AKS Announcements Roll-up from Microsoft Ignite 2020

There were a whole lot of announcements around Azure Kubernetes Service (AKS) at Ignite 2020. I thought I’d quickly sum them all up and provide links:

Brendan Burn’s post on AKS Updates

A great summary of recent investments in AKS from Kubernetes co-creator, Brendan Burns.

Preview: AKS now available on Azure Stack HCI

AKS on Azure Stack HCI enables customers to deploy and manage containerized apps at scale on Azure Stack HCI, just as they can run AKS within Azure.

Public Preview: AKS Stop/Start Cluster

Pause an AKS cluster and pick up where they left off later with a switch of a button, saving time and cost.

GA: Azure Policy add on for AKS

Azure Policy add on for AKS allows customers to audit and enforce policies to their Kubernetes resources.

Public Preview: Confidential computing nodes on Azure Kubernetes Service

Azure Kubernetes Service (AKS) supports adding DCsv2 confidential computing nodes on Intel SGX.

GA: AKS support for new Base image Ubuntu 18.04

You can now create Node Pools using Ubuntu 18.04.

GA: Mutate default storage class

You can now use a different storage class in place of the default storage class to better fit their workload needs.

Public preview: Kubernetes 1.19 support

AKS now supports Kubernetes release 1.19 in public preview. Kubernetes release 1.19 includes several new features and enhancements such as support for TLS 1.3, Ingress and seccomp feature GA, and others.

Public preview: RBAC for K8s auth

With this capability, you can now manage RBAC for AKS and its resources using Azure or native Kubernetes mechanisms. When enabled, Azure AD users will be validated exclusively by Azure RBAC while regular Kubernetes service accounts are exclusively validated by Kubernetes RBAC.

Public Preview: VSCode ext. diag+periscope

This Visual Studio Code extension enables developers to use AKS periscope and AKS diagnostics in their development workflow to quickly diagnose and troubleshoot their clusters.This Visual Studio Code extension enables developers to use AKS periscope and AKS diagnostics in their development workflow to quickly diagnose and troubleshoot their clusters.

Enhanced protection for containers

Enhanced protection for containers: As containers and specifically Kubernetes are becoming more widely used, the Azure Defender for Kubernetes offering has been extended to include Kubernetes-level policy management, hardening and enforcement with admission control to make sure that Kubernetes workloads are secured by default. In addition, container image scanning by Azure Defender for Container Registries will now support continuous scanning of container images to minimize the exploitability of running containers

Learn more about Microsoft Defender, Azure Defender and Azure Sentinel.

There may indeed been more, and I’ll update them as they come to hand. Hope this roll up helps.

Head over to https://myignite.microsoft.com and watch some of the AKS content to get even an even better view of the updates.

Enable AKS Azure Active Directory integration with a Managed Identity from an ARM template

When you’re deploying an Azure Kubernetes Service (AKS) cluster in Azure, it is common that you’ll want to integrate it into Azure Active Directory (AAD) to use it as an authentication provider.

The original (legacy) method for enabling this was to manually create a Service Principal and use that to grant your AKS cluster access to AAD. The problem with this approach was that you would need to manage this manually and as well as rolling worry about rolling secrets.

More recently an improved method of integrating your AKS cluster into AAD was announced: AKS-managed Azure Active Directory integration. This method allows your AKS cluster resource provider to take over the task of integrating to AAD for you. This simplifies things significantly.

You can easily do this integration by running PowerShell or Bash scripts, but if you’d prefer to use an ARM template, here is what you need to know.

1. You will need to have an object id of an Azure Active Directory group to use as your Cluster Admins.
   

   	$clusterAdminGroupObjectIds = (New-AzADGroup `
   	-DisplayName "AksClusterAdmin" `
   	-MailNickname "AksClusterAdmin").Id

   view raw Create-AksClusterAdminsAadGroup.ps1 hosted with ❤ by GitHub
   
   

   

   This will return the object Id for the newly create group in the variable $clusterAdminGroupObjectIds. You will need to pass this variable into your ARM template.
2. You need to add an aadProfile block into the properties of your AKS cluster deployment definition:
   
   For example:
   

   	{
   	"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
   	"contentVersion": "1.0.0.0",
   	"parameters": {
   	"clusterAdminGroupObjectIds": {
   	"defaultValue": [],
   	"type": "array",
   	"metadata": {
   	"description": "Array of Azure AD Group object Ids to use for cluster administrators."
   	}
   	}
   	},
   	"resources": [
   	{
   	"name": "MyAksCluster",
   	"type": "Microsoft.ContainerService/managedClusters",
   	"apiVersion": "2020-04-01",
   	"location": "eastus",
   	"properties": {
   	"kubernetesVersion": "1.18.4",
   	"enableRBAC": true,
   	"aadProfile": {
   	"managed": true,
   	"adminGroupObjectIds": "[parameters('clusterAdminGroupObjectIds')]",
   	"tenantId": "[subscription().tenantId]"
   	}
   	// Other cluster properties here...
   	},
   	"identity": {
   	"type": "SystemAssigned"
   	}
   	}
   	]
   	}

   view raw ArmTemplateAksClusterWithManagedAadIntegration.json hosted with ❤ by GitHub
3. When you deploy the ARM template (using whatever method you choose), you’ll need to pass the $clusterAdminGroupObjectIds​as a parameter. For example:
   

   	New-AzResourceGroupDeployment `
   	-ResourceGroupName 'MyAksWithAad_RG `
   	-TemplateFile 'ArmTemplateAksClusterWithManagedAadIntegration.json' `
   	-TemplateParameterObject @{
   	clusterAdminGroupObjectIds = @( $clusterAdminGroupObjectIds )
   	}

   view raw Deploy-AksClusterWithAadIntegration.ps1 hosted with ❤ by GitHub

That is all you really need to get AKS-managed AAD integration going with your AKS cluster.

