Azure Resource Manager (ARM) PowerShell
Using PowerShell automation with the Microsoft Azure cloud platform gives you more consistent, repeatable, and auditable controls over your cloud resources. During this course, we will explore the process of connecting Microsoft Windows PowerShell to the Microsoft Azure platform. We'll talk about the installation and authentication process, managing your Azure subscriptions, and Azure Resource Manager (ARM) Resource Groups. We will deploy an ARM JSON Template to a Resource Group, and finally demonstrate how easy it is to deploy cloud resources individually, through imperative provisioning!
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello. In this video demonstration, we're going to show how to install the Azure Resource Manager PowerShell Module. First, we're going to take a look at the PowerShell Gallery. The PowerShell Gallery can be accessed using a series of commands in the PowerShellGet module.
So if we call up the PowerShell core command called "Get-Command" and then specify the module parameter and pass in "PowerShellGet" as the parameter value, you'll see that we get a list of commands that allow us to interact with the PowerShell gallery.
Now as you can see we have a tool called "Find-Module." And if we call "Find-Module" we can specify a few different parameters including the name parameter. The name of the Azure Resource Manager PowerShell Module on the PowerShell Gallery is simply "AzureRM." So if we call "Find-Module AzureRM" you'll see that we can find the latest version of it.
Now as you can see we're currently running PowerShell ISE as a nonadministrator. So I'm actually going to go ahead and launch a new instance of PowerShell ISE using the UAC token. So now, I've launched PowerShell ISE with the UAC token and I'm running it as administrator. Now I need to make sure I run it as administrator in order to successfully install the "AzureRM" module.
So let's go ahead and call an "Install-Module -Name AzureRM." And by default, it's going to install to the "All Users" scope so that all users have access to that module. So now, we've installed the module. Let's make sure that it's available to us. So if we called "Get-Module -ListAvailable" that's going to list the modules that could be imported into our PowerShell session. It's not going to list the PowerShell modules that are actually imported into our PowerShell session. So anyway, I'm going to call "Get-Module -ListAvailable -Name AzureRM." So if I go ahead and hit "Enter" there you'll see that I've got actually two different versions of the AzureRM module installed.
So now that we have the AzureRM module installed, let's call "Get-Command" for that module. So I'm going to call "Get-Command -Module AzureRM." So here's a list of commands that are available in the AzureRM PowerShell Module. As you can see here, we've got a command called "Install-AzureRM" which is actually an alias to another command.
So how do we find out what command that's aliased to? Well we can call "Get-Alias -Name Install-AzureRM." And as you can see let's just pipe that into select star here. The alias "Install-AzureRM" points to the "Update-AzureRM" command. And so what that's going to do is actually invoke the update process for all of the child modules for AzureRM.
So let's go ahead and just call "Update-AzureRM." And this command is going to go out and that's going to pull all of the different feature specific PowerShell Modules for Azure Resource Manager into our PowerShell session. So let's come back in a minute here and we'll look at the process to follow after this is completed.
Okay, as you can see we have now successfully installed all of the Azure Resource Manager Child Modules. So now, we can start leveraging these modules inside of our automation scripts or interactively. So let's go ahead and create a new script file here. And the first thing that we're going to do is call "Login-AzureRMAccount." This command is going to pop up an authentication dialog for us to authenticate against the Microsoft Azure platform with. So let's go ahead and just hit "F8" here. And as you can see the "Login-AzureRMAccount" command is running. And on my other screen, we're actually going to get the Microsoft Azure login dialog. So I could type my Azure Active Directory user account credential here or I could specify my Microsoft account.
Now if you want to run scripts silently so that they don't depend on user interaction you can actually use the credential parameter of the Login-AzureRMAccount command. So the credential parameter for Login-AzureRMAccount expects a "PSCredential" object. So the first thing that we need to do is actually create a PSCredential. So I'm going to create a variable here called "AzureCredential." And I'm going to assign the results of the "Get-Credential" command to that variable. I'm going to specify the username, which I'll use a new variable called "AzureUsername." And I'm also going to specify a message to prompt the user to type their password. So I'm going to say, "Please enter your Microsoft Azure password."
Now I need to create the Azure username variable. So Azure username will be "Trevor@TrevorSullivan.net." And of course, you would specify your own Azure Active Directory account here instead. It's important to understand that the credential parameter does not support using Microsoft accounts. So you'll need to make sure that you have an Azure Active Directory user account specified in your "PSCredential" object.
So now, I'm going to pass in the "AzureCredential" object into the credential parameter. If I hit "F5" to run the script, you'll see that I get prompted for a password and I can simply type that password and successfully be authenticated to Azure. Now you might say, "Well how do I run my script silently this way?" Well what you can actually do is persist your password to disk and then read it back from disk as an encrypted string when you need to use it.
So what we're going to do is to take our password and persist it to disk. We're going to call "AzureCredential.GetNetworkCredential.Password." Actually let's call this first here. And then we'll do a "Get-Member" on the "AzureCredential." And you'll see that I have my password as a secure string here. So what I can do is call "AzureCredential.GetNetworkCredential.SecurePassword." And then convert that from a SecureString object to an actual secure string. And then I can take that secure string, that encrypted string and put it into a file. And so we'll put it as "env:USERPROFILE\azurepassword.txt."
Okay so now if we look at the contents of that file, let's go to "\user\TrevorSullivan" here. So if I do "Get-Content" on the "azurepassword.txt" you'll see that I have this encrypted string, which uses the Windows Data Protection API to encrypt it. So all I have to do to decrypt it is read that file from disk and pipe it into "ConvertTo-SecureString."
So now that I've got that password persisted to disk I can simply construct a new PSCredential by using the "New-Object" command. We'll specify the type name which is "PSCredential." And then we'll specify the "ArgumentList" which is an array of objects. So the "PSCredential" expects the username in clear text. So we'll use "AzureUsername." And then it also expects a "SecureString" object which we have here in the "SecurePassword." So if I hit "F8" to read that password in from disk and then convert it to a secure string the "SecurePassword" is actually a "SecureString" object. And then we can pass that in to the "New-Object" commands to construct this new "PSCredential" object through its constructor.
So now, instead of prompting myself for my credential every time I run the script I can simply construct the "Azure Credential" using this methodology. So now, I've got my Azure username, my password, which is being read in from disk. And then finally I'm constructing the PSCredential and logging in. So if I hit "F5" you'll see that this script actually runs completely silently and authenticates me to Azure.
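The silent login procedure described above, written out as an added example (not the script shown in the video). The username is a placeholder, and the ACL tightening and decryption check are additions that the walkthrough does not perform.

```powershell
# Added example: constructed values, not from the course. Assumes the AzureRM module is installed.
$AzureUsername = 'automation@example.onmicrosoft.com'   # placeholder Azure AD account
$PasswordFile  = Join-Path -Path $env:USERPROFILE -ChildPath 'azurepassword.txt'

if (-not (Test-Path -Path $PasswordFile)) {
    # One-time interactive step: prompt for the password and persist it.
    $Prompted = Get-Credential -UserName $AzureUsername -Message 'Please enter your Microsoft Azure password.'

    # Without -Key or -SecureKey, ConvertFrom-SecureString protects the string with the
    # Windows Data Protection API: only this user on this machine can decrypt it.
    $Prompted.GetNetworkCredential().SecurePassword |
        ConvertFrom-SecureString |
        Set-Content -Path $PasswordFile

    # Any process running as this user can still decrypt the file. Tightening the ACL
    # (an addition to the walkthrough) keeps the blob away from other accounts.
    $Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    icacls.exe $PasswordFile /inheritance:r /grant:r "${Me}:(R,W)" | Out-Null
}

try {
    # Fails when the file was created by another user or on another machine,
    # because the DPAPI key will not match.
    $SecurePassword = Get-Content -Path $PasswordFile -ErrorAction Stop |
        ConvertTo-SecureString -ErrorAction Stop
}
catch {
    throw "Cannot decrypt $PasswordFile as $env:USERNAME on $env:COMPUTERNAME; re-create it under this account."
}

# PSCredential takes the username in clear text and the password as a SecureString.
$AzureCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $AzureUsername, $SecurePassword

# -Credential accepts Azure Active Directory accounts only, not Microsoft accounts.
Login-AzureRmAccount -Credential $AzureCredential | Out-Null
```

For a scheduled task or service, create the password file while logged on as the account the task runs under, since no other account can decrypt it.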
Okay let's take a closer look at the AzureRM.profile module. I'm going to call "Get-Command" and specify the module I want to get commands for is the AzureRM.profile module. So if we hit "F8" to run just that one line you'll see that there is a variety of commands that help us to manage our accounts.
There's a couple of key commands here in the Azure Resource Manager PowerShell Module that allow you to enable or disable data collection about the usage of the module on your system. If you want to help Microsoft improve their software, you can call "Enable-AzureRMDataCollection" and that will enable automatic data collection on an anonymous basis so that Microsoft can improve the Azure Resource Manager PowerShell Module based on everyone's utilization of it. I encourage you to enable data collection to help Microsoft improve it.
You'll also see that there's a variety of commands that help you to manage contexts, subscriptions and profiles. So when we call the "Login-AzureRMAccount" command, what we actually get back is called an "AzureProfile" object. So if we assign the results of "Login-AzureRMAccount" to a variable, we can use the built-in PowerShell command "Get-Member" to examine it. As you can see, the type of object that this is, is a PSAzureProfile. The Azure profile has a couple of key properties specifically the context and environments. The environment is the cloud environment that you are authenticated to such as the Microsoft Azure Public Cloud, the Azure China Cloud, the Azure Government Cloud and other on-premises environments.
If we run the "Save-AzureRMProfile" command, we can actually persist our entire Azure profile to disk. So let's call "Save-AzureRMProfile" and then we pass in the profile object which would be the one that we obtained when we logged into Azure. So we'll call "AzureProfile" here. And then finally we need to specify a path. So in this case, I'm going to output my Azure Profile object to a JSON file in my user directory.
So now, if I go retrieve the content of that file you'll see that it's persisted a bunch of encrypted information such as my user token, the endpoints that I'm authenticated to and my subscription details all into that JSON file. So that way I can write automation scripts that utilize this profile by calling "Select-AzureRMProfile" and then telling this command where on disk that profile is.
So if I were to create a new PowerShell session, instead of authenticating to Azure using "Login-AzureRMAccount," I could actually use "Select-AzureRMProfile" to select that specific profile on disk. Using this technique, you can also log in to Azure using multiple accounts and then simply specify the profile that you currently want to operate on. So if I needed to login to two different accounts I could simply copy all of this code up here and then authenticate a second time using an entirely different account. And then I could simply change the name of the Azure Profile to "AzureProfile2" so that I have a unique variable containing that profile. Once I've created those additional profiles, I can then just call "Select-AzureRMProfile" and instead of using the path parameter I would use the profile parameter to specify a different profile object.
Another concept you want to be familiar with is the ability to select a different subscription. So as you can see there is a command called "Select-AzureRMSubscription" which is actually an alias like some of the other commands that we've looked at. So the "Select-AzureRMSubscription" command is actually an alias for "Set-AzureRMContext." So if we call "Set-AzureRMContext" we can specify the subscription name or the subscription ID that we want to operate on.
So if I were to call the "Get-AzureRMSubscription" command I would be able to see a list of subscriptions that are available to the profile that's currently selected. So I'm currently working on my profile with Trevor@TrevorSullivan.net which has access to two different subscriptions. One called Visual Studio Ultimate with MSDN and the other called Microsoft Partner Network. So now, if I want to change the subscription that I'm operating on, I can simply specify the subscription name parameter on "Set-AzureRMContext." And then if I hit "F8" I have now changed contexts into that subscription.
Trevor Sullivan is a Microsoft MVP for Windows PowerShell, and enjoys working with cloud and automation technologies. As a strong, vocal veteran of the Microsoft-centric IT field since 2004, Trevor has developed open source projects, provided significant amounts of product feedback, authored a large variety of training resources, and presented at IT functions including worldwide user groups and conferences.