This question refers to the application slots feature for Azure Server Manager (ASM) WebSites that enables the ability to create a staging website under an existing one. I'd like to swap my site's staging and production environments using Powershell, but I haven't found the way to do it with the currently available commands. Does anyone have an idea how to do it?
Switch-AzureWebsiteSlot -Name "your web site name" -Force
You can use this PowerShell cmdlet:
Switch-AzureWebsiteSlot [[-Name] ] [[-Slot1] ] [[-Slot2] ] [-Force] [-Confirm] [-WhatIf] [ ]
[-Force] parameter is used in order to not confirm the swap operation and directly execute
An Example:
C:\PS>Switch-AzureWebsiteSlot -Name YourWebsite
Related
I'm trying to implement a fairly simple PowerShell query, hosted in Azure Automation, to manage External Identities
I've set up a System Managed Identity and have successfully connected using Connect-AzAccount -Identity
But when I run it, it says You must call the Connect-AzureAD cmdlet before calling any other cmdlets
The next cmdlet is Get-AzureADPolicy, which I think triggered the above message
Following this blog, I tried this:
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext -ErrorAction Stop
Connect-AzureAD -TenantId $AzureContext.Tenant.TenantId -AccountId $AzureContext.Account.Id
and I get this: Unable to find an entry point named 'GetPerAdapterInfo' in DLL 'iphlpapi.dll'
Am not at all sure now what to do; any help appreciated
PS: I'm aware there are quite few related questions, but I have not been able to find an answer to this particular query ...
I was having the same issue and I resolved it by using the below commands. I have added comments to underline what each statement is meant for.
# Ensures you do not inherit an AzContext in your runbook. Out-Null is used to disable any output from this Cmdlet.
Disable-AzContextAutosave -Scope Process | Out-Null
# Connect to Azure with system-assigned managed identity.
$AzureContext = (Connect-AzAccount -Identity).context
# set and store context. Out-Null is used to disable any output from this Cmdlet.
Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext | Out-Null
With help from M/S support, I can now clarify the issue. The core point is that it is not possible to authenticate for AzureAD (with Connect-AzureAD) using Managed Identity; a Run As account must be used, at least currently
Further, for our use case, the Run As account had to have "Global Admin" role; "Owner" was not sufficient
It is of course possible to use Managed Identity for managing other Azure Resources (using Connect-AzAccount)
I try to perform a swap between 2 Azure slots (Staging and Production) on a QA environment. For that I use PowerShell and use Switch-AzureWebsiteSlot cmdlet.
Below what I execute:
*`
Switch-AzureWebsiteSlot -Name "http://qa-2.cloudapp.net/" -Slot1
"Production" -Slot2 "Staging" -Force -Verbose -Debug
`*
But I got the following error:
Switch-AzureWebsiteSlot : The website must have at least two slots to
apply swap At
C:\PrivateAgents\agent2_work\r6\a\MyCompany-CI-Template\drop#1129\mycompany-swapslots-azure.ps1:222
char:2
+ Switch-AzureWebsiteSlot -Name "http://qa-2.cloudapp.net/" -Slot1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Switch-AzureWebsiteSlot], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Websites.SwitchAzureWebsiteSlotCommand
DEBUG: AzureQoSEvent: CommandName - Switch-AzureWebsiteSlot; IsSuccess
- False; Duration - 00:01:02.5624486; Exception - System.Management.Automation.PSInvalidOperationException: The website
must have at least two slots to apply swap at
Microsoft.WindowsAzure.Commands.Websites.SwitchAzureWebsiteSlotCommand.ExecuteCmdlet()
at
Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
I use Debug mode to have more details but I don't understand what does it mean. I am a newbie in Azure and Powershell as well.
I made sure the right AzureSubscription is set as current one before to execute my cmdlet.
Anyone got the same issue as me before?
I have a doubt about the "-Name" value I used. I use site URL I found on the Azure portal. I don't know if it is correct.
