Wednesday, December 23, 2020

PowerShell commands in Azure - Part 1

As I have been working with PowerShell for a while, below are some of the common commands for working with PowerShell in Azure.

In this blog I cover the following topics:

  • How to install the Az module in PowerShell
  • How to check the versions of Az available in PowerShell
  • How to connect to Azure using PowerShell
  • How to create or remove resource locks using PowerShell
  • How to create a policy definition and assign it to a resource group using PowerShell

1. Install the PowerShellGet module on the local machine

    Install-Module PowerShellGet -Force -Scope CurrentUser

2. Install the AzureRM/Az packages: the latest recommended version is the Az one

    # older version
    Install-Module -Name AzureRM -AllowClobber -Scope CurrentUser

    # current, recommended module
    Install-Module -Name Az -AllowClobber -Scope CurrentUser

3. Get the list of Az versions installed on the machine

    Get-InstalledModule -Name Az -AllVersions

4. Connect to the Azure account

    Connect-AzAccount

5. Get the list of resource groups within the subscription

    Get-AzResourceGroup

6. Get the list of resources within the resource group

    Get-AzResource -ResourceGroupName "<resource group name>"

Implementing Resource Locks using PowerShell

Locks prevent the resources within a resource group from being modified or deleted. There are two types of locks available: CanNotDelete and ReadOnly.

CanNotDelete locks: These do not allow any user to delete any resource within the resource group. When we try to delete a resource within the group, it throws an error.

ReadOnly locks: These prevent users from modifying any of the resources within the resource group.

Locks can be implemented either at the resource group level or for individual resources within the resource group.

We can create locks using the portal, PowerShell or the Azure CLI. Below are the commands that help you get, create and remove locks on a resource group or on a particular resource within it.

For the commands below I have created a resource group called myrg180988, which has several resources including a SQL Server database. I am creating two types of locks: a ReadOnly lock on the SQL Server database resource and a CanNotDelete lock on the entire resource group. Let's see how this can be accomplished using PowerShell commands.

#Step 1 : Connecting to the Azure account

Connect-AzAccount

#Step 2 : Removing the lock

Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 3 : adding a new lock at the DB level 

New-AzResourceLock -LockLevel ReadOnly -LockNotes "This will prevent the locks from being modified" -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 4 : List the locks available 

Get-AzResourceLock -ResourceGroupName "myrg180988" 

#Step 5 : Setting a delete lock on the entire resourcegroup

New-AzResourceLock -LockLevel CanNotDelete -LockName "mylckn180988" -ResourceGroupName "myrg180988"

#Step 6 : Listing the resourcelocks available for the resourcegroup

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties

#Step 8 : Removing the resource level lock 

Remove-AzResourceLock -LockName "mylock180988" -ResourceGroupName "myrg180988" -ResourceName "mydb180988/myDB" -ResourceType "Microsoft.Sql/servers/databases"

#Step 9 : Listing the resource locks again 

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties

#Step 10 : removing the lock at the resource group level

Remove-AzResourceLock -LockName "mylckn180988" -ResourceGroupName "myrg180988"

#Step 11 : Listing the locks again

Get-AzResourceLock -ResourceGroupName "myrg180988" |Select-Object -Property ResourceGroupName,ResourceName,LockName,Properties
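
The commands above lock one resource group at a time. The following added example (not part of the original post) audits every resource group in the subscription for a CanNotDelete lock set on the group itself and can create the missing ones. The function names, the `-NameLike` filter and the lock name `rg-nodelete` are assumptions made for illustration.

```powershell
# Added example: report which resource groups carry a CanNotDelete lock at
# group scope, and optionally create the lock where it is missing.
# Assumes Connect-AzAccount has already been run.
function Get-RgDeleteLockStatus {
    [CmdletBinding()]
    param(
        # Hypothetical filter: only audit groups whose name matches this wildcard
        [string]$NameLike = '*'
    )
    foreach ($rg in Get-AzResourceGroup | Where-Object ResourceGroupName -Like $NameLike) {
        # -AtScope returns only locks set on the group itself, not on child resources
        $locks = @(Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope)
        $deleteLocks = @($locks | Where-Object { $_.Properties.level -eq 'CanNotDelete' })
        [pscustomobject]@{
            ResourceGroupName = $rg.ResourceGroupName
            Location          = $rg.Location
            LockNames         = $locks.Name -join ','
            HasDeleteLock     = $deleteLocks.Count -gt 0
        }
    }
}

function Add-MissingRgDeleteLock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NameLike = '*',
        [string]$LockName = 'rg-nodelete'   # constructed name for this example
    )
    Get-RgDeleteLockStatus -NameLike $NameLike |
        Where-Object { -not $_.HasDeleteLock } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.ResourceGroupName, 'Create CanNotDelete lock')) {
                $lock = @{
                    LockLevel         = 'CanNotDelete'
                    LockName          = $LockName
                    LockNotes         = 'Created by lock audit'
                    ResourceGroupName = $_.ResourceGroupName
                }
                New-AzResourceLock @lock -Force
            }
        }
}

# Report first, then preview what would be created for the groups used above
Get-RgDeleteLockStatus | Format-Table -AutoSize
Add-MissingRgDeleteLock -NameLike 'myrg*' -WhatIf
```

Drop `-WhatIf` from the last line once the preview lists only the groups you expect.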

Policy Creation/Assignment using PowerShell

To demo this, I am creating a new resource group, then getting a policy definition and assigning it to the resource group. For instance, I want a policy that ensures all my SQL servers have threat detection enabled. If you go to the portal and look at the policies related to SQL servers, you can see this policy. We need to assign it to our resource group. To do that, we fetch the policy definition with the Get-AzPolicyDefinition command, which captures the policy details from Microsoft, and then use the New-AzPolicyAssignment command to assign the policy to the resource group we created.





#Step 1 : Creating a resource group called mytestpolicy and assigning it to a variable

$myrggrp = New-AzResourceGroup -Name "mytestpolicy" -Location "South India"

echo $myrggrp

#Step 2 : Getting the policy definition and assigning it to a variable

$mypolicydef = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq "Deploy Threat Detection on SQL servers" }

echo $mypolicydef

#Step 3 : Assign this policy definition to the new resource group

New-AzPolicyAssignment -Name "audit-sql-threat-detection" -DisplayName "This will ensure the SQL servers have threat detection enabled" -Scope $myrggrp.ResourceId -PolicyDefinition $mypolicydef -Location "South India" -AssignIdentity

Note: -AssignIdentity is a switch that we need to give explicitly when we assign a policy through scripting; it sets up the managed identity for the policy assignment. When giving -AssignIdentity we need to specify a location as well.

#Step 4 : Check whether the resources are compliant with the policy or not

Get-AzPolicyState -ResourceGroupName $myrggrp.ResourceGroupName -PolicyAssignmentName "audit-sql-threat-detection" -Filter 'IsCompliant eq false'

This will return the resource groups where the policy is violated.

#Step 5 : Delete the policy assignment

Remove-AzPolicyAssignment -Name "audit-sql-threat-detection" -Scope "/subscriptions/9c350b81-c8d7-40f1-831b-11a0ea6eda3c/resourceGroups/mytestpolicy"

Note: for removing a policy assignment we should give the complete path of the resource group, starting from the subscription.

#Step 6 : Delete the policy definition

Remove-AzPolicyDefinition -Name $mypolicydef.Name -SubscriptionId "9c350b81-c8d7-40f1-831b-11a0ea6eda3c"
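
Evaluation of a new assignment is not immediate, so the query in Step 4 can come back empty right after Step 3. The following added example (not part of the original post) triggers an on-demand scan with Start-AzPolicyComplianceScan and then summarises the non-compliant records per resource; the function name and the `-Rescan` switch are assumptions made for illustration, and it must run before the assignment is removed in Step 5.

```powershell
# Added example: evaluate the assignment on demand and list the latest
# non-compliant record for each resource in the resource group.
# Assumes Connect-AzAccount has been run and the assignment still exists.
function Get-NonCompliantSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$PolicyAssignmentName,
        # Hypothetical switch: run a compliance scan before querying
        [switch]$Rescan
    )
    if ($Rescan) {
        # Runs in the foreground and returns when the scan has finished
        Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName
    }
    $query = @{
        ResourceGroupName    = $ResourceGroupName
        PolicyAssignmentName = $PolicyAssignmentName
        Filter               = 'IsCompliant eq false'   # same filter as Step 4
    }
    $states = @(Get-AzPolicyState @query)
    # Several records can exist per resource; keep the most recent one
    $states | Group-Object -Property ResourceId | ForEach-Object {
        $latest = $_.Group | Sort-Object -Property Timestamp -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            ResourceId    = $latest.ResourceId
            ResourceType  = $latest.ResourceType
            PolicyAction  = $latest.PolicyDefinitionAction
            LastEvaluated = $latest.Timestamp
        }
    }
}

# Names taken from the steps above
Get-NonCompliantSummary -ResourceGroupName 'mytestpolicy' `
    -PolicyAssignmentName 'audit-sql-threat-detection' -Rescan |
    Format-Table -AutoSize
```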





