I need specify one app setting as "deployment slot setting" so as to assign different value in Prod and Staging slots and keep the value stick to slot when swapping the slots. I know I can do it on azure portal as below screen shot. But how to do it using powershell?
I tried the powrshell cmd Set-AzWebAppSlot:
Set-AzWebAppSlot -AppSettings $newAppSettings -Name $webAppName -ResourceGroupName $resourceGroupName -Slot "Staging"
But the settings set with above command are not marked as "Deployment slot setting"
If you want to configure an app setting or connection string to stick to a specific slot (not swapped),
use Set-AzWebAppSlotConfigName:
Set-AzWebAppSlotConfigName -ResourceGroupName <group-name> -Name <app-name> -AppSettingNames <setting-name1>,<setting-name2>,...
Reference link: https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=ps#configure-app-settings
Related
I have an application hosted in Azure, and I use Azure DevOps to manage my build and release pipelines. As part of the release, I warm up the application by making a request to the root url (e.g. https://myapp.azurewebsites.net). In order to make this request I must first make sure the hosted build agent running the deployment has access to that url (or I will get a 403). I have written a short powershell script to achieve this, and put it in an Azure Powershell task. It adds the IP of the build agent to the IpSecurityConfiguration of the app service. So far so good. It works perfectly for apps that are just apps. Where it falls down is when I try to use it against a staging environment. When we release to production we first push the code to a staging slot, then flip it over to live when we've run our tests and made sure everything is good. The powershell script that correctly handles the IpSecurityConfiguration for the app services does not work on the staging slot. To access a staging slot, we use myappname/slots/staging for the variable $(WebApiName), normally it would just be the name of the app service itself. Again, this works perfectly if I run the script from my local environment, it only fails in the pipeline. The code is below:
# Whitelist Azure Agent IPs
$agentIP = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
Write-Host "Connecting to Azure"
$APIVersion = ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Web).ResourceTypes | Where-Object ResourceTypeName -eq sites).ApiVersions[0]
Write-Host "API Version is $APIVersion. Getting web app config for $(WebApiName) in $(ResourceGroupName)"
$WebApiConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $(WebApiName) -ResourceGroupName $(ResourceGroupName) -ApiVersion $APIVersion)
Write-Host "Got web app config: $WebApiConfig"
$webIP = [PSCustomObject]#{
ipAddress = "$agentIP/32";
action = "Allow";
tag = 'Default';
priority = 300;
name = $agentIP.ToString();
description = $agentIP.ToString()
}
Write-Host "Adding $agentIP to security restrictions"
$WebApiConfig.Properties.ipSecurityRestrictions += $webIP
Write-Host "Updating security restrictions"
# update app restrictions, do not prompt for confirmation
$result = Set-AzureRmResource -ResourceId $WebApiConfig.ResourceId -Properties $WebApiConfig.Properties -ApiVersion $APIVersion -Force
To muddy the water somewhat, I can get the exact same code to work perfectly with the staging slot locally by changing
$WebApiConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/config -ResourceName $(WebApiName) -ResourceGroupName $(ResourceGroupName) -ApiVersion $APIVersion)
to
$WebApiConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites -ResourceName $(WebApiName)/config -ResourceGroupName $(ResourceGroupName) -ApiVersion $APIVersion)
but this doesn't work in the Azure Powershell task. Instead I can't deploy to any environment because the task fails while trying to access IpSecurityRestrictions on the $WebApiConfig object. The exception is "Exception setting "ipSecurityRestrictions": "The property 'ipSecurityRestrictions' cannot be found on this object. Verify that the property exists and can be set."
As I said earlier, if I run the script in exactly this form locally, it works perfectly. Obviously I have to manually replace the variables that come from the build pipeline, but otherwise there is no difference between code that works exactly as I want it to on my local machine and code that fails in the release. You can verify this by swapping out $(WebApiName) for a valid app service name and $(ResourceGroupName) for the resource group that app service is in. I put a line in about halfway down that outputs $WebApiConfig so that I can see what it is, and on my local machine I see a valid object, while in the output of the task I get nothing. The line just says "Got web app config:"
Anyone got any ideas?
I've tried changing the version of powershell used by the task to
match the version I've got.
I've tried using the preview version of the task (v4, otherwise I've been using v3).
I've tried every permutation of /sites/config everywhere I can think of in the call to Get-AzureRmResource (since that was what allowed it to work locally on the slot).
Just one final thing in case anyone wonders. I'm doing it this way instead of whitelisting all the IPs in Microsoft's list (https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653) for two reasons, firstly it's a lot easier to maintain a short list of our own IPs, and secondly there seems to be a bug somewhere in the way Azure handles those CIDR definitions because IPs that are categorically in those ranges are frequently blocked during our deployments even when we have the entire file whitelisted. This way I just add whichever IP is currently being used dynamically to the whitelist, and remove it after we're done. Assuming I can get it to work...
Finally figured out the solution to this. In order to work with slots the resource type has to be subtly different. This line works in an Azure Powershell task:
$WebApiConfig = (Get-AzureRmResource -ResourceType Microsoft.Web/sites/slots/config -ResourceName $(WebApiName) -ResourceGroupName $(ResourceGroupName) -ApiVersion $APIVersion)
Posting in case it helps anyone else with the same issue. I can confirm that the approach I've taken works great in managing access to Azure sites by build agents, and saves a lot of messing around with Microsoft's build agent xml file.
How do I add an application from the AAD Gallery programmatically and configure it? I checked AAD Powershell commands but I could not find out how to use it to provision a pre-integrated applications from the Azure AD gallery. There is the New-AzureRmADApplication -DisplayName "NewApplication" -HomePage "http://www.microsoft.com" -IdentifierUris "http://NewApplication" for example but not an Add-AzureRmADApplication or similar. The application I need is already available under the "Developer Services" category in the AAD Applications Gallery and all I need is to add it and configure its Single-sign on and Provisioning attributes. Is that even possible or do I have to create a new app? Even if I created a new application how do I configure it past the just adding the HomePage and IdentifierUris parameters which is all I can do using the New-AzureRmADApplication cmndlt?
Any help would be appreciated. Thank you
There is currently no way to configure the applications from the AAD Application Gallery programmatically. You can refer to the following post:
https://social.msdn.microsoft.com/Forums/en-US/42f262e2-150e-48bd-a741-cbabf42fcf77/how-to-add-and-configure-aad-application-from-the-gallery-programatically?forum=WindowsAzureAD
In case anyone come's across this question again, this is now possible, with the AzVm modules, instead of AzRm.
First you get the "Gallery Application Version"
$galleryApp = Get-AzGalleryApplicationVersion -GalleryName $GalleryName `
-GalleryApplicationName $AppName `
-ResourceGroupName $ResourceGroupName
Then create a new app instance for your current PowerShell Session
$appInstance = New-GalleryApplication -PackageReferenceId $galleryApp.Id
You'll also need to set the order parameter after you create the instance. There's no parameter to set it when it's defined.
$appInstance.Order = $int32Value
Finally, add the application to your Virtual Machine
Add-AzVmGalleryApplication -VM $VirtualMachineObjet `
-GalleryApplication $appInstance
-ResourceGroupName $ResourceGroupName
Once the application(s) are added, you need to push the update with "Update-AzVm", otherwise they won't actually deploy.
Here's the full example:
$galleryApp = Get-AzGalleryApplicationVersion -GalleryName $GalleryName `
-GalleryApplicationName $AppName `
-ResourceGroupName $ResourceGroupName
$appInstance = New-GalleryApplication -PackageReferenceId $galleryApp.Id
$appInstance.Order = $int32Value
Add-AzVmGalleryApplication -VM $VirtualMachineObjet `
-GalleryApplication $appInstance `
-ResourceGroupName $ResourceGroupName `
-Order $int32Value
Update-AzVm -ResourceGroupName $ResourceGroupName -VM $VirtualMachineObject
I want to change the deployment password of an existing Azure Web (or Azure Function to be exact, but I think it 's the same) using Powershell.
So in the Azure Portal,
MyWebApp > resource Explorer Tab > Go > Powershell
I have found that command :
Invoke-AzureRmResourceAction
-ResourceGroupName MyGroup
-ResourceType Microsoft.Web/sites
-ResourceName MyWebApp
-Action newpassword
-ApiVersion 2015-08-01
-Force
But where is the password ?
How do I provide it ?
First, make sure you understand the difference between User (aka deployment) credentials and Site (aka publishing) credentials. See here for details.
The PowerShell command you have in your question refers to Site credentials, and is the equivalent of clicking 'Reset Publishing Profile' from the portal. The Site credential is always a randomly generating string, and is not something that you set to your own value. That is why that command does not take any parameters.
I am using VSTS Release Management. In my release flow I add a task 'Azure PowerShell(Run a PowerShell script within an Azure environment)' to run a simple script to set some key vaues in the web.config of a web app:
Set-AzureWebsite -Name $AzureWebsiteName -AppSettings $appsettings
When I run the deployment, I get the following error (related to the script):
[error]No default subscription has been designated. Use Select-AzureSubscription -Default to set the default subscription.
The task is configured to use the connection type "Azure Resource Manager" and so far I understood that 'Set-AzureWebsite' should be used in classic mode?
Is there another way to set the AppSettings with the Azure Ressource Manager Mode=
The name Azure websites changes to Azure App Service Web Apps in the ARM, so you can use: Set-AzureRmWebApp
Replace below command:
Set-AzureWebsite $webAppName -AppSettings $appSettingsHash
With this command:
Set-AzureRmWebApp -AppSettings $appSettingsHash -Name $webAppName -ResourceGroupName $resourceGroupName
Normally, I integrate the deployment source to webapp, and then run the 'Sync' button found in the webapp dashboard as and when required to sync the Azure webapp with my onedrive folder.
But, if I want to give a non-Azure user, I mean , who need not be logged in to Azure portal itself, rather could invoke with a demo credential or sort, what should I do? Or, If I want to run it myself from shell, how to approach?
Would it be possible to run the sync from power-shell with service principal or similar ways ( runbooks, http trigger with azure functions for sync ) without actually giving the user a login credential itself?
Update:
1. I read this blog on Kudu but not sure whether it is what I am actually looking for. Please suggest. https://dzimchuk.net/post/azure-web-apps-continuous-deployment
Update 31/Aug:
My workflow got 3 slots dev/stage/mirror. I aim to integrate dev with source repo. So, Sync is enabled at lowest environment.
SiteName : YourWebApp(dev)
State : Running
DefaultHostName : YourWebApp-dev.azurewebsites.net
Id : /subscriptions/1234567890-{my}-{subscription}_{id}/resourceGroups/Default-Web/providers/Microsoft.Web/sites/YourWebApp/slots/dev
Name : YourWebApp/dev
Location : East US
Type : Microsoft.Web/sites/slots
If you install the latest Azure PowerShell, you can run this command to trigger a sync:
Invoke-AzureRmResourceAction -ResourceGroupName {YourResourceGroup} -ResourceType Microsoft.Web/sites -ResourceName YourWebApp -Action sync -ApiVersion 2015-08-01 -Force
Or if you're dealing with a slot, it will look like this:
Invoke-AzureRmResourceAction -ResourceGroupName {YourResourceGroup} -ResourceType Microsoft.Web/sites/slots -ResourceName YourWebApp/YourSlot -Action sync -ApiVersion 2015-08-01 -Force
As far as letting some other user authenticate, you have a couple options:
You can make them a Contributor on that Web App (using RBAC - Role Based Access Control)
You can set up a Service Principal