Initialize.ps1 not run, Trigger "Server Started" not triggered for keyvault registration

Oliver · January 24, 2023, 12:53pm

Product: PowerShell Universal
Version: 3.7.7

Hello!
I’m trying to automatically register an azure keyvault in my PSU instance running on Azure with SQL and Git active.

The trigger:

New-PSUTrigger -Name "Register Azure KeyVault" -EventType "ServerStarted" -Environment "Integrated" -TriggerScript "Register Az.KeyVault.ps1"

When triggered manually, the script does its job successfully, and I can then create variables in the secret store. However, the trigger does not execute the script when I reboot the server. I do have a single instance, however every reboot list a new instance in the computers list on the server. Does that confuse PSU?

Similar, I have setup initialize.ps1 to register the Keyvault as well, which is not executed, as far as I can tell. I guess I’d prefer the initialize.ps1 way so the secrets are available when the other config files (authentication.ps1) are evaluated so I can store the openid client secret in the keyvault instead of plaintext in the code and in git… But I seem to do something wrong here… Unfortunately the initialize.ps1 is not really documented, it seems…

Can someone hint me in a good direction? Are more information needed? Thankful for any help here

Best regards, Oliver

Matt.Harris · January 24, 2023, 4:51pm

I had the same problem last week. I created an initialize.ps1 script with the intention to register key vault, however this would not start on boot. I am currently running the script manually when reboot my container with the intention to pick this problem up later down the line.

Oliver · January 25, 2023, 6:52am

Thanks for your reply! Glad (and sad) to hear I’m not alone then. Hopefully we’ll find a solution here, can’t be running an automation system when we can’t even automate its startup, can we

Matt.Harris · January 25, 2023, 9:34am

I have taken another look at my Initialize.ps1 script.

I have left in there my script to register keyvault and thrown in another line just to check the file actually runs

Invoke-PSUScript -environment "Integrated" -name "KeyVaultRegister.ps1"
Write-Output "Am I working?" > /root/.PowerShellUniversal/Repository/.universal/test.txt

On boot, I can see the test file is created. So, I know the script is running.

Following the boot, I run the 1st line again in another script, and it seems to kick KeyVault into action.

I suspect the problem is the KeyVault module is not loaded yet:

2023-01-25 09:19:31.490 +00:00 [ERR] Failed to read secret :The term 'Az.KeyVault\Get-AzKeyVaultSecret' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I will continue to look into this.

Oliver · January 25, 2023, 9:50am

I haven’t found any indication that the initialize script was run on my end, but I’ll modify it like your example and test again. I have a few lines in there manually loading the module, let me see if I can find my source again

Got it: Sharing an example of using the Initialize.ps1 to connect an Azure KeyVault

Matt.Harris · January 25, 2023, 10:31am

OK, I think I have it…

I had to modify my Initialize.ps1 script to load to following:

Import-Module -Name /root/.PowerShellUniversal/Repository/Modules/Az.Accounts/ -verbose | Out-Null
Import-Module -Name /root/.PowerShellUniversal/Repository/Modules/Az.KeyVault/ -verbose | Out-Null
Invoke-PSUScript -environment "Integrated" -name "KeyVaultRegister.ps1"

I had to import the modules and give them a chance to load. Following that, my keys registered.

Oliver · January 25, 2023, 10:51am

Hmm I’m wondering, running in a linux container, if I need to capitalize my script name to Initialize.ps1 too? Let me try that in a bit

Matt.Harris · January 25, 2023, 11:01am

Yep, Linux will do that to you (The way it should be )

I’m Running the Linux Container too on Azure Container Instances.

Oliver · January 25, 2023, 11:04am

Well, needs some documentation Thanks for the insights!

Matt.Harris · January 25, 2023, 11:10am

Anytime

Oliver · January 25, 2023, 1:08pm

No luck even with capitalization, no hint in the log that it ran or failed…

adam · January 25, 2023, 1:36pm

If it’s finding the script and trying to run it, you should see a log message. Here’s the associated code from the PSU server.

            var repoPath = configurationService.GetSetting(ConfigurationSetting.RepositoryPath);
            var initScript = Path.Combine(repoPath, ".universal", "initialize.ps1");
            if (!File.Exists(initScript)) return;

            SetLoadingInfo("Running initialization script...");

            try
            {
                using (var rs = GetRunspace())
                {
                    using (var powerShell = PowerShell.Create())
                    {
                        powerShell.AddStatement().AddScript($". '{initScript}'");
                        powerShell.Invoke();

                        if (powerShell.HadErrors)
                        {
                            foreach (var error in powerShell.Streams.Error)
                            {
                                logger.LogError(error.Exception, "Exception:");
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                logger.LogError(ex, "Error running initialization script.");
            }

Oliver · January 25, 2023, 3:27pm

Hi Adam,
thanks for the codeblock, I’ll take a look at the situation again later.

Best, Oliver