Azure

Using Azure Automation to generate a certificate

Some time back I had cause to demonstrate the possibility of using Azure Automation to generate time-limited certificates for use with Azure. It turned out to be more difficult than I thought, as certificate creation on a local server or desktop uses the COM-based CryptoAPI, which isn't available for use with Automation Runbooks.

This example script uses the brilliant "Bouncy Castle" library for creating certificates.

PowerShell DSC (Pull) Sequence

The PowerShell DSC sequence I'm using to deploy my Windows machines primarily uses Script resources, although a multitude of other resources (such as the WindowsFeature resource shown below) could be used. The Pull Server has PowerShell DSC installed as a feature.

With this example, I’m using Server 2016 in Azure against other Azure provisioned systems.

PowerShell DSC – Pull Mode, Server 2012 R2 Client and Server 2016 Server

This example is from provisioning a Windows client on Azure and using a bootstrap (Custom Script Extension) for using PowerShell DSC (Pull) off a Server 2016 (WMF 5) DSC server.

I'm using self-signed certificates in my environment. One certificate is for the web server of my DSC server. The second certificate is for DSC to use for encrypting credentials in configuration data.

PowerShell DSC – Pull Mode, RHEL7 Linux Client

My target machine is an Azure-provisioned RHEL 7.2 system. I'm using an Azure Script Extension to install PowerShell DSC for Linux and register it against a Server 2016 (WMF 5) Pull Server.

As my provisioned machine cannot access the internet, I've downloaded the omi and dsc rpm installers and placed them on an internal web server.

Azure Script Extensions - PowerShell DSC Bootstrap

Azure Script Extensions allow end-to-end provisioning of standardised machines by providing a bootstrap mechanism to start configuration.

In the examples below, I am retrieving initial bootstrap scripts from a web server located on my vNet (and addressable in DNS).

Linux Script Extension

With Linux, I'm using the CustomScriptForLinux extension.

Creating Custom Azure Roles with JSON Templates


A series of predefined roles are available for assignment within Azure.

The first place to start when defining custom roles is to export the existing roles using the PowerShell cmdlet Get-AzureRMRoleDefinition. The snippet below writes the built-in Reader role to file.


Many of the built-in role definitions use wildcards in their allowed actions. This makes explicit and auditable allocation of rights difficult, since a wildcard grants every current and future operation beneath it rather than a named set.