Manage Azure Resources using PowerShell Function App with Managed Identity
Published Feb 01 2022 10:19 PM 8,418 Views
Microsoft

Briefly, this post will provide you a step to step guidance with sample code on how to leverage Azure PowerShell Function App to manage Azure resources and use managed identity for authentication to simplify the workflow.

 

Azure PowerShell is a set of cmdlets for managing Azure resources directly from the PowerShell command line. Azure PowerShell is designed to make it easy to learn and get started with, but provides powerful features for automation.

 

Azure Functions is a cloud service available on-demand that provides all the continually updated infrastructure and resources needed to run your applications. You focus on the pieces of code that matter most to you, and Functions handles the rest. Functions provides serverless compute for Azure. You can use Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more.

 

When we combine the Azure PowerShell and Azure Function App, it could make a magic. For example, we can make it automatic to restart a Virtual Machine(s) on schedule. Or update a rule in network security group with a HTTP request.

In this post, we will take restoring Azure Web App from Snapshot regularly as an example to demonstrate the idea. The general workflow is as follow:

Create PowerShell Function App -> Enable Managed identity -> Grant related resource permissions to the identity(Function App) -> Integrate Az module in functions -> Test and Run

The topology is as below, we will grant role permission to Function App from source web app and Destination Web App. Then manage them from the function app.

KevinLi_0-1643782165027.png

 

 

Steps:

  1. Create a Windows PowerShell Function App from portal

KevinLi_7-1643728774857.png

 

  1. Set up the managed identity in the new Function App by enabling Identity and saving from portal. It will generate an Object(principal) ID for you automatically.

KevinLi_8-1643728774860.png

 

  1. Now let's go to the source web app and add role assignment from Access control(IAM):

KevinLi_9-1643728774862.png

 

  1. To make it simple, we use the role "Contributor".

KevinLi_10-1643728774865.png

 

  1. Choose the Managed identity and find the Function App we just created.

KevinLi_11-1643728774867.png

 

  1. Repeat steps 3~5 for destination web app to grant permission for the function app. Alternatively, you can assign role at resource group(s) or subscription level.

 

  1. After finishing the role assignment. We will go ahead to install Az modules using managed dependencies by simply going to App files and choose requirements.psd1, then uncomment the line "# 'Az' = '7.*'". After then, when the first time we trigger the function, it will take some time to download these dependencies automatically.

KevinLi_0-1643764349075.png

 

  1. Now we can get back to the function app and go ahead to create a Timer trigger function, note that Azure Functions uses the NCronTab library to interpret NCRONTAB expressions. An NCRONTAB expression is similar to a CRON expression except that it includes an additional sixth field at the beginning to use for time precision in seconds:

{second} {minute} {hour} {day} {month} {day-of-week}

Reference:  https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer?tabs=csharp#ncrontab...

 

KevinLi_12-1643728774870.png

  1. Leverage below sample code in the function.

Sample Code:

Replace the source and destination web app, resource groups with yours.

 

 


# Input bindings are passed in via param block.

param($Timer)

# Get the current universal time in the default string format.

$currentUTCtime = (Get-Date).ToUniversalTime()

# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.

if ($Timer.IsPastDue) {

    Write-Host "PowerShell timer is running late!"

}

$srcWebappname = "SourceWebApp"

$srcResourceGroupName = "SourceGroup"

$dstWebappname = "DestinationWebApp"

$dstResourceGroupName = "DestinationGroup"

$snapshot = (Get-AzWebAppSnapshot -ResourceGroupName $srcResourceGroupName -Name $srcWebappname)[0]

Write-Host "Start restoring Snapshot from $srcWebappname to $dstWebappname"

Restore-AzWebAppSnapshot -ResourceGroupName $dstResourceGroupName -Name $dstWebappname -InputObject $snapshot -RecoverConfiguration -Force

Write-Host "Done"

# Write an information log with the current time.

Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"

 

 

Test and Run:

When we manually trigger it, it should be shown like as below:

KevinLi_13-1643728774874.png

All done. Thanks for reading! I hope you have fun in it!

 

3 Comments
Co-Authors
Version history
Last update:
‎Feb 01 2022 10:18 PM
Updated by: