def get_automation_runas_token():
""" Returs a token that can be used to authenticate against Azure resources """
from OpenSSL import crypto
import adal
import automationassets
# Get the Azure Automation RunAs service principal certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
sp_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,
sp_cert.get_privatekey())
# Get run as connection information for the Azure Automation service principal
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
# Authenticate with service principal certificate
resource = "https://management.core.windows.net/"
authority_url = ("https://login.microsoftonline.com/" + tenant_id)
context = adal.AuthenticationContext(authority_url)
azure_credential = context.acquire_token_with_client_certificate(
resource, application_id, pem_pkey, thumbprint)
# Return the token
return azure_credential.get('accessToken')
def import_child_runbook(resource_group, automation_account, runbook_name):
""" Downloads a runbook from the automation account to the cloud container """
import os
import sys
import requests
import automationassets
# Get RunAs access token
access_token = get_automation_runas_token()
# Set what resources to act against
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
subscription_id = str(runas_connection["SubscriptionId"])
# Set up URI to create a new automation job
uri = ("https://management.azure.com/subscriptions/" + subscription_id +
"/resourceGroups/" + resource_group +
"/providers/Microsoft.Automation/automationAccounts/" +
automation_account + "/runbooks/" + runbook_name +
"/content?api-version=2015-10-31")
# Make request to get runbook content
headers = {"Authorization": 'Bearer ' + access_token}
result = requests.get(uri, headers=headers)
runbookfile = os.path.join(sys.path[0], runbook_name) + ".py"
with open(runbookfile, "w") as text_file:
text_file.write(result.text)
# Import downloaded python module and return to caller
import importlib
return importlib.import_module(runbook_name)
def get_automation_runas_credential():
""" Returs a credential that can be used to authenticate against Azure resources """
from OpenSSL import crypto
from msrestazure import azure_active_directory
import adal
import automationassets
# Get the Azure Automation RunAs service principal certificate
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
sp_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,
sp_cert.get_privatekey())
# Get run as connection information for the Azure Automation service principal
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
# Authenticate with service principal certificate
resource = "https://management.core.chinacloudapi.cn/"
authority_url = ("https://login.partner.microsoftonline.cn/" + tenant_id)
context = adal.AuthenticationContext(authority_url)
return azure_active_directory.AdalAuthentication(
lambda: context.acquire_token_with_client_certificate(
resource, application_id, pem_pkey, thumbprint))
def import_child_runbook(resource_group, automation_account, runbook_name):
import os
import sys
import requests
import automationassets
access_token = get_automation_runas_token()
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
subscription_id = str(runas_connection["SubscriptionId"])
uri = ("https://management.azure.com/subscriptions/" + subscription_id +
"/resourceGroups/" + resource_group +
"/providers/Microsoft.Automation/automationAccounts/" +
automation_account + "/runbooks/" + runbook_name +
"/content?api-version=2015-10-31")
headers = {"Authorization": 'Bearer ' + access_token}
result = requests.get(uri, headers=headers)
runbookfile = os.path.join(sys.path[0], runbook_name) + ".py"
with open(runbookfile, "w") as text_file:
text_file.write(result.text)
import importlib
return importlib.import_module(runbook_name)
def adal_vault_callback(server, resource, scope):
""" Returns a token that can be used to authenticate against Azure resources """
from OpenSSL import crypto
import adal
import automationassets
# Get the Azure Automation RunAs service principal certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
sp_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,
sp_cert.get_privatekey())
# Get run as connection information for the Azure Automation service principal
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
# Authenticate with service principal certificate
if not resource:
resource = "https://vault.azure.net"
if not server:
server = ("https://login.windows.net/" + tenant_id)
context = adal.AuthenticationContext(server)
azure_credential = context.acquire_token_with_client_certificate(
resource, application_id, pem_pkey, thumbprint)
# Return the token
return azure_credential.get('tokenType'), azure_credential.get(
'accessToken')
def verify_connection():
actualconnection = automationassets.get_automation_connection(AzureConnectionName)
if actualconnection["AutomationCertificateName"] == expectedFieldValuesAzureConnection["AutomationCertificateName"]:
print "Get Azure connection Successful"
else:
print "ERROR: Get Azure Connection Failed"
actualconnection = automationassets.get_automation_connection(AzureSPConnectionName)
if actualconnection["CertificateThumbprint"] == expectedFieldValuesAzureSP["CertificateThumbprint"]:
print "Get Azure SP connection Successful"
else:
print "ERROR: Get Azure SP connection Failed"
actualconnection = automationassets.get_automation_connection(AzureClassicCertConnectionName)
if actualconnection["CertificateAssetName"] == expectedFieldValuesAzureCC["CertificateAssetName"]:
print "Get Azure Classic connection Successful"
else:
print "ERROR: Get Azure Classic connection Failed"
def get_compute_client():
