Closed cdeli closed 7 years ago
@cdeli Hey Corey, would you mind running Get-Module -ListAvailable and pasting the output here?
It seems that you may have a combination of modules from both the MSI / Web Platform Installer and the PowerShell Gallery that is causing this issue.
Everything I have is from the PSGallery with the sole exception being FSRMDsc which I had to pull from Github manually.
Everything works in my script until I need to pass credentials through.
Do you want this module list from my workstation or from Azure Automation (where this is being run from)?
All of my local modules.
My modules from Azure Automation.
NAME | LAST MODIFIED | STATUS |
---|---|---|
Azure | 7/20/2017, 10:52 AM | Available |
Azure.Storage | 7/20/2017, 10:49 AM | Available |
AzureRM.Automation | 7/20/2017, 10:49 AM | Available |
AzureRM.Compute | 7/20/2017, 10:50 AM | Available |
AzureRM.Profile | 7/24/2017, 3:26 PM | Available |
AzureRM.Resources | 7/20/2017, 10:49 AM | Available |
AzureRM.Sql | 7/20/2017, 10:50 AM | Available |
AzureRM.Storage | 7/20/2017, 10:51 AM | Available |
FSRMDsc | 7/26/2017, 10:46 AM | Available |
Microsoft.PowerShell.Core | 7/25/2017, 5:59 PM | Available |
Microsoft.PowerShell.Diagnostics | 7/25/2017, 6:00 PM | Available |
Microsoft.PowerShell.Management | 7/25/2017, 6:00 PM | Available |
Microsoft.PowerShell.Security | 7/25/2017, 6:01 PM | Available |
Microsoft.PowerShell.Utility | 7/25/2017, 6:01 PM | Available |
Microsoft.WSMan.Management | 7/25/2017, 6:02 PM | Available |
Orchestrator.AssetManagement.Cmdlets | 7/25/2017, 6:06 PM | Available |
PSDscResources | 7/24/2017, 3:26 PM | Available |
xComputerManagement | 7/24/2017, 1:58 PM | Available |
xDSCDomainjoin | 4/25/2017, 8:30 PM | Available |
xPSDesiredStateConfiguration | 7/25/2017, 12:10 PM | Available |
@cdeli it seems like you are trying to use an ARM cmdlet before logging in. If you want to log in with a service principal, you will need to know the service principal name and credentials before logging in; you will not be able to use ARM cmdlets to retrieve them unless you provide ARM with alternate credentials to use.
I am literally following what is in this article
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-compile#credential-assets
Using my AzureRMRunAsAccounts.
Here is my code. I am unsure what I am even doing wrong at this point. I am being told to run Login-AzureRMAccount but I never should have to.
```powershell
Configuration FileServer_Crypto_FSRM
{
    Import-DscResource -ModuleName xPSDesiredStateConfiguration
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xComputerManagement
    Import-DscResource -ModuleName FSRMDsc

    $connectionName = "AzureRunAsConnection"
    try
    {
        # Get the connection "AzureRunAsConnection"
        $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
        "Logging in to Azure..."
        Add-AzureRmAccount `
            -ServicePrincipal `
            -TenantId $servicePrincipalConnection.TenantId `
            -ApplicationId $servicePrincipalConnection.ApplicationId `
            -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
    }
    catch
    {
        if (!$servicePrincipalConnection)
        {
            $ErrorMessage = "Connection $connectionName not found."
            throw $ErrorMessage
        }
        else
        {
            Write-Error -Message $_.Exception
            throw $_.Exception
        }
    }

    # AzureRM cmdlet: requires a logged-in session and returns the username only (no password)
    $Cred = Get-AzureRmAutomationCredential -ResourceGroupName "Contoso-Azure-Automation" -AutomationAccountName "DSC-Automation" -Name "PowerShellStore"

    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName                    = "*"
                PSDscAllowPlainTextPassword = $True
            },
            @{
                NodeName = "CryptoCanary"
            }
        )
    }

    Node CryptoCanary
    {
        File ScriptFolder
        {
            Type            = 'Directory'
            Ensure          = "Present"
            DestinationPath = "C:\Scripts"
        }

        File DownloadCanary
        {
            Ensure          = 'Present'
            Credential      = $Cred
            SourcePath      = "\\contoso.file.core.windows.net\powershellscripts\fileservers\fsrm\cryptoupdate.ps1"
            DestinationPath = "C:\Scripts\"
            Type            = "File"
            Recurse         = $true
            Force           = $true
        }

        xScheduledTask UpdateCanary
        {
            Ensure             = 'Present'
            TaskName           = "UpdateCanary"
            ActionExecutable   = "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            ActionArguments    = "-File `"C:\scripts\CryptoUpdate.ps1`""
            ScheduleType       = 'Once'
            RepeatInterval     = '00:00:15'
            RepetitionDuration = '00:00:16'
            Enable             = $true
        }

        WindowsFeature FSRM
        {
            Name                 = "FS-Resource-Manager"
            Ensure               = "Present"
            IncludeAllSubFeature = $true
        }

        FSRMSettings FSRMSettings
        {
            Id                       = 'Default'
            SmtpServer               = 'mail.contoso.com'
            AdminEmailAddress        = 'helpdesk@contoso.com'
            FromEmailAddress         = 'conotosoreporting@contoso.com'
            CommandNotificationLimit = 90
            EmailNotificationLimit   = 90
            EventNotificationLimit   = 90
        }

        FSRMClassificationProperty SSN
        {
            Name        = 'Contains SSN'
            Type        = 'YesNo'
            Description = 'This file contains Social Security Numbers'
            Ensure      = 'Present'
        } # End of classification for SSN. Repeat for each classification

        FSRMClassificationProperty CC
        {
            Name        = 'Contains CC'
            Type        = 'YesNo'
            Description = 'This file contains Credit Card Numbers'
            Ensure      = 'Present'
        } # End of classification for Credit Cards. Repeat for each classification

        FSRMClassificationProperty DL
        {
            Name        = 'Contains DL'
            Type        = 'YesNo'
            Description = 'This file contains Drivers License Numbers'
            Ensure      = 'Present'
        } # End of classification for Drivers License. Repeat for each classification

        FSRMFileGroup AntiRansomware
        {
            Name        = "AntiRansomware"
            Description = "Auto updating group to block all ransomware variants"
            Ensure      = "Present"
        }

        FSRMFileScreen CreateScreen
        {
            Path         = 'F:\'
            Description  = 'FileScreen for warning of crypto based files'
            Ensure       = 'Present'
            Active       = $true
            IncludeGroup = 'AntiRansomware'   # must match the FSRMFileGroup name above
            Template     = "Crypto"
        }

        FSRMFileScreenTemplate CreateTemplate
        {
            Name         = 'Crypto'
            Description  = 'Template for all files to update in the Crypto Canary'
            Ensure       = 'Present'
            Active       = $true
            IncludeGroup = 'AntiRansomware'   # must match the FSRMFileGroup name above
        }

        FSRMFileScreenTemplateAction SendEmail
        {
            Name      = 'Crypto'
            Ensure    = 'Present'
            Type      = 'Email'
            Subject   = 'Unauthorized file matching [Violated File Group] file group detected'
            Body      = 'The system detected that user [Source Io Owner] attempted to save [Source File Path] on [File Screen Path] on server [Server]. This file matches the [Violated File Group] file group which is not permitted on the system.'
            MailBCC   = ''
            MailCC    = 'fileserveradmins@contoso.com'
            MailTo    = '[Source Io Owner Email]'
            DependsOn = '[FSRMFileScreenTemplate]CreateTemplate'
        }
    }
}

# Compilation call placed in the same script as the configuration
Start-AzureRmAutomationDscCompilationJob -ResourceGroupName "Contoso-Azure-Automation" -AutomationAccountName "DSC-Automation" -ConfigurationName "FileServer_Crypto_FSRM" -ConfigurationData $ConfigData
```
This is intended to be used in a runbook with AzureAutomation, where login has already occurred. A login is required to use AzureRm cmdlets.
Wait, why on earth is this closed? My question still is not even answered. I am unable to pass the credentials through to DSC with the guide on the docs page. I would like some guidance as to whether I am doing this wrong or what. I am using Azure Automation DSC, so I wouldn't expect that pulling a credential in from the secure credential store would require logging in, which I cannot do unless I have an account to do this....
@markcowl runbooks do not automatically log you in; you still have to perform 'Add-AzureRmAccount' with either a credential or a service principal with a connection. The sandbox allows you to use Get-Automation cmdlets without authentication (as opposed to Get-AzureRm cmdlets).
@cdeli try using $Cred = Get-AutomationPsCredential -Name "PowerShellStore" instead. See Here
You do not need to authenticate before using this cmdlet as the automation sandbox handles all that for you.
The docs should have stated the Get-AutomationPsCredential cmdlet and not Get-AzureRmAutomationCredential, as it only returns a partial credential (no password).
The credential must live inside the automation account you're generating the MOF file on.
Liam
Also, I don't recommend using the 'PSDscAllowPlainTextPassword' option. Azure Automation (as far as I'm aware) should handle the encryption certificates for MOF passwords, so there should be no need to include this in your DSC script, just remove it and it should work.
Liam
Also, I just noticed you listed your local modules. Just for the sake of clarity, are you compiling this on Azure Automation? This approach will not work if you're running them locally (unless you're using the automation dev toolkit with the Get-AutomationPsCredential cmdlet).
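The configuration Liam is describing, written out as an added example (this is not code from the thread or from the Azure Automation docs): the credential is read with Get-AutomationPSCredential inside the sandbox, so there is no Add-AzureRmAccount and no AzureRM cmdlet anywhere in the configuration, and the compile call is not part of this file. The credential asset name 'PowerShellStore' comes from the thread; the share path, file name and node name are placeholders.

```powershell
# Added example: a configuration script intended to be imported into an Azure Automation
# account and compiled there. Assumptions: a credential asset named 'PowerShellStore'
# exists in that account; the UNC path and node name below are placeholders.
Configuration FileServer_PullScript
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # No Add-AzureRmAccount here. Compilation runs inside the Automation sandbox, where the
    # Get-Automation* cmdlets are already authorised. Get-AutomationPSCredential returns a
    # complete PSCredential (username and password); Get-AzureRmAutomationCredential is an
    # AzureRM cmdlet that needs a logged-in session and returns the username only.
    $cred = Get-AutomationPSCredential -Name 'PowerShellStore'

    # Node names come from the ConfigurationData supplied at compile time, so the same
    # configuration can be compiled for more than one server.
    Node $AllNodes.NodeName
    {
        File ScriptFolder
        {
            Type            = 'Directory'
            Ensure          = 'Present'
            DestinationPath = 'C:\Scripts'
        }

        File DownloadScript
        {
            Ensure          = 'Present'
            Type            = 'File'
            Credential      = $cred                                  # used to reach the share
            SourcePath      = '\\files.example.test\scripts\update.ps1'   # placeholder UNC path
            DestinationPath = 'C:\Scripts\update.ps1'
            DependsOn       = '[File]ScriptFolder'                   # folder must exist first
        }
    }
}
```

Because the file is imported as a configuration rather than run as a runbook, the only code that executes during compilation is the configuration body itself; anything that needs an AzureRM session (publishing the file, starting the compilation job) belongs in a separate script on the operator's side.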
No I am doing all of the compiling with Azure. Was unsure which modules were needed so I did both just for sanity sake.
I will try your suggestions tonight while I do some additional work. Thank you for the input @lfshr, I will report back after to verify. I did not see the link you posted before when I was researching this so that is a big help for me.
Still wants me to log in. All I am trying to do is let my VM access an Azure mapped drive. At this point I am considering having Jenkins send the file down locally to the server.
Hi @cdeli I managed to get it working with the following code:
```powershell
configuration Config_Test {
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
        -ErrorAction 'Stop'
    Write-Output ([String]::Join(', ', (Get-AzureRmResource).Name))

    Script Test {
        GetScript  = { @{ Result = "Hello World" } }   # GetScript must return a hashtable
        TestScript = { $false }
        SetScript  = { "Hello world!" }
    }
}
```
Uploaded and compiled manually in the portal. Can you try something similar?
Tested with the same code you have here and it worked perfectly fine.
Added the whole part for Add-AzureRMAccount (including the variable $ServicePrincipalConnection) and it compiled properly.
Added the variable $Cred = Get-AzureRmAutomationCredential -ResourceGroupName "Azure-Automation" -AutomationAccountName "DSC-Automation" -Name "PowerShellStore"
and it compiled properly.
Seems I am now failing on the file part when it is calling the $Cred variable. Does the command, listed above, need something additional perhaps to pass the password through?
Thank you for your help on this @lfshr, it is moving me forward pretty well now. Just finishing calling this credential is where I'm stuck.
@cdeli Glad it worked!
Get-AzureRmAutomationCredential gives you the username only; it does not populate the password. Use Get-AutomationPsCredential, as it returns both the username and password.
The reason for this is that Get-AutomationPsCredential is an Automation cmdlet designed for Runbook usage. Get-AzureRmAutomationCredential is an AzureRM cmdlet that can be run anywhere.
The Get-AutomationPsCredential cmdlet is only contained in Automation. If you want to develop for automation with this cmdlet then you can install the 'AzureAutomationAuthoringToolkit' module from the gallery. See Here
Liam
So I realized immediately after hitting comment that I didn't swap out the original cmdlet for Get-AutomationPSCredential.
I just added the module locally and in AA as well. I seem to be on the right path all around now with this, I greatly appreciate it.
Just for my own clarity, what was I doing wrong? I want to bypass this mistake in the future.
@cdeli I'm not 100% sure. Did you take the Start-AzureRmAutomationDscCompilationJob -ResourceGroupName "Contoso-Azure-Automation" -AutomationAccountName "DSC-Automation" -ConfigurationName "FileServer_Crypto_FSRM" -ConfigurationData $ConfigData
line out of your new DSC script? You could try adding this again and see if it causes the same issues. The DSC script and the compilation call are two separate things.
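The separation lfshr describes (configuration script in one place, compilation call in another), shown as an added example that is not from the thread: this is the operator-side script, run from a workstation session that has already authenticated with Add-AzureRmAccount, which publishes the configuration, supplies the ConfigurationData, and then polls the compilation job instead of assuming it succeeded. The resource group and account names are the ones from the thread; the configuration name, file path and node name are placeholders, and the set of terminal job status strings is an assumption about the AzureRM.Automation cmdlet output.

```powershell
# Added example: compile an Azure Automation DSC configuration from outside the sandbox.
# Assumptions: the configuration 'FileServer_PullScript' lives in .\FileServer_PullScript.ps1
# (Import-AzureRmAutomationDscConfiguration requires the file name to match the
# configuration name); resource group and account names are taken from the thread.
$rg      = 'Contoso-Azure-Automation'
$account = 'DSC-Automation'
$config  = 'FileServer_PullScript'          # placeholder configuration name

# 1. Authenticate this session. A runbook would use its RunAs connection instead;
#    the configuration script itself never logs in.
Add-AzureRmAccount | Out-Null

# 2. Upload and publish the configuration source.
Import-AzureRmAutomationDscConfiguration -SourcePath ".\$config.ps1" `
    -ResourceGroupName $rg -AutomationAccountName $account -Published -Force | Out-Null

# 3. Configuration data passed at compile time. The DSC compiler refuses to emit a
#    PSCredential unless PSDscAllowPlainTextPassword is set (or a certificate is given);
#    Azure Automation encrypts the stored MOF as a whole, which is why no per-node
#    certificate is configured here.
$configData = @{
    AllNodes = @(
        @{ NodeName = '*'; PSDscAllowPlainTextPassword = $true }
        @{ NodeName = 'CryptoCanary' }           # placeholder node name
    )
}

# 4. Start the compile and wait for a terminal state rather than assuming success.
$job = Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $rg `
    -AutomationAccountName $account -ConfigurationName $config -ConfigurationData $configData

$terminal = @('Completed', 'Failed', 'Suspended', 'Stopped')   # assumed status names
do {
    Start-Sleep -Seconds 10
    $job = Get-AzureRmAutomationDscCompilationJob -Id $job.Id `
        -ResourceGroupName $rg -AutomationAccountName $account
} while ($job.Status -notin $terminal)

if ($job.Status -ne 'Completed') {
    # Surface the compiler's own stream output, e.g. 'Run Login-AzureRmAccount to login',
    # so the cause is visible instead of a bare 'Suspended' in the portal.
    Get-AzureRmAutomationDscCompilationJobOutput -Id $job.Id `
        -ResourceGroupName $rg -AutomationAccountName $account | Format-List
    throw "Compilation job $($job.Id) ended with status '$($job.Status)'"
}
"Compilation job $($job.Id) completed; node configurations are ready to assign."
```

Keeping Start-AzureRmAutomationDscCompilationJob here rather than at the bottom of the configuration file avoids the failure mode in the thread: when the compile call sits in the same file, it runs inside the sandbox without an AzureRM session and the job suspends with the login error.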
You know what. I did comment that out and that is when things started moving, after adding your help into it of course.
Thank you again for all of your help @lfshr. Now I can move forward with this project and really delve into Azure Automation for my company.
I am attempting to pass a credential set from my Azure Automation Credentials into a DSC script running:
```powershell
$Creds = Get-AzureRmAutomationCredential -ResourceGroupName "<MyResourceGroup>" -AutomationAccountName "<AccountName>" -Name "<CredentialName>"
```
When I compile the MOF it suspends and gives me:
Exception The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Run Login-AzureRmAccount to login.
When I try to log in with my service AzureRunAsAccount using:
```powershell
# Get the connection
$servicePrincipalConnection = Get-AzureRmAutomationConnection -ResourceGroupName "<MyRG>" -AutomationAccountName "<AutomationAccountName>" -Name "AzureRunAsConnection"
```
I get the same thing... There is no decent documentation on this so I am not sure what I am supposed to do at this point.
Testing the "Add-AzureRMAccount" cmdlet is showing that $servicePrincipalConnection is not capturing any of the information that it should either, so it can't even pass the information through.
What on earth do I do here? There is no information for this at all, and everything that exists is outdated and does not work.
Edit: And yes all my modules are up to date as of today.