
Untitled

a guest
Apr 25th, 2019
  # Fail fast on uninitialised variables and references to missing properties.
  Set-StrictMode -Version Latest

  # Az modules providing the web app and Key Vault cmdlets used further down.
  Import-Module Az.Websites
  Import-Module Az.KeyVault

  # Feature switches for the rest of the script.
  $requiresAppSettings = $true
  # An empty vault name switches the Key Vault steps off (the local-dev section
  # later assigns $requiresVaultAccess again).
  $vaultName = ''
  $requiresVaultAccess = -not [string]::IsNullOrEmpty($vaultName)
  9.  
  10.  
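  # Required for local dev ############################################################################
  # The "#{...}" tokens look like deployment-time substitution placeholders (TODO confirm
  # which tool fills them in); they must hold real values before this section can run.
  $username = "#{AzureAccount.Username}"
  # The prompt names the account only. Never place the #{AzureAccount.Password} token in the
  # prompt text: once substituted, the secret itself would be shown on screen and written to
  # any transcript or log that captures the prompt.
  $credential = Get-Credential -UserName $username -Message "Enter password for $username"

  Write-Output "Logging in with supplied credentials"
  # NOTE(review): username/password sign-in is kept for local development; for unattended
  # runs prefer a service principal or managed identity so no user password is handled here.
  $null = Connect-AzAccount -Credential $credential

  Write-Output "Switching to Subscription #{AzureAccount.SubscriptionName}"
  $npeSubscriptionId = "#{AzureAccount.SubscriptionId}"
  $null = Select-AzSubscription -Subscription $npeSubscriptionId

  # Target web app and the slot this script rebuilds.
  $resourceGroupName = "#{WebApp.ResourceGroupName}"
  $webAppName = "#{WebApp.Name}"
  $deploymentSlot = "staging"

  # Local-dev override: these replace the values computed from $vaultName at the top of the
  # script, so the Key Vault steps stay disabled whatever $vaultName contains.
  $requiresVaultAccess = $False
  $requiresAppSettings = $True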
  28.  
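  # Check for an Active session
  # Get-AzContext can return nothing when no login exists. Test for that first: under
  # Set-StrictMode -Version Latest, reading .Account on $null fails with a property-access
  # error instead of the clear message below.
  $context = Get-AzContext
  if (($null -eq $context) -or [string]::IsNullOrEmpty($context.Account)) {
      throw "An active Azure session is required"
  }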
  34.  
  # Read slot-specific app settings for Web App
  $appSettings = @{}
  $appSettings['#{AppSetting.ApiClientBaseUrlName}'] = '#{ApiClientBaseUrl}'
  # NOTE(review): this bare expression writes every setting name AND value to the output
  # stream. If a secret is ever added to $appSettings it will land in the run log; consider
  # emitting the key names only.
  $appSettings
  if ($requiresAppSettings) {
      Write-Host "Read $($appSettings.Keys.Count) app settings from JSON Slot-Specific App Settings parameter"

      # Setting names only; used later to mark these settings as slot-specific.
      $appSettingsKeys = foreach ($entry in $appSettings.GetEnumerator()) { $entry.Key }
  }
  46.  
  #####################################################################################################
  # Progress bookkeeping lives in global scope so Get-StepCounter can update it.
  $global:counter = 0
  $global:totalSteps = 3

  function Get-StepCounter() {
      # Advance the counter, then emit the "Step n/total" label used as a log prefix.
      $global:counter += 1
      'Step {0}/{1}' -f $global:counter, $global:totalSteps
  }
  #####################################################################################################
  55.  
  # The Key Vault path adds two more progress steps to the total.
  if ($requiresVaultAccess) {
      $global:totalSteps = $global:totalSteps + 2
  }

  # Check web app exists
  # NOTE(review): unless $ErrorActionPreference is 'Stop', a failed lookup here may only write
  # an error and let the script carry on with an empty $sourceWebApp - confirm the caller's setting.
  Write-Host "$(Get-StepCounter) Checking if Web App $($webAppName) exists in Resource Group $($resourceGroupName)"
  $sourceWebApp = Get-AzWebApp -Name $webAppName -ResourceGroupName $resourceGroupName

  if ($requiresVaultAccess) {
      # Check if vault exists
      Write-Host "$(Get-StepCounter) Checking if Key Vault $($vaultName) exists"
      $null = Get-AzKeyVault -ResourceGroupName $resourceGroupName -VaultName $vaultName
  }
  70.  
  Write-Host "$(Get-StepCounter) Checking if Slot exists - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"

  # NOTE(review): SilentlyContinue hides every lookup error, not only "slot not found"; an
  # authorisation or network failure is indistinguishable from a missing slot here.
  $existingSlot = Get-AzWebAppSlot -Name $webAppName -Slot $deploymentSlot -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue

  # Delete any existing slot and access policies. This ensures a cleaner and more predictable deployment to the slot.
  if ($null -ne $existingSlot) {
      # NOTE(review): the old identity's vault policy is removed only when $requiresVaultAccess
      # is set; otherwise deleting the slot may leave a stale policy entry behind - confirm.
      if ($requiresVaultAccess -and ($null -ne $existingSlot.Identity)) {
          Write-Host "Removing Existing Slot's Access Policy to $vaultName - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"
          Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $existingSlot.Identity.PrincipalId
      }

      # -ErrorAction Continue: a failed removal is reported but does not stop the script.
      Write-Host "Removing Existing Slot - Slot Name: $deploymentSlot Website: $webAppName Resource Group: $resourceGroupName"
      Remove-AzWebAppSlot -ResourceGroupName $resourceGroupName -Name $webAppName -Slot $deploymentSlot -Force -ErrorAction Continue
  }
  85.  
  86.  
  # Create the slot
  # -IgnoreCustomHostNames stops Azure cloning the custom domain settings, which otherwise
  # fails with "ServerError: Conflict with hostname".
  # NOTE(review): the slot is created from $sourceWebApp; check which app settings and
  # connection strings the new slot inherits from the source app before exposing it.
  Write-Host "$(Get-StepCounter) Creating Slot - Slot Name: $deploymentSlot, Website: $webAppName, Resource Group: $resourceGroupName"
  $newSlotArgs = @{
      Name              = $webAppName
      ResourceGroupName = $resourceGroupName
      Slot              = $deploymentSlot
      SourceWebApp      = $sourceWebApp
  }
  if ($requiresAppSettings) {
      # Slot-specific values replace whatever the source app carries for the same names.
      $newSlotArgs['AppSettingsOverrides'] = $appSettings
  }

  $null = New-AzWebAppSlot @newSlotArgs -IgnoreCustomHostNames

  if ($requiresAppSettings) {
      # Set Application Settings Names as Slot-Specific
      Write-Host "Setting $($appSettings.Keys.Count) Application Settings as 'Sticky' Slot-Specific settings - Slot Name: $deploymentSlot, Website: $webAppName, Resource Group: $resourceGroupName"
      $null = Set-AzWebAppSlotConfigName -Name $webAppName -ResourceGroupName $resourceGroupName -AppSettingNames $appSettingsKeys
  }
  108.  
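  if ($requiresVaultAccess) {
      # Key Vault
      Write-Host "$(Get-StepCounter) Setting Up Access to Key Vault $($vaultName) for Slot $($deploymentSlot) (2 steps)"
      Write-Host "Assigning System Identity to Slot $($deploymentSlot)"
      $null = Set-AzWebAppSlot -AssignIdentity $true -ResourceGroupName $resourceGroupName -Name $webAppName -Slot $deploymentSlot
  }

  # Re-read the slot so its identity (when one was assigned above) is available below.
  $slot = Get-AzWebAppSlot -ResourceGroupName $resourceGroupName -Name $webAppName -Slot $deploymentSlot

  if ($requiresVaultAccess) {
      # Stop with a clear message when the slot has no identity, rather than passing an empty
      # object id to the access-policy call or failing on a null property under strict mode.
      if (($null -eq $slot) -or ($null -eq $slot.Identity) -or [string]::IsNullOrEmpty($slot.Identity.PrincipalId)) {
          throw "Slot $deploymentSlot has no managed identity; cannot grant Key Vault access"
      }

      $slotObjectId = $slot.Identity.PrincipalId
      Write-Host "Adding Access Policy to Key Vault $($vaultName) for $($deploymentSlot) (MSI Object Id: $($slotObjectId))"
      Write-Warning "NB: Account must have created the key vault (via Powershell using -EnabledForTemplateDeployment switch), otherwise it isn't permitted to grant access policies via Powershell"
      # NOTE(review): this grants get and list on both secrets and keys. Narrow the permission
      # sets to what the app actually reads (for example secrets 'get' only) if it needs less.
      $null = Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $slotObjectId -PermissionsToSecrets get, list -PermissionsToKeys get, list
  }

  Write-Host "Done."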