To get the name of your websites in the subscription use the below PowerShell cmdlet:
Get-AzureWebsite
Note: The website should be something like this "constosoweb" and azure website looks like contosoweb.cloudapp.net.
For more details, you may refer "Swap Slots in Azure Web Site when there are 2 or more staging slots using Azure PowerShell".
I have a doubt about the "-Name" value I used. I use site URL I found
on the Azure portal. I don't know if it is correct.
-Name is the name of the website, we can use ARM powershell to get it:
Get-AzureRmWebApp -ResourceGroupName <resourcegroupname> -Name <webappname>
Like this:
Switch-AzureWebsiteSlot : The website must have at least two slots
According to this error message, we should add at least two slots to that website:
Then we can run Switch-AzureWebsiteSlot -Name jasonapp3 -Slot1 jasonapp32 -Slot2 jasonapp4, here is the result:
Hi Pradeep and Jason,
Thanks a lot for your help.
Thanks to your advices I figured out where was my issue. In fact we use Azure Cloud Service and not WebSite. That's why my cmdet failed.
I looked for cmdlet suit to Cloud Service and I found Move-AzureDeployment that works perfectly for me.
Thanks
New-AzureWebsite Cmdlet -
New-AzureWebsite [[-Name] <String> ] [[-Location] <String> ] [[-Hostname] <String> ] [[-PublishingUsername] <String> ] [-Git] [-GitHub] [-GithubCredentials <PSCredential> ] [-GithubRepository <String> ] [-Slot <String> ] [ <CommonParameters>]
What is the difference between Name and HostName? In what situations we can use them?
Both parameters will determine the addresses of your website.
The Name represents the website name, and it will determine the default website address allocated by Azure (it is a subdomain of azurewebsites.net).
So having the next comand:
New-AzureWebsite -Name MySite
Will generate an azure website with the next address: MySite.azurewebsites.net.
The Hostname represents additional domain name to be attached to your website. You can use it in case you have your own domain name.
So modifying the previous command:
New-AzureWebsite -Name MySite -Hostname MyWebsite.com
It will generate an azure website with the next addresses: MySite.azurewebsites.net and MyWebsite.com.
The Azure Portal equivalent operation for Hostname parameter is explained here - Web Sites Custom Domain Names
I'm looking for a way to use Azure PowerShell commands to do a deployment swap for an Azure App Service (previously Azure Websites). All of the posts I've seen say to use the command
Move-Deployment -ServiceName
but that appears to only be valid for cloud services and swapping between Production and Staging predefined slots.
I have a website with deployment slots that I've defined and I can use the following command to get information about the website site, but I don't see how to swap it:
Get-AzureWebsite -Name "sitenamehere" -Slot test
Could this be what you're looking for?
Switch-AzureWebsiteSlot [[-Name] <String> ] [[-Slot1] <String> ] [[-Slot2] <String> ] [-Force] [-Confirm] [-WhatIf] [ <CommonParameters>]
The solution is to use the command
Switch-AzureWebsiteSlot -Name "sitenamehere"
More details are provided in this blog post http://blogs.msdn.com/b/harikharan/archive/2015/01/01/swap-slots-in-azure-web-site-when-there-are-2-or-more-staging-slots-using-azure-powershell.aspx
My MSMQ queue gets created by PowerShell DSC engine. I can see queues created. Since DSC engine runs from SYSTEM account, then queue owner also gets set to SYSTEM.
When I try to set MSMQ ACL from PowerShell console I constantly get following error:
PS C:\Users\Administrator.DOMAIN> whoami; Get-MsmqQueue queue1 | Set-MsmqQueueACL -UserName "Everyone" -Allow FullControl
DOMAIN\administrator
Set-MsmqQueueACL : Failed to set security descriptor. Error code: 3222143013
At line:1 char:50
+ whoami; Get-MsmqQueue incredipay_atm_processor | Set-MsmqQueueACL -UserName "Eve ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (FullControl:MessageQueueAccessRights) [Set-MsmqQueueACL], Win32Exception
+ FullyQualifiedErrorId : Failed to set security descriptor. Error code: 3222143013,Microsoft.Msmq.PowerShell.Commands.SetMSMQQueueACLCommand
I also can't set MSMQ ACL using custom DSC resource, which is basically doing the same thing only from SYSTEM account.
So the question is are there any way to set MSMQ permissions from within PowerShell DSC engine using Set-MSMQQueueACL cmdlet. Or at least if I'll be able to solve previously mentioned mentioned error, then maybe I'll be able to solve also DSC problem.
I'm running Windows 2012 and WMF 4.0.
Thanks in advance.
I did something similar recently and hit the same problem. You have to take ownership of the queue first (admin rights required), and then you can change the permissions.
Try these manual steps in the Computer Management snap-in first to check it solves your error, and then work out how to reproduce it via PowerShell.
Start -> Run -> compmgmt.msc
Expand "Computer management (Local) -> Services and Applications -> Message Queuing -> Private Queues"
Right click -> Properties -> Security -> Advanced -> Owner -> Other users or groups...
Enter your user name (DOMAIN\administrator)
Click OK, then OK again
You should now be able to edit security via script
I ended up writing some PInvoke code to take ownership of the queue using C#, which I compiled on the fly with Add-Type in PowerShell. I can't share it unfortunately as it's proprietary, but this question might give you some pointers:
How do I set the owner of a message queue?
P.S. error code 3222143013 is 0xC00E0025, which translates to MQ_ERROR_ACCESS_DENIED (see http://msdn.microsoft.com/en-us/library/ms700106%28v=vs.85%29.aspx)
I've managed to overcome this issue by using following code in my custom DSC resource:
$ScriptBlock={
param(
[String] $QueueName,
[String] $Username,
[String[]] $MessageQueueAccessRight,
[ValidateSet("Allow","Deny")]
[String] $MessageQueueAccessType
)
$params = #{}
$queue = Get-MSMQQueue -Name $QueueName
$params.Add("InputObject",$queue)
$params.Add("Username",$Username)
switch ($MessageQueueAccessType)
{
"Allow" {$params.Add("Allow","$MessageQueueAccessRight"); Break;}
"Deny" {$params.Add("Deny","$MessageQueueAccessRight"); Break;}
}
Set-MsmqQueueACL #params
}
Foreach($MessageQueueAccessRight in $MessageQueueAccessRights)
{
Invoke-Command -ScriptBlock $ScriptBlock -ComputerName . -Credential $DomainAdministratorCredential -ArgumentList $QueueName,$Username,$MessageQueueAccessRight,$MessageQueueAccessType
}
Of course it's necessary to use the same approach when MSMQ queue gets created by DSC. So MSMQ queue creation should be made by the same account, whose initially going to adjust ACLs.
To do this in DSC, you can run your command using different credentials by having your custom DSC resource take a [PSCredential] parameter.
To do this securely requires some significant changes to your DSC infrastructure. See my answer to this question: https://serverfault.com/questions/632390/protecting-credentials-in-desired-state-configuration-using-certificates/#632836
If you just want to test before making those changes, you can tell DSC to allow storing your credentials in plaintext using PSDscAllowPlainTextPassword = $true in your configuration data (see here for details).
I also created a custom DSC resource to setup/modify my MSMQ queues within my web farm. Since DSC runs as SYSTEM you must ensure that the SYSTEM account has access to create/modify MSMQ's on the node.
There is a way to have DSC run as an account. If that is the case then you have to ensure that you are passing in that account when attempting to create/modify your MsmqQueue.
I understand I am responding to an old thread. But someone else in the near future may be facing the same issue and come across this thread.
Enjoy & Good Luck!