<#
.SYNOPSIS
Grants the "Monitoring Metrics Publisher" role on an AKS cluster resource.
.DESCRIPTION
Adds the Monitoring Metrics Publisher role assignment to the specified AKS cluster.
The assignment is scoped to the cluster resource itself and is made for the
cluster's service principal or, when the cluster has no service principal, for
the identity of its omsagent add-on.
Requires the Az.Accounts, Az.Aks and Az.Resources modules; when any of them is
missing the script offers to install it from PSGallery (elevated session needed).
.PARAMETER SubscriptionId
Subscription Id that the AKS cluster is in
.PARAMETER ClusterResourceGroup
Resource Group name that the AKS cluster is in
.PARAMETER clusterName
Name of the AKS cluster.
.EXAMPLE
.\mdm_onboarding.ps1 -SubscriptionId <subscription-id> -ClusterResourceGroup <resource-group> -clusterName <cluster-name>
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SubscriptionId,

    [Parameter(Mandatory = $true)]
    [string]$ClusterResourceGroup,

    [Parameter(Mandatory = $true)]
    [string]$clusterName
)
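# ---------------------------------------------------------------------------
# Required Az modules: check that they are installed and, if any are missing,
# ask the user whether to install them. Every failure path exits with status 1
# so a calling process can tell that onboarding did not happen.
# ---------------------------------------------------------------------------
$requiredModules = @('Az.Resources', 'Az.Accounts', 'Az.Aks')
$missingModules = @($requiredModules | Where-Object { $null -eq (Get-Module -ListAvailable -Name $_) })

if ($missingModules.Count -gt 0) {
    # Installing the modules is only attempted from an elevated session.
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host "Running script as an admin..."
        Write-Host ""
    }
    else {
        Write-Host "Please run the script as an administrator" -ForegroundColor Red
        # NOTE(review): no Start-Transcript appears in this file; this only stops a
        # transcript that a caller started, and otherwise reports an error.
        Stop-Transcript
        exit 1
    }

    $message = @"
This script will try to install the latest versions of the following Modules :
Az.Resources, Az.Accounts and Az.Aks using the command
'Install-Module {Insert Module Name} -Repository PSGallery -Force -AllowClobber -ErrorAction Stop'
If you do not have the latest version of these Modules, this troubleshooting script may not run.
"@
    $question = "Do you want to Install the modules and run the script or just run the script?"
    $choices = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
    $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes, Install and run'))
    $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Continue without installing the Module'))
    $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Quit'))
    # The default choice (index 0) is "install and run".
    $decision = $Host.UI.PromptForChoice($message, $question, $choices, 0)

    switch ($decision) {
        0 {
            foreach ($moduleName in $missingModules) {
                try {
                    Write-Host "Installing $moduleName..."
                    # -Force suppresses the untrusted-repository confirmation for PSGallery;
                    # -AllowClobber lets the module overwrite existing commands with the same names.
                    Install-Module $moduleName -Repository PSGallery -Force -AllowClobber -ErrorAction Stop
                }
                catch {
                    Write-Host "Close other powershell logins and try installing the latest modules for $moduleName in a new powershell window: eg. 'Install-Module $moduleName -Repository PSGallery -Force'" -ForegroundColor Red
                    exit 1
                }
            }
        }
        1 {
            # The user declined installation; the import is attempted anyway and the
            # script stops with guidance if the module really is unavailable.
            foreach ($moduleName in $missingModules) {
                try {
                    Import-Module $moduleName -ErrorAction Stop
                }
                catch {
                    Write-Host "Could not import $moduleName..." -ForegroundColor Red
                    Write-Host "Close other powershell logins and try installing the latest modules for $moduleName in a new powershell window: eg. 'Install-Module $moduleName -Repository PSGallery -Force'" -ForegroundColor Red
                    Stop-Transcript
                    exit 1
                }
            }
        }
        2 {
            # User chose to quit; nothing was changed.
            Write-Host ""
            Stop-Transcript
            exit
        }
    }
}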
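# ---------------------------------------------------------------------------
# Az login context: reuse the current context when it already targets
# $SubscriptionId, otherwise log in or switch subscription. Failures exit 1.
# ---------------------------------------------------------------------------
$account = $null
try {
    Write-Host ""
    Write-Host "Trying to get the current Az login context..."
    $account = Get-AzContext -ErrorAction Stop
    Write-Host "Successfully fetched current AzContext context..." -ForegroundColor Green
    Write-Host ""
}
catch {
    # Not fatal: a missing context simply means we have to log in below.
    Write-Host ""
    Write-Host "Could not fetch AzContext..." -ForegroundColor Red
    Write-Host ""
}

if ($null -eq $account -or $null -eq $account.Account) {
    try {
        Write-Host "Please login..."
        # -ErrorAction Stop so a failed or cancelled login reaches the catch block
        # instead of letting the script continue unauthenticated.
        Connect-AzAccount -SubscriptionId $SubscriptionId -ErrorAction Stop
    }
    catch {
        Write-Host ""
        Write-Host ("Could not select subscription with ID : " + $SubscriptionId + ". Please make sure the ID you entered is correct and you have access to the cluster") -ForegroundColor Red
        Write-Host ""
        Stop-Transcript
        exit 1
    }
}
elseif ($account.Subscription.Id -eq $SubscriptionId) {
    Write-Host "Subscription: $SubscriptionId is already selected. Account details: "
    $account
}
else {
    try {
        Write-Host "Current Subscription:"
        $account
        Write-Host "Changing to subscription: $SubscriptionId"
        Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop
    }
    catch {
        Write-Host ""
        Write-Host ("Could not select subscription with ID : " + $SubscriptionId + ". Please make sure the ID you entered is correct and you have access to the cluster") -ForegroundColor Red
        Write-Host ""
        Stop-Transcript
        exit 1
    }
}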
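#
# Check AKS cluster existence and access check
#
Write-Host "Checking aks cluster exists..."
# Get-AzAks (Az.Aks alias of Get-AzAksCluster). Errors are collected in
# $notPresent rather than terminating so a readable message can be shown;
# an empty result with no error is treated the same way.
$cluster = Get-AzAks -ResourceGroupName $ClusterResourceGroup -Name $clusterName -ErrorVariable notPresent -ErrorAction SilentlyContinue
if ($notPresent -or $null -eq $cluster) {
    Write-Host ""
    Write-Host ("Could not find Aks cluster. Please make sure that specified cluster exists: '" + $clusterName + "'is correct and you have access to the cluster") -ForegroundColor Red
    Write-Host ""
    Stop-Transcript
    exit 1
}
Write-Host "Successfully checked specified cluster exists details..." -ForegroundColor Green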
# Pick the identity that will receive the role: the cluster's service principal
# when it has one, otherwise the identity of the omsagent add-on (MSI case).
# Leaves $servicePrincipalMsiClientId empty when neither is available.
$servicePrincipalMsiClientId = ""
$spProfile = $cluster.ServicePrincipalProfile
if ($null -ne $spProfile -and -not [string]::IsNullOrEmpty($spProfile.clientId)) {
    $servicePrincipalMsiClientId = $spProfile.clientId
    $clusterResourceId = $cluster.Id
}
else {
    # The add-on identity is only visible on the expanded managed-cluster resource.
    $managedCluster = Get-AzResource -ResourceGroupName $ClusterResourceGroup -Name $clusterName -ResourceType "Microsoft.ContainerService/managedClusters" -ExpandProperties -ErrorAction Stop -WarningAction Stop
    $omsAgentProfile = $null
    if ($null -ne $managedCluster) {
        $omsAgentProfile = $managedCluster[0].properties.addonprofiles.omsagent
    }
    if ($null -ne $omsAgentProfile -and $null -ne $omsAgentProfile.identity) {
        $servicePrincipalMsiClientId = $omsAgentProfile.identity.clientId
        $clusterResourceId = $managedCluster[0].ResourceId
    }
}
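#
# Add Monitoring Metrics Publisher role assignment to the AKS cluster resource
#
if ($servicePrincipalMsiClientId -ne "") {
    # Scope is the cluster resource id only, so the identity gains this role
    # nowhere else (least privilege).
    $roleName = "Monitoring Metrics Publisher"
    New-AzRoleAssignment -ApplicationId $servicePrincipalMsiClientId -Scope $clusterResourceId -RoleDefinitionName $roleName -ErrorVariable assignmentError -ErrorAction SilentlyContinue
    if ($assignmentError) {
        # Look the assignment up for *this* principal. Without the
        # -ServicePrincipalName filter, any service principal holding the role at
        # this scope would make a failed assignment look like "already exists".
        $roleAssignment = Get-AzRoleAssignment -ServicePrincipalName $servicePrincipalMsiClientId -Scope $clusterResourceId -RoleDefinitionName $roleName -ErrorVariable getAssignmentError -ErrorAction SilentlyContinue
        if ($assignmentError.Exception -match "role assignment already exists" -or ($roleAssignment -and $roleAssignment.ObjectType -like "ServicePrincipal")) {
            Write-Host ("Monitoring Metrics Publisher role assignment already exists on the cluster resource : '" + $clusterName + "'") -ForegroundColor Green
        }
        else {
            Write-Host ("Failed to add Monitoring Metrics Publisher role assignment to cluster : '" + $clusterName + "' , error : $assignmentError") -ForegroundColor Red
            if ($getAssignmentError) {
                Write-Host ("Could not read existing role assignments, error : $getAssignmentError") -ForegroundColor Red
            }
            exit 1
        }
    }
    else {
        Write-Host ("Successfully added Monitoring Metrics Publisher role assignment to cluster : '" + $clusterName + "'") -ForegroundColor Green
    }
}
else {
    # Nothing to grant the role to: neither a service principal nor an omsagent
    # add-on identity was found, so onboarding did not happen.
    Write-Host ("Unable to find service principal/msi associated with the cluster : '" + $clusterName + "'") -ForegroundColor Red
    exit 1
}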