For a fully formed ARM template for that will deploy an AKS cluster with AKS-managed AAD integration plus a whole lot more, check out this ARM template. It will deploy an AKS cluster including the following:

• A Log Analytics workspace integrated into the cluster with Cluster Insights and Diagnostics.
• A VNET for the cluster nodes.
• An ACR integrated into the VNET with Private Link and Diagnostics into the Log Analytics Workspace.
• Multiple node pools spanning availability zones:
  • A system node pool including automatic node scaler.
  • A Linux user node pool including automatic node scaler.
  • A Windows node pool including automatic node scaler and taints.

Thanks for reading.

Azure Resource Manager Templates Hands-on Lab and #GlobalAzure 2019

Recently I helped organize and present at the 2019 Global Azure Bootcamp in Auckland. The Global Azure Bootcamp is an huge event run by Azure communities throughout the world all on the same day every year. It is an opportunity for anyone with an interest in Azure to come and learn from experts and presenters and share their knowledge. If you’re new to Azure or even if you’re an expert it is well worth your time to attend these free events.

The Global Azure Bootcamp is also an awful lot of fun to be a part of and I got to meet some fantastic people!

That's a wrap. The #globalazure bootcamp Auckland concludes for its 6th year. pic.twitter.com/O8aLww3O0K

— Auckland Azure User Group (@AucklandAzure) April 27, 2019

We also got to contribute to the Global Azure Bootcamp Science lab, which was a really great way to learn Azure as well as contribute to the goal of finding potential exosolar planets (how cool is that?). A global dashboard was made available where all locations could compare their contributions. The Auckland Team did fantastically well, given the size of Auckland comparatively: We managed to get 8th on the team leaderboard:

Hands-On Workshop Material

As part of my session this year, I produced a Hands-on workshop and presentation showing attendees the basics of using Azure Resource Manager templates as well as some of the more advanced topics such as linked/nested templates and security.

The topics covered are:

I’ve made all of this material open and free for the community to use to run your own sessions or modify and improve.

You can find the material in GitHub here:

https://github.com/PlagueHO/Workshop-ARM-Templates

Thanks for reading and hope to see some of you at a future Global Azure Bootcamp!

Enable CORS Support in Cosmos DB using PowerShell

Support for Cross-Origin Resource Sharing (CORS) was recently added to Cosmos DB. If you want to enable CORS on an existing Cosmos DB account or create a new Cosmos DB account with CORS enabled it is very easy to do with Azure Resource Manager (ARM) templates or the Azure Portal.

But what if you’re wanting to find out the state of the CORS setting on an account or set it using PowerShell? Well, look no further.

The Cosmos DB PowerShell module (version 3.0.0 and above) supports creating Cosmos DB accounts with CORS enabled as well as updating and removing the CORS headers setting on an existing account. You can also retrieve the CORS setting for an existing Cosmos DB account.

Installing the CosmosDB Module

The first thing you need to do is install the CosmosDB PowerShell module from the PowerShell Gallery by running this in a PowerShell console:

Install-Module -Name CosmosDB -MinimumVersion 3.0.0.0

view raw Install-CosmosDBModule.ps1 hosted with ❤ by GitHub

This will also install the Az PowerShell modules Az.Accounts and Az.Resources modules if they are not installed on your machine. The *-CosmosDbAccount functions in the CosmosDB module are dependent on these modules.

Note: The CosmosDB PowerShell module and the Az PowerShell modules are completely cross-platform and support Linux, MacOS and Windows. Running in either Windows PowerShell (Windows) or PowerShell Core (cross-platform) is supported.

Versions of the CosmosDB PowerShell module earlier than 3.0.0.0 use the older AzureRm/AzureRm.NetCore modules and do not support the CORS setting.

Authenticating to Azure with ‘Az’

Before using the CosmosDB PowerShell module accounts functions to work with CORS settings you’ll first need to authenticate to Azure using the Az PowerShell Modules. If you’re planning on automating this process you’ll want to authenticate to Azure using a Service Principal identity.

Side note: if you’re using this module in an Azure DevOps build/release pipeline the Azure PowerShell task will take care of the Service Principal authentication process for you:

But if you’re just doing a little bit of experimentation then you can just use an interactive authentication process.

To use the interactive authentication process just enter into your PowerShell console:

Connect-AzAccount

view raw Connect-AzAccount.ps1 hosted with ❤ by GitHub

then follow the instructions.

Create a Cosmos DB Account with CORS enabled

Once you have authenticated to Azure, you can use the New-CosmosDbAccount function to create a new account:

	New-CosmosDbAccount `
	-Name 'dsrcosmosdbtest' `
	-ResourceGroupName 'dsrcosmosdbtest-rgp' `
	-Location 'westus' `
	-AllowedOrigin 'https://www.fabrikam.com','https://www.contoso.com'

view raw New-CosmosDbAccountWithCors.ps1 hosted with ❤ by GitHub

This will create a new Cosmos DB account with the name dsrcosmosdbtest in the resource group dsrcosmosdbtest-rgp in the West US location and with CORS allowed origins of https://www.fabrikam.com and https://www.contoso.com.

Important: the New-CosmosDbAccount command assumes the resource group that is specified in the ResourceGroup parameter already exists and you have contributor access to it. If the resource group doesn’t exist then you can create it using the New-AzResourceGroup function or some other method.

It will take Azure a few minutes to create the new Cosmos DB account for you.

Side note: But if you want your PowerShell automation or script to be able to get on and do other tasks in the meantime, then add the -AsJob parameter to the New-CosmosDbAccountcall. This will cause the function to immediately return and provide you a Job object that you can use to periodically query the state of the Job. More information on using PowerShell Jobs can be found here.

Be aware, you won’t be able to use the Cosmos DB account until the Job is completed.

If you look in the Azure Portal, you will find the new Cosmos DB account with the CORS allowed origin values set as per your command:

Get the CORS Allowed Origins on a Cosmos DB Account

Getting the current CORS Allowed Origins value on an account is easy too. Just run the following PowerShell command:

	(Get-CosmosDbAccount `
	-Name 'dsrcosmosdbtest' `
	-ResourceGroupName 'dsrcosmosdbtest-rgp').Properties.Cors.AllowedOrigins

view raw Get-CosmosDbAccountCorsAllowedOrigins.ps1 hosted with ❤ by GitHub

This will return a string containing all the CORS Allowed Origins for the Cosmos DB account dsrcosmosdbtest.

You could easily split this string into an array variable by using:

	$corsAllowedOrigins = (Get-CosmosDbAccount `
	-Name 'dsrcosmosdbtest' `
	-ResourceGroupName 'dsrcosmosdbtest-rgp').Properties.Cors.AllowedOrigins -split ','

view raw Get-CosmosDbAccountCorsAllowedOriginsSplit.ps1 hosted with ❤ by GitHub

Update the CORS Allowed Origins on an existing Cosmos DB Account

To set the CORS Allowed Origins on an existing account use the Set-CosmosDbAccount function:

	Set-CosmosDbAccount `
	-Name 'dsrcosmosdbtest' `
	-ResourceGroupName 'dsrcosmosdbtest-rgp' `
	-AllowedOrigin 'http://www.mycompany.com'

view raw Set-CosmosDbAccountCors.ps1 hosted with ❤ by GitHub

This will take a few minutes to update. So you can use the -AsJob parameter to run this as a Job.

Remove the CORS Allowed Origins from an existing Cosmos DB Account

You can remove the CORS Allowed Origins setting by setting using the Set-CosmosDbAccount function but passing in an empty string to the AllowedOrigin parameter:

	Set-CosmosDbAccount `
	-Name 'dsrcosmosdbtest' `
	-ResourceGroupName 'dsrcosmosdbtest-rgp' `
	-AllowedOrigin ''

view raw Remove-CosmosDbAccountCors.ps1 hosted with ❤ by GitHub

This will take a few minutes to update as well. As always, you can use the -AsJob parameter to run this as a Job.

 

Final Words

Hopefully, you can see it is fairly simple to automate and work with the Cosmos DB CORS Allowed Origins setting using the PowerShell Cosmos DB module.

If you have any issues or queries or would like to contribute to the PowerShell Cosmos DB module, please head over to the GitHub repository.

 

Use Pester to Test Azure Resource Manager Templates for Best Practices

Recently I came across the amazing Secure DevOps Kit for Azure (AzSK). This contains a really useful AzSK PowerShell Module that contains cmdlets for performing different types of security scanning on Azure Resources, Subscriptions and Resource Manager Templates.

The feature of this module that I was most interested in for my current project was being able to scan ARM templates for best practice violations. The module contains several

To install the module, open a PowerShell Window and run:

	Install-Module -Name AzSK

view raw Install-AzSK.ps1 hosted with ❤ by GitHub

Important: At the time of writing this post, the AzSK module has dependencies on the AzureRM.Profile and other AzureRM.* PowerShell modules. As of December 2018, the AzureRM.* PowerShell Modules are going to be renamed to Az.* (see this post). The AzureRM and Az modules can not be installed side-by-side, so if you’ve installed the Az PowerShell modules on your system then the installation of AzSK will fail because the AzureRM modules will also be installed and a conflict will occur.

The cmdlet we’re most interested in is the Get-AzSKARMTemplateSecurityStatus. It can be used to scan one or more ARM templates or entire folders of ARM templates for best practice violations:

This will scan the ARM templates and produce a CSV report in a folder Microsoft\AzSKLogs\ARMChecker within your $ENV:LOCALAPPDATA folder and open the folder in Explorer. This isn’t ideal for automation scenarios or using during Continuous Integration or Continuous Delivery pipelines. I’ve raised an issue with the AzSK team on GitHub to see if this can be improved.

In my case, I wanted to be able to use the PowerShell Pester Module, a PowerShell testing framework, to execute tests on the output and then use the nUnit output Pester generates to publish into a Continuous Integration pipeline. To do that I needed to create a custom test script that would take the CSV report, count the failures of each level (High, Medium or Low) and fail if any are counted in the specific level.

This is what the script looks like:

	<#PSScriptInfo
	.VERSION 1.0.0
	.GUID bf41177f-4d1e-481a-a126-5f0c07dd9aae
	.AUTHOR Daniel Scott-Raynsford
	.COMPANYNAME
	.COPYRIGHT (c) 2018 Daniel Scott-Raynsford. All rights reserved.
	.TAGS AzSK, Pester, Test
	.LICENSEURI https://gist.github.com/PlagueHO/1af35ee65a2276ca90b3a8a5b224a5d4
	.PROJECTURI https://gist.github.com/PlagueHO/1af35ee65a2276ca90b3a8a5b224a5d4
	.ICONURI
	.EXTERNALMODULEDEPENDENCIES
	.REQUIREDSCRIPTS
	.EXTERNALSCRIPTDEPENDENCIES
	.RELEASENOTES First version.
	.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
	#>
	#requires -Modules @{ ModuleName="AzSK"; ModuleVersion="3.6.1" }
	#requires -Modules @{ ModuleName="Pester"; ModuleVersion="4.3.0" }
	<#
	.SYNOPSIS
	Pester test for validating ARM template meets best-practices
	.DESCRIPTION
	This Pester test will validate one or more ARM templates in the specified
	file path to validate that they meet the best practices.
	.PARAMETER TemplatePath
	The full path to the ARM template to check. This may be a path with
	wild cards to check multiple files.
	.PARAMETER Severity
	An array of severity values that will count as failed tests. Any violation
	found in the ARM template that matches a severity in this list will cause
	the Pester test to count as failed. Defaults to 'High' and 'Medium'.
	.PARAMETER SkipControlsFromFile
	The path to a controls file that can be use to suppress rules.
	#>
	[CmdletBinding()]
	param (
	[Parameter(Mandatory = $true)]
	[System.String]
	$TemplatePath,
	[Parameter()]
	[System.String[]]
	$Severity = @('High','Medium'),
	[Parameter()]
	[System.String]
	$SkipControlsFromFile
	)
	Describe 'ARM template best practices' -Tag 'AzSK' {
	Context 'When AzSK module is installed and run on all files in the Templates folder' {
	$resultPath = Get-AzSKARMTemplateSecurityStatus `
	-ARMTemplatePath $TemplatePath `
	-Preview:$true `
	-DoNotOpenOutputFolder `
	-SkipControlsFromFile $SkipControlsFromFile `
	-Recurse
	$resultFile = (Get-ChildItem -Path $resultPath -Filter 'ARMCheckerResults_*.csv')[0].FullName
	It 'Should produce a valid CSV results file ' {
	$resultFile | Should -Not -BeNullOrEmpty
	Test-Path -Path $resultFile | Should -Be $true
	$script:resultsContent = Get-Content -Path $resultFile | ConvertFrom-Csv
	}
	$groupedResults = $script:resultsContent | Where-Object -Property Status -EQ 'Failed' | Group-Object -Property Severity
	$testCases = $Severity.Foreach({@{Severity = $_}})
	It 'Should have 0 failed Severity:<Severity> results' -TestCases $testCases {
	param ( [System.String] $Severity )
	$failedCount = $groupedResults.Where({ $_.Name -eq $Severity })[0].Count
	$failedCount | Should -Be 0
	}
	}
	}

view raw Invoke-AzSKARMTemplateSecurityStatusPesterTest.ps1 hosted with ❤ by GitHub

You can download the script from GitHub Gist directly or get it from the PowerShell Gallery by running:

Install-Script -Name AzSKARMTemplateSecurityStatus.Test

To use it you will need to install Pester 4.3.0 and AzSK 3.6.1 modules:

	Install-Module -Name Pester -MinimumVersion 4.3.0
	Install-Module -Name AzSK -MinimumVersion 3.6.1

view raw Install-AzSKARMTemplateSecurityStatusPesterTestPrequisiteModules.ps1 hosted with ❤ by GitHub

Once that is done, you can use Invoke-Pester and pass in the TemplatePath and Severity parameters to the test script:

Invoke-Pester -Script @{ Path = 'd:\Invoke-AzSKARMTemplateSecurityStatusPesterTest.ps1'; Parameters = @{ TemplatePath = 'D:\101-webapp-basic-windows\azuredeploy.json' }}

view raw Invoke-AzSKARMTemplateSecurityStatusPesterTest.ps1 hosted with ❤ by GitHub

This will execute the Pester tests in the file above on the specified ARM template. The tests will fail when there are any best practice violations with the specified Severity or above. If you didn’t pass in a Severity then it will default to failing on Medium and High.

If you use the OutputFile and OutputFormat parameters to cause Pester to output an NUnit format file that most Continuous Integration tools will happily accept and use to display the output of the tests.

If you installed the script from the PowerShell Gallery, you can also run the tests like this:

AzSKARMTemplateSecurityStatus.Test -TemplatePath D:\101-webapp-basic-windows\azuredeploy.json

Finally, if you’re using Azure DevOps, you can also get this function as part Secure DevOps Kit (AzSK) CICD Extensions for Azure in the Azure DevOps Marketplace.

Which ever way you choose to consume AzSK, it is a great module and well worth including in your CI/CD pipelines to ensure your ARM templates meet best practices.

 

 

Managing Users & Permissions in Cosmos DB with PowerShell

If you’re just getting started with Cosmos DB, you might not have come across users and permissions in a Cosmos DB database. However, there are certain use cases where managing users and permissions are necessary. For example, if you’re wanting to be able to limit access to a particular resource (e.g. a collection, document, stored procedure) by user.

The most common usage scenario for users and permissions is if you’re implementing a Resource Token Broker type pattern, allowing client applications to directly access the Cosmos DB database.

Side note: The Cosmos DB implementation of users and permissions only provides authorization – it does not provide authentication. It would be up to your own implementation to manage the authentication. In most cases you’d use something like Azure Active Directory to provide an authentication layer.

But if you go hunting through the Azure Management Portal Cosmos DB data explorer (or Azure Storage Explorer) you won’t find any way to configure or even view users and permissions.

To manage users and permissions you need to use the Cosmos DB API directly or one of the SDKs.

But to make Cosmos DB users and permissions easier to manage from PowerShell, I created the Cosmos DB PowerShell module. This is an open source project hosted on GitHub. The Cosmos DB module allows you to manage much more than just users and permissions, but for this post I just wanted to start with these.

Requirements

This module works on PowerShell 5.x and PowerShell Core 6.0.0. It probably works on PowerShell 3 and 4, but I don’t have any more machines running this version to test on.

The Cosmos DB module does not have any dependencies, except if you call the New-Cosmos DbContext function with the ResourceGroup parameter specified as this will use the AzureRM PowerShell modules to read the Master Key for the connection directly from your Cosmos DB account. So I’d recommend installing the Azure PowerShell modules or if you’re using PowerShell 6.0, install the AzureRM.NetCore modules.

Installing the Module

The best way to install the Cosmos DB PowerShell module is from the PowerShell Gallery. To install it for only your user account execute this PowerShell command:

Install-Module -Name CosmosDB -Scope CurrentUser

Or to install it for all users on the machine (requires administrator permissions):

Install-Module -Name CosmosDB

Context Variable

Update 2018-03-06

As of Cosmos DB module v2.0.1, the connection parameter has been renamed to context and the New-CosmosDbConnection function has been renamed New-CosmosDbContext. This was to be more inline with naming adopted by the Azure PowerShell project. The old connection parameters and New-CosmosDbConnection function is still available as an alias, so older scripts won’t break. But these should be changed to use the new naming if possible as I plan to deprecate the connection version at some point in the future.

This post was updated to specify the new naming, but screenshots still show the Connection aliases.

Before you get down to the process of working with Cosmos DB resources, you’ll need to create a context variable containing the information required to connect. This requires the following information:

1. The Cosmos DB Account name
2. The Cosmos DB Database name
3. The Master Key for the account (you can have the Cosmos DB PowerShell module get this directly from your Azure account if you wish).

To create the connection variable we just use the New-CosmosDbContext:

	$account = 'MyCosmosDBAccount'
	$database = 'MyDatabase'
	$key = ConvertTo-SecureString -String 'this is your master key, get it from the Azure portal' -AsPlainText -Force
	$context = New-CosmosDbContext -Account $account -Database $database -Key $key

view raw New-CosmosDbConnection.ps1 hosted with ❤ by GitHub

If you do not wish to specify your master key, you can have the New-CosmosDbContext function pull your master key from the Azure Management Portal directly:

	Add-AzureRmAccount
	$account = 'MyCosmosDBAccount'
	$database = 'MyDatabase'
	$resourceGroup = 'MyCosmosDBResourceGroup'
	$context = New-CosmosDbContext -Account $account -Database $database -ResourceGroup $resourceGroup

view raw New-CosmosDbConnectionUsingPortal.ps1 hosted with ❤ by GitHub

Note: This requires the AzureRM.Profile and AzureRM.Resoures module on Windows PowerShell 5.x or AzureRM.Profile.NetCore and AzureRM.Resources.NetCore on PoweShell Core 6.0.0.

Managing Users

To add a user to the Cosmos DB Database use the New-CosmosDBUser function:

New-CosmosDbUser -Context $context -Id 'daniel'

To get a list of users in the database:

Get-CosmosDbUser -Context $context

To get a specific user:

Get-CosmosDbUser -Context $context -Id 'daniel'

To remove a user (this will also remove all permissions assigned to the user):

Remove-CosmosDbUser -Context $context -Id 'daniel'

Managing Permissions

Permissions in Cosmos DB are granted to a user for a specific resource. For example, you could grant a user access to just a single document, an entire collection or to a stored procedure.

