Created
April 19, 2022 13:58
-
-
Save 1RedOne/561d090e8028331020ef2cd5bb2699f5 to your computer and use it in GitHub Desktop.
A script to update sublib VMs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Import-Module Az.Accounts | |
| Import-Module Az.Automation | |
| Import-Module Az.Compute | |
| <# | |
| .DESCRIPTION | |
| A runbook to iterate through VMs in this Sublib and tell them to patch, if they don't have a 'DontPatch' tag | |
| .NOTES | |
| AUTHOR: Stephen Owen | |
| LASTEDIT: April 14, 2022 | |
| #> | |
| write-output "This script will send a Run Command to all Running VMs in this Subscription" | |
| write-output "To exclude a VM from patching, add the `DontPatch:true` tag to the VM" | |
| get-command Invoke-AzVmInstallPatch | |
| function Patch-VM($VM){ | |
| $imageType = $VM.StorageProfile.ImageReference.Offer | |
| $LinuxVM = $false | |
| if ($imageType -like "*Ubuntu*"){ | |
| Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, an ubuntu varient, preping command" | |
| $LinuxVM = $true | |
| } | |
| if ($imageType -like "*cent*"){ | |
| Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, an cent varient, preping command" | |
| } | |
| if ($imageType -like "*RHEL*"){ | |
| Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a RedHat varient, preping command" | |
| } | |
| if ($imageType -like "*sles*"){ | |
| Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a SLES varient, preping command" | |
| } | |
| if ($imageType -like "*windows*"){ | |
| Write-Output "$($VM.Name)\Patching\FirePatch:> VM is $imageType, a Windows varient, preping command" | |
| } | |
| if ($LinuxVM){ | |
| $null = Invoke-AzVmInstallPatch -ResourceId $Vm.Id -RebootSetting "Always" -MaximumDuration PT2H -ClassificationToIncludeForLinux Critical,Security -AsJob -Linux | |
| } | |
| else{ | |
| $null = Invoke-AzVmInstallPatch -ResourceId $Vm.Id -Windows -RebootSetting "Always" -MaximumDuration PT2H -ClassificationToIncludeForWindows Critical,Security -AsJob | |
| } | |
| } | |
| $connectionName = "AzureRunAsConnection" | |
| try | |
| { | |
| # Get the connection "AzureRunAsConnection " | |
| $servicePrincipalConnection= Get-AutomationConnection -Name $connectionName | |
| "Logging in to Azure..." | |
| Connect-AzAccount ` | |
| -ServicePrincipal ` | |
| -TenantId $servicePrincipalConnection.TenantId ` | |
| -ApplicationId $servicePrincipalConnection.ApplicationId ` | |
| -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | |
| } | |
| catch { | |
| if (!$servicePrincipalConnection) | |
| { | |
| $ErrorMessage = "Connection $connectionName not found." | |
| throw $ErrorMessage | |
| } else{ | |
| Write-Error -Message $_.Exception | |
| throw $_.Exception | |
| } | |
| } | |
| $context = get-azcontext | |
| $subName = $context.Subscription.Name | |
| Write-Output "running against context of $($subName)" | |
| if ($subName -notlike "*SubLib*"){ | |
| Write-Error "not running against sublib, exiting" | |
| exit | |
| } | |
| #Get all Azure VMs from all resource groups | |
| $RGs = Get-AzResourceGroup | |
| foreach ($RG in $RGs) | |
| { | |
| $VMs = Get-AzVm -ResourceGroupName $RG.ResourceGroupName | |
| foreach($VM in $VMs) | |
| { | |
| $VMDetail = Get-AzVm -ResourceGroupName $RG.ResourceGroupName -Name $VM.Name -Status | |
| $RGN = $VMDetail.ResourceGroupName | |
| foreach ($VMStatus in $VMDetail.Statuses) | |
| { | |
| $VMStatusDetail = $VMStatus.DisplayStatus | |
| } | |
| Write-Output "VM: $RGN\$($VM.Name) - [$VMStatusDetail]" | |
| if ($VMStatusDetail -ne "VM running"){ | |
| Write-Output "$($VM.Name):> VM offline with $VMStatusDetail, skipping" | |
| continue; | |
| } | |
| $canPatch = $true | |
| if ($vm.Tags) { | |
| if ($vm.Tags['DontPatch']) { | |
| $canPatch = $false | |
| write-output "$($VM.Name):> VM has DontPatch Tag, we should skip" | |
| } | |
| else{ | |
| write-output "$($VM.Name):> VM has tags, but didn't have 'DontPatch' tag assigned" | |
| } | |
| } | |
| else{ | |
| write-output "$($VM.Name):> VM has no tags" | |
| } | |
| if ($canPatch){ | |
| write-output "$($VM.Name)\Patching:> VM is OK to patch, proceed with firing command" | |
| Patch-VM -VM $VM | |
| } | |
| else{ | |
| write-output "$($VM.Name)\Patching:> !!!!!VM has 'DontPatch' tag assigned, skipping" | |
| } | |
| write-output "=============================================================================" | |
| } | |
| } | |
| Write-Output "Waiting on results" | |
| get-job | wait-job | |
| get-job | receive-job |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment