Pester Test Your ARM Template in Azure DevOps CI Pipelines

Introduction It is fair to say, I have spent a lot of time on Pester lately. I just finished up a 12 months engagement with a financial institute here in Melbourne. During this engagement, everyone in the project team had to write tests for any patterns / pipelines they are developing. I once even wrote a standalone pipeline only to perform Pester tests. One of the scenario we had to cater for is: How can you ensure the ARM template you are deploying only deploys the resources that you intended to deploy? In another word, if someone has gone rogue

Continue reading

Deploying PowerShell Modules to NuGet Feeds (Version 2) Using VSTS CI/CD Pipelines

It’s been 2 weeks since my last post, I was half way through my list (of blogs to be written), then Melbourne was hit by a big cold wave, I got sick for over a week because of that, and with the recent outage of VSTS, I only got chance to finalise my code and demo for this post today. Background Last year, I posted an article on how to deploy PowerShell modules from GitHub to MyGet feeds using VSTS. I wasn’t really satisfied with what I did back then, and I had a requirement to develop several VSTS pipelines

Continue reading

Enforcing Code Signing for Azure Automation Runbooks on Hybrid Workers

Towards the end of last year, in order to solve a specific issue, we were planning to introduce Azure Automation Hybrid Workers to the customer I was working for back then. We planned to place the Hybrid Workers inside the on-prem network and execute several runbooks that required to run on-prem. The security team had some concerns – what if the Automation Accounts or Azure subscriptions get compromised? Then the bad guys can run malicious runbooks targeting on-prem machines. long story short, in the end, we managed to get the Hybrid Worker pattern approved and implemented because we can configure

Continue reading

PowerShell Module: PSPesterTest

Few weeks ago, the customer I was working for has a requirement that all the PowerShell scripts and in-house written modules must be validated against PSScriptAnalyzer as part of the build pipelines before it is implemented to their Azure environments in release pipelines. The validation must be performed using Pester so the test results can be easily consumed in the VSTS projects (i.e. dashboards). Luckily, I found this blog post: https://blog.kilasuit.org/2016/03/29/invoking-psscriptanalyzer-in-pester-tests-for-each-rule/, so I used this post as the starting point, and created a PowerShell module that performs pester test by invoking PS Script Analyzer rules. I named this module PSPesterTest.

Continue reading

PowerShell Script to Deploy Subscription Level ARM Templates

Introduction In my previous post, I demonstrated how to deploy Azure Policy definitions that require input parameters via ARM templates. as I mentioned in that post, at the time of writing, the tooling has not been updated to allow subscription level ARM template deployments. The only possible way to deploy such template right now is via the ARM REST API. I have a requirement to deploy subscription level templates in VSTS pipelines. since I can’t use the native AzureRM PowerShell module or the Azure Resource Group Deployment VSTS task, I had to create a PowerShell script that can be used

Continue reading

OpsMgrExtended PowerShell module is now on GitHub and PSGallery

I developed the OpsMgrExnteded module back in 2015 and it was freely available from my company’s website. I also wrote a 18-post blog series on Automating OpsMgr using this module I was also aware of a bug in the New-OMOverride function in the module since 2015. I never got around to fix it because my focus has been shifted away from System Center. I just had a requirement to use this module so I have spent a little bit time yesterday and updated it to version 1.3. Here’s the change log: Bug fixes in New-OMOverride function Added SCOM 2016 SDK

Continue reading

Creating Azure Monitor Alerts using Azure Log Analytics Query Language Based On Azure Automation Runbook Job Output

Well, this post has such a long title – but I’ve tried my best. It is based on an idea I had – We all have many “Health Check” PowerShell scripts in our collections, why not use them in OMS without too much modification and generate meaningful alerts based on the outputs of these scripts? I have been meaning to write this post for at least 4 months, I finally found some spare time this weekend so I can work on this. In the past, when I was still working on System Center Operations Manager, I always get requests from

Continue reading

Log-In to AzureRM PowerShell module using oAuth Tokens

In my last post, I demonstrated how to generate Azure AD oAuth tokens using my AzureServicePrincipalAccount PowerShell module. Although personally, I pretty much use Azure Resource Manager REST API for everything – this is where the oAuth token come in play, but often, I have seen colleagues and customers use a mixture of both ARM REST APIs calls and AzureRM modules within same PowerShell scripts. This could potentially be troublesome because in order to use AzureRM modules, you will need to sign-in to Azure using Add-AzureRMAccount (or it’s alias Login-AzureRMAccount). Luckily, Add-AzureRMAccount also supports signing in using an existing AAD

Continue reading

Generating Azure AD oAuth Token in PowerShell

Recently in a project that I’m currently working on, myself and other colleagues have been spending a lot of time dealing with Azure AD oAuth tokens when developing code for Azure. There are so many scenarios and variations when trying to generate the token, and you have probably seen a lot of samples on the Internet already. I have spent a lot of time trying to develop a common method that the project team can use in all the scenarios. To summarise, you can generate oAuth tokens for the following security principals (and different configurations): Azure AD Application Service Principals

Continue reading

Bulk Register Azure Resource Providers Using PowerShell

Azure Resource Providers registration dictates what types of resources you allow users to provision within your Azure subscription. Although by default, some resource providers are automatically registered, the user must have required permission to register resource providers (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services). I had to create a script to bulk-register resource providers for a subscription because normal users have not been given the permissions to do so. In the following sample script, I am using regular expressions to match the resource provider names, and it is registering all Microsoft resource providers except for the classic (ASM) resource types. View the code on Gist. This

Continue reading
%d bloggers like this: