Framework/Configurations/ContinuousAssurance/RunbookCoreSetup.ps1
|
function SetModules { param( [System.Collections.IDictionary] $ModuleList, [string[]] $SyncModuleList ) $ModuleList.Keys | ForEach-Object{ $ModuleName = $_ $ModuleVersion = $ModuleList.Item($_) $Module = Get-AzAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name $ModuleName -ErrorAction SilentlyContinue if(($Module | Measure-Object).Count -eq 0) { PublishEvent -EventName "CA Setup Modules" -Properties @{"ModuleName" = $ModuleName; "ModuleState"= "NotAvailable"; "RequiredModuleVersion"= $ModuleVersion} #Download module if it is not available DownloadModule -ModuleName $ModuleName -ModuleVersion $ModuleVersion -Sync ($SyncModuleList.Contains($ModuleName)) } else { PublishEvent -EventName "CA Setup Modules" -Properties @{"ModuleName" = $ModuleName; "ModuleState"= $Module.ProvisioningState; "RequiredModuleVersion"= $ModuleVersion; "AvailableModuleVersion" = $Module.Version} #module is in extraction state if($Module.ProvisioningState -ne "Failed" -and $Module.ProvisioningState -ne "Succeeded" -and $Module.ProvisioningState -ne "Created") { Write-Output("CS: Current provisioning state for module: [$ModuleName] is: [$($Module.ProvisioningState)]") } #Check if module with specified version already exists elseif(IsModuleHealthy -ModuleName $ModuleName -ModuleVersion $ModuleVersion) { return } else { #Download required version DownloadModule -ModuleName $ModuleName -ModuleVersion $ModuleVersion -Sync ($SyncModuleList.Contains($ModuleName)) } } } } # To download Az base modules with Azure RM base commands function DownloadAzModuleWithRM { param( [string]$ModuleName, [string]$ModuleVersion, [bool] $Sync ) $ProvisioningState = $true $SearchResult = SearchModule -ModuleName $ModuleName -ModuleVersion $ModuleVersion if($SearchResult) { $ModuleName = $SearchResult.title.'#text' # get correct casing for the Module name $PackageDetails = Invoke-RestMethod -Method Get -UseBasicParsing -Uri $SearchResult.id $ModuleVersion = $PackageDetails.entry.properties.version #Build the content URL for the nuget package $ModuleContentUrl = "$PublicPSGalleryUrl/api/v2/package/$ModuleName/$ModuleVersion" # Find the actual blob storage location of the Module do { $ActualUrl = $ModuleContentUrl $ModuleContentUrl = (Invoke-WebRequest -Uri $ModuleContentUrl -MaximumRedirection 0 -UseBasicParsing -ErrorAction Ignore).Headers.Location } while(!$ModuleContentUrl.Contains(".nupkg")) $ActualUrl = $ModuleContentUrl $retryCount = 0 do{ $AutomationModule = $null $retryCount++ $AutomationModule = New-AzureRmAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name $ModuleName ` -ContentLink $ActualUrl } while($null -eq $AutomationModule -and $retryCount -le 3) Write-Output("CS: Importing module: [$ModuleName] Version: [$ModuleVersion] into the CA automation account.") if($Sync) { while( $AutomationModule.ProvisioningState -ne "Created" -and $AutomationModule.ProvisioningState -ne "Succeeded" -and $AutomationModule.ProvisioningState -ne "Failed" ) { #Module is in extracting state Start-Sleep -Seconds 120 $AutomationModule = $AutomationModule | Get-AzureRmAutomationModule } if($AutomationModule.ProvisioningState -eq "Failed") { $ProvisioningState = $false Write-Output ("CS: Failed to import: [$AutomationModule] into the automation account. Will retry in a bit.") return; } } } if(-not $ProvisioningState) { DownloadAzModuleWithRM -ModuleName $ModuleName -ModuleVersion $ModuleVersion -Sync $true } } function DownloadModule { param( [string]$ModuleName, [string]$ModuleVersion, [bool] $Sync ) $SearchResult = SearchModule -ModuleName $ModuleName -ModuleVersion $ModuleVersion if($SearchResult) { $ModuleName = $SearchResult.title.'