AZURE-CLI: mudanças entre as edições
| Sem resumo de edição | |||
| (7 revisões intermediárias pelo mesmo usuário não estão sendo mostradas) | |||
| Linha 21: | Linha 21: | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| Remove the "echo" command to execute the action of delete | Remove the "echo" command to execute the action of delete | ||
| = | =Identity= | ||
| ==Managed Identity== | |||
| Login with Managed Identity | |||
| <pre> | |||
| = | az login --identity | ||
| < | az login --identity --username <client_id|object_id|resource_id> | ||
| az  | </pre> | ||
| </ | ==Service Principal== | ||
| = | ===Create Service Principal === | ||
| <syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
| az  | $ az ad sp create-for-rbac --role="Contributor" --name "<name>" --scopes="/subscriptions/SUBSCRIPTION_ID" | ||
| $ az ad sp create-for-rbac -n "<name>" --skip-assignment true | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
| = | ===Extend secret expiration date=== | ||
| <syntaxhighlight lang=bash> | <syntaxhighlight lang=bash> | ||
| az  | $ az ad sp credential reset --id <Client_id> --years 1 | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| ==Roles== | ===Roles=== | ||
| *[https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles role-based-access-built-in-roles] | *[https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles role-based-access-built-in-roles] | ||
| *[https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell role-based-access-control-manage-access-powershell] | *[https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell role-based-access-control-manage-access-powershell] | ||
| *[https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-policy resource-manager-policy] | *[https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-policy resource-manager-policy] | ||
| *[https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations Azure resource provider operations] | |||
| ---- | ---- | ||
| *Listing Roles | *Listing Roles | ||
| Linha 141: | Linha 136: | ||
| --resource-group <nome do resource group>   | --resource-group <nome do resource group>   | ||
| </pre> | </pre> | ||
| =List Storage Container= | |||
| <syntaxhighlight lang=bash> | |||
| az storage container list  --query "[].name" -o table | |||
| </syntaxhighlight> | |||
| =Remove Storage Container= | |||
| <syntaxhighlight lang=bash> | |||
| az storage container list  --query "[].name" -o table |xargs -i echo az storage container delete  -n {} --fail-not-exist | |||
| </syntaxhighlight> | |||
| =Get VirtualMachine With Boot Diagnostics enabled= | |||
| <syntaxhighlight lang=bash> | |||
| az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].[name,id,vmId,diagnosticsProfile.bootDiagnostics.storageUri]" -o table | |||
| </syntaxhighlight> | |||
| =Disable VirtualMachine Boot Diagnostics= | |||
| <syntaxhighlight lang=bash> | |||
| az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].id" -o table | grep ^\/ | xargs -i echo az vm boot-diagnostics disable --ids {} | |||
| </syntaxhighlight> | |||
| =RBAC= | |||
| *[https://docs.microsoft.com/en-us/azure/governance/policy/overview Azure Policy] | |||
| *[https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Built-in roles for Azure resources] | |||
| =Virtual Machine images= | =Virtual Machine images= | ||
| Linha 260: | Linha 276: | ||
| export RG= | export RG= | ||
| export NEWRG= | |||
| export SNAPNAME= | export SNAPNAME= | ||
| export LOCATION=eastus | export LOCATION=eastus | ||
| export NEWLOCATION=brazilsouth | |||
| export DISKNAME= | export DISKNAME= | ||
| export VHDNAME= | export VHDNAME=vm_osdisk.vhd | ||
| export CONTAINER= | export CONTAINER=vmimage | ||
| export SANAME= | export SANAME= | ||
| export SAKEY="" | export SAKEY="" | ||
| export OSTYPE=windows # or "linux" | |||
| export SUBSCRIPTION= | |||
| # | function DISK2BLOB() { | ||
|   #Create VM disk snapshot | |||
|   az snapshot create \ | |||
|     --resource-group $RG \ | |||
|     --name $SNAPNAME \ | |||
|     --location $LOCATION \ | |||
|     --source $DISKNAME | |||
| # |   #Export SAS URL from the snapshot | ||
| az  |   export SAS=$(az snapshot grant-access \ | ||
|                 --resource-group $RG \ | |||
|                 --name $SNAPNAME \ | |||
|                 --duration-in-seconds 7200 --query [accessSas] -o tsv) | |||
| # |   #Transfer SAS objet to a storage account | ||
|    az storage blob copy start \ | |||
|      --destination-blob $VHDNAME \ | |||
|    az storage blob  |      --destination-container $CONTAINER \ | ||
|      -- | |||
|      - | |||
|      --account-name $SANAME \ |      --account-name $SANAME \ | ||
|      --account-key $SAKEY \ |      --account-key "$SAKEY" \ | ||
|      --query "properties.copy.status" |      --source-uri "$SAS" | ||
| } | |||
| done | function CHECKTRANSFERSTATUS() { | ||
|   #Check operation progress | |||
| az snapshot create --resource-group  |   while true | ||
| #Criar image from snapshot |   do | ||
| az image create --resource-group  |     date | ||
|     az storage blob show \ | |||
|       --container-name $CONTAINER \ | |||
|       -n $VHDNAME \ | |||
|       --account-name $SANAME \ | |||
|       --account-key "$SAKEY" \ | |||
|       --query "properties.copy.status" | |||
|     sleep 90 | |||
|     clear | |||
|   done | |||
| } | |||
| function BLOB2IMAGE() { | |||
|   az snapshot create \ | |||
|     --resource-group $NEWRG \ | |||
|     --name NEW-$SNAPNAME \ | |||
|     --location $NEWLOCATION \ | |||
|     --source-storage-account-id /subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Storage/storageAccounts/$SANAME \ | |||
|     --source https://$SANAME.blob.core.windows.net/$CONTAINER/$VHDNAME | |||
|   #Criar image from snapshot | |||
|   az image create \ | |||
|     --resource-group $NEWRG \ | |||
|     --name NEW-$SNAPNAME \ | |||
|     --source /subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Compute/snapshots/NEW-$SNAPNAME \ | |||
|     --os-type $OSTYPE \ | |||
|     --location $NEWLOCATION | |||
| } | |||
| DISK2BLOB | |||
| CHECKTRANSFERSTATUS | |||
| BLOB2IMAGE | |||
| # az storage container generate-sas \ | |||
| #   --name $CONTAINER \ | |||
| #   --account-name "$SANAME" \ | |||
| #   --account-key "$SAKEY" \ | |||
| #   --permissions r \ | |||
| #   --https-only \ | |||
| #   --expiry "$(date -u -d "300 minutes" '+%Y-%m-%dT%H:%MZ')" | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
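Review bot: CHECKTRANSFERSTATUS on the new side loops with `while true` and has no exit condition, so the `BLOB2IMAGE` call placed after `CHECKTRANSFERSTATUS` can only be reached by interrupting the script. Capture the status instead of printing it and leave the loop once it is no longer pending, e.g. `status=$(az storage blob show … --query "properties.copy.status" -o tsv)` followed by `[[ "$status" == "pending" ]] || break`, and let the function return non-zero unless the final status is `success`. In DISK2BLOB the argument `--query [accessSas]` is unquoted, so a single-character file in the working directory named with one of those letters would be glob-expanded into the query; write `--query "[accessSas]"`. The SAS URL grants read access to the disk contents and is only used inside DISK2BLOB, so `export SAS=$(…)` should be a function-local variable rather than an exported one that every child process inherits.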
Edição atual tal como às 16h40min de 10 de julho de 2023
Manage Orphaned Resources
Get Orphaned Disks
# Disks whose managedBy is null are not attached to any VM; print name and id.
az disk list --query "[?managedBy==null].[name,id]" -o table
Delete Orphaned Disks
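# Dry-run deletion of every disk that is not attached to a VM (managedBy == null).
# "-o tsv" emits one bare id per line, so the header/separator rows that
# "-o table" prints (and the "grep ^/" filter they needed) are no longer required.
# "-I {}" is the portable spelling of the deprecated GNU "-i".
# Remove the "echo" to actually run the deletion; "-y" skips the confirmation prompt.
az disk list --query "[?managedBy==null].id" -o tsv | xargs -I {} echo az disk delete --ids {} -y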
Remove the "echo" command to actually execute the delete action.
Get Orphaned Network Devices
# NICs whose virtualMachine is null are not attached to any VM; print name and id.
az network nic list --query "[?virtualMachine==null].[name,id]" -o table
Delete Orphaned Network Devices
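# Dry-run deletion of every NIC that is not attached to a VM (virtualMachine == null).
# "-o tsv" emits one bare id per line, so no header filtering ("grep ^/") is needed,
# and "-I {}" replaces the deprecated GNU "xargs -i".
# Remove the "echo" to actually run the deletion.
az network nic list --query "[?virtualMachine==null].id" -o tsv | xargs -I {} echo az network nic delete --ids {}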
Remove the "echo" command to actually execute the delete action.
Identity
Managed Identity
Login with Managed Identity
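# Two separate commands (the wiki rendering collapsed them onto one line).
# Sign in with the managed identity assigned to the host.
az login --identity
# Sign in with a specific user-assigned identity, selected by one of its ids.
az login --identity --username <client_id|object_id|resource_id>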
Service Principal
Create Service Principal
# Creates a service principal and assigns it the Contributor role at
# subscription scope; prefer the narrowest --scopes and --role the workload
# actually needs (for example a single resource group).
$ az ad sp create-for-rbac --role="Contributor" --name "<name>" --scopes="/subscriptions/SUBSCRIPTION_ID"
# Creates the principal without a role assignment (assign one later, scoped
# to what is needed). NOTE(review): --skip-assignment is presumably obsolete
# on newer CLI versions where no assignment is the default — confirm.
$ az ad sp create-for-rbac -n "<name>" --skip-assignment true
Extend secret expiration date
# Issues a new secret valid for one year. NOTE(review): "reset" presumably
# replaces the existing credential, so every consumer of <Client_id> must be
# updated with the new secret — confirm before rotating in place.
$ az ad sp credential reset --id <Client_id> --years 1
Roles
- role-based-access-built-in-roles
- role-based-access-control-manage-access-powershell
- resource-manager-policy
- Azure resource provider operations
- Listing Roles
# One role name per line (built-in and custom definitions visible to the caller).
az role definition list --query "[].[roleName]" -o tsv
- Listar Grupos
# Lists Azure AD groups as JSON.
az ad group list
- Listar App Keys
# Lists service principals as JSON.
az ad sp list
# The "azure" commands use the legacy (classic) CLI; "az" is the current one.
azure role list --json | jq
# Keep only the Name and Description fields of each role.
azure role list --json | jq '.[] | {"Name", "Description"}'
# NOTE(review): this extracts .properties.roleName; whether the installed
# "az" still nests roleName under "properties" is not shown here — confirm.
az role definition list| jq '.[]|{"properties"}'| jq '.[]|{"roleName"}' > roles.json
- Exibindo propriedades de uma role:
# Legacy CLI: show one role definition as JSON.
azure role show "Role_Name" --json | jq
- Listar Resource Groups
# Lists resource groups as JSON.
az group list
- Listar Roles de um resource group
# Legacy CLI: role assignments scoped to one resource group.
azure role assignment list --resource-group "imagens-comum" --json | jq
- Listando permissões de um usuário, inclusive herdadas por um grupo
# Legacy CLI: effective assignments of one user, including those inherited
# through group membership (--expandPrincipalGroups).
azure role assignment list --expandPrincipalGroups --signInName usuario@dominio --json
- Criar uma Role
# Legacy CLI: create a custom role from a JSON definition file.
azure role create --inputfile NS_CriarImagens.json
- Criar uma role com AZ CLI
 
# Creates a custom role from the JSON file below ("@file" reads the definition
# from disk). Review the Actions list before creating it: wildcard entries such
# as "*/read" grant read access across every resource provider in the scope.
az role definition create --role-definition @stopstart.json
stopstart.json
{
	"Name": "StopStartVm",
	"Description": "Can read, stop, start, restart and deallocate vm",
	"Actions": [
		"Microsoft.Compute/virtualMachines/start/action",
		"Microsoft.Compute/virtualMachines/restart/action",
		"Microsoft.Compute/virtualMachines/deallocate/action",
		"Microsoft.Compute/virtualMachines/*/read",
		"*/read"
  ],
  "AssignableScopes": ["/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
        }
NS_CriarImagens.json
  {
    "Name": "CriarImagens",
    "Actions": [
      "Microsoft.Compute/images/*"
    ],
    "NotActions": [],
    "AssignableScopes": [
      "/subscriptions/0000000000000000000000000000"
    ],
    "Description": "Permite gerenciar imagens de VirtualMachines.",
    "IsCustom": "true"
  }
- Alterar uma role
# Legacy CLI: update an existing custom role from a JSON definition file.
azure role set --inputfile <file path>
- Adicionar uma Role em um Resource Group para um grupo de usuários
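# Two equivalent commands (the wiki rendering collapsed them onto one line):
# assign a role to a user group at resource-group scope.
# Legacy "azure" CLI form:
azure role assignment create \
  --objectId <id do grupo de usuário> \
  --roleName "<nome da role>" \
  --resource-group "<nome do resource Group>"
# Current "az" CLI form:
az role assignment create \
  --assignee <ID/nome do grupo> \
  --role <nome da role> \
  --resource-group <nome do resource group>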
List Storage Container
# Container names in the storage account selected by the AZURE_STORAGE_* environment.
az storage container list  --query "[].name" -o table
Remove Storage Container
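# Dry-run deletion of every container in the storage account.
# "-o tsv" prints one bare name per line; with "-o table" the header and
# separator rows would also be handed to "delete" as container names and,
# combined with --fail-not-exist, make the pipeline fail.
# Remove the "echo" to actually delete the containers.
az storage container list --query "[].name" -o tsv | xargs -I {} echo az storage container delete -n {} --fail-not-exist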
Get VirtualMachine With Boot Diagnostics enabled
# VMs that have a boot-diagnostics profile, with the storage URI the
# diagnostics are written to.
az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].[name,id,vmId,diagnosticsProfile.bootDiagnostics.storageUri]" -o table
Disable VirtualMachine Boot Diagnostics
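# Dry-run: disable boot diagnostics on every VM that has it configured.
# "-o tsv" emits one bare id per line, so no "grep ^/" header filtering is
# needed, and "-I {}" replaces the deprecated GNU "xargs -i".
# Remove the "echo" to actually apply the change.
az vm list --query "[?diagnosticsProfile.bootDiagnostics!=null].id" -o tsv | xargs -I {} echo az vm boot-diagnostics disable --ids {}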
RBAC
Virtual Machine images
List Images
List images from a subscription
# Custom images in the current subscription, aligned into columns.
az image list --query "[].[location,name,resourceGroup]" -o tsv | column -t
List images from marketplace
- Listing publisher:
# Marketplace publishers available in the brazilsouth region.
az vm image list-publishers --location brazilsouth --query "[].[name]" -o tsv
- Listing images from publisher:
# Offers of one publisher (-p) in one region (-l).
az vm image list-offers -l brazilsouth -p MicrosoftRServer
- List SKU image:
# SKUs of one offer (-f) from one publisher (-p) in one region (-l).
az vm image list-skus -l brazilsouth -p MicrosoftRServer -f RServer-WS2016 --query "[].[name,id]" -o tsv
Resource Groups
Listing Resource Groups
# Resource groups as "name location" columns, sorted by name.
az group list --query "[].[name,location]" -o tsv | column -t| sort -k1
example
#Variables declaration
# The storage key is a credential: supply it from the environment or a
# protected file rather than typing it into this script, and keep the script
# out of version control while it holds a value.
# NOTE(review): the "az storage" calls below pass no --account-key, so they
# presumably pick the key up from the environment — confirm the variable name
# the installed CLI honours.
export AZURE_STORAGE_ACCESS_KEY=
export AZURE_STORAGE_ACCOUNT=
export AZ_VMNAME=machine          # VM name; also prefixes the VHD, disk and NIC names
export AZ_RG=test                 # resource group for the VM and its disks
export AZ_REGION=eastus2
export AZ_DISTYPE=Standard_LRS    # disk SKU
export AZ_SUBSCRIPTION=
export AZ_VNET=virtual-us
export AZ_SUBNET=subnet01
export AZ_CONTAINER=upload        # blob container the VHDs are uploaded to
export AZ_STOACCOUNT=stor01       # storage account that holds the container
export AZ_VMSIZE=Standard_D3_v2 
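#######################################
# Upload the local file "$AZ_VMNAME.vhd" as a blob of the same name.
# Globals:   AZ_CONTAINER, AZ_VMNAME, AZ_STOACCOUNT (read)
# Returns:   exit status of "az storage blob upload"
#######################################
function UPLOAD_VHD() {
  # Expansions are quoted so a name containing spaces or glob characters
  # stays a single argument.
  az storage blob upload \
    --container-name "$AZ_CONTAINER" \
    --file "$AZ_VMNAME.vhd" \
    --name "$AZ_VMNAME.vhd" \
    --account-name "$AZ_STOACCOUNT" \
    --max-connections 16
}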
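#######################################
# Create the NIC "$AZ_VMNAME-nic" in the configured VNet/subnet.
# Globals:   AZ_RG, AZ_VMNAME, AZ_SUBNET, AZ_VNET (read)
# Returns:   exit status of "az network nic create"
#######################################
function CREATE_NIC() {
  # Quoted expansions keep each value a single argument.
  az network nic create \
    --resource-group "$AZ_RG" \
    --name "$AZ_VMNAME-nic" \
    --subnet "$AZ_SUBNET" \
    --vnet-name "$AZ_VNET"
}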
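#######################################
# Print (dry-run, via "echo") an "az disk create" command for every blob in
# the upload container whose table row matches "ned" (case-insensitive).
# Globals:   AZ_STOACCOUNT, AZ_CONTAINER, AZ_RG, AZ_DISTYPE (read)
# Outputs:   one candidate command per matching blob on stdout; remove the
#            "echo" to actually create the disks
# Returns:   exit status of the pipeline
#######################################
function BLOB_LIST() {
  local blob disk_name
  # The original lost the "\" continuations after --resource-group, so the
  # "-n", "--source" and "--sku" lines ran as separate commands; the options
  # now form one command again.
  az storage blob list \
    --account-name "$AZ_STOACCOUNT" \
    --container-name "$AZ_CONTAINER" \
    -o table \
    | grep -i ned \
    | awk '{print $1}' \
    | while IFS= read -r blob; do
        # Disk name = blob name up to its first "." (drops the ".vhd" suffix).
        disk_name=${blob%%.*}
        # NOTE(review): "ned" presumably selects the VHD names of interest —
        # confirm against the container's contents.
        echo az disk create \
          --resource-group "$AZ_RG" \
          -n "$disk_name" \
          --source "https://$AZ_STOACCOUNT.blob.core.windows.net/$AZ_CONTAINER/$blob" \
          --sku "$AZ_DISTYPE"
      done
}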
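#######################################
# Create the managed disk "$AZ_VMNAME" from the uploaded VHD blob.
# Globals:   AZ_RG, AZ_VMNAME, AZ_STOACCOUNT, AZ_CONTAINER, AZ_DISTYPE (read)
# Returns:   exit status of "az disk create"
#######################################
function CREATE_DISK() {
  local source_url="https://$AZ_STOACCOUNT.blob.core.windows.net/$AZ_CONTAINER/$AZ_VMNAME.vhd"
  # Quoted expansions keep each value a single argument.
  az disk create \
    --resource-group "$AZ_RG" \
    -n "$AZ_VMNAME" \
    --source "$source_url" \
    --sku "$AZ_DISTYPE"
}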
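#######################################
# Create the Linux VM from the existing OS disk, the two "-asm01"/"-asm02"
# data disks and the NIC created by CREATE_NIC.
# Globals:   AZ_VMNAME, AZ_RG, AZ_REGION, AZ_VMSIZE (read)
# Returns:   exit status of "az vm create"
#######################################
function CREATE_VM() {
  # Quoted expansions keep each disk/NIC name a single argument; the two
  # data disks are deliberately separate arguments.
  az vm create \
    --name "$AZ_VMNAME" \
    --resource-group "$AZ_RG" \
    --attach-os-disk "$AZ_VMNAME" \
    --attach-data-disks "$AZ_VMNAME-asm01" "$AZ_VMNAME-asm02" \
    --nics "$AZ_VMNAME-nic" \
    --location "$AZ_REGION" \
    --os-type linux \
    --size "$AZ_VMSIZE"
}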
function CREATE_DISK_AND_ATTACH() {
	seq 1 9 | while read serial
		do
			az disk create \
			--resource-group $AZ_RG \
			--name $AZ_VMNAME-asm0$serial \
			--sku $AZ_DISTYPE \
			--size-gb 1023
			rc=$?
			if [ $rc -eq 0 ] 
			then
				az vm disk attach \
				--disk $AZ_VMNAME-asm0$serial \
				--resource-group $AZ_RG \
				--vm-name $AZ_VMNAME \
				--lun $serial
			fi
		done
}
Transfer virtual machine to another region
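#!/bin/bash
#https://blogs.msdn.microsoft.com/nicole_welch/2017/09/moving-files-between-azure-storage-and-rhel/
# Copy a managed disk into a storage account in another region and build an
# image from it there (DISK2BLOB -> CHECKTRANSFERSTATUS -> BLOB2IMAGE).
#
# The storage account key and the snapshot SAS URL are passed on "az" command
# lines below, so the script no longer runs under "bash -x": the trace would
# write both secrets to stderr and any log capturing it. For debugging, wrap
# only the non-secret sections in "set -x" / "set +x".
export RG=                        # resource group holding the source disk
export NEWRG=                     # resource group in the target region
export SNAPNAME=                  # name for the source snapshot ("NEW-" prefix is used in the target)
export LOCATION=eastus            # source region
export NEWLOCATION=brazilsouth    # target region
export DISKNAME=                  # source managed disk (name or id)
export VHDNAME=vm_osdisk.vhd      # blob name for the copied disk
export CONTAINER=vmimage          # container in the target storage account
export SANAME=                    # target storage account name
export SAKEY=""                   # target storage account key — supply it from the environment, do not store it here
export OSTYPE=windows # or "linux"   (NOTE: shadows bash's own OSTYPE variable; BLOB2IMAGE reads this one)
export SUBSCRIPTION=              # subscription id used to build resource ids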
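#######################################
# Snapshot the source disk, obtain a time-limited SAS for the snapshot and
# start a server-side copy of it into the target storage account.
# Globals:   RG, SNAPNAME, LOCATION, DISKNAME, VHDNAME, CONTAINER, SANAME,
#            SAKEY (read)
# Returns:   0 when the copy was started; the failing "az" status (or 1 when
#            no SAS came back) otherwise — later steps are skipped on failure
#######################################
function DISK2BLOB() {
  local sas
  #Create VM disk snapshot
  az snapshot create \
    --resource-group "$RG" \
    --name "$SNAPNAME" \
    --location "$LOCATION" \
    --source "$DISKNAME" || return
  #Export SAS URL from the snapshot (valid for 7200 s = 2 h).
  # The SAS grants read access to the disk contents, so it is kept in a
  # function-local variable instead of being exported to every child process.
  # --query is quoted: unquoted, "[accessSas]" is a shell glob pattern.
  sas=$(az snapshot grant-access \
          --resource-group "$RG" \
          --name "$SNAPNAME" \
          --duration-in-seconds 7200 --query "[accessSas]" -o tsv) || return
  if [[ -z "$sas" ]]; then
    printf 'DISK2BLOB: no SAS returned for snapshot %s\n' "$SNAPNAME" >&2
    return 1
  fi
  #Transfer the snapshot to the target storage account (copy runs server-side).
  az storage blob copy start \
    --destination-blob "$VHDNAME" \
    --destination-container "$CONTAINER" \
    --account-name "$SANAME" \
    --account-key "$SAKEY" \
    --source-uri "$sas"
}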
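#######################################
# Poll the copy status of the transferred blob every 90 s, printing a
# timestamp and the status each round, until the copy is no longer pending.
# Globals:   CONTAINER, VHDNAME, SANAME, SAKEY (read)
# Returns:   0 when the final status is "success"; 1 when the copy ended in
#            any other state or the status could not be read. The original
#            looped forever, so the image step after it was never reached.
#######################################
function CHECKTRANSFERSTATUS() {
  local status
  #Check operation progress
  while true; do
    date
    status=$(az storage blob show \
      --container-name "$CONTAINER" \
      -n "$VHDNAME" \
      --account-name "$SANAME" \
      --account-key "$SAKEY" \
      --query "properties.copy.status" -o tsv) || return 1
    printf '%s\n' "$status"
    # "pending" is the in-progress state of a server-side blob copy; any
    # other value (success, failed, aborted) is terminal.
    [[ "$status" == "pending" ]] || break
    sleep 90
    clear
  done
  [[ "$status" == "success" ]]
}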
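#######################################
# In the target region: snapshot the copied VHD blob, then build an image
# "NEW-$SNAPNAME" from that snapshot.
# Globals:   NEWRG, SNAPNAME, NEWLOCATION, SUBSCRIPTION, SANAME, CONTAINER,
#            VHDNAME, OSTYPE (read)
# Returns:   exit status of the failing "az" command, else 0
#######################################
function BLOB2IMAGE() {
  local account_id="/subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Storage/storageAccounts/$SANAME"
  local snapshot_id="/subscriptions/$SUBSCRIPTION/resourceGroups/$NEWRG/providers/Microsoft.Compute/snapshots/NEW-$SNAPNAME"
  # Snapshot the blob; "|| return" stops before "image create" would fail on
  # a missing snapshot.
  az snapshot create \
    --resource-group "$NEWRG" \
    --name "NEW-$SNAPNAME" \
    --location "$NEWLOCATION" \
    --source-storage-account-id "$account_id" \
    --source "https://$SANAME.blob.core.windows.net/$CONTAINER/$VHDNAME" || return
  # Create the image from the snapshot.
  az image create \
    --resource-group "$NEWRG" \
    --name "NEW-$SNAPNAME" \
    --source "$snapshot_id" \
    --os-type "$OSTYPE" \
    --location "$NEWLOCATION"
}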
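# Run the three stages in order and stop at the first one that fails, so the
# image is never built from a snapshot or copy that did not complete.
DISK2BLOB || exit 1
CHECKTRANSFERSTATUS || exit 1
BLOB2IMAGE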
# az storage container generate-sas \
#   --name $CONTAINER \
#   --account-name "$SANAME" \
#   --account-key "$SAKEY" \
#   --permissions r \
#   --https-only \
#   --expiry "$(date -u -d "300 minutes" '+%Y-%m-%dT%H:%MZ')"