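# Provisions the Azure resources for a web app with the Azure CLI: system-assigned
# Managed Identity on the Web App, Azure SQL server + database with an Entra ID
# admin, a Key Vault the identity may read secrets from, and Application Insights.
# Configuration is read from an env.ps1 next to this script (see $requiredVars).
#
# Prerequisites that this script does NOT create (left commented out below):
# resource group, App Service plan and the Web App itself.

function Assert-AzSucceeded {
    # Throws when the last native command (az) returned a non-zero exit code.
    # Without this, a failed step silently feeds empty values (e.g. an empty
    # principal id) into the next command.
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) {
        throw "Schritt '$Step' ist fehlgeschlagen (az exit code $LASTEXITCODE)."
    }
}

# $PSScriptRoot is empty when the script body is pasted into an interactive
# session; fall back to the current directory instead of resolving "/env.ps1".
$scriptDir = if ([string]::IsNullOrWhiteSpace($PSScriptRoot)) { (Get-Location).Path } else { $PSScriptRoot }
$EnvPath = Join-Path -Path $scriptDir -ChildPath 'env.ps1'

# ===== 1) Load env =====
if (-not (Test-Path -Path $EnvPath)) {
    throw "Env-Datei '$EnvPath' wurde nicht gefunden. Bitte Pfad prüfen."
} else {
    Write-Host "ENV-File found: $EnvPath"
}

Write-Host "🧩 Lade Umgebungsvariablen aus: $EnvPath" -ForegroundColor Cyan
# Dot-sourcing executes env.ps1 in the current scope: it may contain credentials
# (spClientSecret) and runs arbitrary code, so it must be writable only by the
# operator and must never be committed.
. $EnvPath

# ===== 2) Validate required values =====
# tenantId is included because every login path below passes it to az login.
$requiredVars = @(
    'subscriptionId', 'tenantId', 'rgName', 'appPlanName', 'webAppName',
    'sqlServerName', 'sqlDbName', 'keyVaultName', 'appInsightsName',
    'runtimeStack', 'projectPath', 'location', 'aadAdminObjectId', 'aadAdminDisplay'
)
$missing = @(
    foreach ($varName in $requiredVars) {
        $value = Get-Variable -Name $varName -ValueOnly -ErrorAction SilentlyContinue
        if ([string]::IsNullOrWhiteSpace($value)) { $varName }
    }
)
if ($missing.Count -gt 0) {
    throw "Fehlende Pflichtvariablen in '$EnvPath': $($missing -join ', ')"
}

# Entra ID object ids are GUIDs; catching a display name or app id pasted here
# is cheaper than a failed ad-admin create halfway through provisioning.
$parsedObjectId = [guid]::Empty
if (-not [guid]::TryParse($aadAdminObjectId, [ref]$parsedObjectId)) {
    throw "aadAdminObjectId '$aadAdminObjectId' ist keine gültige Objekt-ID (GUID)."
}

$hasSpAppId        = -not [string]::IsNullOrWhiteSpace($spAppId)
$hasSpClientSecret = -not [string]::IsNullOrWhiteSpace($spClientSecret)
$hasSpCertPath     = -not [string]::IsNullOrWhiteSpace($spCertPath)

# ===== Login & set subscription =====
Write-Host "Cloud auf AzureCloud setzen..." -ForegroundColor Cyan
az cloud set --name AzureCloud | Out-Null     # guard against a stale non-public cloud selection
Assert-AzSucceeded 'az cloud set'

if ($hasSpAppId -and ($hasSpClientSecret -or $hasSpCertPath)) {
    Write-Host "Azure Login (Service Principal)..." -ForegroundColor Cyan
    if ($hasSpClientSecret) {
        # NOTE(security): the client secret travels as a process argument and is
        # visible in process listings and shell transcripts on this host. Prefer
        # the certificate path (or workload identity federation) where possible.
        az login --service-principal --username $spAppId --password $spClientSecret --tenant $tenantId | Out-Null
    } else {
        az login --service-principal --username $spAppId --certificate $spCertPath --tenant $tenantId | Out-Null
    }
} else {
    Write-Host "Azure Login (Benutzer, Tenant fixiert)..." -ForegroundColor Cyan
    az login --tenant $tenantId | Out-Null
}
Assert-AzSucceeded 'az login'

# Pin the subscription explicitly: after login the CLI picks a default
# subscription, which is not necessarily the validated $subscriptionId, and
# every resource below would otherwise land wherever that default points.
Write-Host "Subscription setzen: $subscriptionId" -ForegroundColor Cyan
az account set --subscription $subscriptionId | Out-Null
Assert-AzSucceeded 'az account set'

# Resource group
#az group create -n $RgName -l $Location

# App Service plan (Linux, B1 is usually enough for a handful of users)
#az appservice plan create -n $AppPlanName -g $RgName --is-linux --sku B1

# Web App (Linux, .NET 9)
#az webapp create -g $RgName -p $AppPlanName -n $WebAppName --runtime "$RuntimeStack"

# Enable the system-assigned Managed Identity and capture its principal id;
# the Key Vault policy below is granted to exactly this principal.
az webapp identity assign -g $RgName -n $WebAppName
Assert-AzSucceeded 'az webapp identity assign'
$principalId = az webapp show -g $RgName -n $WebAppName --query identity.principalId -o tsv
Assert-AzSucceeded 'az webapp show'
if ([string]::IsNullOrWhiteSpace($principalId)) {
    throw "Managed Identity von '$WebAppName' hat keine principalId geliefert."
}

# Azure SQL server + DB.
# The SQL admin password is random and deliberately neither captured nor stored:
# access is meant to go through the Entra ID admin set below. This also means
# there is no break-glass SQL login; if one is needed, capture the value and put
# it into the Key Vault instead of printing it. NOTE(review): `az sql server
# create` also offers an Entra-only authentication mode (--enable-ad-only-auth)
# that disables the SQL login entirely — consider it, and confirm the flag
# against the installed CLI version.
az sql server create -g $RgName -n $SqlServerName -l $Location -u "sqladmin" -p (New-Guid).Guid
Assert-AzSucceeded 'az sql server create'
az sql db create -g $RgName -s $SqlServerName -n $SqlDbName --service-objective S0
Assert-AzSucceeded 'az sql db create'

# Set the Entra ID admin on the SQL server (needed to create Entra-based users
# and the Managed Identity login in the database).
az sql server ad-admin create `
    -g $RgName -s $SqlServerName `
    --display-name $AadAdminDisplay `
    --object-id $AadAdminObjectId
Assert-AzSucceeded 'az sql server ad-admin create'

# Firewall rule for the operator's machine (local tools such as DataGrip).
# This opens the SQL public endpoint for a single address. The address comes
# from a third-party service, so verify it is actually an IP address before it
# ends up in a firewall rule.
$myIp = (Invoke-RestMethod -Uri "https://api.ipify.org").ToString().Trim()
$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($myIp, [ref]$parsedIp)) {
    throw "Ungültige IP-Adresse von api.ipify.org erhalten: '$myIp'"
}
az sql server firewall-rule create -g $RgName -s $SqlServerName -n "allow-notebook" --start-ip-address $myIp --end-ip-address $myIp
Assert-AzSucceeded 'az sql server firewall-rule create'

# Key Vault
az keyvault create -n $KeyVaultName -g $RgName -l $Location
Assert-AzSucceeded 'az keyvault create'

# WebApp Managed Identity -> Key Vault: secret read rights (get/list only).
# NOTE(review): set-policy requires the vault to use the access-policy
# permission model; newer CLI versions may create vaults with RBAC
# authorization enabled by default, in which case a role assignment
# (Key Vault Secrets User) for $principalId is needed instead. Check
# "enableRbacAuthorization" in the create output above if this step fails.
az keyvault set-policy -n $KeyVaultName -g $RgName --object-id $principalId --secret-permissions get list
Assert-AzSucceeded 'az keyvault set-policy'

# App Insights (optional, recommended)
az monitor app-insights component create -g $RgName -l $Location -a $AppInsightsName
Assert-AzSucceeded 'az monitor app-insights component create'
$ikey = az monitor app-insights component show -g $RgName -a $AppInsightsName --query instrumentationKey -o tsv
Assert-AzSucceeded 'az monitor app-insights component show'
if ([string]::IsNullOrWhiteSpace($ikey)) {
    throw "App Insights '$AppInsightsName' hat keinen Instrumentation Key geliefert."
}

# App settings. APPINSIGHTS_INSTRUMENTATIONKEY is the legacy setting; current
# SDKs prefer APPLICATIONINSIGHTS_CONNECTION_STRING (`--query connectionString`
# on the component) — kept as-is here so existing app configuration keeps working.
az webapp config appsettings set -g $RgName -n $WebAppName --settings `
    ASPNETCORE_ENVIRONMENT=Production `
    APPINSIGHTS_INSTRUMENTATIONKEY=$ikey `
    WEBSITE_RUN_FROM_PACKAGE=1
Assert-AzSucceeded 'az webapp config appsettings set'

Write-Host "Infrastruktur erstellt. WebApp:" "https://$WebAppName.azurewebsites.net"
# $domain is an optional value from env.ps1 (not validated above); the hint is
# printed regardless so the next manual step is not forgotten.
Write-Host "Nächster Schritt: DNS CNAME für $domain -> $WebAppName.azurewebsites.net setzen und TXT (asuid) zur Verifizierung im Azure Portal abrufen."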