I'm deploying Azure app services with Git continuous deployment and using post deployment action hooks to log the deployment to a Slack channel. My action hooks are written as PowerShell scripts.
From within my PowerShell scripts how do I access Azure or Kudu environmental variables or app settings? It's clear how to do this via deploy.cmd but I'm having no luck from PowerShell.
Ideally I'd like to be able to access things like:
Azure app service name
Deployment slot name
Deployment source/target paths
App settings and/or connection strings
Ok figured this out, apparently all of the Azure environment variables available within your website app service are available to PowerShell scripts running as post deployment actions.
To get the site name within PowerShell:
$siteName = [environment]::GetEnvironmentVariable("WEBSITE_SITE_NAME");
In addition to site name there are dozens of other Azure environment variables plus your app settings and connection strings.
Related
We Have Automated scripts that we would like to build and Test on Azure DevOps but our pipeline cannot run our Test Scripts on Azure
We have a Database Service Account that we want to configure on Azure but we don't know how to go about it. Please assist.
Here is a well explained video (by Hassan Habib from Microsoft) on exactly how to run a console app (you create) in an Azure Pipeline that securely gets credentials to immediately do stuff in Azure (https://youtu.be/ht0xhQyF1x4?t=1688)
He basically, in a handful of minutes shows exactly how to:
Link Pipeline Variables to KeyVault Secrets, so when accessed, the variables do a get() from KeyVault and return that value.
Securely links Pipeline Variables to Azure Environment Variables.
As a step in the release pipeline the console app reads the Azure Environment Variables to get credentials to do stuff in Azure.
In his case he created an Azure Resource Group in Azure.
In your case if I’m understanding correctly. You could possibly make a simple console app that runs in the pipeline, that gets creds\connections strings for your database to do whatever in the DB and could possibly test your scripts.
I have one release pipeline where i am deploying latest/selected artifacts to one web app.
I want to release the same artifacts to multiple web app in single release pipeline.
I have two option in my mind.
Create a multiple task with each web app. (this is achievable but every time pipeline changes requires whenever there is new web app getting in picture)
using Power shell but not sure why my command is not working here . getting error as The term 'Publish-AzWebApp' is not recognized as the name of a cmdlet, Though this command is working fine in local system but not in pipeline.
Publish-AzWebApp -ResourceGroupName gggroup -Name $app -ArchivePath $(System.DefaultWorkingDirectory)/**/*.zip
this command will run in loop.
Any suggestion!!!
For option 2, Publish-AzWebApp is a step for classic deployment. However, modules for classic deployment are not supported in PowerShell task of Azure DevOps services any more.
Instead, you can use the Azure PowerShell task.
Also, you can deploy ZIP file with REST APIs then invoke the REST APIs using PowerShell.
POST https://<app_name>.scm.azurewebsites.net/api/zipdeploy
The POST request must contain the .zip file in the message body. The deployment credentials for your app are provided in the request by using HTTP BASIC authentication. Click this document for detailed information.
We were originally using Start-AzureWebsite and Stop-AzureWebsite in a powershell script to start and stop web apps in Azure before publishing. In the VSO build it was using Azure Powershell, the connection type was Azure Classic. Microsoft recommended switching to Start-AzureRmWebApp and Stop-AzureRmWebApp which uses the Azure Resource Manager. We modified the Azure Powershell step in the build to have a connection type of Azure Resource Manager, and selected the correct subscription. When it calls our external script using the script path, it appears as though the authentication is not being passed on to the script, we get the error "Run Login-AzureRmAccount to login." when it tries to execute the command to start/stop the websites. How do we get the authentication to persist down to the script being called?
Not sure why the connection get lost, it should work if you dotsource the script to invoke it. However:
I would suggest to create a service principal within the AAD that is linked to your subscription and grant it access to your web app. Then you should use the existing Azure App Service Manage Task to start / stop your app:
By the way, starting / stopping / deploying a web app should be part of a Release Definition / Step - not build.
-
Turns out instead of using Connect-AzureRMAccount i needed to be using Add-AzureRmAccount, once i changed that i can now connect and start/stop App Services! Thank you for the help. – Link
I am trying to publish to a service fabric cluster secured using Azure Active Directory from PowerShell calling Deploy-FabricApplication.ps1 as part of a TeamCity build configuration.
I have been unable to find how you provide credentials in this situation.
I did notice in Deploy-FabricApplication.ps1 that there is a SecurityToken parameter for Active Directory.
Is this what you need to pass to authenticate, and if so how can you generate the security token within PowerShell?
I have set up a user within my Azure Active Directory for TeamCity that I am hopping to authenticate as.
The token can be acquired by making use of the Active Directory Authentication Library (ADAL), specifically by calling the method AcquireToken in Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.
A good example of this being used can be seen in the code for the VSTS Service Fabric Deploy task at: https://github.com/Microsoft/vsts-tasks/blob/master/Tasks/ServiceFabricDeploy/utilities.ps1.
There's a function in that file called Get-AadSecurityToken which shows the call to the AuthenticationContext.AcquireToken method.
You need to ensure that you have both the cluster app ID and the client app ID. Both of these are retrievable from the cluster by calling Connect-ServiceFabricCluster with the -GetMetadata switch (this is also done in the Get-AadSecurityToken function).
I have some powershell scripts in my CI server to check the state of some WebJobs.
But I have few problems.
I'm using publish settings file, but it expires and my build starts to fail.
I don't want to use a Management Certificate that will expose all management features.
And I don't want to put my user credentials on the CI server that will also expose all management features.
There is any way to create a CI user or credential with restricted permissions?
Thanks!
Azure Functions provides a good solution to this problem. You can create a Service Principle account, with certificate login and then restrict that account to whatever actions you need it to allow (via RBAC)
You can then have an Azure PowerShell script running in Functions, that is called from a webhook from your CI engine. That way the only credentials that are stored on your CI are the webhook secret, and if your CI engine has a static IP you can verify that commands only come from that address, and drop anything else.