#text' # get correct casing for the Module name $PackageDetails = Invoke-RestMethod -Method Get -UseBasicParsing -Uri $SearchResult.id $ModuleVersion = $PackageDetails.entry.properties.version #Build the content URL for the nuget package $ModuleContentUrl = "$PublicPSGalleryUrl/api/v2/package/$ModuleName/$ModuleVersion" #$ModuleName/$AzSK... etc. are defined in the core setup (start) code further below if($ModuleName -imatch "AzSK*") { $ModuleContentUrl = "$AzSKPSGalleryUrl/api/v2/package/$ModuleName/$ModuleVersion" Write-Output("CS: Downloading $ModuleName from $ModuleContentUrl") } # Find the actual blob storage location of the Module do { $ActualUrl = $ModuleContentUrl $ModuleContentUrl = (Invoke-WebRequest -Uri $ModuleContentUrl -MaximumRedirection 0 -UseBasicParsing -ErrorAction Ignore).Headers.Location } while(!$ModuleContentUrl.Contains(".nupkg")) $ActualUrl = $ModuleContentUrl $retryCount = 0 do{ $AutomationModule = $null $retryCount++ $AutomationModule = New-AzAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name $ModuleName ` -ContentLink $ActualUrl } while($null -eq $AutomationModule -and $retryCount -le 3) Write-Output("CS: Importing module: [$ModuleName] Version: [$ModuleVersion] into the CA automation account.") if($Sync) { while( $AutomationModule.ProvisioningState -ne "Created" -and $AutomationModule.ProvisioningState -ne "Succeeded" -and $AutomationModule.ProvisioningState -ne "Failed" ) { #Module is in extracting state Start-Sleep -Seconds 120 $AutomationModule = $AutomationModule | Get-AzAutomationModule } if($AutomationModule.ProvisioningState -eq "Failed") { Write-Output ("CS: Failed to import: [$AutomationModule] into the automation account. Will retry in a bit.") return; } } } } #Checks if the desired module (version) is already present and ready in the automation account so we don't have to download it... function IsModuleHealthy { param( [string] $ModuleName, [string] $ModuleVersion ) $SearchResult = SearchModule -ModuleName $ModuleName -ModuleVersion $ModuleVersion $Module = Get-AzAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name $ModuleName -ErrorAction SilentlyContinue if(($Module | Measure-Object).Count -eq 0) { #Module is not available return $false } else { #added condition to return false if module is not successfully extracted return ((($Module.ProvisioningState -eq "Succeeded") -or ($Module.ProvisioningState -eq "Created")) -and ($SearchResult.properties.Version -eq $Module.Version)) } } function SearchModule { param( [string] $ModuleName, [string] $ModuleVersion ) $url ="" $PSGalleryUrlComputed = $PublicPSGalleryUrl #We need to consider AzSK separately because there are various choices/settings that may decide exactly which #version of AzSK is used (e.g., prod/staging/preview) and where from (ps gallery/staging gallery, etc.) if($ModuleName -imatch "AzSK*" ) { #assign environmment specific gallery URL $PSGalleryUrlComputed = $AzSKPSGalleryUrl $ModuleVersion ="" #set UpdateToLatestVersion variable's default value as false if it's not defined in caller runbook #This code considers the possibility that the outer runbook is an older version and is unaware #of this flag (introduced in recent runbook) $isUpdateFlagTrue = $false if([bool]::TryParse($UpdateToLatestVersion, [ref]$isUpdateFlagTrue)) { $UpdateToLatestVersion = $isUpdateFlagTrue } else { $UpdateToLatestVersion = $false } #If org policy owner does not wish to migrate to latest AzSK, we need to check #on their policy endpoint to determine which version... (in AzSKConfig.JSON) if((-not [string]::IsNullOrWhiteSpace($azskVersionForOrg)) -and (-not $UpdateToLatestVersion)) { #Download AzSKConfig.JSON to get the desired AzSK module version $uri = $global:ExecutionContext.InvokeCommand.ExpandString($azskVersionForOrg) Write-Output("CS: Reading specific AzSK version to use in CA from org settings at: [$uri]") [System.Uri] $validatedUri = $null; if([System.Uri]::TryCreate($uri, [System.UriKind]::Absolute, [ref] $validatedUri)) { try { $serverFileContent = Invoke-RestMethod ` -Method GET ` -Uri $validatedUri ` -UseBasicParsing if($null -ne $serverFileContent) { if(-not [string]::IsNullOrWhiteSpace($serverFileContent.CurrentVersionForOrg)) { $ModuleVersion = $serverFileContent.CurrentVersionForOrg Write-Output("CS: Desired AzSK version: [$ModuleVersion]") } } } catch { # If unable to fetch server config file or module version property then continue and download latest version module. Write-Output("CS: Failed in the attempt to fetch the org-specific AzSK version from org policy location: [$validatedUri]") Write-Output("CS: Attempting to get the latest version of AzSK from PSGallery as fallback.") } } } } ####################################################################################################################### #The code below is common for AzSK or other modules. However, in the case of AzSK, $ModuleVersion may already be set #due to org preference to update to a specific (non-latest) version for their CA environment. #Build the query string for our module search. Write-Output ($ModuleVersion) if([string]::IsNullOrWhiteSpace($ModuleVersion)) { $queryString = "`$filter=IsLatestVersion&searchTerm=%27$ModuleName%27&includePrerelease=false&`$skip=0&`$top=40&`$orderby=Version%20desc" } else { $queryString = "searchTerm=%27$ModuleName%27&includePrerelease=false&`$filter=Version%20eq%20%27$ModuleVersion%27" } $url = "$PSGalleryUrlComputed/api/v2/Search()?$queryString" $SearchResult = Invoke-RestMethod -Method Get -Uri $url -UseBasicParsing if(!$SearchResult) { Write-Error "CS: Could not find module: [$ModuleName] in gallery: $PSGalleryUrlComputed" return $null } else { $SearchResult = $SearchResult | Where-Object -FilterScript { return $_.title.'#text' -eq $ModuleName } #filter for module version if(![string]::IsNullOrWhiteSpace($ModuleVersion)) { $SearchResult = $SearchResult | Where-Object -FilterScript { return $_.properties.version -eq $ModuleVersion } } return $SearchResult } } function AddDependentModules { param( $InputModuleList ) $InputModuleList.Keys | ForEach-Object{ $moduleName = $_ $moduleVersion = $InputModuleList.Item($_) $searchResult = SearchModule -ModuleName $moduleName -ModuleVersion $moduleVersion if($searchResult) { $packageDetails = Invoke-RestMethod -Method Get -UseBasicParsing -Uri $searchResult.id $dependencies = $packageDetails.entry.properties.dependencies if($dependencies) { $dependencies = $dependencies.Split("|") #parse dependencies, which are in the format: Module1name:[Module1version]:|Module2name:[Module2version] for($index=0;($index -lt $dependencies.count) -and (![string]::IsNullOrWhiteSpace($dependencies[$index]));$index++) { $dependencyModuleDetail = $dependencies[$index].Split(":") $dependencyModuleName = $dependencyModuleDetail[0] $dependencyModuleVersion = $dependencyModuleDetail[1].Replace('[','').Replace(']','').Split(',')[0] #Add dependent module to the result list if(!$ResultModuleList.Contains($dependencyModuleName)) { $tempList = [ordered]@{$dependencyModuleName=$dependencyModuleVersion} $tempList+= $ResultModuleList $ResultModuleList.Clear() $tempList.Keys | ForEach-Object{$ResultModuleList.Add($_,$tempList.Item($_))} AddDependentModules -InputModuleList @{$dependencyModuleName=$dependencyModuleVersion} | Out-Null } } } if(!$ResultModuleList.Contains($moduleName)) { if([string]::IsNullOrWhiteSpace($moduleVersion)) { $moduleVersion = $searchResult.properties.Version } $ResultModuleList.Add($moduleName,$moduleVersion) } } } return $ResultModuleList } function RemoveOnetimeHelperSchedule() { $schedule = Get-AzAutomationSchedule -Name $CAHelperScheduleName ` -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName ` -ErrorAction SilentlyContinue if(($schedule | Measure-Object).Count -gt 0 -and ($schedule.Frequency -eq [Microsoft.Azure.Commands.Automation.Model.ScheduleFrequency]::Onetime)) { Remove-AzAutomationSchedule -AutomationAccountName $AutomationAccountName -Name $CAHelperScheduleName -ResourceGroupName $AutomationAccountRG -Force -ErrorAction SilentlyContinue | Out-Null } } function CreateNewScheduleIfNotExists($scheduleName,$startTime) { $scheduleExists = (Get-AzAutomationSchedule -Name $scheduleName ` -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName ` -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0 if(!$scheduleExists) { New-AzAutomationSchedule -AutomationAccountName $AutomationAccountName -Name $scheduleName ` -ResourceGroupName $AutomationAccountRG -StartTime $startTime ` -HourInterval 1 -Description "This schedule ensures that CA activity initiated by the Scan_Schedule actually completes. Do not disable/delete this schedule." ` -ErrorAction Stop | Out-Null } $isRegistered = (Get-AzAutomationScheduledRunbook -AutomationAccountName $AutomationAccountName -ResourceGroupName $AutomationAccountRG ` -RunbookName $RunbookName -ScheduleName $scheduleName -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0 if(!$isRegistered) { Register-AzAutomationScheduledRunbook -RunbookName $RunbookName -ScheduleName $scheduleName ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName -ErrorAction Stop | Out-Null } } function CreateHelperSchedules() { RemoveOnetimeHelperSchedule Write-Output("CS: Creating required helper schedule(s)...") for($i = 1;$i -le 4; $i++) { $scheduleName = "" if($i -eq 1) { $scheduleName = $CAHelperScheduleName } else { $scheduleName = [string]::Concat($CAHelperScheduleName,"_$i") } $startTime = $(get-date).AddMinutes(15*$i) CreateNewScheduleIfNotExists -scheduleName $scheduleName -startTime $startTime } DisableHelperSchedules } # Using AzureRM commands to create schedule for the first time since Az modules are not present function CreateHelperSchedulesAzureRM() { Write-Output("CS: Creating required helper schedule(s)...") for($i = 1;$i -le 4; $i++) { $scheduleName = "" if($i -eq 1) { $scheduleName = $CAHelperScheduleName } else { $scheduleName = [string]::Concat($CAHelperScheduleName,"_$i") } $startTime = $(get-date).AddMinutes(15*$i) New-AzureRmAutomationSchedule -AutomationAccountName $AutomationAccountName -Name $scheduleName ` -ResourceGroupName $AutomationAccountRG -StartTime $startTime ` -HourInterval 1 -Description "This schedule ensures that CA activity initiated by the Scan_Schedule actually completes. Do not disable/delete this schedule." ` -ErrorAction Stop | Out-Null } $isRegistered = (Get-AzureRmAutomationScheduledRunbook -AutomationAccountName $AutomationAccountName -ResourceGroupName $AutomationAccountRG ` -RunbookName $RunbookName -ScheduleName $CAHelperScheduleName -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0 if(!$isRegistered) { Register-AzureRmAutomationScheduledRunbook -RunbookName $RunbookName -ScheduleName $CAHelperScheduleName ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName -ErrorAction Stop | Out-Null } } function DisableHelperSchedules() { Get-AzAutomationSchedule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName | ` Where-Object {$_.Name -ilike "*$CAHelperScheduleName*"} | ` Set-AzAutomationSchedule -IsEnabled $false | Out-Null } function DisableHelperSchedules($excludeSchedule) { Get-AzAutomationSchedule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName | ` Where-Object {$_.Name -ilike "*$CAHelperScheduleName*" -and $_.Name -ne $excludeSchedule} | ` Set-AzAutomationSchedule -IsEnabled $false | Out-Null } function FindNearestSchedule($intervalInMins) { $desiredNextRun = $(get-date).ToUniversalTime().AddMinutes($intervalInMins) $finalSchedule = Get-AzAutomationSchedule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName -ErrorAction SilentlyContinue | ` Where-Object {$_.Name -ilike "*$CAHelperScheduleName*" -and ($_.ExpiryTime.UtcDateTime -gt $(get-date).ToUniversalTime()) -and ($_.NextRun.UtcDateTime -ge $desiredNextRun)} | ` Sort-Object -Property NextRun | Select-Object -First 1 if(($finalSchedule|Measure-Object).Count -eq 0) { $finalSchedule = Get-AzAutomationSchedule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName -ErrorAction SilentlyContinue | ` Where-Object {$_.Name -ilike "*$CAHelperScheduleName*" -and ($_.ExpiryTime.UtcDateTime -gt $(get-date).ToUniversalTime()) -and ($_.NextRun.UtcDateTime -le $desiredNextRun)} | ` Sort-Object -Property NextRun -Descending | Select-Object -First 1 } return $finalSchedule } function EnableHelperSchedule($scheduleName) { if(($scheduleName|Measure-Object).Count -gt 1) { $scheduleName = $scheduleName[0] } #Enable only required schedule and disable others $isRegistered = (Get-AzAutomationScheduledRunbook -AutomationAccountName $AutomationAccountName -ResourceGroupName $AutomationAccountRG ` -RunbookName $RunbookName -ScheduleName $scheduleName -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0 if(!$isRegistered) { Write-Output ("CS: CA Runbook is not linked to the Scheduler. Linking....") $sched = Register-AzAutomationScheduledRunbook -RunbookName $RunbookName -ScheduleName $scheduleName ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName if($sched) { Write-Output ("CS: Linked RB: [$($sched.RunbookName)]") PublishEvent -EventName "CA Helper schedule relinked" -Properties @{"ScheduleName" = ($sched.ScheduleName);} } else{ Write-Output ("CS: Failed to link RB. Will retry later.") PublishEvent -EventName "CA Helper schedule relink failed" -Properties @{"ScheduleName" = ($scheduleName);} } } $enabledSchedule = Set-AzAutomationSchedule -Name $scheduleName -AutomationAccountName $AutomationAccountName -ResourceGroupName $AutomationAccountRG -IsEnabled $true -ErrorAction SilentlyContinue if(($enabledSchedule|Measure-Object).Count -gt 0 -and $enabledSchedule.IsEnabled) { DisableHelperSchedules -excludeSchedule $scheduleName } Write-Output ("CS: Scheduled CA helper job :[$scheduleName]") } function ScheduleNewJob($intervalInMins) { $finalSchedule = FindNearestSchedule -intervalInMins $intervalInMins if(($finalSchedule|Measure-Object).Count -gt 0) { EnableHelperSchedule -scheduleName $finalSchedule.Name } else { CreateHelperSchedules $finalSchedule = FindNearestSchedule -intervalInMins $intervalInMins EnableHelperSchedule -scheduleName $finalSchedule.Name } PublishEvent -EventName "CA Job Rescheduled" -Properties @{"IntervalInMinutes" = $intervalInMins} } function IsScanComplete() { $helperScheduleCount = (Get-AzAutomationSchedule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName -ErrorAction SilentlyContinue | ` Where-Object {$_.Name -ilike "*$CAHelperScheduleName*"}|Measure-Object).Count return ($helperScheduleCount -gt 1 -and $helperScheduleCount -lt 4) } $isAzAutomationAvailable = Get-Command -Name "Get-AzAutomationSchedule" -ErrorAction SilentlyContinue $isAzAccountsAvailable = Get-Module Az.Accounts if ((-not [string]::IsNullOrWhiteSpace($isAzAccountsAvailable)) -and (-not [string]::IsNullOrWhiteSpace($isAzAutomationAvailable))) { $Global:isAzAvailable = $true } $setupTimer = [System.Diagnostics.Stopwatch]::StartNew(); PublishEvent -EventName "CA Setup Started" Write-Output("CS: Starting core setup...") ###Config start-------------------------------------------------- $AzSKModuleName = "AzSKPreview" $RunbookName = "Continuous_Assurance_Runbook" $retryDownloadIntervalMins = 10 $monitorjobIntervalMins = 45 #These get set as constants during the build process (e.g., AzSKStaging will have a diff URL) #PublicPSGalleryUrl is always same. $AzSKPSGalleryUrl = "https://www.powershellgallery.com" $PublicPSGalleryUrl = "https://www.powershellgallery.com" #This gets replaced when org-policy is created/updated. This is the org-specific #url that helps bootstrap which module version to use within an org setup $azskVersionForOrg = "#AzSKConfigURL#" #We use this to check if another job is running... $Global:FoundExistingJob = $false; if($Global:isAzAvailable) { try { ###Config end---------------------------------------------------- #initialize variables $ResultModuleList = [ordered]@{} $tempUpdateToLatestVersion = Get-AutomationVariable -Name UpdateToLatestAzSKVersion -ErrorAction SilentlyContinue if($null -ne $tempUpdateToLatestVersion) { $UpdateToLatestVersion = ConvertStringToBoolean($tempUpdateToLatestVersion) } #We get sub id from RunAsConnection $SubscriptionID = $RunAsConnection.SubscriptionID if(IsScanComplete) { CreateHelperSchedules return } $jobs = Get-AzAutomationJob -Name $RunbookName -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName #Find out how many times has CA runbook run today for this account... $TodaysJobs = $jobs | Where-Object {$_.CreationTime.UtcDateTime.Date -eq $(get-date).ToUniversalTime().Date} #Under normal circumstances, we should not see too many runs on a single day within a CA setup #If that is what is happening, let us stop and also disable further retries on the same day. if($TodaysJobs.Count -gt 25) { Write-Error("CS: Daily job retry limit exceeded. Will disable retries for today. If this recurs each day, please contact your support team.") #The Scan_Schedule will attempt a retry again next day. #We don't disable Scan_Schedule because then we won't have a way to 'auto-recover' CA setups. PublishEvent -EventName "CA Setup Fatal Error" -Properties @{"JobsCount"=$TodaysJobs.Count} -Metrics @{"TimeTakenInMs" =$setupTimer.ElapsedMilliseconds; "SuccessCount" = 0} #Disable the helper schedule DisableHelperSchedules return; } #Check if a scan job is already running. If so, we don't need to duplicate effort! $TotalJobsRunning = $jobs | Where-Object { $_.Status -in ("Queued", "Starting", "Resuming", "Running", "Activating")} ScheduleNewJob -intervalInMins $monitorjobIntervalMins $NoOfRecentActiveRunningJobs = 0 if(($TotalJobsRunning|Measure-Object).Count -gt 1) { $TotalJobsRunning|ForEach-Object{ #Automation account should have terminated the job after 3hrs (current default behavior). If not, let us stop it. if(((GET-DATE).ToUniversalTime() - $_.StartTime.UtcDateTime).TotalMinutes -gt 210) { $jobId = $_.JobId try { Stop-AzAutomationJob -Id $jobId -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName } catch { #Eat exception as not able to stop the existing running job Write-Output ("CS: Error while stopping job [" + $jobId + "]") } } else { $NoOfRecentActiveRunningJobs = $NoOfRecentActiveRunningJobs + 1 } } #A job is already running. Let it take care of things.... if($NoOfRecentActiveRunningJobs -gt 1) { $Global:FoundExistingJob = $true; return; } } #region: check modules health #Examine the AzSK module(s) currently present in the automation account $azskmodules = @() $azskModules += Get-AzAutomationModule -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -ErrorAction SilentlyContinue | Where-Object { $_.Name -ilike "azsk*" } Write-Output ("CS: Looking for module: [$AzSKModuleName] in account: [$AutomationAccountName] in RG: [$AutomationAccountRG]") if($azskModules.Count -gt 1) { #Multiple modules! This anomaly can happen, for e.g., if someone setup AzSKPreview and then switched to AzSK (prod). #Clean up all AzSK* modules. Write-Output ("CS: Found mulitple AzSK* modules in the automation account. Cleaning them up and importing a fresh one.") $azskModules | ForEach-Object { Remove-AzAutomationModule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName -Name $_.Name -ErrorAction SilentlyContinue -Force } } elseif($azskModules.Count -eq 1 -and $azskModules[0].Name -ne $AzSKModuleName) { Write-Output ("CS: Found [$($azskModules[0].Name)] in the automation account when looking for: [$AzSKModuleName]. Cleaning it up and importing a fresh one.") Remove-AzAutomationModule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName -Name $azskModules[0].Name -ErrorAction SilentlyContinue -Force } #check health of various Azure PS modules (AzSK dependencies) $azureModules = Get-AzAutomationModule -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -ErrorAction SilentlyContinue #healthy modules will have 'ProvisioningState' == Succeeded or Created! $areAzureModulesUnhealthy= ($azureModules| Where-Object { $_.Name -like 'Az.*' -and -not ($_.ProvisioningState -eq "Succeeded" -or $_.ProvisioningState -eq "Created")} | Measure-Object).Count -gt 0 $azskModule = Get-AzAutomationModule -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name $AzSKModuleName -ErrorAction SilentlyContinue $isAzSKAvailable = ($azskModule | Where-Object {$_.ProvisioningState -eq "Succeeded" -or $_.ProvisioningState -eq "Created"} | Measure-Object).Count -gt 0 if($isAzSKAvailable) { Import-Module $AzSKModuleName } $isAzSKLatest = IsModuleHealthy -ModuleName $AzSKModuleName $isSetupComplete = $isAzSKLatest -and -not $areAzureModulesUnhealthy $azskSearchResult = SearchModule -ModuleName $AzSKModuleName $desiredAzSKVersion = $azskSearchResult.properties.Version #Note this may not be literally the latest version if org-policy prefers otherwise! #endregion if($azskModule -and ($azskModule.Version -ne $desiredAzSKVersion)) { Write-Output ("CS: Installed $AzSKModuleName version: [" + $azskModule.Version + "] in provisioning state: [" + $azskModule.ProvisioningState + "]. Expected version: [$desiredAzSKVersion]") #########################Invoke AzSK Recovery code in case of module is in importing state longer than 1 day####################### try{ $unHealthyModuleList = Get-AzAutomationModule -ResourceGroupName $AutomationAccountRG -AutomationAccountName $AutomationAccountName | Where-Object { -not ($_.ProvisioningState -eq "Succeeded" -or $_.ProvisioningState -eq "Created") -and $_.LastModifiedTime -lt $(get-date).AddDays(-2)} if(($unHealthyModuleList | Measure-Object).Count -gt 0) { Write-Output ("CS: RecoveryStep- Automation account found in unhealthy status.") PublishEvent -EventName "CA Recovery: Start AzSK recovery" PublishEvent -EventName "CA Recovery: Unhealthy module list" -Properties @{ "ModuleList" = $unHealthyModuleList | ConvertTo-Json -Depth 5; } $coreModuleList = $unHealthyModuleList | where-Object { $_.Name -eq "Az.Account" -or $_.Name -eq "Az.Automation"} if(($coreModuleList| Measure-Object).Count -gt 0) { PublishEvent -EventName "CA Recovery: Found Core module unhealthy" } Write-Output ("CS: RecoveryStep- Removing unhealthy modules...") $unHealthyModuleList | Where-Object { $_.Name -notin ("Az.Account","Az.Automation") } | Remove-AzAutomationModule -Force Write-Output ("CS: RecoveryStep- Completed removing unhealthy modules.") PublishEvent -EventName "CA Recovery: Completed AzSK recovery " } } catch { PublishEvent -EventName "CA Recovery: exception" -Properties @{ "ErrorRecord" = ($_ | Out-String) } } ##############################End of AzSK Recovery code ################################### } #Telemetry PublishEvent -EventName "CA Setup Required Modules State" -Properties @{ "ModuleStateAzSK"= $azskModule.ProvisioningState; ` "InstalledModuleVersionAzSK"=$azskModule.Version; ` "RequiredModuleVersionAzSK"=$desiredAzSKVersion; ` "IsCompleteAzSK"=$isAzSKLatest; ` "IsComplete"=$isSetupComplete } #If the automation account does not have all modules in expected state, we have some work to do... if(!$isSetupComplete) { PublishEvent -EventName "CA Az Stage3 " -Properties @{ "Description"="CA importing Az dependencies"} Write-Output ("CS: Checking and importing missing modules into the automation account..."); #Module list is in hashtable format : key = modulename , value = version (This is useful to fetch version of specific module by name) $finalModuleList = [ordered]@{} #Get dependencies of AzSK module PublishEvent -EventName "CA Setup Computing Dependencies" AddDependentModules -InputModuleList @{$AzSKModuleName=""} | Out-Null #Azure modules to be downloaded first should be added first in finalModuleList $baseModuleList = [ordered]@{} $baseModuleList.Add("Az.Accounts",$ResultModuleList.Item("Az.Accounts")) $baseModuleList.Add("Az.Automation",$ResultModuleList.Item("Az.Automation")) $ResultModuleList.Remove("Az.Accounts") $ResultModuleList.Remove("Az.Automation") $syncModules = @("Az.Accounts", "Az.Automation"); $finalModuleList += $baseModuleList $finalModuleList += $ResultModuleList SetModules -ModuleList $finalModuleList -SyncModuleList $syncModules Write-Output("CS: Creating helper schedule for importing modules into the automation account...") ScheduleNewJob -intervalInMins $retryDownloadIntervalMins } #Let us be really sure AzSK is ready to run cmdlets before calling it done! elseif((Get-Command -Name "Get-AzSKAzureServicesSecurityStatus" -ErrorAction SilentlyContinue|Measure-Object).Count -eq 0) { Write-Output ("CS: AzSK not fully ready to run. Creating helper schedule for another retry...") ScheduleNewJob -intervalInMins $retryDownloadIntervalMins } else { Write-Output ("CS: CA core setup completed.") PublishEvent -EventName "CA Setup Succeeded" -Metrics @{"TimeTakenInMs" = $setupTimer.ElapsedMilliseconds;"SuccessCount" = 1} } PublishEvent -EventName "CA Setup Completed" -Metrics @{"TimeTakenInMs" = $setupTimer.ElapsedMilliseconds;"SuccessCount" = 1} } catch { Write-Error("CS: Error during core setup: " + ($_ | Out-String)) PublishEvent -EventName "CA Setup Error" -Properties @{ "ErrorRecord" = ($_ | Out-String) } -Metrics @{"TimeTakenInMs" =$setupTimer.ElapsedMilliseconds; "SuccessCount" = 0} } } else { Write-Output ("CS: Checking if Az.Accounts and Az.Automation present in automation account.") $AzModule = Get-AzureRmAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name "Az.Accounts" -ErrorAction SilentlyContinue if(-not $AzModule) { DownloadAzModuleWithRM -ModuleName Az.Accounts -ModuleVersion 1.2.1 -Sync $true } $AzModule = Get-AzureRmAutomationModule ` -ResourceGroupName $AutomationAccountRG ` -AutomationAccountName $AutomationAccountName ` -Name "Az.Automation" -ErrorAction SilentlyContinue if(-not $AzModule) { DownloadAzModuleWithRM -ModuleName Az.Automation -ModuleVersion 1.0.0 -Sync $true } Write-Output("CS: Creating helper schedule for importing modules into the automation account...") CreateHelperSchedulesAzureRM PublishEvent -EventName "CA Setup Completed" -Metrics @{"TimeTakenInMs" = $setupTimer.ElapsedMilliseconds;"SuccessCount" = 1} } |