To grant a permission you need to provide four pieces of information:

1. The Id of the user to grant the permission to.
2. An Id for the permission to create. This is just string to uniquely identify the permission.
3. The permission mode to the permission: All or Read.
4. The Id of the resource to grant access to. This can be generated from one of the Get-CosmosDb*ResourcePath functions in the CosmosDB PowerShell module.

In the following example, we’ll grant the user daniel all access to the TestCollection:

	$userId = 'TestUserId'
	$resourcePath = Get-CosmosDbCollectionResourcePath -Database 'TestDatabase' -Id 'TestCollection'
	New-CosmosDbPermission -Context $context -Id 'AccessTestCollection' -UserId $userId -PermissionMode All -Resource $resourcePath

view raw Grant-CosmosDbCollectionPermission.ps1 hosted with ❤ by GitHub

Once a permission has been granted, you can use the Get-CosmosDbPermission function to retrieve the permission and with it the Resource Token that can be used to access the resource for a limited amount of time (between 10 minutes and 5 hours).

Note: as you have the Master Key already, using the Resource Token isn’t required.

For example, to retrieve all permissions for the user with Id daniel and a resource token expiration of 600 seconds:

Get-CosmosDbPermission -Context $context -UserId 'daniel' -TokenExpiry '600' |
fl *

You can as expected delete a permission by using the Remove-CosmosDbPermission function:

Remove-CosmosDbPermission -Context $context -UserId 'daniel' -Id 'AccessTestCollection'

Final Thoughts

So this is pretty much all there is to managing users and permissions using the Cosmos DB PowerShell module. This module can also be used to manage the following Cosmos DB resources:

• Attachments
• Collections
• Databases
• Documents
• Offers
• Stored procedures
• Triggers
• User Defined Functions

You can find additional documentation and examples of how to manage these resources over in the Cosmos DB PowerShell module readme file on GitHub.

Hopefully this will help you in any Cosmos DB automation tasks you might need to implement.

 

Configure Azure SQL Server Automatic Tuning with PowerShell

One thing I’ve found with configuring Azure services using automation (e.g. Azure PowerShell Modules, Azure Resource Manager template) is that the automation features are a little bit behind the feature set. For example, the Azure PowerShell modules may not yet implement settings for new or preview features. This can be a an issue if you’re strictly deploying everything via code (e.g. infrastructure as code). But if you run into a problem like this, all is not lost. So read on for an example of how to solve this issue.

Azure REST APIs

One of the great things about Azure is that everything is configurable by making direct requests to the Azure REST APIs, even if it is not available in ARM templates or Azure PowerShell.

Depending on the feature/configuration you can sometimes use the Set-AzureRmResource cmdlets to make calls to the REST APIs. But this cmdlet is limited to using an HTTP method of POST. So if you need to use PATCH, you’ll need to find an alternate way to make the call.

So, what you need then is to use the Invoke-RestMethod cmdlet to create a custom call to the REST API. This is the process I needed to use to configure the Azure SQL Server Automatic Tuning settings and what I’ll show in my script below.

The Script

The following script can be executed in PowerShell (of course) and requires a number of parameters to be passed to it:

• SubscriptionId – the subscription Id of the Azure subscription that contains the Azure SQL Server.
• ResourceGroupName – The name of the resource group containing SQL Server or
  database.
• ServerName – The name of the Azure SQL Server to set the automatic tuning
  options on.
• DatabaseName – The name of the Azure SQL Database to set the automatic tuning options on. If you pass this parameter then the automatic tuning settings are applied to the Azure SQL Database, not the server.
• Mode – This defines where the settings for the automatic tuning are
  obtained from. Inherit is only valid if the DatabaseName is specified.
• CreateIndex – Enable automatic tuning for creating an index.
• DropIndex – Enable automatic tuning for dropping an index.
• ForceLastGoodPlan – Enable automatic tuning for forcing last good plan.

Requirements: You need to have the installed the AzureRM.Profile PowerShell module (part of the AzureRM PowerShell Modules) to use this script. The script also requires you to have logged into your Azure Subscription using Add-AzureRmAccount (as a user or Service Principal).

	#Requires -Modules 'AzureRM.Profile'
	<#
	.SYNOPSIS
	Configure Azure SQL Autotuning on an Azure SQL server
	or database.
	.DESCRIPTION
	This function will retrieve a current access token from
	the Azure RM PowerShell context and use it to make a direct
	request to the Azure management portal endpoint for the
	SQL Server or database. It will configure the Autotuning
	parameters for the server.
	Requires AzureRM PowerShell Modules 5.1.1 or above*.
	* May work on lower versions but untested
	.PARAMETER SubscriptionId
	The Azure subscription Id of the subscription containing
	SQL Server or database.
	.PARAMETER ResourceGroupName
	The name of the resource grou containing SQL Server or
	database.
	.PARAMETER ServerName
	The name of the Azure SQL Server to set the autotuning
	options on.
	.PARAMETER DatabaseName
	The name of the Azure SQL Database to set the autotuning
	options on.
	.PARAMETER Mode
	This defines where the settings for the Autotuning are
	obtained from.
	Inherit is only valid if the DatabaseName is specified.
	.PARAMETER CreateIndex
	Enable autotuning for creating an index.
	.PARAMETER DropIndex
	Enable autotuning for dropping an index.
	.PARAMETER ForceLastGoodPlan
	Enable autotuning for forcing last good plan.
	#>
	param (
	[Parameter(Mandatory = $true)]
	[System.String]
	$SubscriptionId,
	[Parameter(Mandatory = $true)]
	[System.String]
	$ResourceGroupName,
	[Parameter(Mandatory = $true)]
	[System.String]
	$ServerName,
	[Parameter()]
	[System.String]
	$DatabaseName,
	[Parameter()]
	[ValidateSet('Auto', 'Custom', 'Inherit')]
	[System.String]
	$Mode = 'Auto',
	[Parameter()]
	[ValidateSet('On', 'Off', 'Default')]
	[System.String]
	$CreateIndex = 'Default',
	[Parameter()]
	[ValidateSet('On', 'Off', 'Default')]
	[System.String]
	$DropIndex = 'Default',
	[Parameter()]
	[ValidateSet('On', 'Off', 'Default')]
	[System.String]
	$ForceLastGoodPlan = 'Default'
	)
	# Get an access token from the Auzre RM PowerShell token cache for accessing the Azure Management Portal
	$context = Get-AzureRmContext
	$cache = $context.TokenCache
	if (-not $cache)
	{
	# Use an older method of accessing the Token Cache (for old versions of AzureRM.Profile)
	$cache = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared
	}
	$cacheItems = $cache.ReadItems()
	$cacheItem = $cacheItems |
	Where-Object -FilterScript { $_.TenantId -eq $context.Tenant.TenantId } |
	Select-Object -First 1
	if (-not $cacheItem)
	{
	Throw ('A current access token could not be found for the tenant Id {0}.' -f $context.Tenant.TenantId)
	}
	$accessToken = $cacheItem.AccessToken
	# Generate the Body of the request
	$body = @{
	properties = @{
	desiredState = $Mode
	options = @{
	createIndex = @{
	desiredState = $CreateIndex
	}
	dropIndex = @{
	desiredState = $DropIndex
	}
	forceLastGoodPlan = @{
	desiredState = $ForceLastGoodPlan
	}
	}
	}
	}
	# Generate the URI to the endpoint
	$uri = ('https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Sql/servers/{2}' -f $SubscriptionId, $ResourceGroupName, $ServerName )
	if ($PSBoundParameters.ContainsKey('DatabaseName'))
	{
	$uri = ('{0}/databases/{1}' -f $uri, $DatabaseName)
	}
	else
	{
	if ($Mode -eq 'Inherit')
	{
	Throw 'Inherit mode is only valid for a SQL database. Either use a different not or specify a database name.'
	}
	}
	$uri = ('{0}/automaticTuning/current?api-version=2017-03-01-preview' -f $uri)
	$bodyText = ConvertTo-Json -InputObject $body -Depth 10
	$headers = @{
	'Authorization' = ('Bearer {0}' -f $accessToken)
	'Cache-Control' = 'no-cache'
	}
	$invokeRestMethodParameters = @{
	Uri = $Uri
	Method = 'PATCH'
	Headers = $headers
	ContentType = 'application/json'
	Body = $bodyText
	}
	return Invoke-RestMethod @invokeRestMethodParameters

view raw Set-AzureRMSqlServerAutotuning.ps1 hosted with ❤ by GitHub

Example Usage

To apply custom automatic tuning to an Azure SQL Server:

.\Set-AzureRMSqlServerAutotuning.ps1 -SubscriptionId '<Subscription Id>' -ResourceGroupName '<Resource Group name>' -ServerName '<Azure SQL server name>' -Mode Custom -CreateIndex On -DropIndex On -ForceLastGoodPlan Off

To apply custom automatic tuning to an Azure SQL Database:

.\Set-AzureRMSqlServerAutotuning.ps1 -SubscriptionId '<Subscription Id>' -ResourceGroupName '<Resource Group name>' -ServerName '<Azure SQL server name>' -DatabaseName '<Azure SQL database name>' -Mode Custom -CreateIndex On -DropIndex On -ForceLastGoodPlan Off

Conclusion

I’ve not yet encountered something in Azure that I can’t configure via the Azure REST APIs. This is because the Azure Management Portal uses the same APIs – so if it is available in the portal then you can do it via the Azure REST APIs. The biggest challenge is determining the body, header and methods available if the APIs are not yet documented.

If the API you need is not documented then you can raise a question in the Microsoft Azure Forums or on Stack Overflow. Failing that you can use the developer tools in your browser of choice to watch the API calls being made to the portal – I’ve had to resort to this many times, but documenting that process is something I’ll save for another day.

 

Stop, Start or Restart all Web Apps in Azure using PowerShell

Here is a short (and sometimes handy) single line of PowerShell code that can be used to restart all the Azure Web Apps in a subscription:

(Get-AzureRmWebApp).GetEnumerator() | Restart-AzureRmWebApp

view raw Restart-AzureRmAllWebApp.ps1 hosted with ❤ by GitHub

Note: Use this with care if you’re working with production systems because this _will_ restart these Web Apps without confirming first.

