Azure Runbook – A complete (simple) example


I meant to write about Azure Runbooks (also known as Azure Automation) for quite a while.

I had the chance to be involved in the operations of a solution I helped architect.  Once you get beyond a trivial Azure solution, just as on premises, you’ll want some automation.  For instance, you’ll want to:

  • Clean up data at the end of the day
  • Probe a few services for health check
  • Execute some data batch
  • etc.

Azure is mature enough already that you could do that with other technology.  For instance a mix of Scheduler and Web Job.  But those approaches are a little complicated for PowerShell automation and not ideal for long-running workflows.

Azure Automation is more appropriate for those scenarios.

The example

I’ll give a simple example here.  We’ll build an automation scanning a blob container and deleting all the blobs matching a certain name pattern.  That job will run every hour.

I’ll construct that using a PowerShell workflow.  I won’t go into the graphical tool yet nor will I create a custom PowerShell module.  As you’ll see, the script only takes a few lines.  Such simple workflows do not mandate modules or graphical workflows in my opinion.

Creating a Resource Group

I won’t go into ARM templates but we’ll build this example into a Resource Group so at the very least, you’ll be able to destroy all artefacts in one go at the end (by destroying the Resource Group).

So let’s go in the Preview Portal to create a new Resource Group.  In the home page, select Resource groups.

Then select Add.

This should pop up the following blade.

As Resource Group Name, type SampleAutomations.

Select the Subscription you want to use.

Place the Resource Group in the location most convenient for you.

Then click on the Create button at the bottom of the blade.

Creating Automation Account

Let’s create an Automation Account.

Give it a unique name (I used myfirstautomation), ensure it is in the resource group we created and in a suitable region (not all regions are supported yet) and click the Create button.

Exploring Automation Account

Let’s open the newly created account.

Runbooks are PowerShell workflows.  In a nutshell, those are a mix of PowerShell scripts and Workflow Foundation (WF) workflows.  They allow long-running workflows, pauses, restarts, etc.  You already have a runbook: the tutorial runbook.  You can look at it.

Assets come in different forms:

  • Schedules
  • Modules
  • Certificates
  • Connections
  • Variables
  • Credentials

We are going to use a schedule to run our runbook.  We are also going to use variables to store the configuration of our runbook.

Creating Storage Account

Before we create our runbook we need a storage account.

We’re going to create a storage account within the Resource Group we’ve created.  Click the plus button at the top left of the portal.

Select Data + Storage then select Storage Account.

Then at the bottom of the Storage Account pane, select “Resource Manager” and click Create.

Name the account something unique (I used mysample2015).

In Resource Group, make sure to select the resource group you just created.  Make sure the location suits you and click Create.

Creating Storage Container

Using your favorite Azure Storage tool (I used CloudXplorer), create a container named my-watched-container.

For the runbook to access the container, we’ll use a Shared Access Signature (SAS) token.  Whenever you can, use the access mechanism that grants as little access as possible.  This way, if your assets get compromised, the attacker can do less damage than if you had stored the keys to the castle in there.  This is the principle of least privilege and you should always apply it.

So, for that newly created container, create a SAS token allowing for listing and deleting.  This is what our runbook will do:  list the blobs, delete the ones matching a certain pattern.
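Before storing the token, it is worth checking that it really is limited to listing and deleting.  The following check is an added example, not part of the original post: the function name Test-SasScope, the 90-day lifetime limit and the sample tokens are assumptions made for illustration, while sp, sr, spr and se are the standard SAS query fields.

```powershell
# Added example: check that a container SAS grants no more than the runbook needs.
# Test-SasScope, its defaults and the sample tokens are constructed for illustration.
function Test-SasScope {
    param(
        [Parameter(Mandatory = $true)] [string] $SasToken,
        [string] $AllowedPermissions = 'dl',  # delete + list, all the runbook uses
        [int] $MaxLifetimeDays = 90           # assumed rotation policy
    )
    # Split the query string (stored with its leading '?') into name/value pairs
    $fields = @{}
    foreach ($pair in ($SasToken.TrimStart('?') -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($null -ne $value) { $fields[$name] = [Uri]::UnescapeDataString($value) }
    }
    $findings = @()

    # sp: every granted permission letter must be in the allowed set
    $sp = [string] $fields['sp']
    $extra = @($sp.ToCharArray() | Where-Object { $AllowedPermissions.IndexOf($_) -lt 0 })
    if (-not $sp) { $findings += 'no sp field: permissions come from a stored policy, review it' }
    if ($extra.Count -gt 0) { $findings += "excess permissions granted: $(-join $extra)" }

    # sr: the runbook lists blobs, so the token must be scoped to the container
    if ($fields['sr'] -ne 'c') { $findings += "scope is '$($fields['sr'])', expected container (c)" }

    # spr: when omitted, the token is also accepted over plain HTTP
    if ($fields['spr'] -ne 'https') { $findings += 'token is not restricted to HTTPS' }

    # se: require an expiry, in the future, within the rotation window
    $expiry = [DateTimeOffset]::MinValue
    if (-not [DateTimeOffset]::TryParse([string] $fields['se'], [ref] $expiry)) {
        $findings += 'no parsable expiry (se)'
    } elseif ($expiry -le [DateTimeOffset]::UtcNow) {
        $findings += 'token already expired'
    } elseif (($expiry - [DateTimeOffset]::UtcNow).TotalDays -gt $MaxLifetimeDays) {
        $findings += "expiry is more than $MaxLifetimeDays days away"
    }
    return $findings
}

# Constructed samples: expiry 30 days out, placeholder signature
$se = [Uri]::EscapeDataString((Get-Date).ToUniversalTime().AddDays(30).ToString('yyyy-MM-ddTHH:mm:ssZ'))
Test-SasScope "?sv=2015-04-05&sr=c&sp=dl&spr=https&se=$se&sig=CONSTRUCTED"  # scoped as the runbook needs
Test-SasScope "?sv=2015-04-05&sr=c&sp=rwdl&se=$se&sig=CONSTRUCTED"          # broader than the runbook needs
```

An empty result means the token matches what the runbook needs; each returned string names one way the token is broader than that.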

Creating Variables

Let’s create the variables for our runbook.

Go back to the runbook, select Assets, then select Variables, then Add variable.

Give it accountName as a Name, leave the default string type there and for value, input the name of the storage account you created.  Then click create.

Do the same for the following:

Name            Value
containerName   my-watched-container
pattern         draft
sas             The value of the SAS token you created for your container.  This should start with the question mark of the query string.

For the last one, select the encrypted option.

This will make the variable’s value unreadable to operators from then on.  It’s an added level of security.

You should have the following variables defined.

Creating Runbook

Let’s create the runbook.  Let’s close the Variables and Assets blade.

Let’s select the Runbooks box and click the Add a run book button. Select Quick Create.

For Name, input CleanBlobs. For Runbook type, choose PowerShell Workflow. Hit the Create button.

This is the code of our Workflow. Let’s paste in the following:

workflow CleanBlobs
{
    InlineScript
    {
        # Here we load all the variables we defined earlier
        $account = Get-AutomationVariable -Name 'accountName'
        $container = Get-AutomationVariable -Name 'containerName'
        $sas = Get-AutomationVariable -Name 'sas'
        $pattern = Get-AutomationVariable -Name 'pattern'

        # An empty pattern would match (and delete) every blob, so stop here
        if ([string]::IsNullOrWhiteSpace($pattern)) { throw "Variable 'pattern' is empty" }

        # Construct a context for the storage account based on a SAS
        $context = New-AzureStorageContext -StorageAccountName $account -SasToken $sas

        # List all the blobs in the container
        $blobs = Get-AzureStorageBlob -Container $container -Context $context

        # Keep only the blobs whose name contains the pattern (case-insensitive)
        $filteredBlobs = $blobs | Where-Object { $_.Name.ToUpper().Contains($pattern.ToUpper()) }

        # Delete the matching blobs
        $filteredBlobs | ForEach-Object { Remove-AzureStorageBlob -Blob $_.Name -Context $context -Container $container }
    }
}

You can see how we are using the variables by calling the cmdlet Get-AutomationVariable. You could actually discover that by opening the Assets tree view on the left of the edit pane.

We can then test our runbook by hitting the Test button on top.  First you might want to insert a few empty files in your blob container, some with the word “draft” in their name.  Once the workflow has run, it should have deleted the draft files.

Scheduling Runbook

Let’s schedule the runbook.  First let’s publish it.  Close the test pane and click the Publish button.

Then click the Schedule button and Link a schedule to your runbook.

We didn’t create any schedule yet, so let’s create one in place.  Give it any name, set the recurrence to hourly and hit the create button.

By default the start time will be 30 minutes from now.  At the time I wrote this blog, there was a little bug in the interface forbidding me to put it in 5 minutes (because of time zone calculations).  That might be fixed by the time you try it.

Click OK and your runbook is scheduled.

Summary

Azure Automation is a powerful tool to automate tasks within Azure.

In this article I only scratched the surface.  I will try to go further in future postings.
