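# Diagnostics: where this script lives vs. where it was invoked from.
# (The original printed a stray literal "." between the label and the path.)
Write-Host "1:" $PSScriptRoot
Write-Host "2:" $(Get-Location)

# $test = $(Get-Location)

# env.ps1 is expected next to this script and supplies the deployment parameters.
$EnvPath = "$PSScriptRoot/env.ps1"

# ===== 1) Env laden =====
# -PathType Leaf: a directory of the same name must not count as "found".
if (-not (Test-Path -Path $EnvPath -PathType Leaf)) {
    throw "Env-Datei '$EnvPath' wurde nicht gefunden. Bitte Pfad prüfen."
} else {
    Write-Host "ENV-File found: $EnvPath"
}

Write-Host "🧩 Lade Umgebungsvariablen aus: $EnvPath" -ForegroundColor Cyan
# Dot-sourcing executes env.ps1 as code in the current scope (not only its
# assignments), so the file must be one you control.
. $EnvPath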
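# ===== 2) Pflichtwerte validieren =====
# Every name listed here must be set to a non-blank value by env.ps1.
# tenantId is required as well: every `az login` branch passes --tenant $tenantId.
$requiredVars = @(
    'subscriptionId', 'tenantId', 'rgName', 'appPlanName', 'webAppName',
    'sqlServerName', 'sqlDbName', 'keyVaultName', 'appInsightsName',
    'runtimeStack', 'projectPath', 'location', 'aadAdminObjectId', 'aadAdminDisplay'
)

$missing = @()
foreach ($name in $requiredVars) {
    # Looked up by name so the list above is the single place to maintain.
    # A variable env.ps1 never defined yields $null here (error suppressed),
    # which IsNullOrWhiteSpace treats like an empty string.
    $value = Get-Variable -Name $name -ValueOnly -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($value)) { $missing += $name }
}

if ($missing.Count -gt 0) {
    throw "Fehlende Pflichtvariablen in '$EnvPath': $($missing -join ', ')"
}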
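# Which service-principal credentials env.ps1 provides decides the login branch.
$hasSpAppId        = -not [string]::IsNullOrWhiteSpace($spAppId)
$hasSpClientSecret = -not [string]::IsNullOrWhiteSpace($spClientSecret)
$hasSpCertPath     = -not [string]::IsNullOrWhiteSpace($spCertPath)

# ===== Login & Subscription setzen =====
Write-Host "Cloud auf AzureCloud setzen..." -ForegroundColor Cyan
# Guard against a wrong cloud being active [3](https://moldstud.com/articles/p-mastering-azure-sql-databases-a-comprehensive-guide-to-creating-and-managing-with-azure-cli)
az cloud set --name AzureCloud | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "az cloud set fehlgeschlagen (Exit-Code $LASTEXITCODE)"
}

if ($hasSpAppId -and ($hasSpClientSecret -or $hasSpCertPath)) {
    Write-Host "Azure Login (Service Principal)..." -ForegroundColor Cyan
    # Same flag as the outer condition, so a whitespace-only secret does not
    # select this branch while the cert branch was the one actually configured.
    if ($hasSpClientSecret) {
        # NOTE(review): the client secret travels on the command line and is
        # therefore visible in process listings and shell history; prefer the
        # certificate branch where possible.
        az login --service-principal --username $spAppId --password $spClientSecret --tenant $tenantId | Out-Null
    } else {
        az login --service-principal --username $spAppId --certificate $spCertPath --tenant $tenantId | Out-Null
    }
} else {
    Write-Host "Azure Login (Benutzer, Tenant fixiert)..." -ForegroundColor Cyan
    az login --tenant $tenantId | Out-Null
}
# `| Out-Null` only discards the CLI output; a failed login does not stop the
# script by itself, and the provisioning steps would then run unauthenticated.
if ($LASTEXITCODE -ne 0) {
    throw "Azure Login fehlgeschlagen (Exit-Code $LASTEXITCODE)"
}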
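#Write-Host "Subscription setzen: $subscriptionId" -ForegroundColor Cyan
#az account set --subscription $subscriptionId | Out-Null # aktive Subscription definieren [1](https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-azure-database)[4](https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-app-access-sql-database-as-user-dotnet)
# NOTE(review): with the two lines above commented out, subscriptionId is
# validated but never applied, so everything below lands in the CLI's current
# default subscription — confirm that is intended.

# Throws when the previous native command (az) reported failure. Without this,
# a failed step is silently followed by the next one and the final "erstellt"
# message is printed regardless.
function Assert-AzSucceeded {
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) {
        throw "Schritt '$Step' fehlgeschlagen (Exit-Code $LASTEXITCODE)"
    }
}

# Ressourcengruppe
#az group create -n $RgName -l $Location

# App Service Plan (Linux, B1 reicht meist für wenige User)
#az appservice plan create -n $AppPlanName -g $RgName --is-linux --sku B1

# Web App (Linux, .NET 9)
#az webapp create -g $RgName -p $AppPlanName -n $WebAppName --runtime "$RuntimeStack"

# System-assigned Managed Identity aktivieren
# (the web app must already exist — its creation above is commented out)
az webapp identity assign -g $RgName -n $WebAppName
Assert-AzSucceeded 'webapp identity assign'
$principalId = az webapp show -g $RgName -n $WebAppName --query identity.principalId -o tsv
Assert-AzSucceeded 'webapp show'
# The Key Vault policy below is keyed on this id; an empty value would produce a
# confusing CLI error much later.
if ([string]::IsNullOrWhiteSpace($principalId)) {
    throw "Keine principalId der Managed Identity für '$WebAppName' erhalten."
}

# Azure SQL Server + DB
# The sqladmin password is a random GUID that is not recorded anywhere;
# administration is meant to happen via the AAD admin configured below.
az sql server create -g $RgName -n $SqlServerName -l $Location -u "sqladmin" -p (New-Guid).Guid
Assert-AzSucceeded 'sql server create'
az sql db create -g $RgName -s $SqlServerName -n $SqlDbName --service-objective S0
Assert-AzSucceeded 'sql db create'

# Azure AD Admin auf SQL Server setzen (damit AAD-basierte User & MI erstellt werden können)
az sql server ad-admin create `
    -g $RgName -s $SqlServerName `
    --display-name $AadAdminDisplay `
    --object-id $AadAdminObjectId
Assert-AzSucceeded 'sql server ad-admin create'
# (CLI-Referenz zu 'az sql server ad-admin': siehe Doku) # [2](https://learn.microsoft.com/en-us/cli/azure/sql/server/ad-admin?view=azure-cli-latest)

# Firewall-Regel für dein Notebook (lokaler Zugriff/Tools wie DataGrip)
# The public IP comes from a third-party service; make sure the response is a
# single IPv4 address before it is turned into a firewall rule.
$myIp = (Invoke-RestMethod -Uri "https://api.ipify.org")
$myIp = "$myIp".Trim()
$parsedIp = $null
if (-not [System.Net.IPAddress]::TryParse($myIp, [ref]$parsedIp) -or
    $parsedIp.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Ungültige IPv4-Adresse von api.ipify.org erhalten: '$myIp'"
}
az sql server firewall-rule create -g $RgName -s $SqlServerName -n "allow-notebook" --start-ip-address $myIp --end-ip-address $myIp
Assert-AzSucceeded 'sql server firewall-rule create'

# Key Vault
az keyvault create -n $KeyVaultName -g $RgName -l $Location
Assert-AzSucceeded 'keyvault create'

# WebApp Managed Identity -> Key Vault: Secret-Rechte
# NOTE(review): set-policy applies to the access-policy permission model only;
# a vault created with RBAC authorization needs a role assignment instead —
# confirm which model `az keyvault create` produced here.
az keyvault set-policy -n $KeyVaultName -g $RgName --object-id $principalId --secret-permissions get list
Assert-AzSucceeded 'keyvault set-policy'

# App Insights (optional, empfohlen)
az monitor app-insights component create -g $RgName -l $Location -a $AppInsightsName
Assert-AzSucceeded 'app-insights component create'
$ikey = az monitor app-insights component show -g $RgName -a $AppInsightsName --query instrumentationKey -o tsv
Assert-AzSucceeded 'app-insights component show'

# App Settings
az webapp config appsettings set -g $RgName -n $WebAppName --settings `
    ASPNETCORE_ENVIRONMENT=Production `
    APPINSIGHTS_INSTRUMENTATIONKEY=$ikey `
    WEBSITE_RUN_FROM_PACKAGE=1
Assert-AzSucceeded 'webapp config appsettings set'

Write-Host "Infrastruktur erstellt. WebApp:" "https://$WebAppName.azurewebsites.net"
# $domain is not among the validated variables; the hint prints an empty name
# when env.ps1 does not set it.
Write-Host "Nächster Schritt: DNS CNAME für $domain -> $WebAppName.azurewebsites.net setzen und TXT (asuid) zur Verifizierung im Azure Portal abrufen."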