This would be a handy snippet to be able to run in the Azure Cloud Shell. It could also be adjusted to perform different actions on other types of resources.

To stop all Web Apps in a subscription use:

(Get-AzureRmWebApp).GetEnumerator() | Stop-AzureRmWebApp

view raw Stop-AzureRmAllWebApp.ps1 hosted with ❤ by GitHub

To start them all again:

(Get-AzureRmWebApp).GetEnumerator() | Start-AzureRmWebApp

view raw Start-AzureRmAllWebApp.ps1 hosted with ❤ by GitHub

The key part of this command is the GetEnumerator() method because most Azure Cmdlets don’t return an array of individual objects into the pipeline like typical PowerShell cmdlets. Instead returning a System.Collections.Generic.List object, which requires a slight adjustment to the code. This procedure can be used for most Azure Cmdlets to allow the results to be iterated through.

Thanks for reading.

Install Nightly Build of Azure CLI 2.0 on Windows

The Azure PowerShell cmdlets are really first class if you’re wanting to manage Azure with PowerShell. However, they don’t always support the very latest Azure components and features. For example, at the time of writing this there is no Azure PowerShell module for managing Azure Container Instances.

The solution to this is to install the Nightly Build of Azure CLI 2.0. However, on Windows it is not entirely clear the easiest way to do this. So, in this post I’ll provide a PowerShell script that will:

1. Install Python 3.x using Chocolatey
2. Use PIP (Python package manager) to install the latest nightly build packages
3. Update the Environment Path variable so that you can use Azure CLI 2.0.

Note: If you have the stable build of Azure CLI 2.0 installed using the MSI then you’ll need to configure your Environment Path variable to find the Az command that you’d like to use by default. I personally removed the stable build of Azure CLI 2.0 to make it easier.

Performing the Install

Make sure you’ve got Chocolatey installed. If you aren’t sure what Chocolatey is, it is a package management system for Windows – not unlike Apt-Get or Yum for Linux. It is free and awesome. In this process we’ll use Chocolatey to install Python for us. If you haven’t got Chocolatey installed, see this page for instructions.

Next, download and run this PowerShell script in a PowerShell Administrator Console:

	<#
	.SYNOPSIS
	Install Azure CLI 2.0 Nightly Build on Windows using Chocolatey and PowerShell
	#>
	if (-not (Get-Command -Name Choco -ErrorAction SilentlyContinue))
	{
	Throw 'Chocolatey is not installed. Please install it. See https://chocolatey.org/install for instructions.'
	}
	Write-Host -Object 'Installing Python 3 with Chocolatey...'
	& choco @('install','python3','-y')
	Update-SessionEnvironment
	$pyhtonScriptsPath = Join-Path -Path $ENV:APPDATA -ChildPath 'Python\Python36\Scripts'
	$currentPath = [System.Environment]::GetEnvironmentVariable('Path',[System.EnvironmentVariableTarget]::User) -split ';'
	if ($currentPath -notcontains $pyhtonScriptsPath)
	{
	Write-Host -Object 'Adding Python Scripts to User Environment Path...'
	$newPath = @()
	$newPath += $currentPath
	$newPath += $pyhtonScriptsPath
	$newPathJoined = $newPath -join ';'
	[System.Environment]::SetEnvironmentVariable('Path',$newPathJoined,[System.EnvironmentVariableTarget]::User)
	}
	if (-not $currentPath.Contains($pyhtonScriptsPath))
	{
	Write-Host -Object 'Adding Python Scripts to Current PowerShell session path...'
	$ENV:Path = "$($ENV:Path);$pyhtonScriptsPath"
	}
	Write-Host -Object 'Installing nightly build of Az CLI 2.0...'
	& pip @('install','--no-cache-dir','--user','--upgrade','--pre','azure-cli','--extra-index-url','https://azureclinightly.blob.core.windows.net/packages')
	Write-Host -Object 'Installation of nightly build of Az CLI 2.0 complete. Execute "az" to start.'

view raw Add-AzureCliNightlyBuildWithPython.ps1 hosted with ❤ by GitHub

You could save the content of this script into a PS1 file and then execute it like this:

It will then download and install Python, then use PIP to install the current nightly build packages. After a few minutes the installation will complete:

You can then run:

Az Login

To get started.

If you’re a bit new to Azure CLI 2.0, then another great way is to use Azure CLI Interactive:

Az Interactive

If you need to update to a newer nightly build, just run the script again and it will update your packages.

Easy as that! Now you can experiment with all the latest automation features in Azure without needing to wait for a new version of Azure CLI 2.0 or for latest Azure PowerShell cmdlets.

Edge Builds

If you want to install even more “bleeding edge” builds (built straight off the master branch on every merge to master) then you can make a small adjustment to the script above:

On line 34 change the URL of the feed from:

https://azureclinightly.blob.core.windows.net/packages

To:

https://azurecliprod.blob.core.windows.net/edge

Thanks for reading!