I often face situations where I need to put some data into, or make some changes to, different resources located in different subscriptions in Azure. This usually implies that some actions (logic) need to be performed on some resources (data).
There are several ways to achieve this:
| Method | Can be treated as IaC (Infrastructure as Code) | Separation of Data and Logic |
|---|---|---|
| 1. Manually using the portal (kitty dies when you do this 🙂) | no | no |
| 2. Create a list of Az CLI or PowerShell Az cmdlets with values filled in | yes | no |
| 3. Create a PowerShell script with all data in a special data structure and program logic to put this data into the cloud | yes | no |
| 4. Create a PowerShell script which reads data from a data file (usually CSV or JSON format) | yes | yes |
| 5. Use some template solution (Azure ARM templates, Bicep, Terraform etc.) | yes | yes (in cases where you don't hardcode parameters in the template) |
In this article I would like to describe approach nr 3 – how to combine data and logic in PowerShell. Usually it competes with method nr 4 (data in a separate CSV file). Having data and logic separated is usually the most desirable method, but it has some disadvantages: it is a little bit more difficult to program, a little bit more difficult to debug, and a little bit more difficult to create the data files…
So I find the method of combining data and logic in PowerShell optimal if I need to make several changes (up to 10..20).
As an example I present here a PoC script which puts secret values into different Key Vaults in different subscriptions.
Data is held in an array of PSCustomObject objects with named properties. Logic is implemented by running Set-AzKeyVaultSecret in a foreach loop. To maintain an archive of the data, take the template file with empty values, fill in the data and rename it to something like 2021.01.01_0100_AV_API_values2KeyVault.ps1. Run it and archive it. Good practice would be to delete the file with values after archiving 🙂
N.B. This script is supplied as a PoC (Proof of Concept) without any additional support or warranty. Use it at your own risk. I am not responsible for any possible problems or losses in case of using this information for any purpose.
```powershell
$tenantID = "your tenant id here"

# Data: one row per secret to write. Each row names the subscription, the vault and the secret.
$secretsArray = @(
    # subscription xxxx
    [pscustomobject]@{ subscriptionID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; kvName = "nameOfKeyVault"; secretName = "Secret1"; secretValue = "secret1_value" },
    [pscustomobject]@{ subscriptionID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; kvName = "nameOfKeyVault"; secretName = "Secret2"; secretValue = "secret2_value" },
    # subscription yyyy
    [pscustomobject]@{ subscriptionID = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; kvName = "nameOfKeyVault"; secretName = "Secret1"; secretValue = "secret1_value" },
    [pscustomobject]@{ subscriptionID = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; kvName = "nameOfKeyVault"; secretName = "Secret2"; secretValue = "secret2_value" },
    # subscription zzzz
    [pscustomobject]@{ subscriptionID = "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"; kvName = "nameOfKeyVault"; secretName = "Secret1"; secretValue = "secret1_value" },
    [pscustomobject]@{ subscriptionID = "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz"; kvName = "nameOfKeyVault"; secretName = "Secret2"; secretValue = "secret2_value" }
)

# Reuse an existing Az session if it is already signed in to the right tenant.
$currentAZContext = Get-AzContext
if ($currentAZContext.Tenant.Id -ne $tenantID) {
    Write-Host "This script is not authenticated to the needed tenant. Running authentication"
    Connect-AzAccount -TenantId $tenantID | Out-Null
    $currentAZContext = Get-AzContext   # refresh the context after signing in
}
else {
    Write-Host "This script is already authenticated to the needed tenant - reusing."
}
$subscriptionID = $currentAZContext.Subscription.Id

# Logic: switch subscription only when the row's subscription differs from the current one,
# then write the secret.
foreach ($currObj in $secretsArray) {
    if ($subscriptionID -ne $currObj.subscriptionID) {
        $subscriptionID = $currObj.subscriptionID
        Write-Host "setting subscription to $subscriptionID"
        try {
            Set-AzContext -SubscriptionId $subscriptionID -Tenant $tenantID -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Host "Error occurred during Set-AzContext. Error message: $($_.Exception.Message)"
            Write-Host "trying to disconnect and reconnect"
            Disconnect-AzAccount | Out-Null
            Connect-AzAccount -TenantId $tenantID -SubscriptionId $subscriptionID | Out-Null
            Set-AzContext -SubscriptionId $subscriptionID -Tenant $tenantID | Out-Null
        }
    }

    $KV = Get-AzKeyVault -VaultName $currObj.kvName
    if (-not $KV) {
        Write-Warning "Key Vault '$($currObj.kvName)' not found in subscription $subscriptionID - skipping $($currObj.secretName)"
        continue
    }
    Write-Host " key vault is $($KV.VaultName)"
    # Log the secret name only; the value must not end up in the console or a transcript.
    Write-Host " adding value to $($currObj.secretName)"
    $secretvalue = ConvertTo-SecureString $currObj.secretValue -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $KV.VaultName -Name $currObj.secretName -SecretValue $secretvalue | Out-Null
}
```
This script uses elements of the reusable authentication described in one of the previous posts.
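Because the data array is filled in by hand from a template, the most common failure is a placeholder or empty value that is only noticed after half the rows have already been written. The following pre-flight check is an added example and not part of the original post or script; it assumes the same PSCustomObject shape the script above uses (properties subscriptionID, kvName, secretName, secretValue) and the Azure naming rules for Key Vault secret names (1 to 127 characters, alphanumerics and dashes). Run it before the foreach loop so that a bad data file fails before any call to Azure is made.

```powershell
# Added example (not from the original post): validate $secretsArray before touching Azure.
# Assumes rows shaped like [pscustomobject]@{ subscriptionID; kvName; secretName; secretValue }.
function Test-SecretsArray {
    param(
        [Parameter(Mandatory)] [object[]] $Secrets
    )

    $problems = [System.Collections.Generic.List[string]]::new()
    $guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    $secretNamePattern = '^[0-9a-zA-Z-]{1,127}$'   # Key Vault secret name rules
    $required = 'subscriptionID', 'kvName', 'secretName', 'secretValue'

    for ($i = 0; $i -lt $Secrets.Count; $i++) {
        $row = $Secrets[$i]

        # Every required property must exist and be non-empty (catches an unfilled template).
        foreach ($prop in $required) {
            if (-not $row.PSObject.Properties[$prop] -or [string]::IsNullOrWhiteSpace($row.$prop)) {
                $problems.Add("row $($i): '$prop' is missing or empty")
            }
        }

        # A subscription ID that is not a GUID is almost always a leftover placeholder.
        if ($row.subscriptionID -and $row.subscriptionID -notmatch $guidPattern) {
            $problems.Add("row $($i): subscriptionID '$($row.subscriptionID)' is not a GUID (template placeholder left in?)")
        }

        if ($row.secretName -and $row.secretName -notmatch $secretNamePattern) {
            $problems.Add("row $($i): secretName '$($row.secretName)' is not a valid Key Vault secret name")
        }
    }

    # Two rows for the same (subscription, vault, secret) would silently overwrite each other.
    $Secrets |
        Group-Object subscriptionID, kvName, secretName |
        Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("duplicate entry for $($_.Name)") }

    return $problems
}

# Usage: abort before the loop if anything is wrong, otherwise sort by subscription
# so the loop switches context as few times as possible.
$issues = Test-SecretsArray -Secrets $secretsArray
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Data validation failed; nothing was sent to Azure."
}
$secretsArray = $secretsArray | Sort-Object subscriptionID, kvName
```

The check reports every problem at once rather than stopping at the first one, which is what you want when the data file was typed in by hand. Sorting by subscription is optional but it keeps the number of Set-AzContext calls equal to the number of distinct subscriptions, which also makes the console log easier to read when archiving the run.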