Logic Apps, Azure Automation and Functions make a simple task ... way simpler (#1/3)

Part 1

I needed to get a daily report of the VMs on the tenant subscriptions, with a few additional analyses of this information, and send it via e-mail.

Azure Automation is the first service that comes to mind when you need to extract info from the Azure Resource Model, and you could also send an email directly from it. In this case, I preferred to focus on Azure Logic Apps: I also had to compose and format the report with a bit of code, and I felt relying on Azure Functions was the optimal choice, while Azure Logic Apps was the best way to orchestrate this workflow.

A bit of intro on the involved services:

  • Azure Automation delivers a cloud-based automation and configuration service that provides consistent management across your Azure and non-Azure environments.
  • Azure Logic Apps is a cloud service in Azure that simplifies how you design and create scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.
  • Azure Functions is a serverless compute service that enables you to run code on-demand without having to explicitly provision or manage infrastructure.

In a nutshell, this is what I had to accomplish:

Step 1: set up Automation

I already had an interactive script to go through all the tenant subscriptions and get the VM details in a .csv file; I just had to clean it up a bit to separate Verbose output from the script results. I also wanted to output a .json file so it would be easier to deal with in the Logic App.

As Azure Automation gives you control over the PowerShell module update process in your account, I soon learned that if you encounter errors like "<cmdlet name>: The term <cmdlet name> is not recognized as the name of a cmdlet, function, script file, or operable program." it might be because you are counting on newer AzureRM cmdlets in your script while you forgot to update the modules; see Azure Automation troubleshooting for more details.

My script gathers information via the Azure Resource Model from several subscriptions; how could I grant my script access to those security scopes?

Luckily for us, Azure Automation can easily take care of this with RunAs accounts: it creates an Azure AD application, a service principal account for the application in Azure AD, and assigns the Contributor role for the account in your current subscription.

I just had to give the Azure Automation account access to my other subscriptions via Access control, as shown here:
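The same access grant can be scripted instead of clicked through in the portal. The following is an added example, not part of the original post or its runbook: it gives the RunAs service principal a role on every subscription visible to the signed-in user and reports what it already holds there. The `Reader` role (an assumption: the report only reads VM details) and the `<runas-app-display-name>` placeholder are not from the post.

```powershell
# Added example, not the post's script. Run interactively, already signed in with
# Add-AzureRmAccount as a user allowed to manage access on the subscriptions.
$runAsDisplayName = '<runas-app-display-name>'  # placeholder: your RunAs application name
$roleName         = 'Reader'                    # assumption: read-only is enough for the report

# Resolve the RunAs service principal and refuse to continue on an ambiguous match.
$sp = @(Get-AzureRmADServicePrincipal -SearchString $runAsDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal for '$runAsDisplayName', found $($sp.Count)."
}
$spId = $sp[0].Id

$report = foreach ($sub in Get-AzureRmSubscription) {
    # Older AzureRM.Profile versions expose SubscriptionId instead of Id.
    $subId = if ($sub.Id) { $sub.Id } else { $sub.SubscriptionId }
    $scope = "/subscriptions/$subId"
    Set-AzureRmContext -SubscriptionId $subId | Out-Null

    # Keep only assignments made exactly at subscription scope;
    # inherited and child-scope assignments are ignored here.
    $atScope = @(Get-AzureRmRoleAssignment -ObjectId $spId -Scope $scope |
        Where-Object { $_.Scope -eq $scope })
    $roles = @($atScope | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique)

    if ($roles.Count -eq 0) {
        # Nothing assigned yet: grant the read-only role.
        New-AzureRmRoleAssignment -ObjectId $spId -RoleDefinitionName $roleName -Scope $scope |
            Out-Null
        $roles  = @($roleName)
        $action = 'assigned'
    } else {
        $action = 'unchanged'
    }

    [pscustomobject]@{
        SubscriptionId = $subId
        Action         = $action
        Roles          = $roles -join ', '
        # True when a role other than $roleName is present, e.g. the Contributor
        # role the RunAs account receives on its own subscription.
        HasOtherRoles  = [bool]($roles | Where-Object { $_ -ne $roleName })
    }
}
$report | Format-Table -AutoSize
```

Rows with `HasOtherRoles` set show where the service principal holds more than the read-only role, which is the place to review if the runbook never needs to modify resources.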

As my Azure Automation runbook was going to be invoked by a Logic App, I did not have to set up an execution schedule or Webhook.

Azure Automation gives you an exceptionally rich experience via the Azure portal in testing, executing and monitoring scripts: see docs on how to track runbook job execution. This, for example, is the execution history of my runbook.

Once I verified the script was doing its job, I was ready to move to the next step, which I will share in my next post.
