A customer asked me if there is an easy to export all the information about resources in Azure like resource groups, PaaS database servers, storage accounts etc. I found out that there is no easy automatic way to do this. That’s why I created a PowerShell script to get all the information the customer wanted and deliver this Excel sheet by a schedule in an Automation Account. In this blog post I will explain how I did this and how you can set this up by using my script.
In order to let the script run on a schedule I made use of an automation account. This can easily be created in Azure. Just go to the portal, use PowerShell or one of the many possible ways to deploy resources in Azure to create a new automation account. Set the ‘Create Azure Run As account’ to ‘Yes’.
An automation account is not just for process automation only, it can do lots more, like:
- Update Management – Connect IaaS workloads and let updates be installed on a schedule.
- Configuration Management – Let’s you set and track the configuration of IaaS workloads.
- Related resources – For example Start / Stop VMs and linking a Log Analytics workspace.
Besides these features it can also be integrated with source control systems like:
- Azure Repos (Git)
- Azure Repos (TFVC)
Another great feature of a automation account is the ability to import custom modules. Under shared resources > Modules, there is the option to import custom modules in a ZIP format or you can browse the gallery with all sorts of custom modules. For the Azure Inventory I made use of the following custom or additional modules:
- ImportExcel (link)
After importing the custom module make sure that you update the Azure modules in order to get the inventory running. You can easily do this by using the button ‘Update Azure Modules’.
Run as connection
The script uses a Run as connection that is created by default. The run as connection is named ‘AzureRunAsConnection‘. This connection uses a Azure Service Principal that needs the appropriate rights on a subscription in order to extract the data. By default the Service Principal is getting ‘Contributor’ rights on the subscription where it is created. For the inventory to run it just needs ‘Reader’ permissions. To change this we need the application id of the service principal, this can be found when you click on the ‘AzureRunAsConnection’.
Now with the application id we can change the service principle to ‘Reader’. Go to Subscriptions > Select Subscription > Access Control (IAM) > Role Assignment > Add > Add Role Assignment > Paste the application id in the select field and select ‘Reader’ and select Save.
After we made the service principle ‘Reader’ we can remove the contributor role by selecting the service principal and click ‘Remove’.
The script provided can be found on my github. But before we can copy this we need to create a runbook. Go to runbooks > ‘Create a runbook’, and fill in the Name, Runbook type and Description.
After creating the runbook we can paste the Azure Inventory script from Github in to the runbook and click ‘Save’ and Publish
To send out an e-mail with the Azure Inventory after the script is finished I used Office 365. In the script itself you can find the section for this below. The script uses credentials from the automation account. You can create a credential by going to Shared Resources > Credentials > Add a credential. Be sure to use the same name as in the script.
In order to have the correct permissions we need to adjust something on the app registration of the run as connection. Go to Azure AD > APP registrations and search for the application id of your run as account. Select it and go to settings > required permissions and click add. Select the permissions just like the screenshot, only Read is required. Click save and don’t forget to click ‘Grant Permissions’ because this will actually set the permissions.
Now that everything is in place we can schedule the script to be send out on a regular base. Go to shared resources > Schedules > Add a schedule. Give the schedule a name, description and set the Recurrence and start time.
After creation the newly created schedule must be linked to the runbook. Go to runbooks > select the AzureInventory runbook and click ‘Link to schedule’. Select the create schedule and click Ok.
Now you are all set to get an overview every day of your Azure environment.
If some functions are not present in Azure, the platform itself has enough capabilities to create your own function. This blog show how native services like Azure automation can be used to help accomplishing requests from customers in a way that everybody can.