# Strict mode is enabled for the whole script, so references to unset
# variables or missing properties raise errors instead of yielding $null.
Set-StrictMode -Version Latest

# Az modules that provide the Web App and Key Vault cmdlets used below.
Import-Module Az.Websites
Import-Module Az.KeyVault

# Defaults. An empty vault name means the Key Vault steps are skipped.
$vaultName = ""
$requiresAppSettings = $true
$requiresVaultAccess = -not [string]::IsNullOrEmpty($vaultName)
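# Required for local dev ############################################################################
# The #{...} tokens look like deployment-tool template placeholders that are
# substituted before the script runs -- confirm against the pipeline that
# renders this file.
$username = "#{AzureAccount.Username}"

# Prompt for the password interactively. The prompt text names the account,
# not the secret: the original message embedded the password placeholder, so a
# substituted template would have carried the password in plain text in the
# script body and shown it in the prompt.
$credential = Get-Credential -UserName $username -Message "Enter Password for $username"

Write-Output "Logging in with supplied credentials"
# NOTE(review): username/password sign-in is expected to fail for accounts
# that require MFA; a service principal or interactive login may be needed.
$null = Connect-AzAccount -Credential $credential

Write-Output "Switching to Subscription #{AzureAccount.SubscriptionName}"
$npeSubscriptionId = "#{AzureAccount.SubscriptionId}"
$null = Select-AzSubscription -Subscription $npeSubscriptionId

# Target web app and slot.
$resourceGroupName = "#{WebApp.ResourceGroupName}"
$webAppName = "#{WebApp.Name}"
$deploymentSlot = "staging"

# These two assignments override the defaults computed at the top of the
# script: Key Vault handling is forced off and app settings forced on.
$requiresVaultAccess = $False
$requiresAppSettings = $True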
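# Check for an active session before touching any resources.
$context = Get-AzContext

# Test $context itself first: with Set-StrictMode -Version Latest, reading
# .Account on a null context raises a property-not-found error, so the
# intended message below would never be shown when there is no session.
if (($null -eq $context) -or [string]::IsNullOrEmpty($context.Account)) {
    throw "An active Azure session is required"
}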
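# Read slot-specific app settings for Web App
$appSettings = @{}
$appSettings.add('#{AppSetting.ApiClientBaseUrlName}', '#{ApiClientBaseUrl}');

# Always defined, so a later read cannot fail under strict mode even if the
# guarding flag changes.
$appSettingsKeys = @()

if ($requiresAppSettings) {
    Write-Host "Read $($appSettings.Keys.Count) app settings from JSON Slot-Specific App Settings parameter"
    $appSettingsKeys = @($appSettings.Keys)

    # Log setting names only. The original echoed the whole table, values
    # included, to the output stream; app settings often hold connection
    # strings or keys, and deployment logs are typically readable by more
    # people than the settings themselves.
    Write-Host "App setting names: $($appSettingsKeys -join ', ')"
}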
#####################################################################################################
# Progress counters shared by the whole script (global scope).
$global:counter = 0
$global:totalSteps = 3

# Advances the global step counter by one and returns a "Step n/total" label
# for use as a log-line prefix.
function Get-StepCounter() {
    $global:counter += 1
    return "Step {0}/{1}" -f $global:counter, $global:totalSteps
}
#####################################################################################################
# The Key Vault path reports two extra progress steps.
if ($requiresVaultAccess) {
    $global:totalSteps = $global:totalSteps + 2
}

# Check web app exists
# NOTE(review): the result is not tested for $null here; whether a failed
# lookup stops the script depends on $ErrorActionPreference, which is not set
# in this file -- confirm.
$webAppRef = @{
    ResourceGroupName = $resourceGroupName
    Name              = $webAppName
}
Write-Host "$(Get-StepCounter) Checking if Web App $($webAppName) exists in Resource Group $($resourceGroupName)"
$sourceWebApp = Get-AzWebApp @webAppRef

if ($requiresVaultAccess) {
    # Check if vault exists (the returned vault object is discarded)
    Write-Host "$(Get-StepCounter) Checking if Key Vault $($vaultName) exists"
    Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName | Out-Null
}
# Look up the target slot. Errors are suppressed, so "slot not found" and any
# other lookup failure (permissions, network) both leave $existingSlot empty.
# NOTE(review): a failed lookup is therefore treated as "no slot exists".
$slotRef = @{
    ResourceGroupName = $resourceGroupName
    Name              = $webAppName
    Slot              = $deploymentSlot
}
Write-Host "$(Get-StepCounter) Checking if Slot exists - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"
$existingSlot = Get-AzWebAppSlot @slotRef -ErrorAction SilentlyContinue

# Delete any existing slot and access policies. This ensures a cleaner and more predictable deployment to the slot.
if ($null -ne $existingSlot) {
    # Revoke the old slot identity's Key Vault policy before the slot goes
    # away, so no access policy is left behind for a deleted principal.
    $revokeOldPolicy = ($requiresVaultAccess) -and ($null -ne $existingSlot.Identity)
    if ($revokeOldPolicy) {
        $stalePrincipalId = $existingSlot.Identity.PrincipalId
        Write-Host "Removing Existing Slot's Access Policy to $vaultName - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"
        Remove-AzKeyVaultAccessPolicy -ObjectId $stalePrincipalId -VaultName $vaultName -ResourceGroupName $resourceGroupName
    }

    # -ErrorAction Continue: a failed removal is reported but does not stop
    # the script here.
    Write-Host "Removing Existing Slot - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"
    Remove-AzWebAppSlot @slotRef -Force -ErrorAction Continue
}
# Create the slot
# We have to pass the -IgnoreCustomHostnames switch to prevent Azure cloning custom domain settings (results in ServerError: Conflict with hostname)
Write-Host "$(Get-StepCounter) Creating Slot - Slot Name: $deploymentSlot, Website: $webAppName, Resource Group: $resourceGroupName"

# Arguments are collected in a hashtable and splatted, so the app-settings
# override can be attached only when it is wanted.
$newSlotArgs = @{
    Name              = $webAppName
    ResourceGroupName = $resourceGroupName
    SourceWebApp      = $sourceWebApp
    Slot              = $deploymentSlot
}
if ($requiresAppSettings) {
    $newSlotArgs['AppSettingsOverrides'] = $appSettings
}
New-AzWebAppSlot -IgnoreCustomHostNames @newSlotArgs | Out-Null

if ($requiresAppSettings) {
    # Set Application Settings Names as Slot-Specific
    Write-Host "Setting $($appSettings.Keys.Count) Application Settings as 'Sticky' Slot-Specific settings - Slot Name: $deploymentSlot, Website: $webAppName, Resource Group: $resourceGroupName"
    Set-AzWebAppSlotConfigName -AppSettingNames $appSettingsKeys -ResourceGroupName $resourceGroupName -Name $webAppName | Out-Null
}
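if ($requiresVaultAccess) {
    # Key Vault
    Write-Host "$(Get-StepCounter) Setting Up Access to Key Vault $($vaultName) for Slot $($deploymentSlot) (2 steps)"
    Write-Host "Assigning System Identity to Slot $($deploymentSlot)"
    $null = Set-AzWebAppSlot -AssignIdentity $true -ResourceGroupName $resourceGroupName -Name $webAppName -Slot $deploymentSlot
}

# Re-read the slot so its Identity reflects the assignment made above.
$slot = Get-AzWebAppSlot -ResourceGroupName $resourceGroupName -Name $webAppName -Slot $deploymentSlot

if ($requiresVaultAccess) {
    # Stop with a clear message if the slot has no identity, rather than
    # calling Set-AzKeyVaultAccessPolicy with an empty object id or failing
    # with a strict-mode property error.
    if (($null -eq $slot) -or ($null -eq $slot.Identity) -or [string]::IsNullOrEmpty($slot.Identity.PrincipalId)) {
        throw "Slot $deploymentSlot has no system-assigned identity; not changing access policies on Key Vault $vaultName"
    }
    $slotObjectId = $slot.Identity.PrincipalId

    Write-Host "Adding Access Policy to Key Vault $($vaultName) for $($deploymentSlot) (MSI Object Id: $($slotObjectId))"
    Write-Warning "NB: Account must have created the key vault (via Powershell using -EnabledForTemplateDeployment switch), otherwise it isn't permitted to grant access policies via Powershell"

    # Grants get+list on both secrets and keys.
    # NOTE(review): least privilege -- if the app only reads named secrets,
    # 'list' and the key permissions may be unnecessary; confirm with the
    # application's actual usage before narrowing.
    $null = Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $slotObjectId -PermissionsToSecrets get, list -PermissionsToKeys get, list
}

Write-Host "Done."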