Creating a Resource Group
I won’t go into ARM templates but we’ll build this example into a Resource Group so at the very least, you’ll be able to destroy all artefacts in one go at the end (by destroying the Resource Group).
So let’s go in the Preview Portal to create a new Resource Group. In the home page, select Resource groups.
Then select Add.
This should pop up the following blade.
As Resource Group Name, type SampleAutomations.
Select the Subscription you want to use.
Choose the location (region) that is most convenient for you.
Then click on the Create button at the bottom of the blade.
Creating Automation Account
Let’s create an Automation Account.
Give it a unique name (I used myfirstautomation), ensure it is in the resource group we created and in a suitable region (not all regions are supported yet) and click the Create button.
Exploring Automation Account
Let’s open the newly created account.
Runbooks are PowerShell workflows. In a nutshell, those are a mix of PowerShell scripts and Workflow Foundation (WF) workflows. They allow long running workflows, pauses, restarts, etc. You already have a runbook: the tutorial runbook. You can look at it.
Assets come in different forms:
- Schedules
- Modules
- Certificates
- Connections
- Variables
- Credentials
We are going to use a schedule to run our run book. We are also going to use variables to store configuration about our run book.
Creating Storage Account
Before we create our run book we need a storage account.
We’re going to create a storage account within the Resource Group we’ve created. Click the plus button at the top left of the portal.
Select Data + Storage then select Storage Account.
Then at the bottom of the Storage Account pane, select “Resource Manager” and click Create.
Name the account something unique (I used mysample2015).
In Resource Group, make sure to select the resource group you just created. Make sure the location suits you and click Create.
Creating Storage Container
Using your favorite Azure Storage tool (I used CloudXplorer), create a container named my-watched-container.
For the runbook to access the container, we’ll use a Shared Access Signature (SAS) token. Whenever you can, use the access mechanism giving as little access as possible. This way, if your assets get compromised, the attacker can do less damage than if you stick the keys of the castle in there. This is the least privilege principle and you should always apply it.
So, for that newly created container, create a SAS token allowing only listing and deleting. This is all our runbook will do: list the blobs and delete the ones matching a certain pattern.
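As an added example (not part of the original post), here is how the least-privilege SAS can be minted from PowerShell and then checked, using the same Azure.Storage cmdlets the runbook uses. It assumes the account and container names from this post and that you paste your storage account key into the placeholder; the account key is used once to create the SAS and is never stored in Automation.

```powershell
# Added example: create a container SAS limited to list + delete, then verify
# that it cannot upload. Assumes the Azure.Storage cmdlets used in this post.
$accountName   = 'mysample2015'           # storage account from the post
$containerName = 'my-watched-container'   # container from the post
$accountKey    = '<storage-account-key>'  # placeholder: paste your key here, never commit it

# Full-access context (account key): used only once, to mint the SAS
$keyContext = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey

# Permissions: l = list, d = delete. No read, no write, and a bounded expiry.
$sas = New-AzureStorageContainerSASToken -Name $containerName -Permission 'ld' `
    -ExpiryTime (Get-Date).AddDays(30) -Context $keyContext
Write-Output "Store this in the encrypted 'sas' variable: $sas"

# Context built from the SAS alone: this is all the runbook ever holds
$sasContext = New-AzureStorageContext -StorageAccountName $accountName -SasToken $sas

# Listing works with the SAS
Get-AzureStorageBlob -Container $containerName -Context $sasContext | Select-Object Name

# Uploading must fail: the SAS has no write permission
$tmp = [System.IO.Path]::GetTempFileName()
try {
    Set-AzureStorageBlobContent -File $tmp -Container $containerName -Blob 'sas-probe.txt' `
        -Context $sasContext -ErrorAction Stop
    Write-Warning 'Upload succeeded: the SAS is broader than intended, regenerate it with fewer permissions'
} catch {
    Write-Output "Upload correctly rejected: $($_.Exception.Message)"
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

The expiry keeps a leaked token from being useful forever; when it expires, mint a new one and update the encrypted variable rather than widening permissions.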
Creating Variables
Let’s create the variables for our run book.
Go back to the run book, select assets then select variables then add variable.
Give it accountName as a Name, leave the default string type there and for value, input the name of the storage account you created. Then click create.
Do the same for the following:
| NAME | VALUE |
|---|---|
| containerName | my-watched-container |
| pattern | draft |
| sas | The value of the SAS token you created for your container. This should start with the question mark of the query string. |
For the last one, select the encrypted option.
This makes the variable's value unreadable to operators in the portal from then on: it can only be read from inside a runbook. It’s an added level of security.
You should have the following variables defined.
Creating Runbook
Let’s create the runbook. Let’s close the Variables and Assets blade.
Let’s select the Runbooks box and click the Add a run book button. Select Quick Create.
For Name, input CleanBlobs. For Runbook type, choose PowerShell Workflow. Hit the Create button.
This is the code of our Workflow. Let’s paste in the following:
```powershell
workflow CleanBlobs
{
    InlineScript
    {
        # Here we load all the variables we defined earlier
        $account   = Get-AutomationVariable -Name 'accountName'
        $container = Get-AutomationVariable -Name 'containerName'
        $sas       = Get-AutomationVariable -Name 'sas'
        $pattern   = Get-AutomationVariable -Name 'pattern'

        # Construct a context for the storage account based on a SAS
        $context = New-AzureStorageContext -StorageAccountName $account -SasToken $sas

        # List all the blobs in the container
        $blobs = Get-AzureStorageBlob -Container $container -Context $context

        # Keep only the blobs whose name contains the pattern (case-insensitive)
        $filteredBlobs = $blobs | Where-Object { $_.Name.ToUpper().Contains($pattern.ToUpper()) }

        # Delete the matching blobs
        $filteredBlobs | ForEach-Object {
            Remove-AzureStorageBlob -Blob $_.Name -Container $container -Context $context
        }
    }
}
```
You can see how we are using the variables by calling the cmdlet Get-AutomationVariable. You could actually discover that by opening the Assets tree view on the left of the edit pane.
We can then test our runbook by hitting the Test button on top. First you might want to insert a few empty files in your blob container, with some containing the word “draft” in their name. Once the workflow has run, it should have deleted the draft files.
Scheduling Runbook
Let’s schedule the runbook. First let’s publish it. Close the test pane and click the Publish button.
Then click the Schedule button and Link a schedule to your runbook.