Running Azure specific PowerShell Scripts (Connect-AzAccount)

I am stuck on running a PowerShell script that I feel should be easier with Octopus. It seems like there are multiple options, but each one of them has issues.

I want to manage certificates from Azure Key Store and have written a couple of PowerShell scripts to do things like (a) Check when the current Cert is due to expire (b) Download the latest certificate (c) Get the certificate thumbprint to update in config values. I have working versions of these scripts but in Octopus Cloud the required Azure modules are not present and I can’t seem to install them.

ObjectNotFound: The term ‘Connect-AzAccount’ is not recognized as a name of a cmdlet, function, script file, or executable program.

Options I can see:

  1. There is an Azure Script! Yea… But no, it also does not have the right modules.
  2. Run a PowerShell (Vanilla) script. Okay, so here I expect to have to install the missing modules. It passes the install commands but fails when it gets to use them. Some articles mentioned you need to pause for it to be installed, which does not make sense.
  3. Run it inside a container, on a worker which I can do a custom setup on. Jeez, why not create a VM on tin at my office while I am at it. I want to use cloud services with as few snowflakes and custom components as possible.

Attached is the script (variables replaced)
OctopusCheckCertExpiry.ps1 (1.5 KB)


Any advice will be appreciated!

Other sources looked at

Hi @mariusv,

Thanks for reaching out on our support forums, and welcome to the community!

I’m sorry the needed PowerShell modules are not installing on the workers like you are expecting.

One option, as you mentioned, would be to run the script in an execution container so it can be configured with all the needed modules. Another option would be to use the step template mentioned in this blog post - Using Azure Key Vault with Octopus - Octopus Deploy. Lastly, you could use another step template if it suits your needs better - https://library.octopus.com/step-templates/e06e7e2a-5510-4b6d-bd46-22d3bc01291d/actiontemplate-import-certificate-from-azure-key-vault.

Even if you were able to get the modules to install on the worker and run the script, in the long run, you’d be running this install process for every new worker that was leased by your instance. Most workers are released after an hour of no deployments (worst case), or if there is enough deployment activity, they can be leased for 72 hrs (best case), so at best, you’d be running the install every few days. It might be less effort in the long run to configure the custom container.

I hope this helps clarify things for you. Please let me know if you have any additional questions.

Regards,
Brent

Hi Brent,

Thanks for your detailed answer.

Azure Key Vault With Octopus
This failed with an internal error calling Az. A screenshot is attached, but it seems like there is a similar missing-module issue in the background.

Docker image
This is really a tedious approach. After hours of building custom images across different baseline images, I managed to create a PowerShell version that has the modules I need (My External Feed), and it seems to download during the deployment, but then it can’t find PowerShell in Octopus when it tries to run a script. Running the image locally seems fine.

Any idea why Octopus is not able to execute PowerShell from the image?

I really hope this effort and thread will help others; it was quite involved up to now and is still not working.

Hi Brent,

Good news, the last issue was an easy one to sort out. Just had to change to PowerShell Core.

Some notes for other people that want to do something similar and new to Docker:

  • Creating a Docker Hub account is free for these public image feeds (No additional costs)
  • Make sure you use the right type of host (I had to use Windows for our worker in Octopus)
  • Need a basic understanding of:
    ◦ PowerShell and its PSGallery Package Manager
    ◦ Docker (download base image, modify container and commit changes, tag the local image and push it to your Docker Hub repository) - Expect it will take time to find the right base image and tag (look for the smallest image; don’t go full Windows if you can help it)
  • Remember to set your PowerShell version by enabling it as a feature
  • Configure your container details as an external feed in Octopus (If public no creds required)

I still think this is far from simple (things should be simple), but it does work. @Brent thanks for the assist.

Regards,
Marius

2 Likes

Hi @mariusv,

All the credit to you on that one; you did the heavy lifting! I’m glad you could get something working, and thank you for posting tips for other users to reference. I even search our help forum for similar issues when new support tickets come in, which will be very helpful the next time it comes up.

Please let us know if any other issues come up.

Happy deployments!

Regards,
Brent

1 Like

I had some additional issues on the PowerShell side with Docker specifically using the nanoserver images. The default user is not admin and needs to run the same commands in a slightly different way. Below are the docker commands. One last thing, I also managed to get the native script steps working by going to the correct worker host and installing the necessary libraries there. Hope it helps!

docker run -it --user ContainerAdministrator --dns="8.8.8.8" mcr.microsoft.com/powershell:nanoserver-1909

Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module Az.Accounts -AllowClobber -SkipPublisherCheck -Scope AllUsers
Install-Module Az.KeyVault -AllowClobber -SkipPublisherCheck -Scope AllUsers
Install-Module -Name Az -AllowClobber -SkipPublisherCheck -Scope AllUsers
2 Likes
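
An added example, not part of the thread and not the attached OctopusCheckCertExpiry.ps1: a script for a worker or container set up as described above, which first checks that the Az modules are actually present (the failure quoted in the first post) and then reports a Key Vault certificate's expiry and thumbprint. The vault and certificate names, the 30-day threshold, the `-Offline` switch and the `CertThumbprint` output variable name are assumptions, and the online path assumes the session is already signed in to Azure.

```powershell
# Added example, not the attached OctopusCheckCertExpiry.ps1. Vault/cert names,
# the warning threshold and the output variable name are assumptions.
param(
    [string]$VaultName = 'example-vault',       # placeholder
    [string]$CertificateName = 'example-cert',  # placeholder
    [int]$WarnDays = 30,
    [switch]$Offline                            # use the constructed sample, no Azure call
)
$ErrorActionPreference = 'Stop'

function Assert-AzModule {
    param([string[]]$Name)
    # Fail early with a clear message instead of "'Connect-AzAccount' is not recognized"
    $missing = @($Name | Where-Object { -not (Get-Module -ListAvailable -Name $_) })
    if ($missing.Count -gt 0) {
        throw "Module(s) missing on this worker or container image: $($missing -join ', ')"
    }
}

function Get-CertExpiryStatus {
    param($Certificate, [int]$WarnDays, [datetime]$Now = [datetime]::UtcNow)
    if ($null -eq $Certificate.Expires) { throw 'Certificate has no expiry date set' }
    $expires = ([datetime]$Certificate.Expires).ToUniversalTime()
    $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
    $state = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'RenewSoon' } else { 'Ok' }
    [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; ExpiresUtc = $expires
                       DaysLeft = $daysLeft; Status = $state }
}

if ($Offline) {
    # Constructed sample with the two properties used from Get-AzKeyVaultCertificate output
    $cert = [pscustomobject]@{ Thumbprint = ('0' * 40); Expires = [datetime]::UtcNow.AddDays(12) }
} else {
    Assert-AzModule -Name 'Az.Accounts', 'Az.KeyVault'
    # Assumes the session is already signed in (Connect-AzAccount ran earlier in the step)
    $cert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName
    if (-not $cert) { throw "Certificate '$CertificateName' not found in vault '$VaultName'" }
}

$status = Get-CertExpiryStatus -Certificate $cert -WarnDays $WarnDays
$status | Format-List
# Set-OctopusVariable only exists inside an Octopus step; skip it when run elsewhere
if (Get-Command Set-OctopusVariable -ErrorAction SilentlyContinue) {
    Set-OctopusVariable -name 'CertThumbprint' -value $status.Thumbprint
}
if ($status.Status -eq 'Expired') { exit 1 }
```

Running it with `-Offline` exercises the expiry logic against the constructed sample without needing the Az modules or network access.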

Wow! @mariusv,
This is great stuff. Thanks for adding that additional info, this will really help anyone who comes across this issue in the future. Glad to have you be part of the Octo community!

Regards,
Brent
