- Create Role Assignment to give permissions to Automation account
- Creating Automation Schedule (Once/ Recurring)
- Create and Import Runbooks
- Scheduling Runbooks
GitHub Repository
Creating Automation Account using system assigned managed identity
This can be done in a single command:
New-AzAutomationAccount -Name $AutomationAccountName -Location $Location -ResourceGroupName $ResourceGroupName -AssignSystemIdentity
The complete script is located at my GitHub repository:
https://github.com/Pujago/AzureRunbooks/tree/main/templates
Script Name: createAutomationAccount.ps1
The above script creates an Automation account with the system-assigned managed identity enabled:
Create Role Assignment to give permissions to Automation account
Before you can use the system-assigned managed identity for authentication, you need to assign the appropriate role to that identity on the target Azure resource. For example, to start or stop an Azure VM, the managed identity must be assigned a role that permits starting or stopping the VM.
In the previous screenshot, if you click on "Azure role assignments", you will see that no role assignments are found, as in the screen below:
To create a role assignment, I used the command below:
New-AzRoleAssignment -ObjectId $automationObject -RoleDefinitionName $RoleDefinition -Scope $Scope
where the object ID can be obtained using the command below:
$automationObject = (Get-AzAutomationAccount -Name $AutomationAccountName -ResourceGroupName $ResourceGroupName).Identity.PrincipalId
For example, to give Contributor access on a resource group, you can use:
New-AzRoleAssignment -ObjectId $automationObject -RoleDefinitionName "Contributor" -Scope /subscriptions/<subscriptionId>/resourceGroups/<your resourcegroup name>
Note: In a real-world scenario, follow the principle of least privilege and assign only the permissions required to execute your runbook.
The complete script is located at my GitHub repository:
https://github.com/Pujago/AzureRunbooks/tree/main/templates
Script Name: createRoleAssignment.ps1
Once the role is assigned, you will see the role in the Azure Portal as:
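Putting the two steps above together: the following is an added example script (my own, not the createAutomationAccount.ps1 or createRoleAssignment.ps1 from the repository) that creates the account with its system-assigned identity, reads the PrincipalId the way the post shows, and then assigns the narrower built-in role Virtual Machine Contributor scoped to the resource group that holds the VMs, rather than Contributor, in line with the least-privilege note. It also skips an assignment that already exists and retries while the newly created identity replicates to Azure AD. All names in the param block are assumed placeholders.

```powershell
# Added example (not from the post's repository): create an Automation account with a
# system-assigned managed identity and grant it a least-privilege role on one resource group.
# Every value in the param block is an assumed placeholder; replace with your own.
#Requires -Modules Az.Accounts, Az.Automation, Az.Resources
param(
    [string]$ResourceGroupName     = 'rg-automation-demo',           # assumed
    [string]$AutomationAccountName = 'aa-demo',                      # assumed
    [string]$Location              = 'westeurope',                   # assumed
    [string]$TargetResourceGroup   = 'rg-vms-demo',                  # RG holding the managed VMs (assumed)
    [string]$RoleDefinitionName    = 'Virtual Machine Contributor'   # built-in role, narrower than Contributor
)

$ErrorActionPreference = 'Stop'

# 1. Create the account with the system-assigned identity (reuse it if it already exists).
$account = Get-AzAutomationAccount -ResourceGroupName $ResourceGroupName -Name $AutomationAccountName -ErrorAction SilentlyContinue
if (-not $account) {
    New-AzAutomationAccount -ResourceGroupName $ResourceGroupName -Name $AutomationAccountName `
        -Location $Location -AssignSystemIdentity | Out-Null
    $account = Get-AzAutomationAccount -ResourceGroupName $ResourceGroupName -Name $AutomationAccountName
}
$principalId = $account.Identity.PrincipalId
if (-not $principalId) { throw "Automation account '$AutomationAccountName' has no system-assigned identity." }

# 2. Scope the assignment to the resource group that holds the VMs, not to the subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId/resourceGroups/$TargetResourceGroup"

# 3. Re-running the script must not create duplicate assignments, so check first.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleDefinitionName -Scope $scope -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Role '$RoleDefinitionName' is already assigned to $principalId at $scope"
    return
}

# 4. A freshly created identity can take a short while to replicate to Azure AD, so retry the
#    assignment a few times instead of failing on the first 'principal not found' error.
$attempt = 0
do {
    try {
        $attempt++
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleDefinitionName -Scope $scope | Out-Null
        Write-Output "Assigned '$RoleDefinitionName' to principal $principalId at $scope"
        break
    } catch {
        if ($attempt -ge 5) { throw }
        Write-Warning "Role assignment attempt $attempt failed ($($_.Exception.Message)); retrying in 10 s"
        Start-Sleep -Seconds 10
    }
} while ($true)

# 5. Print the identity's effective assignments so the scope can be reviewed.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

Run it from a session that already holds a context for the right subscription (Connect-AzAccount followed by Set-AzContext). If the runbook later needs to do more than start and stop VMs, add a second narrowly scoped assignment rather than widening this one to Contributor.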
Create and Import Runbooks
Creating Automation Schedule (Once/ Recurring)
Now the Automation account is created and the managed identity has the appropriate permissions. The runbooks have also been created, imported and published.
Next, let's create an Automation schedule that will be used by the runbooks created in the previous step.
A schedule can be "recurring" or "once".
The code snippet below creates the "recurring" schedule:
This will create a schedule that runs every evening from Monday to Friday.
For a non-recurring schedule, the -OneTime switch is used in place of an interval parameter (an -HourInterval of 1 would instead create a schedule that runs every hour):
New-AzAutomationSchedule -AutomationAccountName $AutomationAccountName -Name $ScheduleName -StartTime $startTime -OneTime -ResourceGroupName $ResourceGroupName -TimeZone $TimeZone
The complete script is located at my GitHub repository:
https://github.com/Pujago/AzureRunbooks/tree/main/templates
Script Name: createSchedule.ps1
Once the script has executed successfully, the recurring schedule will be created as below:
Adding Runbook(s) to a schedule
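The post shows the schedule cmdlet but not the weekday-evening recurring snippet, the runbook import, or the step that attaches a runbook to a schedule. The following added example (my own, not the createSchedule.ps1 from the repository) covers the schedule section and this "Adding Runbook(s) to a schedule" step in one script: it imports and publishes a runbook from a local file, creates the recurring Monday-to-Friday evening schedule and a one-time schedule, and links the runbook to the recurring schedule with its parameters. The runbook name, file path, resource group names and time zone are assumed placeholders.

```powershell
# Added example (not from the post's repository): import a runbook, create the two schedule
# kinds the post describes (weekday-evening recurring and one-time), and link the runbook to
# the recurring one with its parameters. All values in the param block are assumed placeholders.
#Requires -Modules Az.Accounts, Az.Automation
param(
    [string]$ResourceGroupName     = 'rg-automation-demo',            # assumed
    [string]$AutomationAccountName = 'aa-demo',                       # assumed
    [string]$RunbookName           = 'Stop-TaggedVMs',                # assumed
    [string]$RunbookPath           = './runbooks/Stop-TaggedVMs.ps1', # assumed local path
    [string]$TargetResourceGroup   = 'rg-vms-demo',                   # passed to the runbook (assumed)
    [string]$TimeZone              = 'Europe/London'                   # IANA id; adjust to yours
)

$ErrorActionPreference = 'Stop'
$common = @{ ResourceGroupName = $ResourceGroupName; AutomationAccountName = $AutomationAccountName }

# 1. Import (overwriting any previous draft) and publish the runbook from a local .ps1 file.
Import-AzAutomationRunbook @common -Name $RunbookName -Path $RunbookPath -Type PowerShell -Published -Force | Out-Null

# 2. Recurring schedule: 19:00 local time, Monday to Friday, every week.
#    Azure rejects a start time less than 5 minutes away, so pick the next 19:00 that is safely ahead.
$start = (Get-Date).Date.AddHours(19)
if ($start -lt (Get-Date).AddMinutes(10)) { $start = $start.AddDays(1) }

$recurring = Get-AzAutomationSchedule @common -Name 'WeekdayEvening' -ErrorAction SilentlyContinue
if (-not $recurring) {
    $recurring = New-AzAutomationSchedule @common -Name 'WeekdayEvening' -StartTime $start -TimeZone $TimeZone `
        -WeekInterval 1 -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday
}

# 3. One-time schedule: the -OneTime switch replaces any interval parameter.
$onceName = 'RunOnce-' + (Get-Date -Format 'yyyyMMddHHmm')
New-AzAutomationSchedule @common -Name $onceName -StartTime (Get-Date).AddMinutes(15) -TimeZone $TimeZone -OneTime | Out-Null

# 4. Link the runbook to the recurring schedule, supplying the runbook's parameters.
#    Each (runbook, schedule) pair is one job schedule; registering it twice errors, so check first.
$linked = Get-AzAutomationScheduledRunbook @common -RunbookName $RunbookName -ScheduleName $recurring.Name -ErrorAction SilentlyContinue
if (-not $linked) {
    Register-AzAutomationScheduledRunbook @common -RunbookName $RunbookName -ScheduleName $recurring.Name `
        -Parameters @{ ResourceGroupName = $TargetResourceGroup } | Out-Null
}

# 5. Show everything that is now scheduled in the account.
Get-AzAutomationScheduledRunbook @common | Select-Object RunbookName, ScheduleName
```

The parameters passed in step 4 are stored with the job schedule, so the scheduled job runs with exactly the resource group you registered here; changing the target later means re-registering the pair rather than editing the schedule.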
Using Azure DevOps pipeline to run the scripts
While these scripts can be executed from your local machine, I prefer to run them automatically via a pipeline.
For this section, I have to assume you are familiar and experienced with Azure DevOps pipelines.
To create the pipeline:
- Create a repository in Azure DevOps (or use your own GitHub repository)
- Create a service connection in Azure DevOps
- Create a YAML pipeline using the repository