""" Authenticate to Azure using the Azure Automation
RunAs service principal
"""
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
azure_credential = get_automation_runas_credential(runas_connection)
compute_client = ComputeManagementClient(
azure_credential, str(runas_connection["SubscriptionId"]))
return compute_client
def main():
webhook_data = ""
for arg in sys.argv:
webhook_data += arg
if webhook_data:
webhook = parse_webhook_data(webhook_data)
else:
print("ERROR: no webhook received")
sys.exit(-1)
# Authenticate to Azure using the Azure Automation RunAs service principal
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
azure_credential = get_automation_runas_credential(runas_connection)
subscription_id = runas_connection['SubscriptionId']
# KeyVaultManagement Client to manage KV resources only
kv_mgmt_client = KeyVaultManagementClient(azure_credential,
subscription_id)
kv_client = KeyVaultClient(KeyVaultAuthentication(adal_vault_callback))
# Get Event Hub Details from Key Vault
namespace = get_kv_secret(kv_client, 'EventHubNamespace')
event_hub = get_kv_secret(kv_client, 'EventHub')
user = get_kv_secret(kv_client, 'EventHubKeyName')
key = get_kv_secret(kv_client, 'EventHubKey')
headers = get_http_header(namespace, event_hub, user, key)
params = get_http_params()
# Publish event to Event Hub via REST API, for some reason can't use the
# Event Hub SDK to directly publish the event
uri = "https://{}.servicebus.windows.net/{}/messages".format(
namespace, event_hub)
r = requests.post(url=uri,
headers=headers,
params=params,
data=json.dumps(webhook))
print(r)
print("sent event to event hub")
print(json.dumps(webhook, indent=4))
def get_automation_runas_credential():
from OpenSSL import crypto
from msrestazure import azure_active_directory
import adal
import automationassets
runas_connection = automationassets.get_automation_connection(
"AzureRunAsConnection")
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
sp_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,
sp_cert.get_privatekey())
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
resource = "https://management.core.windows.net/"
authority_url = ("https://login.microsoftonline.com/" + tenant_id)
context = adal.AuthenticationContext(authority_url)
return azure_active_directory.AdalAuthentication(
lambda: context.acquire_token_with_client_certificate(
resource, application_id, pem_pkey, thumbprint))
logging.info("%s - Starting" % datetime.datetime.now())
logging.info("INPUT: %s" % sys.argv)
#try:
prsArg = json.loads(json.loads(sys.argv[1])['RequestBody'])
print(prsArg)
newCompartmentName = prsArg['subname']
newCompartmentOwner = prsArg['owner']
newCompartmentBudget = float(prsArg['monthlybudget'])
storage_account = automationassets.get_automation_variable(
'oci_storage_account')
storage_share = automationassets.get_automation_variable(
'oci_storage_share_name')
automationConnection = automationassets.get_automation_connection(
"AzureRunAsConnection")
AZTenantId = automationConnection["TenantId"]
logging.info("Getting OCI config files from file share - account: %s " %
storage_account)
file_service = FileService(
account_name=storage_account,
account_key=automationassets.get_automation_variable(
'oci_storage_account_key'))
# Create target Directory if don't exist
if not os.path.exists('.oci'):
os.mkdir('.oci')
logging.info("Created the .oci directory")
logging.info("Downloading config files to .oci")
def download_file(resource_group, automation_account, runbook_name, runbook_type):
"""
Downloads a runbook from the automation account to the cloud container
"""
import os
import sys
import requests
import automationassets
# Return token based on Azure automation Runas connection
def get_automation_runas_token(runas_connection):
""" Returs a token that can be used to authenticate against Azure resources """
from OpenSSL import crypto
import adal
# Get the Azure Automation RunAs service principal certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
sp_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey())
# Get run as connection information for the Azure Automation service principal
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
# Authenticate with service principal certificate
resource = "https://management.core.windows.net/"
authority_url = ("https://login.microsoftonline.com/" + tenant_id)
context = adal.AuthenticationContext(authority_url)
azure_credential = context.acquire_token_with_client_certificate(
resource,
application_id,
pem_pkey,
thumbprint)
# Return the token
return azure_credential.get('accessToken')
# Authenticate to Azure using the Azure Automation RunAs service principal
automation_runas_connection = automationassets.get_automation_connection("AzureRunAsConnection")
access_token = get_automation_runas_token(automation_runas_connection)
# Set what resources to act against
subscription_id = str(automation_runas_connection["SubscriptionId"])
# Set up URI to create a new automation job
uri = ("https://management.azure.com/subscriptions/" + subscription_id
+ "/resourceGroups/" + resource_group
+ "/providers/Microsoft.Automation/automationAccounts/" + automation_account
+ "/runbooks/" + runbook_name + "/content?api-version=2015-10-31")
# Make request to create new automation job
headers = {"Authorization": 'Bearer ' + access_token}
result = requests.get(uri, headers=headers)
runbookfile = os.path.join(sys.path[0], runbook_name) + runbook_type
with open(runbookfile, "w") as text_file:
text_file.write(result.text)
def install_packages(local_file_path, storage_account_name, storage_resource_group, storage_account_container_name):
"""
Copies folders or files in a container from an Azure storage account to a local directory.
