Azure PowerShell ‘Az’ Module version 1.0


(Steve Funk Tracy) #1

Looks like Microsoft is shifting powershell from AzureRM to AZ. With new features only being added to powershell AZ.

How can Azure AZ powershell scripts be run via OctopusDeploy?


(Lawrence Wilson) #3

Hi Steve,
Thanks for getting in touch! I’m interested to know if you are running the Octopus Self-Hosted version or Octopus Cloud.

If you are running Octopus Self-Hosted you should be able to log directly into your Octopus Server and install the new AZ Module directly, from there it will be available to Octopus’ PowerShell Steps and you can import it like any other module in PowerShell.

In Octopus Cloud it might be a little more tricky but installing PowerShell modules normally works. The only thing you need to do here is ensure you are installing the module scoped to the CurrentUser.

For example, I believe it might look a bit like this:

PS C:\> Install-Module -Name "Az" -Scope "CurrentUser"

In this case, we also recommend that you run a step to Install the module at the beginning of your deployment because if your Octopus Cloud instance gets recycled, the module will no longer exist on the Instance.

Thank you for linking to that article as well, I’m interested to know if there are other forms of authenticating with the PowerShell AZ module other than using the new interactive logon web page option, I have a feeling this method won’t work in Octopus because scripts are typically ran without a logged in User, which means the Web Browser won’t open. In that case, I believe the best option would be to login with an Azure Service Principal Account when possible.

I look forward to hearing if this has helped!

Kind regards,
Lawrence.


(Iain Brown) #4

To use the Az module you can’t have the AzureRm modules also loaded, so we can’t use Az calls in an “Run an Azure Powershell Script” stage, so is there a way of getting the azure service principal account programmatically?

I’ve looked at https://octopus.com/docs/deployment-process/variables/azure-account-variables but the variable I get from is of the wrong type (it’s a string rather the credential type the commandlet needs)

I’m trying this
Connect-AzAccount -ServicePrincipal -ApplicationId $azureaccountClient -Credential $OctopusParameters[“azure account”] -TenantId $azureaccountTenantId


(Shaun Marx) #5

Hi Iain,

That is definitely possible, using a regular Powershell script step. I also noticed that you have already found the documentation on accessing the account variables. In order to login using those variables, you would have to do something like the following:

# Authenticate via Service Principal
$securePassword = ConvertTo-SecureString $OctopusParameters["azaccount.Password"] -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($OctopusParameters["azaccount.Client"], $securePassword)
$azEnv = if($OctopusParameters["azaccount.AzureEnvironment"]) { $OctopusParameters["azaccount.AzureEnvironment"] } else { "AzureCloud" }

$azEnv = Get-AzEnvironment -Name $azEnv
if (!$azEnv) {
	Write-Error "No Azure environment could be matched given the name $($OctopusParameters["azaccount.AzureEnvironment"])"
	exit -2
}

Write-Verbose "Authenticating with Service Principal"

# Force any output generated to be verbose in Octopus logs.
Login-AzAccount -Credential $creds -TenantId $OctopusParameters["azaccount.TenantId"] -SubscriptionId $OctopusParameters["azaccount.SubscriptionNumber"] -Environment $azEnv -ServicePrincipal

//Some Az commands

Hope that helps,

Regards,
Shaun