Azure Automation Tutorial | Automate PowerShell execution

Captions
Development and operations always go side by side, and when it comes to operations, things like process automation, configuration management and update management are very common challenges that you will be facing in Azure. Today I'll introduce you to Azure Automation, a service that was specifically designed to help you with those challenges. Stay tuned. [Music]

So, Azure Automation. What is Azure Automation? It's a cloud-based service that allows you to automate and configure your services across both your Azure and non-Azure environments. So what does it deliver? First of all, three things: process automation, update management and configuration management. An entire service is built around that. It also gives you complete control during deployment on all the operations that you're doing using this service.

What are the common scenarios? First of all, process automation is your way of automating standard processes, so like DevOps processes or maybe just Azure management, and you can do it through using graphical or scripting through PowerShell, or you can also write Python runbooks. Runbooks is a key word here because we're gonna be creating runbooks today. You also have configuration management, so you can collect inventory. Inventory is basically you collecting information from all servers around, let's say, what services are installed, what is the information in the registry on those servers. You can track changes on those environments and you can also write DSC, which is desired state configuration, so you can tell your servers how they should be configured and Azure Automation will handle this for you. Additionally you also have update management, so Azure Automation can actually handle all the updates and scheduling of the updates on your virtual machines. And lastly you have a lot of shared resources, so you can have access based control integration, you can have secured store for variables and many more. What is also good here is that it works on both Linux and Windows machines, and on Azure
and on-premises, so you can orchestrate and manage your services in pretty much any environment.

So how does process automation work? Process automation is the topic for today. I will cover other topics in the future, but for today I wanted to focus on the most common one in Azure, which is process automation. So if you have your automation account, within the automation account you will be creating something called runbooks. As we previously said, a runbook is either a PowerShell or Python script, and using those scripts you can actually write your logic, and this service is all about writing those scripts, at least for the process automation. Additionally you have some shared resources regarding connectivity: credentials, so you can store your usernames and passwords; you have certificates, so you can upload an entire certificate that will be used for connectivity to other services; and you have connections, which is simply information about Azure Active Directory accounts that you will be using to authenticate to Azure. Additionally you have something shared like modules, so if you're using PowerShell, modules are something for PowerShell; the equivalent of modules are Python packages. And you have also variables: if you want to parameterize your automation you can either make input parameters or your static variables. And lastly, when the runbook is ready you can send it for execution, and Azure Automation will create a virtual machine for that purpose and send that runbook for execution. What is good here is that during the execution of the runbook on the virtual machine, which of course you don't manage, Azure Automation manages that, but during that execution a script can refer to those shared resources, so it can pull either credentials, connections, variables or modules and you can use them within your scripts during the execution.

So what are the additional features? First of all, there are many ways to trigger runbooks, like you can do
schedule-based execution, you can do event-based, so for instance integrate with Event Grid and react to some events in Azure, or you can fall back to the very classic way of executing, so you can call your runbooks through web. But additionally you have also hybrid workers. As I said, Azure Automation very nicely integrates with both Azure and on-premises, so you can install an agent and execute your automation scripts on your own on-premises environments using hybrid workers. And lastly you also have script galleries, which are amazing because those are the community and Microsoft given out-of-the-box, ready-to-use scripts for you, so I would highly recommend checking those out before you start writing any scripts.

So I have a couple of demos for you today. I will give you a brief introduction to Azure Automation in the portal itself, then we're gonna be creating runbooks and running scripts from the runbooks, updating modules (I will also explain why this third step is so, so important), and we're gonna be automating operations, so I'm gonna do a quick demo where we're gonna be shutting down a virtual machine using runbooks, and lastly I will show you how to schedule your operation runbooks. So let's go to the portal.

So in the portal let's create an automation account. To do this go to this menu, hit Create resource, type "automation" and you're gonna find all the results. Automation from Microsoft, hit Create. You can give it a name, I'm gonna call it am demo, and next I will hit subscription, select my subscription, hit the resource group, I'll use auto forever on automation intro, location North Europe, I'm gonna leave this as default. And here's a very important step that I want to actually focus on for a minute: Create Azure Run As account. What does it really mean? First of all, when you're going to be creating this and you're not an owner of the subscription and administrator on an Active Directory, this will be grayed out and you will be only selecting No. Why is that? So let's figure
out what is happening here. I will go back to my presentation and go one more slide. So what I want to show you now is, you remember this process automation diagram, right? Let's remove what is not important, so let's remove this and this and let's just leave that, so a single runbook running on the virtual machine. So how will this runbook connect to Azure services? Of course through certificates and connections, but how, what does actually happen? A Run As account is an account that is created on Active Directory. To be frank, it's simply an application with a service principal, and to that application there is a certificate attached. So it's your service account, think of it like that, and you will use this account to authenticate to Azure to automate your processes. Of course, once this process creates that application and attaches a certificate, it puts that certificate into the automation account, into the connectivity shared resources, and also creates connection details regarding that application information. So this is the tying up process, so that you can actually use it from the scripts without exposing credentials in the scripts themselves.

Once the connectivity objects are created you can then start using those certificates and connections from the virtual machine, from the runbooks themselves, and what it will do: at the very first part of the script you will need to log in to Active Directory using that connection and certificate. Once you do that, you will then be able to manage and automate your processes, for instance shut down a virtual machine. But of course remember one important thing at this point: when you try to shut it down, Azure Active Directory will actually check if your application account, the automation account that you created, has privileges to do so. By default, and this is why you need to be an owner in the subscription to have this, when creating this application certificate, owner privileges will be granted on a subscription level. This is very problematic
because, as you can imagine, this has several disadvantages, but I will talk about it in a second. So this is how you will actually authenticate and automate processes, so we can go back to the portal.

Once you have this set up you can hit Create and just wait a couple of minutes. I will actually skip ahead. Provisioning has been finished, so let's see what happened. There are actually two messages. First of all, deployment succeeded, that means the automation account was created, but also notice this: a new Run As account service principal was created, and this is the process that I was talking about. In your Active Directory at this point a new account application was created, and as you see, the Contributor role was granted to this user at the subscription level. So that means this automation account can now create, manage and even delete all the resources on this subscription. We're going to be fixing that later, but for now just leave this at that and you can go to the resource.

In the resource you have a couple of things. First of all we have this table of statistics, so when we're gonna be starting jobs you will see this being updated, and besides that there's not much important information here. So let's see what you have in the portal. First of all you have configuration management in here. As I said, you can manage that information about your servers like running daemons, services, registry entries; you can change-track what was changing on your servers; you can have the desired state configuration, so manage state for your servers; and update management. As I said, for today we're focusing on process automation. In here you have runbooks and jobs, so basically when you execute the runbook, that's a job. So let's see in the runbooks before we go further. In the runbooks, when you create an automation account, by default you will have three runbooks, each of one type, because Microsoft wants to give you those demo runbooks so you see what you can do. First of all you have a graphical runbook. When you hit on it and
go, this is your in-browser editor for your runbooks. You can actually start the runbook here, view the code or edit the code right in the browser. You can link it to a schedule, so basically schedule it at some time, and a webhook if you need to, or do all other stuff like see what are the jobs that you executed using this runbook, what are the current schedules, webhooks, etc. What I will do right now is I will actually go to view, edit. Inside of edit for the graphical runbook you have this drag-and-drop type of experience, so if you would want to write your scripts you could simply go to, say, assets, use the variables if you have any defined, connections (as I said, I have one, this is this Run As connection), credentials, certificates. You have runbook control, but the most important are cmdlets. So cmdlets are your way of running PowerShell scripts in a graphical way, so basically find whatever information you need, for instance search for virtual machines or SQL. Virtual machines are under Compute, and you can for instance use Get-AzureRmVM and you can hit the three dots, add to canvas, and that's another block, and you can simply drag and drop this UI and write the scripts. And as you see, it's simple: Run As connection, log in to Azure, get resource group, find resources, write output. I will probably leave it here because my recommendation is, well, this is very cool and looks nice, seems to be easier. It usually isn't. It's hard to manage graphical runbooks, so my recommendation is not really to use those. They are very neat, but in the end, for a longer perspective or longer management, they're harder to manage and take more effort to understand from the very brief point of view. So let's just revert this change and go back.

So the second runbook that we have is the Python runbook. I will not dig in here because Python runbooks are in version 2.0, there is no support for the latest version 3.7 of Python, which is very, very bad, and Microsoft will be actually deprecating in future Python
version 2.0, so there will be actually no support even for runbooks like that, so don't even think about it. But honestly, just look at this, there's the script, as simple as that. So you grab your script, you put it here, and if you have already created automation scripts using Python you can probably bring them here.

Although what Azure Automation really shines at is PowerShell runbooks, so this is the most common way of using Azure Automation. So when you hit on it and you go to edit, you will get actually your script. I'll actually delete those notes for a second so you get a bit more real estate. So what is happening here? First of all, we defined a variable called Run As connection. What does this really mean? I will actually go back to the portal and open our resource group, and inside of the resource group you have our am demo account and the three default runbooks. Notice that runbooks are actually treated like a normal Azure resource, so you'll actually see more in the future when you will be working with the automation account. So when you go to am demo, in here if you scroll down you will find those shared resources that I was talking about, and you have connections and certificates. So if you go to connections, notice the name AzureRunAsConnection, and this is that variable. So using that you will actually use the cmdlet called Get-AutomationConnection and provide that name. This will return that saved connection to your automation account, and also it will be pointing to that certificate that you have here, AzureRunAsCertificate, using this thumbprint.

So you go back, notice this: log in to Azure, and we're logging in using a service principal, so a service account. We're providing a tenant ID. Tenant ID is just an abbreviation, a synonym, for Azure Active Directory, so this is your Azure Active Directory account ID. You have then application ID, so this is the ID of your service principal, a certificate thumbprint, which I already showed you, and application ID. By the way, all this info is also available in
the connections. When you go to the connection and open it you will see this application ID, tenant ID and a thumbprint, and there's even subscription ID, so all that information is stored within this object and you log in to Azure using that. When this try-catch finishes you can already start automating the process, so for instance get all ARM resources from resource group. So this will return all the resource groups, and for each resource group it will be returning all the resources within that resource group.

So let's see if this works. To do that you can actually hit Save and then hit this button, Start. This will actually register a new job. But if you're not ready or you want to debug your script before publishing, you can actually use the test pane, where you simply hit Start and queue your process for running. As you see, our script has no input parameters, so it requires nothing to run it. So I'm gonna skip ahead here. The script finished, and as you see it iterated over all my resource groups. It found my application automation intro, my VM demo and all the other private resource groups. Why did it do that? Well, because this runbook, as I said, has Contributor on the entire subscription, therefore it was able to actually see all my resource groups, and this is, well, this is great. It's also very dangerous.

So the first order of business that you should always do is actually go to Azure subscriptions, your subscription, and on the subscription level find the application. How do you find the application? So let me show you how you could find your application. Go to the resource group, go to automation intro, go to am demo, scroll down to your connections, hit on the Run As connection and copy the application ID. This is the first step. Next, once you have the application ID, you can go to Azure Active Directory, where under the application registration section you can actually paste this ID to find it. You will find, as you see, it's called am
demo, the same name as our automation account, underscore and then a random hash. So you can hit on it and this is your full application, and of course in the certificates you will find your certificate being uploaded. So now we have our am demo application name, so the display name is how you can actually find the application. Now that you have the name you can go to subscriptions, open your subscription, go to access control, role assignments and find this as a Contributor. My advice is just remove it, because it should not have such high privileges, and go back to your resource group and assign proper privileges just for the resource groups that you want to manage. In this case I want to manage our automation intro, so I will actually go here to the IAM and add a role, access based control, as an Owner, provide the name of the application, select it, and now my automation account is only able to access this resource group, so that I'm making sure that it cannot delete anything else that I don't want it to.

All right, so that said, we can actually do one very important thing now. Go to our resource group, go to the automation account and under modules here I will show you something interesting. Notice that there are Azure modules installed already, so when you create an automation account all those modules are installed. But if you have a keen eye you probably already noticed that the 1.0.3 version of the AzureRM automation libraries is installed. That's very bad, because currently I think version 6.0 is already available, so if you can imagine, you're using version one and there is a version six on the market, that will have several disadvantages when you're writing scripts, because some of the scripts that you will find on the Internet will simply not work. So as you can imagine, you could simply hit this Update Azure modules button here, but hold on, notice this: this Azure feature has been deprecated. If you're watching this video at a later stage it is possible that this button will not
even be here. So what you will actually need to do here is go to this GitHub page here, available as open source. There's a script there, I will actually scroll here a bit, and there's a script, Update Automation Modules. You can actually just grab this entire script here. It's a very long script but you don't even have to understand it. So we'll actually go back to our automation account and simply create a new runbook. I'm gonna call it update modules, I forget you cannot use spaces, and of course the runbook type is PowerShell because that was a PowerShell script. Hit Create. Once you create a new script, simply paste this very long script, hit Save, hit Publish. This will make sure that when you hit Start it will be already in published state. So hit Start and notice that this script has a lot of parameters, but only two are mandatory, so let's provide the resource group name and let's provide the automation account name. So what this will do right now, this will log in to Azure, to this resource group, and update this Azure Automation account using this script. Everything else you can leave as default, but what it will do, it will update to up-to-date AzureRM modules. If you're already using Az modules, check the Microsoft guide that I will link in the description below on how to update to Az modules. It's almost as simple as just writing Az here, but there are a couple of additional steps here. So I will update right now to AzureRM, to the latest version, hit OK, and simply you can go to output to see what is happening.

So I will actually speed this ahead. When the script completes you will see all the outputs and you should see that all the modules were updated to the latest version. You can review if there were any errors or warnings, or just review all the logs from the output of this example. So this should update all our modules, and when you go back to your runbooks and scroll down to the modules you should find all the latest version of AzureRM, which is five point three 4.0, so as you see it
doesn't update to six point six version yet, or maybe that was me and I actually might have mistaken that with PowerShell version six, actually seven is coming, but that's another topic for another day. So 35.3 4.0, that's the latest version, and all the modules are updated. Now you can actually be sure that when you're running those scripts from the guides, from the documentation, they will be actually running, and this should be your first order of business. Why is this important? Besides being up to date and having more flexibility with the latest scripts, most of the issues I had with automation in the past were because those modules were outdated. So if you're having random errors and you don't know why, try updating the modules first before you investigate further. A very big hint that I learned after over one year of a project with Azure Automation, so big important stuff here.

All right, so the very last demo, at least from the operations perspective, that I want to show you is automation of operations. So let's go to the resource group. I created a resource group called automation VM demo, so this is a resource group where I have a Linux virtual machine called VM demo. Currently it's stopped, so I'm gonna start it, and while it's starting I'll show also the very important stuff, which is in the access control. You need to grant access. Since we took Contributor access for that VM from the entire subscription, we always need to manage this access, and this is very important. So go add role assignment, just close this. I'm going to add it as an Owner, or maybe just Contributor. The problem with out-of-the-box roles is that Contributor allows you also to delete this virtual machine, which is not ideal, so for actual production use my advice is create a custom role called virtual machine contributor which allows you only to start and stop virtual machines, if that's the purpose of your automation account, but that's a topic for another day. So let's select and find our application am
demo, this is our application, hit Save. So now our application is a Contributor on this resource group, therefore it can manage that virtual machine and all the resources within this resource group.

So since the automation account has access here, now we can go back to the automation account through the resource group, open the automation account, open runbooks. I'm gonna first copy the runbook that I already have, so I'm just gonna use this code, and I'm going to create a new runbook. This will be the Stop VM runbook, it will be type of PowerShell, and in here I'm gonna paste the script. I'm gonna remove some unnecessary stuff, and for brevity I will actually take this away also and just paste it here, so our script is shorter, and now I can actually move this. So again, we're connecting to Azure, getting the connection information, and here we're connecting and adding a new account, so this is actually the connection part.

So let's stop that virtual machine. In order to stop a virtual machine you can use the cmdlet called Stop-AzureRmVM, and you need to provide a resource group name and you need to provide a virtual machine name. So I know my resource group name was called similarly to my current one, just instead of intro it was called VM demo, and my VM was also called VM demo. And you need to add a parameter called Force, because usually it prompts the user, "are you sure you want to stop that virtual machine?" Since we don't want to have this prompt, we can actually run it as is. So I'm gonna go to the test pane because, as always, this is the debugging session side. I'm not sure if this runs, so I need to verify it, and I will verify this in the test pane. So let's skip ahead, and the script finished, so the virtual machine was stopped. We can actually go and verify that, so go back to the resource group VM demo, open our virtual machine, and it's currently stopped, deallocated. So it's perfect, it's working. And if you go back to our intro and our automation account, runbooks, and
quickly go back to our Stop VM runbook, what you can also do, and I will actually show you just very quickly, you can actually add parameters. So on the first line of the script, if you want to get a more generic version of this, you can simply add that param section and provide parameter names, so instead of a static name you can actually provide dynamic names and you can use those things within the script, or you can use variables. So this way your script will have parameters, and you will see that being correctly set up when you go to the test pane. Actually I forgot to save it. Go save it, go to the test pane, and you will notice that in order to run it you need to actually provide the parameters. Of course I can click Start, just to show you, because my parameters are currently set as optional. You can enforce that your parameters will be mandatory, but this is not required right now.

All right, so our script is done, we have a parameterized script, so the very last part is scheduling. So let's publish the script in order to schedule it. Once you have published that runbook you can go here and link to schedule. When you do that you need to create a new schedule: link a schedule to the runbook, create a new schedule and provide the name, stop VM at 7:00 p.m., right? So I can give it a name, I can say that's from tomorrow at 7:00 p.m., Polish time zone, and do that once a day and don't ever expire. So let's set up the other parameters. You need to give it a resource group name. You can copy that from here, just be careful to not click on it, otherwise you're gonna leave this window. And that was VM demo, and the name of the virtual machine was also VM demo. Hit OK, hit OK, and that's it. Right now we already created a schedule and you can find it within schedules here. Now you can see the next run will be tomorrow at 7:00 p.m.
Poland time, and that's it. This is how simply you can do schedules for your runbooks.

What else do you have in the portal? I'm gonna briefly show you. First of all, anything that you run will be found here in jobs. As you see, we were running update modules. We don't see any runbooks other than this because we were running them in the test pane. You don't see anything from past test pane runs here, you only see runs from the published runbooks. You also have the runbook gallery. I highly encourage you to go here. First of all, you always need to decide which language you want for the runbook. I usually just want PowerShell scripts because I feel other options are not as good. Second of all, and of course PowerShell workflows, but that's a topic for another time, publisher: if you don't trust the community, of course you shouldn't, but some companies don't, you can always set publisher to Microsoft to be sure that all those are validated from the trusted source. And just look through the scripts that are available, because there's plenty of them, like starting virtual machines, doing some SQL commands, calls, integrating with Event Grid, etc., etc. There's plenty of scripts for you to browse, so I highly encourage you to check this. And besides this there's plenty more that you could see here, but for today, for the quick intro, I think that's it.

Wow, that is actually longer than I expected. Azure Automation, while it looks simple, is actually a very powerful service for both process automation and daily operations, so if you need that kind of workloads definitely check it out. If you're moving workloads from on-premises and you are using PowerShell, again, check it out. That's it for today. If you liked the video hit thumbs up, subscribe if you want to see more, and see you next time. [Music]
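
Added example (not the presenter's code, which is not reproduced in the captions): the Stop VM runbook described in the transcript, written with mandatory parameters and a guard that refuses to run while the Run As service principal still holds a subscription-level role assignment. It assumes the AzureRM modules used in the video, the default `AzureRunAsConnection` asset, and that the principal is allowed to read its own role assignments; the scope guard is this example's own addition.

```powershell
param(
    # Mandatory, so the test pane and schedules must supply both values
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,

    [Parameter(Mandatory = $true)]
    [string] $VMName
)

# Fail closed: any error (including a failed permission check) stops the job
$ErrorActionPreference = 'Stop'

# Connection asset created together with the Run As account
$connectionName = 'AzureRunAsConnection'

# Authenticate as the Run As service principal with the certificate stored
# in the Automation account; no credentials appear in the script itself
$conn = Get-AutomationConnection -Name $connectionName
if (-not $conn) {
    throw "Connection asset '$connectionName' was not found."
}

Add-AzureRmAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Select-AzureRmSubscription -SubscriptionId $conn.SubscriptionId | Out-Null

# Guard (added in this example): the default Run As account is created with
# Contributor on the whole subscription. Refuse to run until that assignment
# has been replaced by one scoped to the resource group being managed.
$subscriptionScope = "/subscriptions/$($conn.SubscriptionId)"
$broad = @(
    Get-AzureRmRoleAssignment -ServicePrincipalName $conn.ApplicationId |
        Where-Object { $_.Scope.TrimEnd('/') -eq $subscriptionScope }
)
if ($broad.Count -gt 0) {
    $roles = ($broad | ForEach-Object { $_.RoleDefinitionName }) -join ', '
    throw ("Run As principal holds subscription-scope role(s): $roles. " +
           "Remove them and assign a role on '$ResourceGroupName' only.")
}

# Skip the call when the VM is already deallocated, so scheduled runs
# are idempotent and the job output shows what actually happened
$vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status
$powerState = ($vm.Statuses |
    Where-Object { $_.Code -like 'PowerState/*' }).Code

if ($powerState -eq 'PowerState/deallocated') {
    Write-Output "VM '$VMName' is already deallocated; nothing to do."
    return
}

# -Force suppresses the interactive confirmation, which a runbook cannot answer
Stop-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force |
    Out-Null
Write-Output "VM '$VMName' in '$ResourceGroupName' stopped (was: $powerState)."
```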
Info
Channel: Adam Marczak - Azure for Everyone
Views: 41,388
Rating: 4.9545455 out of 5
Keywords: Azure, Automation, Operations, DevOps, Ops, SecOps, PowerShell, PS, Update Management
Id: u6eR8yguVxE
Length: 30min 50sec (1850 seconds)
Published: Tue Nov 12 2019