Example 1:
install_packages.py -p <local_file_path> -r <resource_group> -a <storage_account_name> -c <storage_account_container_name>
Changelog:
2017-09-11 AutomationTeam:
-initial script
"""
import os
import base64
import automationassets
import azure.mgmt.storage
from azure.storage.blob import BlockBlobService
def get_automation_runas_credential(runas_connection):
""" Returns credentials to authenticate against Azure resoruce manager """
from OpenSSL import crypto
from msrestazure import azure_active_directory
import adal
# Get the Azure Automation RunAs service principal certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
pks12_cert = crypto.load_pkcs12(cert)
pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pks12_cert.get_privatekey())
# Get run as connection information for the Azure Automation service principal
application_id = runas_connection["ApplicationId"]
thumbprint = runas_connection["CertificateThumbprint"]
tenant_id = runas_connection["TenantId"]
# Authenticate with service principal certificate
resource = "https://management.core.windows.net/"
authority_url = ("https://login.microsoftonline.com/" + tenant_id)
context = adal.AuthenticationContext(authority_url)
return azure_active_directory.AdalAuthentication(
lambda: context.acquire_token_with_client_certificate(
resource,
application_id,
pem_pkey,
thumbprint)
)
def get_md5_checksum(path):
""" gets an MD5 hash of a file """
import hashlib
md5 = hashlib.md5()
with open(path, 'rb') as fh:
for data in iter(lambda: fh.read(4096), b""):
md5.update(data)
return md5
def download_blob(blob_file, local_path):
""" downloads a file from stroage to local path """
# Get diretory / file from the blob name
directoryname, filename = os.path.split(blob_file.name)
# If there is a direcotry, create it on the local file system if it doesn't exist
if directoryname:
if not os.path.exists(os.path.join(local_path, directoryname)):
os.makedirs((os.path.join(local_path, directoryname)))
# Download the blob if it is different than local file
if os.path.exists(os.path.join(local_path, blob.name)):
object_md5 = get_md5_checksum(os.path.join(local_path, blob_file.name))
if blob_file.properties.content_settings.content_md5 != base64.b64encode(object_md5.digest()):
blobservice.get_blob_to_path(storage_account_container_name, blob_file.name, os.path.join(local_path, blob_file.name))
else:
blobservice.get_blob_to_path(storage_account_container_name, blob_file.name, os.path.join(local_path, blob_file.name))
# Check that required arguments are specified
if (local_file_path is None
or storage_resource_group is None
or storage_account_name is None
or storage_account_container_name is None):
raise ValueError("local direcotry, storage resource group, storage account, and container must be specified as arguments")
# Authenticate to Azure resource manager
automation_runas_connection = automationassets.get_automation_connection("AzureRunAsConnection")
azure_credential = get_automation_runas_credential(automation_runas_connection)
subscription_id = str(automation_runas_connection["SubscriptionId"])
# Get storage key
storage_client = azure.mgmt.storage.StorageManagementClient(
azure_credential,
subscription_id)
storage_keys = storage_client.storage_accounts.list_keys(storage_resource_group, storage_account_name)
storage_account_key = storage_keys.keys[0].value
# Authenticate to the storage account
blobservice = BlockBlobService(account_name=storage_account_name, account_key=storage_account_key)
# If local directory does not exist, create it
if not os.path.exists(local_file_path):
os.makedirs(local_file_path)
blobs = blobservice.list_blobs(storage_account_container_name)
# Dowload all blobs from the container and create local file system to match
for blob in blobs:
download_blob(blob, local_file_path)
classic_run_as_connection["CertificateAssetName"])
sp_cert = OpenSSL.crypto.load_pkcs12(cert)
temp_pem_file = tempfile.NamedTemporaryFile(suffix='.pem', delete=False)
temp_pem_file.write(
OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM,
sp_cert.get_privatekey()))
temp_pem_file.write(
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
sp_cert.get_certificate()))
temp_pem_file.close()
return temp_pem_file
try:
# get Azure classic run as connection
automation_classic_run_as_connection = automationassets.get_automation_connection(
"AzureClassicRunAsConnection")
# get certificate from the service that is used for authentication
pem_file = None
pem_file = get_certificate_file(automation_classic_run_as_connection)
# authenticate against the serivce management api
service_management_client = azure.servicemanagement.ServiceManagementService(
automation_classic_run_as_connection["SubscriptionId"], pem_file.name)
# get list of hosted services and print out each service name
hosted_services = service_management_client.list_hosted_services()
for hosted_service in hosted_services:
print hosted_service.service_name
finally:
