def get_automation_runas_token(): """ Returs a token that can be used to authenticate against Azure resources """ from OpenSSL import crypto import adal import automationassets # Get the Azure Automation RunAs service principal certificate cert = automationassets.get_automation_certificate("AzureRunAsCertificate") sp_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey()) # Get run as connection information for the Azure Automation service principal runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] # Authenticate with service principal certificate resource = "https://management.core.windows.net/" authority_url = ("https://login.microsoftonline.com/" + tenant_id) context = adal.AuthenticationContext(authority_url) azure_credential = context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint) # Return the token return azure_credential.get('accessToken')
def import_child_runbook(resource_group, automation_account, runbook_name): """ Downloads a runbook from the automation account to the cloud container """ import os import sys import requests import automationassets # Get RunAs access token access_token = get_automation_runas_token() # Set what resources to act against runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") subscription_id = str(runas_connection["SubscriptionId"]) # Set up URI to create a new automation job uri = ("https://management.azure.com/subscriptions/" + subscription_id + "/resourceGroups/" + resource_group + "/providers/Microsoft.Automation/automationAccounts/" + automation_account + "/runbooks/" + runbook_name + "/content?api-version=2015-10-31") # Make request to get runbook content headers = {"Authorization": 'Bearer ' + access_token} result = requests.get(uri, headers=headers) runbookfile = os.path.join(sys.path[0], runbook_name) + ".py" with open(runbookfile, "w") as text_file: text_file.write(result.text) # Import downloaded python module and return to caller import importlib return importlib.import_module(runbook_name)
def get_automation_runas_credential(): """ Returs a credential that can be used to authenticate against Azure resources """ from OpenSSL import crypto from msrestazure import azure_active_directory import adal import automationassets # Get the Azure Automation RunAs service principal certificate runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") cert = automationassets.get_automation_certificate("AzureRunAsCertificate") sp_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey()) # Get run as connection information for the Azure Automation service principal application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] # Authenticate with service principal certificate resource = "https://management.core.chinacloudapi.cn/" authority_url = ("https://login.partner.microsoftonline.cn/" + tenant_id) context = adal.AuthenticationContext(authority_url) return azure_active_directory.AdalAuthentication( lambda: context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint))
def import_child_runbook(resource_group, automation_account, runbook_name): import os import sys import requests import automationassets access_token = get_automation_runas_token() runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") subscription_id = str(runas_connection["SubscriptionId"]) uri = ("https://management.azure.com/subscriptions/" + subscription_id + "/resourceGroups/" + resource_group + "/providers/Microsoft.Automation/automationAccounts/" + automation_account + "/runbooks/" + runbook_name + "/content?api-version=2015-10-31") headers = {"Authorization": 'Bearer ' + access_token} result = requests.get(uri, headers=headers) runbookfile = os.path.join(sys.path[0], runbook_name) + ".py" with open(runbookfile, "w") as text_file: text_file.write(result.text) import importlib return importlib.import_module(runbook_name)
def adal_vault_callback(server, resource, scope): """ Returns a token that can be used to authenticate against Azure resources """ from OpenSSL import crypto import adal import automationassets # Get the Azure Automation RunAs service principal certificate cert = automationassets.get_automation_certificate("AzureRunAsCertificate") sp_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey()) # Get run as connection information for the Azure Automation service principal runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] # Authenticate with service principal certificate if not resource: resource = "https://vault.azure.net" if not server: server = ("https://login.windows.net/" + tenant_id) context = adal.AuthenticationContext(server) azure_credential = context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint) # Return the token return azure_credential.get('tokenType'), azure_credential.get( 'accessToken')
def verify_connection(): actualconnection = automationassets.get_automation_connection(AzureConnectionName) if actualconnection["AutomationCertificateName"] == expectedFieldValuesAzureConnection["AutomationCertificateName"]: print "Get Azure connection Successful" else: print "ERROR: Get Azure Connection Failed" actualconnection = automationassets.get_automation_connection(AzureSPConnectionName) if actualconnection["CertificateThumbprint"] == expectedFieldValuesAzureSP["CertificateThumbprint"]: print "Get Azure SP connection Successful" else: print "ERROR: Get Azure SP connection Failed" actualconnection = automationassets.get_automation_connection(AzureClassicCertConnectionName) if actualconnection["CertificateAssetName"] == expectedFieldValuesAzureCC["CertificateAssetName"]: print "Get Azure Classic connection Successful" else: print "ERROR: Get Azure Classic connection Failed"
def get_compute_client(): """ Authenticate to Azure using the Azure Automation RunAs service principal """ runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") azure_credential = get_automation_runas_credential(runas_connection) compute_client = ComputeManagementClient( azure_credential, str(runas_connection["SubscriptionId"])) return compute_client
def main(): webhook_data = "" for arg in sys.argv: webhook_data += arg if webhook_data: webhook = parse_webhook_data(webhook_data) else: print("ERROR: no webhook received") sys.exit(-1) # Authenticate to Azure using the Azure Automation RunAs service principal runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") azure_credential = get_automation_runas_credential(runas_connection) subscription_id = runas_connection['SubscriptionId'] # KeyVaultManagement Client to manage KV resources only kv_mgmt_client = KeyVaultManagementClient(azure_credential, subscription_id) kv_client = KeyVaultClient(KeyVaultAuthentication(adal_vault_callback)) # Get Event Hub Details from Key Vault namespace = get_kv_secret(kv_client, 'EventHubNamespace') event_hub = get_kv_secret(kv_client, 'EventHub') user = get_kv_secret(kv_client, 'EventHubKeyName') key = get_kv_secret(kv_client, 'EventHubKey') headers = get_http_header(namespace, event_hub, user, key) params = get_http_params() # Publish event to Event Hub via REST API, for some reason can't use the # Event Hub SDK to directly publish the event uri = "https://{}.servicebus.windows.net/{}/messages".format( namespace, event_hub) r = requests.post(url=uri, headers=headers, params=params, data=json.dumps(webhook)) print(r) print("sent event to event hub") print(json.dumps(webhook, indent=4))
def get_automation_runas_credential(): from OpenSSL import crypto from msrestazure import azure_active_directory import adal import automationassets runas_connection = automationassets.get_automation_connection( "AzureRunAsConnection") cert = automationassets.get_automation_certificate("AzureRunAsCertificate") sp_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey()) application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] resource = "https://management.core.windows.net/" authority_url = ("https://login.microsoftonline.com/" + tenant_id) context = adal.AuthenticationContext(authority_url) return azure_active_directory.AdalAuthentication( lambda: context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint))
logging.info("%s - Starting" % datetime.datetime.now()) logging.info("INPUT: %s" % sys.argv) #try: prsArg = json.loads(json.loads(sys.argv[1])['RequestBody']) print(prsArg) newCompartmentName = prsArg['subname'] newCompartmentOwner = prsArg['owner'] newCompartmentBudget = float(prsArg['monthlybudget']) storage_account = automationassets.get_automation_variable( 'oci_storage_account') storage_share = automationassets.get_automation_variable( 'oci_storage_share_name') automationConnection = automationassets.get_automation_connection( "AzureRunAsConnection") AZTenantId = automationConnection["TenantId"] logging.info("Getting OCI config files from file share - account: %s " % storage_account) file_service = FileService( account_name=storage_account, account_key=automationassets.get_automation_variable( 'oci_storage_account_key')) # Create target Directory if don't exist if not os.path.exists('.oci'): os.mkdir('.oci') logging.info("Created the .oci directory") logging.info("Downloading config files to .oci")
def download_file(resource_group, automation_account, runbook_name, runbook_type): """ Downloads a runbook from the automation account to the cloud container """ import os import sys import requests import automationassets # Return token based on Azure automation Runas connection def get_automation_runas_token(runas_connection): """ Returs a token that can be used to authenticate against Azure resources """ from OpenSSL import crypto import adal # Get the Azure Automation RunAs service principal certificate cert = automationassets.get_automation_certificate("AzureRunAsCertificate") sp_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, sp_cert.get_privatekey()) # Get run as connection information for the Azure Automation service principal application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] # Authenticate with service principal certificate resource = "https://management.core.windows.net/" authority_url = ("https://login.microsoftonline.com/" + tenant_id) context = adal.AuthenticationContext(authority_url) azure_credential = context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint) # Return the token return azure_credential.get('accessToken') # Authenticate to Azure using the Azure Automation RunAs service principal automation_runas_connection = automationassets.get_automation_connection("AzureRunAsConnection") access_token = get_automation_runas_token(automation_runas_connection) # Set what resources to act against subscription_id = str(automation_runas_connection["SubscriptionId"]) # Set up URI to create a new automation job uri = ("https://management.azure.com/subscriptions/" + subscription_id + "/resourceGroups/" + resource_group + "/providers/Microsoft.Automation/automationAccounts/" + automation_account + "/runbooks/" + runbook_name + "/content?api-version=2015-10-31") # Make request to create new automation job headers = {"Authorization": 'Bearer ' + access_token} result = requests.get(uri, headers=headers) runbookfile = os.path.join(sys.path[0], runbook_name) + runbook_type with open(runbookfile, "w") as text_file: text_file.write(result.text)
def install_packages(local_file_path, storage_account_name, storage_resource_group, storage_account_container_name): """ Copies folders or files in a container from an Azure storage account to a local directory. Example 1: install_packages.py -p <local_file_path> -r <resource_group> -a <storage_account_name> -c <storage_account_container_name> Changelog: 2017-09-11 AutomationTeam: -initial script """ import os import base64 import automationassets import azure.mgmt.storage from azure.storage.blob import BlockBlobService def get_automation_runas_credential(runas_connection): """ Returns credentials to authenticate against Azure resoruce manager """ from OpenSSL import crypto from msrestazure import azure_active_directory import adal # Get the Azure Automation RunAs service principal certificate cert = automationassets.get_automation_certificate("AzureRunAsCertificate") pks12_cert = crypto.load_pkcs12(cert) pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pks12_cert.get_privatekey()) # Get run as connection information for the Azure Automation service principal application_id = runas_connection["ApplicationId"] thumbprint = runas_connection["CertificateThumbprint"] tenant_id = runas_connection["TenantId"] # Authenticate with service principal certificate resource = "https://management.core.windows.net/" authority_url = ("https://login.microsoftonline.com/" + tenant_id) context = adal.AuthenticationContext(authority_url) return azure_active_directory.AdalAuthentication( lambda: context.acquire_token_with_client_certificate( resource, application_id, pem_pkey, thumbprint) ) def get_md5_checksum(path): """ gets an MD5 hash of a file """ import hashlib md5 = hashlib.md5() with open(path, 'rb') as fh: for data in iter(lambda: fh.read(4096), b""): md5.update(data) return md5 def download_blob(blob_file, local_path): """ downloads a file from stroage to local path """ # Get diretory / file from the blob name directoryname, filename = os.path.split(blob_file.name) # If there is a direcotry, create it on the local file system if it doesn't exist if directoryname: if not os.path.exists(os.path.join(local_path, directoryname)): os.makedirs((os.path.join(local_path, directoryname))) # Download the blob if it is different than local file if os.path.exists(os.path.join(local_path, blob.name)): object_md5 = get_md5_checksum(os.path.join(local_path, blob_file.name)) if blob_file.properties.content_settings.content_md5 != base64.b64encode(object_md5.digest()): blobservice.get_blob_to_path(storage_account_container_name, blob_file.name, os.path.join(local_path, blob_file.name)) else: blobservice.get_blob_to_path(storage_account_container_name, blob_file.name, os.path.join(local_path, blob_file.name)) # Check that required arguments are specified if (local_file_path is None or storage_resource_group is None or storage_account_name is None or storage_account_container_name is None): raise ValueError("local direcotry, storage resource group, storage account, and container must be specified as arguments") # Authenticate to Azure resource manager automation_runas_connection = automationassets.get_automation_connection("AzureRunAsConnection") azure_credential = get_automation_runas_credential(automation_runas_connection) subscription_id = str(automation_runas_connection["SubscriptionId"]) # Get storage key storage_client = azure.mgmt.storage.StorageManagementClient( azure_credential, subscription_id) storage_keys = storage_client.storage_accounts.list_keys(storage_resource_group, storage_account_name) storage_account_key = storage_keys.keys[0].value # Authenticate to the storage account blobservice = BlockBlobService(account_name=storage_account_name, account_key=storage_account_key) # If local directory does not exist, create it if not os.path.exists(local_file_path): os.makedirs(local_file_path) blobs = blobservice.list_blobs(storage_account_container_name) # Dowload all blobs from the container and create local file system to match for blob in blobs: download_blob(blob, local_file_path)
classic_run_as_connection["CertificateAssetName"]) sp_cert = OpenSSL.crypto.load_pkcs12(cert) temp_pem_file = tempfile.NamedTemporaryFile(suffix='.pem', delete=False) temp_pem_file.write( OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, sp_cert.get_privatekey())) temp_pem_file.write( OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, sp_cert.get_certificate())) temp_pem_file.close() return temp_pem_file try: # get Azure classic run as connection automation_classic_run_as_connection = automationassets.get_automation_connection( "AzureClassicRunAsConnection") # get certificate from the service that is used for authentication pem_file = None pem_file = get_certificate_file(automation_classic_run_as_connection) # authenticate against the serivce management api service_management_client = azure.servicemanagement.ServiceManagementService( automation_classic_run_as_connection["SubscriptionId"], pem_file.name) # get list of hosted services and print out each service name hosted_services = service_management_client.list_hosted_services() for hosted_service in hosted_services: print hosted_service.service_name finally: