Merge branch 'microsoft:master' into master

Author: rcarboneras

samples/manage/azure-arc-enabled-sql-server/modify-license-type/README.md

@@ -3,14 +3,13 @@ services: Azure Arc-enabled SQL Server
 platforms: Azure
 author: anosov1960
 ms.author: sashan
-ms.date: 6/4/2023
+ms.date: 7/5/2023
 ---
 
 
 # Overview
 
-This script allows you to to set or change the license type on all Azure-connected SQL Servers
-on a specific resource, in a single resource group, a specific subscription, a list of subscriptions or all subscriptions to which you have access. By default, it sets the specified license type value on the servers where it is undefined. But you can request to set it on all servers in the selected scope.
+This script provides a scaleable solution to set or change the license type and/or enable or disable the ESU policy on all Azure-connected SQL Servers in a specified scope.
 
 You can specify a single subscription to scan, or provide a list of subscriptions as a .CSV file.
 If not specified, all subscriptions your role has access to are scanned.
@@ -28,11 +27,12 @@ The script accepts the following command line parameters:
 
 | **Parameter**                                          | **Value**                                                                       | **Description** |
 |:--|:--|:--|
-|-SubId|subscription_id *or* a file_name|Optional: subscription id or a .csv file with the list of subscriptions<sup>1</sup>. If not specified all subscriptions will be scanned|
-|-ResourceGroup |resource_group_name|Optional: Limit the scope  to a specific resource group|
-|-MachineName |machine_name|Optional: Limit the scope to a specific machine|
-|-LicenceType | "Paid", "PAYG" or "LicenseOnly"| Required: Specifies the license type value |
-|-Force|\$True or \$False (default)|Optional. Set the new license type for all installed extensions. By default the value is set only if license type is undefined.|
+|-SubId|subscription_id *or* a file_name|Optional: Subscription id or a .csv file with the list of subscriptions<sup>1</sup>. If not specified all subscriptions will be scanned|
+|-ResourceGroup |resource_group_name|Optional: Limits the scope  to a specific resource group|
+|-MachineName |machine_name|Optional: Limits the scope to a specific machine|
+|-LicenceType | "Paid", "PAYG" or "LicenseOnly"| Optional: Sets the license type to the specified value |
+|-EnableESU | "Yes", "No" | Optional. Enables the ESU policy the value is "Yrs" or disables it if the value is "No". To enable, the license type must be "Paid" or "PAYG"|
+|-Force| |Optional. Forces the change of the license type to the specified value on all installed extensions. If -Force is not specified, the -LicenseType value is set only if undefined. Ignored if -LicenseType  is not specified|
 
 <sup>1</sup>You can create a .csv file using the following command and then edit to remove the subscriptions you don't  want to scan.
 ```PowerShell
@@ -52,15 +52,31 @@ The following command will scan all the subscriptions to which the user has acce
 The following command will scan the subscription `<sub_id>` and set the license type value to "Paid" on all servers.
 
 ```PowerShell
-.\modify-license-type.ps1 -SubId <sub_id> -LicenseType Paid -Force $True
+.\modify-license-type.ps1 -SubId <sub_id> -LicenseType Paid -Force
 ```
 
 ## Example 3
 
-The following command will scan resource group <resource_group_name> in the subscription `<sub_id>` and set the license type value to "PAYG" on all servers.
+The following command will scan resource group `<resource_group_name>` in the subscription `<sub_id>` and set the license type value to "PAYG" on all servers.
 
 ```PowerShell
-.\modify-license-type.ps1 -SubId <sub_id> -ResourceGroup <resource_group_name> -LicenseType PAYG -Force $True
+.\modify-license-type.ps1 -SubId <sub_id> -ResourceGroup <resource_group_name> -LicenseType PAYG -Force
+```
+
+## Example 4
+
+The following command will set License Type to 'Paid" and enables ESU on all servers in the subscriptions `<sub_id>` and the resource group `<resource_group_name>`.
+
+```console
+.\modify-license-type.ps1 -SubId <sub_id> -ResourceGroup <resource_group_name> -LicenseType Paid -EnableESU Yes -Force
+```
+
+## Example 5
+
+The following command will disable ESU on all servers in the subscriptions `<sub_id>`.
+    
+```console
+.\modify-license-type.ps1 -SubId <sub_id> -EnableESU No 
 ```
 
 # Running the script using Cloud Shell
@@ -81,11 +97,7 @@ This option is recommended because Cloud shell has the Azure PowerShell modules
     curl https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/manage/azure-arc-enabled-sql-server/modify-license-type/modify-license-type.ps1 -o modify-license-type.ps1
     ```
 
-1. Run the script. The following command will set License Type to 'Paid" on all servers in all the subscriptions your role has access to.
-
-    ```console
-   .//modify-license-type.ps1 -LicenseType Paid -Force $true
-    ```
+1. Run the script.
 
 > [!NOTE]
 > - To paste the commands into the shell, use `Ctrl-Shift-V` on Windows or `Cmd-v` on MacOS.
@@ -122,8 +134,4 @@ Use the following steps to run the script in a PowerShell session on your PC.
     Connect-AzAccount -TenantID (Get-AzureADTenantDetail).ObjectId
     ```
 
-1. Run the script using the desired scope. The following command will set License Type to 'Paid" on all servers in the specified subscription.
-
-    ```console
-   .//modify-license-type.ps1 -SubId <sub_id> -LicenseType Paid -Force $true
-    ```
+1. Run the script. 

samples/manage/azure-arc-enabled-sql-server/modify-license-type/modify-license-type.ps1

@@ -1,22 +1,23 @@
 #
-# This script provides a scaleable solution to set or change the license type on all Azure-connected SQL Servers
-# in a specific subscription, a list of subscruiptions or the entire account. By default, it sets the new license
-# type value only on the servers where it is undefined.
+# This script provides a scaleable solution to set or change the license type and/or enable or disable the ESU policy 
+# on all Azure-connected SQL Servers in a specified scope.
 #
 # You can specfy a single subscription to scan, or provide subscriptions as a .CSV file with the list of IDs.
 # If not specified, all subscriptions your role has access to are scanned.
 #
 # The script accepts the following command line parameters:
 #
-# -SubId [subscription_id] | [csv_file_name]    (Limit scope to specific subscriptions. Accepts a .csv file with the list of subscriptions.
+# -SubId [subscription_id] | [csv_file_name]    (Optional. Limits the scope to specific subscriptions. Accepts a .csv file with the list of subscriptions.
 #                                               If not specified all subscriptions will be scanned)
-# -ResourceGroup [resource_goup]                (Limit scope  to a specific resoure group)
-# -MachineName [machine_name]                   (Limit scope to a specific machine)
-# -LicenseType [license_type_value]             (Specific LT value)
-# -Force                                        (Required. Set the new license type on all installed extensions.
-#                                               By default the value is set only if license type is undefined undefined)
+# -ResourceGroup [resource_goup]                (Optional. Limits the scope to a specific resoure group)
+# -MachineName [machine_name]                   (Optional. Limits the scope to a specific machine)
+# -LicenseType [license_type_value]             (Optional. Sets the license type to the specified value)
+# -EnabelESU  [Yes or No]                       (Optional. Enables the ESU policy the value is "Yes" or disables it if the value is "No"
+#                                               To enable, the license type must be "Paid" or "PAYG"
+# -Force                                        (Optional. Forces the chnahge of the license type to the specified value on all installed extensions.
+#                                               If Force is not specified, the -LicenseType value is set only if undefined. Ignored if -LicenseType  is not specified
 #
-# The script uses a function ConvertTo-HashTable that was created by Adam Bertram (@adam-bertram).
+# This script uses a function ConvertTo-HashTable that was created by Adam Bertram (@adam-bertram).
 # The function was originally published on https://4sysops.com/archives/convert-json-to-a-powershell-hash-table/
 # and is used here with the author's permission.
 #
@@ -28,40 +29,16 @@ param (
     [string] $ResourceGroup,
     [Parameter (Mandatory= $false)]
     [string] $MachineName,
-    [Parameter (Mandatory= $true)]
+    [Parameter (Mandatory= $false)]
     [ValidateSet("PAYG","Paid","LicenseOnly", IgnoreCase=$false)]
     [string] $LicenseType,
     [Parameter (Mandatory= $false)]
-    [boolean] $Force=$false
+    [ValidateSet("Yes","No", IgnoreCase=$false)]
+    [string] $EnableESU,
+    [Parameter (Mandatory= $false)]
+    [switch] $Force
 )
 
-function CheckModule ($m) {
-
-    # This function ensures that the specified module is imported into the session
-    # If module is already imported - do nothing
-
-    if (!(Get-Module | Where-Object {$_.Name -eq $m})) {
-         # If module is not imported, but available on disk then import
-        if (Get-Module -ListAvailable | Where-Object {$_.Name -eq $m}) {
-            Import-Module $m
-        }
-        else {
-
-            # If module is not imported, not available on disk, but is in online gallery then install and import
-            if (Find-Module -Name $m | Where-Object {$_.Name -eq $m}) {
-                Install-Module -Name $m -Force -Verbose -Scope CurrentUser
-                Import-Module $m
-            }
-            else {
-
-                # If module is not imported, not available and not in online gallery then abort
-                write-host "Module $m not imported, not available and not in online gallery, exiting."
-                EXIT 1
-            }
-        }
-    }
-}
-
 function ConvertTo-Hashtable {
     [CmdletBinding()]
     [OutputType('hashtable')]
@@ -101,6 +78,60 @@ function ConvertTo-Hashtable {
     }
 }
 
+# This function checks if the specified module is imported into the session and if not installes and/or imports it
+function LoadModule
+{
+    param (
+        [parameter(Mandatory = $true)][string] $name
+    )
+
+    $retVal = $true
+
+    if (!(Get-Module -Name $name))
+    {
+        $retVal = Get-Module -ListAvailable | Where-Object {$_.Name -eq $name}
+
+        if ($retVal)
+        {
+            try
+            {
+                Import-Module $name -ErrorAction SilentlyContinue
+            }
+            catch
+            {
+                write-host "The request to lload module $($name) failed with the following error:"
+                write-host $_.Exception.Message                
+                $retVal = $false
+            }
+        }
+        else {
+
+            # If module is not imported, not available on disk, but is in online gallery then install and import
+            if (Find-Module -Name $name) {
+                Install-Module -Name $name -Force -Verbose -Scope CurrentUser
+                try
+                {
+                Import-Module $name -ErrorAction SilentlyContinue
+                }
+                catch
+                {
+                    write-host "The request to lload module $($name) failed with the following error:"
+                    write-host $_.Exception.Message                
+                    $retVal = $false
+                }
+            }
+            else {
+
+                # If module is not imported, not available and not in online gallery then abort
+                write-host "Module $($name) not imported, not available and not in online gallery, exiting."
+                EXIT 1
+            }
+        }
+    }
+
+    return $retVal
+}
+
 #
 # Suppress warnings
 #
@@ -113,7 +144,7 @@ $requiredModules = @(
     "Az.ConnectedMachine",
     "Az.ResourceGraph"
 )
-$requiredModules | Foreach-Object {CheckModule $_}
+$requiredModules | Foreach-Object {LoadModule $_}
 
 # Subscriptions to scan
 
@@ -178,21 +209,50 @@ foreach ($sub in $subscriptions){
             ExtensionType = $r.extensionType
         }
 
+        $WriteSettings = $false
         $settings = @{}
         $settings = $r.properties.settings | ConvertTo-Json | ConvertFrom-Json | ConvertTo-Hashtable
 
-        if ($settings.ContainsKey("LicenseType")) {
-            if ($Force) {
-                if ($settings["LicenseType"] -ne $LicenseType ) {
+        # set the license type or update (if -Force). ESU  must be disabled to set to LicenseOnly. 
+        $LO_Allowed = (!$settings["enableExtendedSecurityUpdates"] -and !$EnableESU) -or  ($EnableESU -eq "No")
+            
+        if ($LicenseType) {
+            if (($LicenseType -eq "LicenseOnly") -and !$LO_Allowed) {
+                write-host "ESU must be disabled before license type can be set to $($LicenseType)"
+            } else {
+                if ($settings.ContainsKey("LicenseType")) {
+                    if ($Force) {
+                        $settings["LicenseType"] = $LicenseType
+                        $WriteSettings = $true
+                    }
+                } else {
                     $settings["LicenseType"] = $LicenseType
-                    Write-Host "Resource group: [$($r.resourceGroup)] Connected machine: [$($r.MachineName)] : License type: [$($settings["LicenseType"])]"
-                    Set-AzConnectedMachineExtension @setId -Settings $settings -NoWait | Out-Null
+                    $WriteSettings = $true
                 }
             }
-        } else {
-            $settings["LicenseType"] = $LicenseType
-            Write-Host "Resource group: [$($r.resourceGroup)] Connected machine: [$($r.MachineName)] : License type: [$($settings["LicenseType"])]"
-            Set-AzConnectedMachineExtension @setId -Settings $settings -NoWait | Out-Null
+            
+        }
+        
+        # Enable ESU for qualified license types or disable 
+        if ($EnableESU) {
+            if (($settings["LicenseType"] | select-string "Paid","PAYG") -or  ($EnableESU -eq "No")) {
+                $settings["enableExtendedSecurityUpdates"] = ($EnableESU -eq "Yes")
+                $settings["esuLastUpdatedTimestamp"] = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
+                $WriteSettings = $true
+            } else {
+                write-host "The configured license type does not support ESUs" 
+            }
+        }
+
+        If ($WriteSettings) {
+            Write-Host "Resource group: [$($r.resourceGroup)] Connected machine: [$($r.MachineName)] : License type: [$($settings["LicenseType"])] : Enable ESU: [$($settings["enableExtendedSecurityUpdates"])]"
+            try { 
+                Set-AzConnectedMachineExtension @setId -Settings $settings -NoWait | Out-Null
+            } catch {
+                write-host "The request to modify the extenion object failed with the following error:"
+                write-host $_.Exception.Message
+                {continue}
+            }
         }
     }
 }