I have been using Powershell to manage pieces of Azure on and off for about a year and half now. I had heard tell of Azure Automation but never really had a good reason to justify spending the time climbing that particular mountain (hill really…).
Then the request came through… let’s scale AzureSQL databases up and down based on time of day for a given project… If you have worked in Azure you know Microsoft has built in a fairly robust and relatively easy to use auto scale-out configuration interface for Azure App services. Not so for “up/down” scale operations (increasing/decreasing the size of a single-instance). Hence, my foray into Azure Automation.
I have done a fair bit of Azure Powershell scripting just using the ISE interface and keeping scripts on my desktop. I started out with “AzureRM” and migrated to “AZ” as Microsoft starting a couple of years ago pretty much said “AZ” is the future… switch now.
With that background in place, I will state that I found starting out on Azure Automation to be a bit of a bumpy ride. I wanted to hopefully save you the reader some of the time I spent chasing my tail…
Dump AzureRM, Install AZ
Microsoft tells us to use the AZ Powershell modules… but when you create a new Azure Automation Account you will quickly find out that all of the tutorial scripts reference AzureRM and when you create a Powershell runbook and try to test it you will quickly find out that none of the “AZ” modules are present…. “BANG HEAD HERE”
Thankfully the “fix” for this inconvenience isn’t all that bad for those that want to embrace the future (according to Microsoft) and use AZ modules.
First, delete all of those tutorial runbooks with AzureRM code in them. It may be urban legend but I swear I read in a few places when sorting this out for myself that A.) you definitely do NOT want to mix AzureRM and AZ within the same runbook and B.) I am pretty sure several folks mentioned you don’t even want to mix them within the same Azure Automation account. I would guess the latter is probably because runbooks can actually reference and call other runbooks.
Second.. You need the AZ modules installed… HOW do you do this you ask? My experience with many things in Azure is that very little is intuitive… so lets just skip to the answer.
Great… you have all the AzureRM tutorial scripts removed, and you have installed the AZ modules. Hurdle one down. As a side not, don’t bother trying to uninstall all the AzureRM modules that are already installed… It wouldn’t let me…
One other thing, you are going to be on your own a lot from here with automation scripts. I hope you are comfortable with Powershell AZ. Most of the gallery scripts and example scripts that exist out there all reference AzureRM. My setup was a fresh new environment, I wanted to embrace the -seemingly- new (as in the thing Microsoft launched two+ years ago and said they would henceforth be deprecating the old).
Get Authentication Working – The “Easy” Way
The internet remembers all things… which means there is a lot of outdated information, especially when it comes to guidance on using cloud services. This article will probably be outdated next week… Anyhow, one of the frustrating things I came across were that all the articles I looked at as far as setting up an account for your script to run privileged operations under were definitely outdated. You do NOT need to hop into Azure Active Directory and create a new account with password authentication and then pass those credentials through in all your scripts or set them up as a shared credential source in your automation account. Rather, Azure Automation has what is called “RunAS” accounts and setting them up couldn’t be any easier. To the point:
What this does…
Last step… when you go to create a Powershell runbook, you need to tell the script to run under this “Run As” identity. I stole the code directly from a Microsoft page and created the following function (I like functions). Drop this at the top of all of your Powershell runbooks and execute it before you do anything else and you are good to go.
Disable-AzContextAutosave -Scope Process
$connection = Get-AutomationConnection -Name AzureRunAsConnection
$logonAttempt = 0
while(!($connectionResult) -And ($logonAttempt -le 10)){
$LogonAttempt++
$connectionResult = Connect-AzAccount `
-ServicePrincipal `
-Tenant $connection.TenantID `
-ApplicationId $connection.ApplicationID `
-CertificateThumbprint $connection.CertificateThumbprint
Start-Sleep -Seconds 30
}
}
Presto, your script now has contributor rights and can do all the things on resources within your subscription.
Conclusion
I beat my head against the wall for over an hour sorting out the above things for myself. Hopefully this will save you from having similar headaches.
I have also written some scripts I hope to share. One is for a scheduled base scale-up/down of AzureSQL databases and another is a script that takes parameters and can be called from Azure Monitor to dynamically Scale-Up and Scale-Down an AzureSQL DB based on workload. I have the first figured out and am almost done with the second and look forward to writing and sharing soon. Cheers!