AZURE-CLI: difference between revisions

From Wiki Clusterlab.com.br
No edit summary
No edit summary

(2 intermediate revisions by the same user not shown)
Line 37: Line 37:
===Extend secret expiration date===
===Extend secret expiration date===
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
$ az ad sp credential reset --name <Client_id> --credential-description AKSPassword --password <Client_secret> --years 1
$ az ad sp credential reset --id <Client_id> --years 1
</syntaxhighlight>
</syntaxhighlight>
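Review bot: the heading says "Extend secret expiration date", but both the old and the new line run `az ad sp credential reset`, which issues a new secret rather than extending the current one, so whatever consumes that secret (the old line's `AKSPassword` description points at an AKS cluster) has to be updated with the value the command prints; a sentence saying so below the command would prevent surprise outages. The new line also no longer passes `--password <Client_secret>` on the command line, which is the right call: a secret typed as an argument lands in shell history and is visible to other users through the process list, so keep it that way and capture the generated secret from the command output instead.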



Current revision as of 16:40, 10 July 2023

Manage Orphaned Resources

Get Orphaned Disks (managed disks not attached to any VM)

az disk list --query "[?managedBy==null].[name,id]" -o table

Delete Orphaned Disks

az disk list --query "[?managedBy==null]|[].id" -o table |grep ^\/|xargs -i echo az disk delete --ids {} -y

Remove the "echo" to actually run the delete.

Get Orphaned Network Interfaces (NICs not attached to any VM)

az network nic list --query "[?virtualMachine==null].[name,id]" -o table

Delete Orphaned Network Interfaces

az network nic list --query "[?virtualMachine==null].id" -o table| grep ^\/ | xargs -i echo az network nic delete --ids {}

Remove the "echo" to actually run the delete.
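The `az ... list | grep ^\/ | xargs -i echo az ... delete` pattern above relies on the "echo" as its only safety net. The following is an added example (not code from the wiki page) of the same cleanup with two guards a practitioner usually wants: the ids are checked to be real ARM ids inside the subscription you expect (a stale `az account set` is a classic way to delete the wrong tenant's disks), and nothing is executed unless `CONFIRM=yes` is set. The function names, the sample ids and the subscription ids are constructed for the example; the `az disk list` / `az network nic list` queries are the ones from this page.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): a guarded version of the
# "az ... list | grep ^\/ | xargs -i echo az ... delete" pattern.
# Resource ids arrive on stdin, e.g. from:
#   az disk list --query "[?managedBy==null].id" -o tsv
#   az network nic list --query "[?virtualMachine==null].id" -o tsv

# filter_ids <expected-subscription-id>   (stdin: one id per line)
# Keeps only ARM resource ids that live in the expected subscription.
filter_ids() {
  sub="$1"
  while IFS= read -r id; do
    case "$id" in
      "/subscriptions/$sub/resourceGroups/"*"/providers/"*)
        printf '%s\n' "$id" ;;
      /subscriptions/*)
        echo "skip (other subscription): $id" >&2 ;;
      *)
        ;;   # table headers, separator lines, blank lines
    esac
  done
}

# delete_orphans <disk|nic>   (stdin: ids already passed through filter_ids)
# Prints the plan; runs the delete only when CONFIRM=yes is set.
delete_orphans() {
  kind="$1"
  case "$kind" in
    disk) set -- az disk delete -y --ids ;;
    nic)  set -- az network nic delete --ids ;;
    *)    echo "unknown resource kind: $kind" >&2; return 2 ;;
  esac
  while IFS= read -r id; do
    if [ "${CONFIRM:-no}" = "yes" ]; then
      "$@" "$id"
    else
      echo "DRY RUN: $* $id"
    fi
  done
}

# Constructed sample (hypothetical subscription ids): what "-o table" output
# looks like, including the header lines that "grep ^\/" exists to drop,
# plus one disk that belongs to a different subscription.
SAMPLE_SUB=11111111-1111-1111-1111-111111111111
SAMPLE_IDS="Result
--------
/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-a/providers/Microsoft.Compute/disks/old-disk-1
/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-a/providers/Microsoft.Compute/disks/old-disk-2
/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-b/providers/Microsoft.Compute/disks/other-sub-disk"

# Dry run over the sample:
#   printf '%s\n' "$SAMPLE_IDS" | filter_ids "$SAMPLE_SUB" | delete_orphans disk
# Real run (after reviewing the plan):
#   CONFIRM=yes
#   az disk list --query "[?managedBy==null].id" -o tsv | filter_ids "$SUB" | delete_orphans disk
```

The subscription check is deliberately a string match on the id rather than a second `az account show` call, so the plan can be reviewed offline from a saved list before anything is deleted.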

Identity

Managed Identity

Login with Managed Identity

az login --identity
az login --identity --username <client_id|object_id|resource_id>

Service Principal

Create Service Principal

$ az ad sp create-for-rbac --role="Contributor" --name "<name>" --scopes="/subscriptions/SUBSCRIPTION_ID"
$ az ad sp create-for-rbac -n "<name>" --skip-assignment true

Extend secret expiration date

$ az ad sp credential reset --id <Client_id> --years 1
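Before running the reset above it helps to know which credentials of a service principal are actually close to expiry. The following is an added example, not from the wiki page, of a small report built on the output of `az ad sp credential list` (the `keyId` and `endDateTime` fields exist in current CLI versions; older releases print `endDate` instead). The function name, the sample key ids and the reference dates are constructed for the example; the timestamps are ISO-8601 UTC strings in the same layout, so a plain string comparison orders them correctly.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): flag service principal credentials
# that are expired or about to expire. Input lines are "<keyId>\t<endDateTime>",
# which is what this prints:
#   az ad sp credential list --id <Client_id> --query "[].[keyId,endDateTime]" -o tsv
# Output is STATE<TAB>KEYID<TAB>ENDDATE; return code 1 if anything is
# EXPIRED or EXPIRING, so the function can gate a "credential reset" in a job.

# sp_credential_report <now> <warn-until>    (stdin: keyId<TAB>endDateTime)
sp_credential_report() {
  now="$1"; warn_until="$2"; rc=0
  tab=$(printf '\t')
  while IFS="$tab" read -r key end; do
    [ -n "$key" ] || continue
    # expr prints 1 when the left string sorts before the right one
    if [ "$(expr "$end" \< "$now")" = 1 ]; then
      state=EXPIRED; rc=1
    elif [ "$(expr "$end" \< "$warn_until")" = 1 ]; then
      state=EXPIRING; rc=1
    else
      state=OK
    fi
    printf '%s\t%s\t%s\n' "$state" "$key" "$end"
  done
  return $rc
}

# Constructed sample: three credentials on one service principal.
SAMPLE_CREDS=$(printf '%s\t%s\n' \
  11111111-1111-1111-1111-111111111111 2023-06-01T00:00:00Z \
  22222222-2222-2222-2222-222222222222 2023-07-20T00:00:00Z \
  33333333-3333-3333-3333-333333333333 2025-01-01T00:00:00Z)

# Usage with a fixed reference date (2023-07-10) and a 30-day warning window:
#   printf '%s\n' "$SAMPLE_CREDS" | sp_credential_report 2023-07-10T00:00:00Z 2023-08-09T00:00:00Z
# On GNU coreutils the two dates come from:
#   date -u +%Y-%m-%dT%H:%M:%SZ   and   date -u -d '+30 days' +%Y-%m-%dT%H:%M:%SZ
```

The reference dates are passed in rather than computed inside the function so the report stays portable between GNU and BSD `date` and can be replayed against a saved listing.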

Roles


Commands that start with `azure` belong to the legacy classic Azure CLI; `az` is the current CLI.

  • Listing roles
az role definition list --query "[].[roleName]" -o tsv
  • List groups
az ad group list
  • List app keys (service principals)
az ad sp list
azure role list --json | jq
azure role list --json | jq '.[] | {"Name", "Description"}'
az role definition list | jq '[.[] | {roleName}]' > roles.json
  • Show the properties of a role:
azure role show "Role_Name" --json | jq
  • List resource groups
az group list
  • List the role assignments of a resource group
azure role assignment list --resource-group "imagens-comum" --json | jq
  • List a user's permissions, including those inherited through group membership
azure role assignment list --expandPrincipalGroups --signInName usuario@dominio --json
  • Create a role
azure role create --inputfile NS_CriarImagens.json
    • Create a role with AZ CLI
az role definition create --role-definition @stopstart.json

stopstart.json

{
  "Name": "StopStartVm",
  "Description": "Can read, stop, start, restart and deallocate vm",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/*/read",
    "*/read"
  ],
  "AssignableScopes": ["/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
}

NS_CriarImagens.json

{
  "Name": "CriarImagens",
  "Actions": [
    "Microsoft.Compute/images/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/0000000000000000000000000000"
  ],
  "Description": "Permite gerenciar imagens de VirtualMachines.",
  "IsCustom": true
}
  • Modify a role
azure role set --inputfile <file path>
  • Assign a role on a resource group to a user group
azure role assignment create \
--objectId <user group object id> \
--roleName "<role name>" \
--resource-group "<resource group name>"

az role assignment create \
--assignee <group id/name> \
--role <role name> \
--resource-group <resource group name>
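Custom roles such as stopstart.json above are where least privilege is won or lost, and a quick check of the `Actions` list before `az role definition create` catches the usual mistakes. The following is an added example (not code from the wiki page) that grades each action: a bare `*`, wildcard write/delete/action entries and anything under `Microsoft.Authorization/` (which lets the holder change role assignments, i.e. grant itself more rights) are HIGH; `*/read` and provider-level `.../*` entries are INFO. `lint_role_actions` and `role_file_actions` are hypothetical helper names; the file parser assumes one action per line, which is the layout of the role files on this page (with `jq` available, `jq -r '.Actions[]' role.json` is the robust alternative). The sample file is constructed with the same Actions as stopstart.json.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki page): least-privilege check for the
# "Actions" of a custom role. Reads one action string per line on stdin and
# prints LEVEL<TAB>ACTION<TAB>REASON for every over-broad entry.
# Returns 1 if any HIGH finding was made, 0 otherwise.
# Live input, for an existing role:
#   az role definition list --name "<role>" --query "[].permissions[].actions[]" -o tsv
lint_role_actions() {
  found_high=0
  while IFS= read -r action; do
    [ -n "$action" ] || continue
    case "$action" in
      '*')
        printf 'HIGH\t%s\t%s\n' "$action" "every action on the scope, equivalent to Owner"
        found_high=1 ;;
      '*/read')
        printf 'INFO\t%s\t%s\n' "$action" "read on every resource type in scope (broad but not destructive)" ;;
      '*/write'|'*/delete'|'*/action')
        printf 'HIGH\t%s\t%s\n' "$action" "wildcard write/delete/action across all providers"
        found_high=1 ;;
      'Microsoft.Authorization/'*'/read')
        ;;   # reading role assignments/definitions is harmless
      'Microsoft.Authorization/'*)
        printf 'HIGH\t%s\t%s\n' "$action" "can change role assignments or policy, i.e. grant itself more rights"
        found_high=1 ;;
      *'/*')
        printf 'INFO\t%s\t%s\n' "$action" "wildcard over a whole resource type or provider; confirm it is intended" ;;
    esac
  done
  return $found_high
}

# role_file_actions <role.json>: print the entries of the "Actions" array of a
# role file that lists one action per line (layout of the role files above).
role_file_actions() {
  awk '/"Actions"[[:space:]]*:/ { in_actions = 1; next }
       in_actions && /\]/       { in_actions = 0 }
       in_actions               { gsub(/[",[:space:]]/, ""); if ($0 != "") print }' "$1"
}

# Constructed sample file with the same Actions as stopstart.json on this page.
SAMPLE_ROLE="${TMPDIR:-/tmp}/stopstart-sample.json"
cat > "$SAMPLE_ROLE" <<'EOF'
{
  "Name": "StopStartVm",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/*/read",
    "*/read"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
EOF

# Usage:
#   role_file_actions "$SAMPLE_ROLE" | lint_role_actions
```

Run over the sample, the only finding is an INFO line for `*/read`: the StopStartVm role is scoped tightly on the write side, and the check returns 0, which is what a pre-commit or pipeline gate would key on.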

List Storage Container

az storage container list  --query "[].name" -o table

Remove Storage Container

az storage container list --query "[].name" -o tsv | xargs -i echo az storage container delete -n {} --fail-not-exist

Get VirtualMachine With Boot Diagnostics enabled

az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].[name,id,vmId,diagnosticsProfile.bootDiagnostics.storageUri]" -o table

Disable VirtualMachine Boot Diagnostics

az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].id" -o table | grep ^\/ | xargs -i echo az vm boot-diagnostics disable --ids {}

RBAC

Virtual Machine images

List Images

List images from a subscription

az image  list  --query "[].[location,name,resourceGroup]" -o tsv | column -t

List images from marketplace

  • Listing publisher:
az vm  image list-publishers --location brazilsouth --query "[].[name]" -o tsv 
  • Listing images from publisher:
az vm image list-offers -l brazilsouth -p MicrosoftRServer
  • List SKU image:
az vm image list-skus -l brazilsouth -p MicrosoftRServer -f RServer-WS2016 --query "[].[name,id]" -o tsv

Resource Groups

Listing Resource Groups

az group list  --query "[].[name,location]" -o tsv | column -t| sort -k1

Example: upload a VHD, create disks from it and build a VM

#Variables declaration (fill in the empty values before sourcing this file)
export AZURE_STORAGE_ACCESS_KEY=
export AZURE_STORAGE_ACCOUNT=
export AZ_VMNAME=machine
export AZ_RG=test
export AZ_REGION=eastus2
export AZ_DISTYPE=Standard_LRS
export AZ_SUBSCRIPTION=
export AZ_VNET=virtual-us
export AZ_SUBNET=subnet01
export AZ_CONTAINER=upload
export AZ_STOACCOUNT=stor01
export AZ_VMSIZE=Standard_D3_v2

#Upload the local $AZ_VMNAME.vhd into the storage container
function UPLOAD_VHD() {
  az storage blob upload \
    --container-name $AZ_CONTAINER \
    --file $AZ_VMNAME.vhd \
    --name $AZ_VMNAME.vhd \
    --account-name $AZ_STOACCOUNT \
    --max-connections 16
}

#Create the NIC for the VM in the existing vnet/subnet
function CREATE_NIC() {
  az network nic create \
    --resource-group $AZ_RG \
    --name $AZ_VMNAME-nic \
    --subnet $AZ_SUBNET \
    --vnet-name $AZ_VNET
}

#Print an "az disk create" command for every blob in the container whose
#name matches the grep pattern; remove the "echo" to actually create the disks
function BLOB_LIST() {
  az storage blob list \
    --account-name $AZ_STOACCOUNT \
    --container-name $AZ_CONTAINER \
    -o table |\
      grep -i ned | \
      awk '{print $1}' | \
      while read valor
      do
        echo az disk create \
          --resource-group $AZ_RG \
          -n $(echo $valor | awk -F . '{print $1}') \
          --source https://$AZ_STOACCOUNT.blob.core.windows.net/$AZ_CONTAINER/$valor \
          --sku $AZ_DISTYPE
      done
}

#Create the OS managed disk from the uploaded VHD
function CREATE_DISK() {
  az disk create \
    --resource-group $AZ_RG \
    -n $AZ_VMNAME \
    --source https://$AZ_STOACCOUNT.blob.core.windows.net/$AZ_CONTAINER/$AZ_VMNAME.vhd \
    --sku $AZ_DISTYPE
}

#Create the VM from the existing OS disk, data disks and NIC
function CREATE_VM() {
  az vm create \
    --name $AZ_VMNAME \
    --resource-group $AZ_RG \
    --attach-os-disk $AZ_VMNAME \
    --attach-data-disks $AZ_VMNAME-asm01 $AZ_VMNAME-asm02 \
    --nics $AZ_VMNAME-nic \
    --location $AZ_REGION \
    --os-type linux \
    --size $AZ_VMSIZE
}

#Create nine 1023 GB data disks ($AZ_VMNAME-asm01 .. asm09) and attach each
#one to the VM on LUN 1..9, but only if its creation succeeded
function CREATE_DISK_AND_ATTACH() {
  seq 1 9 | while read serial
    do
      az disk create \
        --resource-group $AZ_RG \
        --name $AZ_VMNAME-asm0$serial \
        --sku $AZ_DISTYPE \
        --size-gb 1023
      rc=$?
      if [ $rc -eq 0 ]
      then
        az vm disk attach \
          --disk $AZ_VMNAME-asm0$serial \
          --resource-group $AZ_RG \
          --vm-name $AZ_VMNAME \
          --lun $serial
      fi
    done
}

Transfer virtual machine to another region

#!/bin/bash -x
#Based on https://blogs.msdn.microsoft.com/nicole_welch/2017/09/moving-files-between-azure-storage-and-rhel/
#Fill in the empty variables before running. Flow: snapshot the disk in the
#source region, copy it as a VHD blob into a storage account in the target
#region, then build a snapshot and an image from that blob.

export RG=
export NEWRG=
export SNAPNAME=
export LOCATION=eastus
export NEWLOCATION=brazilsouth
export DISKNAME=
export VHDNAME=vm_osdisk.vhd
export CONTAINER=vmimage
export SANAME=
export SAKEY=""
export OSTYPE=windows # or "linux"
export SUBSCRIPTION=


function DISK2BLOB() {
  #Create VM disk snapshot
  az snapshot create \
    --resource-group $RG \
    --name $SNAPNAME \
    --location $LOCATION \
    --source $DISKNAME

  #Export a read-only SAS URL for the snapshot (valid for 2 hours)
  export SAS=$(az snapshot grant-access \
                --resource-group $RG \
                --name $SNAPNAME \
                --duration-in-seconds 7200 --query "[accessSas]" -o tsv)

  #Start an asynchronous copy of the snapshot (through the SAS URL) into the
  #storage account of the target region
  az storage blob copy start \
    --destination-blob $VHDNAME \
    --destination-container $CONTAINER \
    --account-name $SANAME \
    --account-key "$SAKEY" \
    --source-uri "$SAS"

}
function CHECKTRANSFERSTATUS() {
  #Poll the copy every 90 s until it leaves the "pending" state, and stop
  #the script if it did not end in "success" (e.g. "failed" or "aborted")
  local status=pending
  while [ "$status" = "pending" ]
  do
    sleep 90
    status=$(az storage blob show \
      --container-name $CONTAINER \
      -n $VHDNAME \
      --account-name $SANAME \
      --account-key "$SAKEY" \
      --query "properties.copy.status" -o tsv)
    echo "$(date) copy status: $status"
  done
  if [ "$status" != "success" ]
  then
    echo "blob copy ended with status '$status'; not creating the image" >&2
    exit 1
  fi
}

function BLOB2IMAGE() {
  #Create a snapshot in the new region from the copied VHD blob
  az snapshot create \
    --resource-group $NEWRG \
    --name NEW-$SNAPNAME \
    --location $NEWLOCATION \
    --source-storage-account-id /subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Storage/storageAccounts/$SANAME \
    --source https://$SANAME.blob.core.windows.net/$CONTAINER/$VHDNAME

  #Create image from snapshot
  az image create \
    --resource-group $NEWRG \
    --name NEW-$SNAPNAME \
    --source /subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Compute/snapshots/NEW-$SNAPNAME \
    --os-type $OSTYPE \
    --location $NEWLOCATION
}

DISK2BLOB
CHECKTRANSFERSTATUS
BLOB2IMAGE

#Optional: a read-only, HTTPS-only SAS for the whole container that expires
#after 300 minutes, in case the VHD has to be downloaded somewhere else
# az storage container generate-sas \
#   --name $CONTAINER \
#   --account-name "$SANAME" \
#   --account-key "$SAKEY" \
#   --permissions r \
#   --https-only \
#   --expiry "$(date -u -d "300 minutes" '+%Y-%m-%dT%H:%MZ')"