From 1a5ba10e07099b0ce5a4d8385251c50fbe36c8a1 Mon Sep 17 00:00:00 2001 From: Jurjen Ladenius Date: Mon, 6 Sep 2021 13:34:38 +0200 Subject: [PATCH] Published version of Subdomain Takeover check --- .../Effectory.Dns/Effectory.Dns.psd1 | 55 +- .../Get-BlobEffectoryDomainResources.ps1 | 1 + .../public/Get-EffectoryDomainResources.ps1 | 30 +- .../Set-BlobEffectoryDomainResources.ps1 | 2 +- .../public/VerifyEffectoryDomainResources.ps1 | 2 +- .../Effectory.Dns/0.0.4/Effectory.Dns.psd1 | 131 +++++ .../Effectory.Dns/0.0.4/Effectory.Dns.psm1 | 539 ++++++++++++++++++ .../Effectory.Dns/0.0.4/Effectory.Dns.zip | Bin 0 -> 5679 bytes .../Effectory.Dns/0.0.5/Effectory.Dns.psd1 | 131 +++++ .../Effectory.Dns/0.0.5/Effectory.Dns.psm1 | 539 ++++++++++++++++++ .../Effectory.Dns/0.0.5/Effectory.Dns.zip | Bin 0 -> 5679 bytes .../Effectory.Dns/1.0.6/Effectory.Dns.psd1 | 80 +++ .../Effectory.Dns/1.0.6/Effectory.Dns.psm1 | 539 ++++++++++++++++++ .../Effectory.Dns/1.0.6/Effectory.Dns.zip | Bin 0 -> 5214 bytes .../RunBooks/SubdomainTakeOverCheck.ps1 | 6 +- 15 files changed, 1983 insertions(+), 72 deletions(-) create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psd1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psm1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.zip create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.5/Effectory.Dns.psd1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.5/Effectory.Dns.psm1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.5/Effectory.Dns.zip create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psd1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psm1 create mode 100644 Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.zip diff --git a/Powershell/Modules/Effectory.Dns/Effectory.Dns/Effectory.Dns.psd1 b/Powershell/Modules/Effectory.Dns/Effectory.Dns/Effectory.Dns.psd1 index 0c69d39..60a4f6d 100644 --- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/Effectory.Dns.psd1 +++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/Effectory.Dns.psd1 @@ -12,10 +12,7 @@ RootModule = 'Effectory.Dns.psm1' # Version number of this module. -ModuleVersion = '0.0.3' - -# Supported PSEditions -# CompatiblePSEditions = @() +ModuleVersion = '1.0.6' # ID used to uniquely identify this module GUID = '1e64644e-639c-47d1-8816-c0e48390a6a7' @@ -32,41 +29,8 @@ Copyright = '(c) Effectory B.V. - Jurjen Ladenius. All rights reserved.' # Description of the functionality provided by this module Description = 'Functions to list, store, retrieve and check DNS bindings of resources that don''t exist anymore to prevent subdomain takeover.' -# Minimum version of the PowerShell engine required by this module -# PowerShellVersion = '' - -# Name of the PowerShell host required by this module -# PowerShellHostName = '' - -# Minimum version of the PowerShell host required by this module -# PowerShellHostVersion = '' - -# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# DotNetFrameworkVersion = '' - -# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. -# ClrVersion = '' - -# Processor architecture (None, X86, Amd64) required by this module -# ProcessorArchitecture = '' - # Modules that must be imported into the global environment prior to importing this module -RequiredModules = @('Az.Accounts','Az.Websites','Az.FrontDoor','Az.Storage','Az.Cdn','Az.Network','Az.TrafficManager','Az.ContainerInstance','Az.Resources', 'DnsClient-PS') - -# Assemblies that must be loaded prior to importing this module -# RequiredAssemblies = @() - -# Script files (.ps1) that are run in the caller's environment prior to importing this module. -#WScriptsToProcess = @('*') - -# Type files (.ps1xml) to be loaded when importing this module -# TypesToProcess = @() - -# Format files (.ps1xml) to be loaded when importing this module -# FormatsToProcess = @() - -# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess -# NestedModules = @() +RequiredModules = @('Az.Accounts','Az.ApiManagement','Az.Websites','Az.FrontDoor','Az.Storage','Az.Cdn','Az.Network','Az.TrafficManager','Az.ContainerInstance','Az.Resources', 'DnsClient-PS') # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. FunctionsToExport = @('Get-EffectoryDomainResources','Set-BlobEffectoryDomainResources','Get-BlobEffectoryDomainResources', 'VerifyEffectoryDomainResources') @@ -80,15 +44,6 @@ VariablesToExport = '*' # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. AliasesToExport = '*' -# DSC resources to export from this module -# DscResourcesToExport = @() - -# List of all modules packaged with this module -# ModuleList = @() - -# List of all files packaged with this module -# FileList = @() - # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. PrivateData = @{ @@ -122,11 +77,5 @@ PrivateData = @{ } # End of PrivateData hashtable -# HelpInfo URI of this module -# HelpInfoURI = '' - -# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. -# DefaultCommandPrefix = '' - } diff --git a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-BlobEffectoryDomainResources.ps1 b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-BlobEffectoryDomainResources.ps1 index 48d66af..443f453 100644 --- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-BlobEffectoryDomainResources.ps1 +++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-BlobEffectoryDomainResources.ps1 @@ -20,6 +20,7 @@ function Get-BlobEffectoryDomainResources { Get-AzStorageBlobContent -Context $context -CloudBlob $blob.ICloudBlob -Destination "$Env:temp/$($blob.Name).history.csv" -Force >$null $loadedResources = Import-CSV "$Env:temp/$($blob.Name).history.csv" Remove-Item -Path "$Env:temp/$($blob.Name).history.csv" + Write-Verbose "Retrieved resources from $($blob.Name)" } $loadedResources diff --git a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-EffectoryDomainResources.ps1 b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-EffectoryDomainResources.ps1 index 97e1a8c..a0e4313 100644 --- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-EffectoryDomainResources.ps1 +++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Get-EffectoryDomainResources.ps1 @@ -29,10 +29,10 @@ function Get-EffectoryDomainResources { $subscriptionId = $currentContext.Subscription } - Write-Host "Processing subscription $($currentContext.Name)" + Write-Verbose "Processing subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking WebApps and WebApp Slots for subscription $($currentContext.Name)" + Write-Verbose "Checking WebApps and WebApp Slots for subscription $($currentContext.Name)" $webApps = Get-AzWebApp [int]$webAppCounter = 0 [int]$webAppSlotCounter = 0 @@ -53,10 +53,10 @@ function Get-EffectoryDomainResources { } } } - Write-Host "Found $($webAppCounter) WebApps and $($webAppSlotsCounter) WebApp Slots for subscription $($currentContext.Name)" + Write-Verbose "Found $($webAppCounter) WebApps and $($webAppSlotsCounter) WebApp Slots for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking FrontDoor Endpoints for subscription $($currentContext.Name)" + Write-Verbose "Checking FrontDoor Endpoints for subscription $($currentContext.Name)" $frontDoors = Get-AzFrontDoor [int]$frontDoorEndPointCounter = 0 @@ -65,10 +65,10 @@ function Get-EffectoryDomainResources { $frontDoorEndPointCounter += $itemsFrontDoors.Count $result += $itemsFrontDoors } - Write-Host "Found $($frontDoorEndPointCounter) FrontDoor Endpoints for subscription $($currentContext.Name)" + Write-Verbose "Found $($frontDoorEndPointCounter) FrontDoor Endpoints for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking Storage Accounts for subscription $($currentContext.Name)" + Write-Verbose "Checking Storage Accounts for subscription $($currentContext.Name)" $storageAccounts = Get-AzStorageAccount | Where-Object { $_.CustomDomain.Name -like $effectoryDomainPattern } # storage accounts [int]$storageCounter = 0 @@ -77,10 +77,10 @@ function Get-EffectoryDomainResources { $storageCounter += $itemsStorage.Count $result += $itemsStorage } - Write-Host "Found $($storageCounter) Storage Accounts for subscription $($currentContext.Name)" + Write-Verbose "Found $($storageCounter) Storage Accounts for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking Cdn Endpoints for subscription $($currentContext.Name)" + Write-Verbose "Checking Cdn Endpoints for subscription $($currentContext.Name)" $cdnProfiles = Get-AzCdnProfile [int]$cdnCounter = 0 @@ -89,10 +89,10 @@ function Get-EffectoryDomainResources { $cdnCounter += $itemsCdn.Count $result += $itemsCdn } - Write-Host "Found $($cdnCounter) Cdn Endpoints for subscription $($currentContext.Name)" + Write-Verbose "Found $($cdnCounter) Cdn Endpoints for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking public IP addresses for subscription $($currentContext.Name)" + Write-Verbose "Checking public IP addresses for subscription $($currentContext.Name)" $ipAddresses = Get-AzPublicIpAddress | Where-Object DnsSettings -ne $null | Where-Object { $_.DnsSettings.DomainNameLabel -ne "" } [int]$ipCounter = 0 @@ -101,10 +101,10 @@ function Get-EffectoryDomainResources { $ipCounter += $itemsIpAddresses.Count $result += $itemsIpAddresses } - Write-Host "Found $($ipCounter) public IP addresses for subscription $($currentContext.Name)" + Write-Verbose "Found $($ipCounter) public IP addresses for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking Traffic Managers for subscription $($currentContext.Name)" + Write-Verbose "Checking Traffic Managers for subscription $($currentContext.Name)" $trafficManagers = Get-AzTrafficManagerProfile [int]$trafficManagerCounter = 0 @@ -113,10 +113,10 @@ function Get-EffectoryDomainResources { $trafficManagerCounter += $itemsTrafficManagers.Count $result += $itemsTrafficManagers } - Write-Host "Found $($trafficManagerCounter) Traffic Managers for subscription $($currentContext.Name)" + Write-Verbose "Found $($trafficManagerCounter) Traffic Managers for subscription $($currentContext.Name)" # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking Container groups for subscription $($currentContext.Name)" + Write-Verbose "Checking Container groups for subscription $($currentContext.Name)" $containerInstances = Get-AzContainerGroup if ($null -ne $containerInstances) { @@ -124,7 +124,7 @@ function Get-EffectoryDomainResources { } # ------------------------------------------------------------------------------------------------------------------ - Write-Host "Checking API Management for subscription $($currentContext.Name)" + Write-Verbose "Checking API Management for subscription $($currentContext.Name)" $apiManagementServices = Get-AzApiManagement if ($null -ne $apiManagementServices) { diff --git a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Set-BlobEffectoryDomainResources.ps1 b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Set-BlobEffectoryDomainResources.ps1 index 5d43f42..3e137e7 100644 --- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Set-BlobEffectoryDomainResources.ps1 +++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/Set-BlobEffectoryDomainResources.ps1 @@ -18,7 +18,7 @@ function Set-BlobEffectoryDomainResources { ) [string] $fileName = "$((Get-Date).ToString("yyyy-MM-dd HH-mm-ss")) - resources.csv" - Write-Host "Storing resources to $($fileName)" + Write-Verbose "Storing resources to $($fileName)" $context = New-AzStorageContext -ConnectionString $connectionString diff --git a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1 b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1 index 74c51ed..0b196a9 100644 --- a/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1 +++ b/Powershell/Modules/Effectory.Dns/Effectory.Dns/public/VerifyEffectoryDomainResources.ps1 @@ -25,7 +25,7 @@ function VerifyEffectoryDomainResources { [bool] $hasErrors = $false # ---------------------------------------------------------------------------------------------------------- - Write-Information "Comparing found resources with previously stored resources to find records that should've been deleted." + Write-Verbose "Comparing found resources with previously stored resources to find records that should've been deleted." foreach ($oldResource in $effectoryResourcesPrevious) { $currentItem = $effectoryResources.Where({$_.DomainName -eq $oldResource.DomainName}, 'First') diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psd1 b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psd1 new file mode 100644 index 0000000..da82a27 --- /dev/null +++ b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psd1 @@ -0,0 +1,131 @@ +# +# Module manifest for module 'Effectory.Dns' +# +# Generated by: Jurjen Ladenius +# +# Generated on: 8/11/2021 +# + +@{ + +# Script module or binary module file associated with this manifest. +RootModule = 'Effectory.Dns.psm1' + +# Version number of this module. +ModuleVersion = '0.0.4' + +# Supported PSEditions +# CompatiblePSEditions = @() + +# ID used to uniquely identify this module +GUID = '1e64644e-639c-47d1-8816-c0e48390a6a7' + +# Author of this module +Author = 'Jurjen Ladenius' + +# Company or vendor of this module +CompanyName = 'Effectory B.V.' + +# Copyright statement for this module +Copyright = '(c) Effectory B.V. - Jurjen Ladenius. All rights reserved.' + +# Description of the functionality provided by this module +Description = 'Functions to list, store, retrieve and check DNS bindings of resources that don''t exist anymore to prevent subdomain takeover.' + +# Minimum version of the PowerShell engine required by this module +# PowerShellVersion = '' + +# Name of the PowerShell host required by this module +# PowerShellHostName = '' + +# Minimum version of the PowerShell host required by this module +# PowerShellHostVersion = '' + +# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. +# DotNetFrameworkVersion = '' + +# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. +# ClrVersion = '' + +# Processor architecture (None, X86, Amd64) required by this module +# ProcessorArchitecture = '' + +# Modules that must be imported into the global environment prior to importing this module +RequiredModules = @('Az.Accounts','Az.ApiManagement','Az.Websites','Az.FrontDoor','Az.Storage','Az.Cdn','Az.Network','Az.TrafficManager','Az.ContainerInstance','Az.Resources', 'DnsClient-PS') + +# Assemblies that must be loaded prior to importing this module +# RequiredAssemblies = @() + +# Script files (.ps1) that are run in the caller's environment prior to importing this module. +#WScriptsToProcess = @('*') + +# Type files (.ps1xml) to be loaded when importing this module +# TypesToProcess = @() + +# Format files (.ps1xml) to be loaded when importing this module +# FormatsToProcess = @() + +# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess +# NestedModules = @() + +# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. +FunctionsToExport = @('Get-BlobEffectoryDomainResources','Get-EffectoryDomainResources','Set-BlobEffectoryDomainResources','VerifyEffectoryDomainResources') + +# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. +CmdletsToExport = '*' + +# Variables to export from this module +VariablesToExport = '*' + +# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. +AliasesToExport = '*' + +# DSC resources to export from this module +# DscResourcesToExport = @() + +# List of all modules packaged with this module +# ModuleList = @() + +# List of all files packaged with this module +# FileList = @() + +# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. +PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. + # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + # Prerelease string of this module + # Prerelease = '' + + # Flag to indicate whether the module requires explicit user acceptance for install/update/save + # RequireLicenseAcceptance = $false + + # External dependent modules of this module + # ExternalModuleDependencies = @() + + } # End of PSData hashtable + +} # End of PrivateData hashtable + +# HelpInfo URI of this module +# HelpInfoURI = '' + +# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. +# DefaultCommandPrefix = '' + +} diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psm1 b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psm1 new file mode 100644 index 0000000..4e13500 --- /dev/null +++ b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.psm1 @@ -0,0 +1,539 @@ +#Region '.\classes\EffectoryDomainNameCheck.ps1' 0 +class EffectoryDomainNameCheck { + [string] $SubscriptionId = "" + [string] $SubscriptionName = "" + [string] $ResourceId = "" + [string] $ResourceGroupName = "" + [string] $ResourceName = "" + [string] $ResourceType = "" + [string] $DomainName = "" + [string] $Tag_Team = "" + [string] $Tag_Product = "" + [string] $Tag_Environment = "" + [string] $Tag_Data = "" +} +#EndRegion '.\classes\EffectoryDomainNameCheck.ps1' 14 +#Region '.\private\CheckCdnEndpoints.ps1' 0 +function CheckCdnEndpoints() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Cdn.Models.Profile.PSProfile[]] $cdnProfiles, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($cdnProfile in $cdnProfiles) { + $cdnEndPoints = Get-AzCdnEndpoint -ProfileName $cdnProfile.Name -ResourceGroupName $cdnProfile.ResourceGroupName + foreach($cdnEndPoint in $cdnEndPoints) { + $resource = Get-AzResource -ResourceId $cdnEndPoint.Id + $cdnEffectory = Get-AzCdnCustomDomain -CdnEndpoint $cdnEndPoint | Where-Object HostName -Like $effectoryDomainPattern + + foreach($cdn in $cdnEffectory) { + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $cdn.Id; + ResourceName = $cdn.Name; + ResourceType = $cdn.Type; + ResourceGroupName = $cdn.ResourceGroupName; + DomainName = $cdn.HostName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + } + } + + $Result +} + +#EndRegion '.\private\CheckCdnEndpoints.ps1' 40 +#Region '.\private\CheckFrontDoorEndPoints.ps1' 0 +function CheckFrontDoorEndPoints() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.FrontDoor.Models.PSFrontDoor[]] $frontDoors, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($frontDoor in $frontDoors) { + $resource = Get-AzResource -ResourceId $frontDoor.Id + + if ($endPointHostNames = $frontDoor.FrontendEndpoints | Where-Object HostName -like $effectoryDomainPattern) { + foreach ($endPoint in $endPointHostNames) { + # frontdoor + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $endPoint.Id; + ResourceName = $endPoint.Name; + ResourceType = $endPoint.Type; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $endPoint.HostName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } } + } + + $Result +} +#EndRegion '.\private\CheckFrontDoorEndPoints.ps1' 37 +#Region '.\private\CheckIpAddresses.ps1' 0 +function CheckIpAddresses() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]] $ipAddresses, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + # public ip => Assume binding if an IP has a domain name. + + foreach($ipAddress in $ipAddresses) { + $resource = Get-AzResource -ResourceId $ipAddress.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $ipAddress.Id; + ResourceName = $ipAddress.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $ipAddress.DnsSettings.DomainNameLabel; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckIpAddresses.ps1' 34 +#Region '.\private\CheckStorageAccounts.ps1' 0 +function CheckStorageAccounts() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Management.Storage.Models.PSStorageAccount[]] $storageAccounts, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($storageAccount in $storageAccounts) { + $resource = Get-AzResource -ResourceId $storageAccount.Id + + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $storageAccount.Id; + ResourceName = $resource.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $storageAccount.CustomDomain.Name; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckStorageAccounts.ps1' 33 +#Region '.\private\CheckTrafficManagers.ps1' 0 +function CheckTrafficManagers() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.TrafficManager.Models.TrafficManagerProfile[]] $trafficManagers, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + # traffic manager => Assume binding + + foreach($trafficManager in $trafficManagers) { + $resource = Get-AzResource -ResourceId $trafficManager.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $trafficManager.Id; + ResourceName = $trafficManager.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $trafficManager.RelativeDnsName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckTrafficManagers.ps1' 34 +#Region '.\private\CheckWebApps.ps1' 0 +function CheckWebApps() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.WebApps.Models.PSSite[]] $webApps, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + $webAppsEffectory = $webApps | Where-Object {@($_.HostNames) -like $effectoryDomainPattern} + foreach ($webAppEffectory in $webAppsEffectory) { + foreach ($hostName in $webAppEffectory.HostNames | Where-Object {$_ -like $effectoryDomainPattern}) { + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $webAppEffectory.Id; + ResourceName = $webAppEffectory.Name; + ResourceType = $webAppEffectory.Type; + ResourceGroupName = $webAppEffectory.ResourceGroup; + DomainName = $hostName; + Tag_Team = $webAppEffectory.Tags.team + Tag_Product = $webAppEffectory.Tags.product + Tag_Environment = $webAppEffectory.Tags.environment + Tag_Data = $webAppEffectory.Tags.data + } + $Result += $domainNameCheck + } + } + + $Result +} +#EndRegion '.\private\CheckWebApps.ps1' 34 +#Region '.\private\DnsResolveHost.ps1' 0 +#Requires -Modules DnsClient-PS +function DnsResolveHost { + param( + [Parameter(Mandatory)] + [string] $domainName, + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $externalDNSServer = "8.8.8.8" +) + + try { + + $CnameChain = Resolve-Dns -query $domainName -QueryType A -NameServer $externalDNSServer -ContinueOnDnsError -ContinueOnEmptyResponse + $CnameChain.AllRecords.Where({$_.DomainName.Value -notlike "$($effectoryDomainPattern)."}, 'First').DomainName.Value + } + catch { + $null + } + + +} +#EndRegion '.\private\DnsResolveHost.ps1' 23 +#Region '.\private\GetDomainNameCheck.ps1' 0 +function GetDomainNameCheck () { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Management.WebSites.Models.Resource] $resource + ) + $Result = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $resource.Id; + ResourceName = $resource.Name; + ResourceType = $resource.Type; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + + $Result; +} +#EndRegion '.\private\GetDomainNameCheck.ps1' 22 +#Region '.\public\Get-BlobEffectoryDomainResources.ps1' 0 +function Get-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Retrieves the stored domain resources list + .DESCRIPTION + Retrieves the newest domain resources list from the CSV in Azure storage. + .PARAMETER connectionString + Connection string of the storage account to retrieve from. + #> + param( + [Parameter(Mandatory)] + [string] $connectionString + ) + + [EffectoryDomainNameCheck[]] $loadedResources = @() + $context = New-AzStorageContext -ConnectionString $connectionString + + $blob = Get-AzStorageBlob -Container "dangling-dns" -Context $context | Sort-Object -Property Name | Select-Object -Last 1 + if ($null -ne $blob) { + Get-AzStorageBlobContent -Context $context -CloudBlob $blob.ICloudBlob -Destination "$Env:temp/$($blob.Name).history.csv" -Force >$null + $loadedResources = Import-CSV "$Env:temp/$($blob.Name).history.csv" + Remove-Item -Path "$Env:temp/$($blob.Name).history.csv" + Write-Verbose "Retrieved resources from $($blob.Name)" + } + + $loadedResources +} +#EndRegion '.\public\Get-BlobEffectoryDomainResources.ps1' 28 +#Region '.\public\Get-EffectoryDomainResources.ps1' 0 +#Requires -Modules Az.Accounts,Az.Websites,Az.FrontDoor,Az.Storage,Az.Cdn,Az.Network,Az.TrafficManager,Az.ContainerInstance +function Get-EffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that have DNS records + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER subscriptionId + Optional Subscription Id to set the context to. Otherwise uses the current context. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $subscriptionId + ) + + # Initialize + [EffectoryDomainNameCheck[]]$result = @() + [string]$effectoryDomainPattern = "*.effectory.com" + + # Get subscription info + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$currentContext = $null + if (![string]::IsNullOrWhitespace($subscriptionId)) { + $currentContext = Set-AzContext -SubscriptionId $subscriptionId + } + else { + $currentContext = Get-AzContext + $subscriptionId = $currentContext.Subscription + } + + Write-Verbose "Processing subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking WebApps and WebApp Slots for subscription $($currentContext.Name)" + $webApps = Get-AzWebApp + [int]$webAppCounter = 0 + [int]$webAppSlotCounter = 0 + + if ($null -ne $webApps) { + # check webapps + $itemsWebApps = CheckWebApps -subscription $currentContext -webApps $webApps -effectoryDomainPattern $effectoryDomainPattern + $webAppCounter += $itemsWebApps.Count + $result += $itemsWebApps + + # check webapp slots + foreach ($webApp in $webApps) { + $slot = Get-AzWebAppSlot -WebApp $webApp + if ($null -ne $slot) { + $itemsWebAppSlots = CheckWebApps -subscription $currentContext -webApps $slot -effectoryDomainPattern $effectoryDomainPattern + $webAppSlotCounter += $itemsWebAppSlots.Count + $result += $itemsWebAppSlots + } + } + } + Write-Verbose "Found $($webAppCounter) WebApps and $($webAppSlotsCounter) WebApp Slots for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking FrontDoor Endpoints for subscription $($currentContext.Name)" + $frontDoors = Get-AzFrontDoor + [int]$frontDoorEndPointCounter = 0 + + if ($null -ne $frontDoors) { + $itemsFrontDoors = CheckFrontDoorEndPoints -subscription $currentContext -frontDoors $frontDoors -effectoryDomainPattern $effectoryDomainPattern + $frontDoorEndPointCounter += $itemsFrontDoors.Count + $result += $itemsFrontDoors + } + Write-Verbose "Found $($frontDoorEndPointCounter) FrontDoor Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Storage Accounts for subscription $($currentContext.Name)" + $storageAccounts = Get-AzStorageAccount | Where-Object { $_.CustomDomain.Name -like $effectoryDomainPattern } # storage accounts + [int]$storageCounter = 0 + + if ($null -ne $storageAccounts) { + $itemsStorage = CheckStorageAccounts -subscription $currentContext -storageAccounts $storageAccounts -effectoryDomainPattern $effectoryDomainPattern + $storageCounter += $itemsStorage.Count + $result += $itemsStorage + } + Write-Verbose "Found $($storageCounter) Storage Accounts for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Cdn Endpoints for subscription $($currentContext.Name)" + $cdnProfiles = Get-AzCdnProfile + [int]$cdnCounter = 0 + + if ($null -ne $cdnProfiles) { + $itemsCdn = CheckCdnEndpoints -subscription $currentContext -cdnProfiles $cdnProfiles -effectoryDomainPattern $effectoryDomainPattern + $cdnCounter += $itemsCdn.Count + $result += $itemsCdn + } + Write-Verbose "Found $($cdnCounter) Cdn Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking public IP addresses for subscription $($currentContext.Name)" + $ipAddresses = Get-AzPublicIpAddress | Where-Object DnsSettings -ne $null | Where-Object { $_.DnsSettings.DomainNameLabel -ne "" } + [int]$ipCounter = 0 + + if ($null -ne $ipAddresses) { + $itemsIpAddresses = CheckIpAddresses -subscription $currentContext -ipAddresses $ipAddresses -effectoryDomainPattern $effectoryDomainPattern + $ipCounter += $itemsIpAddresses.Count + $result += $itemsIpAddresses + } + Write-Verbose "Found $($ipCounter) public IP addresses for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Traffic Managers for subscription $($currentContext.Name)" + $trafficManagers = Get-AzTrafficManagerProfile + [int]$trafficManagerCounter = 0 + + if ($null -ne $trafficManagers) { + $itemsTrafficManagers = CheckTrafficManagers -subscription $currentContext -trafficManagers $trafficManagers -effectoryDomainPattern $effectoryDomainPattern + $trafficManagerCounter += $itemsTrafficManagers.Count + $result += $itemsTrafficManagers + } + Write-Verbose "Found $($trafficManagerCounter) Traffic Managers for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Container groups for subscription $($currentContext.Name)" + $containerInstances = Get-AzContainerGroup + + if ($null -ne $containerInstances) { + throw "Container groups are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking API Management for subscription $($currentContext.Name)" + $apiManagementServices = Get-AzApiManagement + + if ($null -ne $apiManagementServices) { + throw "API Management services are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + $result +} +#EndRegion '.\public\Get-EffectoryDomainResources.ps1' 137 +#Region '.\public\Set-BlobEffectoryDomainResources.ps1' 0 +function Set-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Stores the effectory domain resources list as csv in Azure storage. + .DESCRIPTION + Stores the effectory domain resources list as csv in Azure storage, while making a backup of the previous state. + .PARAMETER effectoryResources + Resources to be exported to CSV. + .PARAMETER connectionString + Connection string of the storage account to save to. + #> + + param( + [Parameter(Mandatory)] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [string] $connectionString + ) + + [string] $fileName = "$((Get-Date).ToString("yyyy-MM-dd HH-mm-ss")) - resources.csv" + Write-Verbose "Storing resources to $($fileName)" + + $context = New-AzStorageContext -ConnectionString $connectionString + + # move to history + $blobs = Get-AzStorageBlob -Container "dangling-dns" -Context $context + if ($null -ne $blobs) { + foreach ($blob in $blobs) { + Start-AzStorageBlobCopy -CloudBlob $blob.ICloudBlob -DestContainer "dangling-dns-history" -DestBlob $blob.Name -Context $context -Force >$null + Remove-AzStorageBlob -Container "dangling-dns" -Blob $blob.Name -Context $context -Force >$null + } + } + + # store as current + $effectoryResources | Export-Csv "$Env:temp/$($fileName)" + Set-AzStorageBlobContent -Context $context -Container "dangling-dns" -File "$Env:temp/$($fileName)" -Blob $fileName -Force >$null + Remove-Item -Path "$Env:temp/$($fileName)" +} +#EndRegion '.\public\Set-BlobEffectoryDomainResources.ps1' 39 +#Region '.\public\VerifyEffectoryDomainResources.ps1' 0 +function VerifyEffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that no longer exist, but have DNS records. + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER effectoryDomainPattern + The domain pattern to look for when enumerating hosts, e.g. '*.effectory.com' + .PARAMETER effectoryResources + The resources that currently exist. + .PARAMETER effectoryResourcesPrevious + The resources that existed previously. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResourcesPrevious + ) + + [bool] $hasErrors = $false + + # ---------------------------------------------------------------------------------------------------------- + Write-Verbose "Comparing found resources with previously stored resources to find records that should've been deleted." + foreach ($oldResource in $effectoryResourcesPrevious) { + $currentItem = $effectoryResources.Where({$_.DomainName -eq $oldResource.DomainName}, 'First') + + if (($null -eq $currentItem) -or ($currentItem.Count -eq 0)) { + # Host name no longer exists, so there should be no DNS record + # check + Write-Warning "Host name '$($oldResource.DomainName)' no longer exists. Checking DNS record for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $CName = DnsResolveHost -domainName $oldResource.DomainName -effectoryDomainPattern $effectoryDomainPattern -externalDNSServer "8.8.8.8" + if (($null -ne $CName) -and ($CName -ne "")) { + Write-Error "Host name '$($oldResource.DomainName)' no longer exists, but found DNS record '$($CName)' for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $hasErrors = $true + } + } + elseif (($oldResource.ResourceName -ne $currentItem.ResourceName) -or ($oldResource.ResourceId -ne $currentItem.ResourceId)) { + # found, but does not point to the same resource + # verify the DNS record to make sure it points to this resource + Write-Warning "Host name '$($oldResource.DomainName)' was found, but points to another resource. Assuming this was intentional." + } + } + + $hasErrors +} +#EndRegion '.\public\VerifyEffectoryDomainResources.ps1' 51 diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.zip b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.4/Effectory.Dns.zip new file mode 100644 index 0000000000000000000000000000000000000000..a8925e1841a37482dcef66adbdc0720716bf6a2d GIT binary patch literal 5679 zcmZ{oWl$VSwt#Ub3?3v9++70%8{FLq9)jE85L|*g!QCOa1!oBEFt`&KU~mX7@7`Pc zV|Qy`pRPW2s_XRk^HhIoiik)AaBy&FaOT?dnytE8W9%q!a4dLmaDQz$>Cd07EI>}K z-t1D2ZtTu(mRu8htB&|w0RP(gfI1`%Mq7lSN+ViYNy&oplyatYUF*fH@24x#C(2}i z*GUpz4tahy0jeORla*bbAs*{vu2v6E$NE+wc8xynAC}bB7T@?;F)eb^<*BL5CK?1Z zS`h6F&J`HV+VHuu*z+0$!tPlKgtzO}8tT}{YH}NfZXcd~aZbe!9+%g1pqu9$)%1yp z?Nyz9XIjjTX%KPh3!GLR*;$~mf`GLnyMuB|YlmBDGfV5aeTXwht9}o@kw0Kiq2@bt zLj|W216_g%`gb^W1Kio?jpq%Cb}xq$ed(aNw@Cq_5aaOd&5SpvH9(*yQ4#OW-x-O5wSr|lMGlWs zq0P_-b$%=i!rmv(ShSgD$*jk%>6UGXj^n+(xN3b(wu{AGrYIunp5#@TqM>6#H z#{O7$H%6!=De`TGC#QZH(b`a5{hzXd6DS-|Nr$1@1*gFDVc8YSwP$P(@g*q}e1}F) zUUDUL#iWUTBmG5fU2`|w5h)+}#?r?&;;-{6Pb9}K{R5ec%`9?8-aX%DmYJ{oO>Q)8 zM_kR$ePzs7hf={Q9`kznR0_M1Sxd8F+R6jegeqQxay9y=$xK+^hh1Ak$+2XKcUmnu z<9ZYti0eoCpHrRJiOY8$gedP>97_;7N3iFT^JumJz;sZJ1j(=&kwxpP z^4p?J75o8l7rxM(4sFfR*xv^fPCGpvn)(i5Z;O)*FE)_^7eSeDUQw&d@$}%zqMt4} z8w)b-4`kJ)r7F|G>J>YFRV)I~8RWbg(RZU2rPuYx2H&M#2!6}8Pz}nk3rZ5Z4f*p# z3SfPG>7&x{KqfH>jt}eZUk3|PP}4}}xe0sH#)-!b)nj41>@niU`BH>or~AwS-}BLF z2KS@%H^ywMiaUjmiV2q9V^NP>X+2m^d`6|o2Z%#+m8GfD_zNeAZ7=*W_?meFFt;&a z4ut|i_JgR$&&%?JeOfY-eN%&O7T5>0OPvCA8j|nQ2bp+ zlZ|jbkl@?u3e<-3HO?aMcxv-?sbip3KDXfcJi>((H+TexAsL-wuG33!(po(!N0w(T zYv&@`S!H8c)~V+v2ER~<`x<691@P-;Xp(DKC7Y*Um$5XWb;F2y;1ZImS-`_%uShz; zOZHQb;TqOkc(zL9*k=i=rfu{2u8YqYP}NaexJp^;%v*IrPT<}7c5dY*`Iw#Q(muS= zCv!Jarr`==H+7@Z;I;1U2mQD;r*uW#9?kd?q8{V3`=pRCFUJwC*|y zRmYtWn%#nb3}RvzvQ{UO9Zx#NzP^}jv^4rnn>T%akS-kr{v?_OPl#>?qL+^XH;N20 z1$i8hV|`HPm}2}Y@3b-ynTD9q7AABKENAB9akyN)72sUi6-*YB=h1e}U0I@dk&p_a z!q+nXAmy%!l&Me7u0aH!=Skas_lhJ#OR6dyZpApl3jF04i32*XAU&@@a4|6_C4V*_ zr^KM8)N~p}_Xe8Qu*46-Aeqf2D+p$lFEtL@H$)nR4b55w%7;T~33Zf)++Jm*hI7!3 z;Aua488YPk_j)of;XlgSdi#DIFeC(ZkD?P=T)1B%6s=US#h$P0I;LljI*c7J14|Knv+No9W3gXDtz( zAw2&*PCFI;N5!|i8?b5Yg2Ye)13NDe>G|@0VNtFoLnMY{wU8Zc$|2Y~wg3Y4-V;b& zy527!ZlJ5*hnVb%olB2x-78ww4UQaiwZb$PneJ5LuR2Zb+UbMtLsdm%nVht^$tvk{ z2kG}}jmOMKIZ+ZH(uXl&`$)egd4l&<>C5K^T?@zlj3*WB1Au6}%u7d&;y-CI^*qRO zNl`de{q2}}`YCo$22HmD1dLOFGa}Y0s5R`Hr8u#+V7}rM_3`+_x^_pGYA)kBf^eS-sWy+w{b>ZkDJFS14$a!BTxok&$mP>9&gl381Xt0K`~y3`@M z?-Br5mOP1_LdkYRuJX6w<68( zpQ0#Mq&3dy&fJELw|AwqB?o%#I+oOT^xYK*Dp5cs7Ixofbf=)My}&HXGHWp-Ag zYf7m+aNKvJkw#75z+w%Y>aa0$RGa6yA{PF@2)f6Gu@p$;RV&mRXeQksL1I>`H7m5P zzI+&^-rTy0XR-f%L~+~XVQjQPkY((5GboJ+Vv~DR8soJozFDSK6A-F&_hzGJDyC>G z+kmf$pYFyZE{FB5KtY@xeYiC=`F-*=!OnTBQkOM2wgQNr@K$3I?=`EK1ej0ADEQpFv~wrEp$72J!PAZ1cSdA{~msegUwDmI|YD>YWfI-}Msx|LCTI4ht%(ct;qkBE8C{Ij# zPQ}}Ma4u}r_B<@z-@F=n&|#dn~$HBMCtP&N-f7N^bs@rZ+!{Bqaap+B5f z3R{VQ;4qQpJc)w?&JTOD_EhIx?YhG^{1**eceo?fQB8{PhreaG2D0QL>bRsRUd(;G za1wkveKO}f2CCp{qQb?V1;(jxnah3=WUtM_prcVnOFbT90B=|YI74~_Ym*YTeU-j6 zBY8ZE?P_&xx7tUH>X0#}GE8XnZ5>=59REK0jTd{x3SJwdnxYQQFEdD#V`t0@RHH+c zzU)ok&o@~bl8 zY-B$l%J_p@I*L?6Es}?rEdn`e*u|8vxL1eVs+GwZ*+s@+n&$e8@K+$XGk@oUM2gO& ziv%U$D$;$2U`6|O5m)I_INyY*;(Q$G9tYEIJOXW#{fBT-E^am51Tj|;u4{j{BU&8Q zS`zEd#k4JW<@Ni{@>7k6Yyvm1W1E-CFJ6$|b8F9LQYBB6<*M{fYeF%A-+BYs#7|ID zV!WgOW;I3BxwlRl^s^-thH$BJ&c-hDA*c)3K5pJsKH$?3+Fb1)c$R`tiJb^t$APKY z(V1)8yTpG*hpglJMHngeTHhF_2i8+^D{Qe;Ifn;~3J2UBWw$pF5pF)mOf!;Mpt6%m zmV~5~$$yUN3g-}tWi*;Y9PVAfL%aK0hr*iS(>A55$u_)Yt!hu=D|%Zny@48eiuuB# zP~!l1G=z1BR!WY)hZkH5Fct^8sIHC|1jO0rJuHbdU#vvqGt!AWEv)^#X z6i3$R%7wi5$hF~X9%k>3cm+Akr|6wRD>=xajcKzJ^fQ@&$T0brmBtf+I#(edW_0Js zS+55lo0}oZ+mR0-V}eD^7W4g?x1QNtFau}U7=|5Q({cA#l-JVJ*5ks0qBM)6 zBBwt0Je63IxBpy58-T zg>Piu(&!9!=$JCDqWIh9_+3r&bx=h6&B{<2mvwZU@SfRTk20VPP;x9>qYwC`nm6q3GHpIkm4sS_he)=XTnMxC2*? zOi~$pRf<|}M!meokR(Waj`5-C>69qBsmhGuP3TfIW+H3jrzwuRgCtLyyKG${qcuL; zUGJuEZB>#`E3515W{6~M3>>Om=C9U`)w^`Cv6PkqeEe3?m9#^Bo?$?4* ztt+alNg!U`hA*2RU7u>W>FAA~S2%$8`0B z&%?)`xR1NPXC``%(*<8MDT#N~DR%O=?fOLY#KO4VkQrBJ=sti?eq1kK#dL0}zc+BB z!r@5ouPF*3JTo!*n09~&60-`}wI;f_i<@R7?a><_6MpgzI!p4C2ox#&Dj&E|i2_V0 z&pW=fLt5yv6lfLvEVlh{b5_pw-q{NEmDKYy*&-n;8}YfZsGg$NZXvRC`HRmi6^lNs zZdfdQ`5;`kee1Z1VhcYz2iYa2`+@oU1cIc2^ESZ&K2N`Ktu~Cw0eEpR`J^B z+BNdy!0B!Vz4yAKmV83Z7_F@$g`9g1|5-@0x-{*AzLwV>?o|XN6~M=jI(wLw&y7?E zfBUYoDseg$dji$Y!s^DRD_cgra9~<`|KrSQE#6Ix*QLh1Q-W~WgJeWzim*``X~_aa z6JS_YL5>dD`MF+fJCIPy4GBkw-pgu_U=Z1GdwGd zCuMtLjy|s+V@>-AGE#QQINHCY3gf1^BK9-%5c@^aPtqx*D|HMCs-i+gi)f`<@r**h zA!Fd5J`z+%`TFoayi`7kJhI7vMN_W7ezfNh+@pc1!G$(x|z4*;xS+NEwVfNZ6{RljX^yGJ5wF)HNl z9OgACz7S>Y#tpYZAmrq{b6IlT^c&UGu0-*wvsYq?HWYNE(5cg2go3xhQ^WH%*Ccy) zr+FKAA9A@2qs(p*Ij6a@1_}_%{8rhAa2v-rw@lS6!S9B!lW0cm(<~xnvgJbZSnTY3 z`U@HU2r+Z>C$rT!^sHC7bab3$;8FkKt!!@ma5a!(Qk)-mbhD{_;xRU|c%~i6R`wXI zn7?^io>k?JlNh++Pa@S5wWF(h@G*xM?{g+0B4~ia+qN3In1|3kE|3eC`}kXOo~PI9 z8fk2I3dN5+u<#c`Eps(vGxKNDH++5 zpx}04I)tTBTi$W(>E{bZ|1*rp;_HX}sl`yfSe%-cUP|6K=9d>G?ny`m)2J&7j)Fep z#wzOa8rtOdI=1R^Tx`QXPOXRDI=-W^H(_VMy;~DCMR)`;xc^V7(*7k?|6cF^Iscbn z#rW49JltD2H0~Xq$HGN;&&v+ozq8YM`9Jl4Gyd~q{qKxVf63hcmbeaF|ITPpnE2<- eGFbaR42z)Be=(5%>V< Assume binding if an IP has a domain name. + + foreach($ipAddress in $ipAddresses) { + $resource = Get-AzResource -ResourceId $ipAddress.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $ipAddress.Id; + ResourceName = $ipAddress.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $ipAddress.DnsSettings.DomainNameLabel; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckIpAddresses.ps1' 34 +#Region '.\private\CheckStorageAccounts.ps1' 0 +function CheckStorageAccounts() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Management.Storage.Models.PSStorageAccount[]] $storageAccounts, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($storageAccount in $storageAccounts) { + $resource = Get-AzResource -ResourceId $storageAccount.Id + + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $storageAccount.Id; + ResourceName = $resource.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $storageAccount.CustomDomain.Name; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckStorageAccounts.ps1' 33 +#Region '.\private\CheckTrafficManagers.ps1' 0 +function CheckTrafficManagers() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.TrafficManager.Models.TrafficManagerProfile[]] $trafficManagers, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + # traffic manager => Assume binding + + foreach($trafficManager in $trafficManagers) { + $resource = Get-AzResource -ResourceId $trafficManager.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $trafficManager.Id; + ResourceName = $trafficManager.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $trafficManager.RelativeDnsName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckTrafficManagers.ps1' 34 +#Region '.\private\CheckWebApps.ps1' 0 +function CheckWebApps() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.WebApps.Models.PSSite[]] $webApps, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + $webAppsEffectory = $webApps | Where-Object {@($_.HostNames) -like $effectoryDomainPattern} + foreach ($webAppEffectory in $webAppsEffectory) { + foreach ($hostName in $webAppEffectory.HostNames | Where-Object {$_ -like $effectoryDomainPattern}) { + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $webAppEffectory.Id; + ResourceName = $webAppEffectory.Name; + ResourceType = $webAppEffectory.Type; + ResourceGroupName = $webAppEffectory.ResourceGroup; + DomainName = $hostName; + Tag_Team = $webAppEffectory.Tags.team + Tag_Product = $webAppEffectory.Tags.product + Tag_Environment = $webAppEffectory.Tags.environment + Tag_Data = $webAppEffectory.Tags.data + } + $Result += $domainNameCheck + } + } + + $Result +} +#EndRegion '.\private\CheckWebApps.ps1' 34 +#Region '.\private\DnsResolveHost.ps1' 0 +#Requires -Modules DnsClient-PS +function DnsResolveHost { + param( + [Parameter(Mandatory)] + [string] $domainName, + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $externalDNSServer = "8.8.8.8" +) + + try { + + $CnameChain = Resolve-Dns -query $domainName -QueryType A -NameServer $externalDNSServer -ContinueOnDnsError -ContinueOnEmptyResponse + $CnameChain.AllRecords.Where({$_.DomainName.Value -notlike "$($effectoryDomainPattern)."}, 'First').DomainName.Value + } + catch { + $null + } + + +} +#EndRegion '.\private\DnsResolveHost.ps1' 23 +#Region '.\private\GetDomainNameCheck.ps1' 0 +function GetDomainNameCheck () { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Management.WebSites.Models.Resource] $resource + ) + $Result = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $resource.Id; + ResourceName = $resource.Name; + ResourceType = $resource.Type; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + + $Result; +} +#EndRegion '.\private\GetDomainNameCheck.ps1' 22 +#Region '.\public\Get-BlobEffectoryDomainResources.ps1' 0 +function Get-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Retrieves the stored domain resources list + .DESCRIPTION + Retrieves the newest domain resources list from the CSV in Azure storage. + .PARAMETER connectionString + Connection string of the storage account to retrieve from. + #> + param( + [Parameter(Mandatory)] + [string] $connectionString + ) + + [EffectoryDomainNameCheck[]] $loadedResources = @() + $context = New-AzStorageContext -ConnectionString $connectionString + + $blob = Get-AzStorageBlob -Container "dangling-dns" -Context $context | Sort-Object -Property Name | Select-Object -Last 1 + if ($null -ne $blob) { + Get-AzStorageBlobContent -Context $context -CloudBlob $blob.ICloudBlob -Destination "$Env:temp/$($blob.Name).history.csv" -Force >$null + $loadedResources = Import-CSV "$Env:temp/$($blob.Name).history.csv" + Remove-Item -Path "$Env:temp/$($blob.Name).history.csv" + Write-Verbose "Retrieved resources from $($blob.Name)" + } + + $loadedResources +} +#EndRegion '.\public\Get-BlobEffectoryDomainResources.ps1' 28 +#Region '.\public\Get-EffectoryDomainResources.ps1' 0 +#Requires -Modules Az.Accounts,Az.Websites,Az.FrontDoor,Az.Storage,Az.Cdn,Az.Network,Az.TrafficManager,Az.ContainerInstance +function Get-EffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that have DNS records + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER subscriptionId + Optional Subscription Id to set the context to. Otherwise uses the current context. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $subscriptionId + ) + + # Initialize + [EffectoryDomainNameCheck[]]$result = @() + [string]$effectoryDomainPattern = "*.effectory.com" + + # Get subscription info + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$currentContext = $null + if (![string]::IsNullOrWhitespace($subscriptionId)) { + $currentContext = Set-AzContext -SubscriptionId $subscriptionId + } + else { + $currentContext = Get-AzContext + $subscriptionId = $currentContext.Subscription + } + + Write-Verbose "Processing subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking WebApps and WebApp Slots for subscription $($currentContext.Name)" + $webApps = Get-AzWebApp + [int]$webAppCounter = 0 + [int]$webAppSlotCounter = 0 + + if ($null -ne $webApps) { + # check webapps + $itemsWebApps = CheckWebApps -subscription $currentContext -webApps $webApps -effectoryDomainPattern $effectoryDomainPattern + $webAppCounter += $itemsWebApps.Count + $result += $itemsWebApps + + # check webapp slots + foreach ($webApp in $webApps) { + $slot = Get-AzWebAppSlot -WebApp $webApp + if ($null -ne $slot) { + $itemsWebAppSlots = CheckWebApps -subscription $currentContext -webApps $slot -effectoryDomainPattern $effectoryDomainPattern + $webAppSlotCounter += $itemsWebAppSlots.Count + $result += $itemsWebAppSlots + } + } + } + Write-Verbose "Found $($webAppCounter) WebApps and $($webAppSlotsCounter) WebApp Slots for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking FrontDoor Endpoints for subscription $($currentContext.Name)" + $frontDoors = Get-AzFrontDoor + [int]$frontDoorEndPointCounter = 0 + + if ($null -ne $frontDoors) { + $itemsFrontDoors = CheckFrontDoorEndPoints -subscription $currentContext -frontDoors $frontDoors -effectoryDomainPattern $effectoryDomainPattern + $frontDoorEndPointCounter += $itemsFrontDoors.Count + $result += $itemsFrontDoors + } + Write-Verbose "Found $($frontDoorEndPointCounter) FrontDoor Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Storage Accounts for subscription $($currentContext.Name)" + $storageAccounts = Get-AzStorageAccount | Where-Object { $_.CustomDomain.Name -like $effectoryDomainPattern } # storage accounts + [int]$storageCounter = 0 + + if ($null -ne $storageAccounts) { + $itemsStorage = CheckStorageAccounts -subscription $currentContext -storageAccounts $storageAccounts -effectoryDomainPattern $effectoryDomainPattern + $storageCounter += $itemsStorage.Count + $result += $itemsStorage + } + Write-Verbose "Found $($storageCounter) Storage Accounts for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Cdn Endpoints for subscription $($currentContext.Name)" + $cdnProfiles = Get-AzCdnProfile + [int]$cdnCounter = 0 + + if ($null -ne $cdnProfiles) { + $itemsCdn = CheckCdnEndpoints -subscription $currentContext -cdnProfiles $cdnProfiles -effectoryDomainPattern $effectoryDomainPattern + $cdnCounter += $itemsCdn.Count + $result += $itemsCdn + } + Write-Verbose "Found $($cdnCounter) Cdn Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking public IP addresses for subscription $($currentContext.Name)" + $ipAddresses = Get-AzPublicIpAddress | Where-Object DnsSettings -ne $null | Where-Object { $_.DnsSettings.DomainNameLabel -ne "" } + [int]$ipCounter = 0 + + if ($null -ne $ipAddresses) { + $itemsIpAddresses = CheckIpAddresses -subscription $currentContext -ipAddresses $ipAddresses -effectoryDomainPattern $effectoryDomainPattern + $ipCounter += $itemsIpAddresses.Count + $result += $itemsIpAddresses + } + Write-Verbose "Found $($ipCounter) public IP addresses for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Traffic Managers for subscription $($currentContext.Name)" + $trafficManagers = Get-AzTrafficManagerProfile + [int]$trafficManagerCounter = 0 + + if ($null -ne $trafficManagers) { + $itemsTrafficManagers = CheckTrafficManagers -subscription $currentContext -trafficManagers $trafficManagers -effectoryDomainPattern $effectoryDomainPattern + $trafficManagerCounter += $itemsTrafficManagers.Count + $result += $itemsTrafficManagers + } + Write-Verbose "Found $($trafficManagerCounter) Traffic Managers for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Container groups for subscription $($currentContext.Name)" + $containerInstances = Get-AzContainerGroup + + if ($null -ne $containerInstances) { + throw "Container groups are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking API Management for subscription $($currentContext.Name)" + $apiManagementServices = Get-AzApiManagement + + if ($null -ne $apiManagementServices) { + throw "API Management services are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + $result +} +#EndRegion '.\public\Get-EffectoryDomainResources.ps1' 137 +#Region '.\public\Set-BlobEffectoryDomainResources.ps1' 0 +function Set-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Stores the effectory domain resources list as csv in Azure storage. + .DESCRIPTION + Stores the effectory domain resources list as csv in Azure storage, while making a backup of the previous state. + .PARAMETER effectoryResources + Resources to be exported to CSV. + .PARAMETER connectionString + Connection string of the storage account to save to. + #> + + param( + [Parameter(Mandatory)] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [string] $connectionString + ) + + [string] $fileName = "$((Get-Date).ToString("yyyy-MM-dd HH-mm-ss")) - resources.csv" + Write-Verbose "Storing resources to $($fileName)" + + $context = New-AzStorageContext -ConnectionString $connectionString + + # move to history + $blobs = Get-AzStorageBlob -Container "dangling-dns" -Context $context + if ($null -ne $blobs) { + foreach ($blob in $blobs) { + Start-AzStorageBlobCopy -CloudBlob $blob.ICloudBlob -DestContainer "dangling-dns-history" -DestBlob $blob.Name -Context $context -Force >$null + Remove-AzStorageBlob -Container "dangling-dns" -Blob $blob.Name -Context $context -Force >$null + } + } + + # store as current + $effectoryResources | Export-Csv "$Env:temp/$($fileName)" + Set-AzStorageBlobContent -Context $context -Container "dangling-dns" -File "$Env:temp/$($fileName)" -Blob $fileName -Force >$null + Remove-Item -Path "$Env:temp/$($fileName)" +} +#EndRegion '.\public\Set-BlobEffectoryDomainResources.ps1' 39 +#Region '.\public\VerifyEffectoryDomainResources.ps1' 0 +function VerifyEffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that no longer exist, but have DNS records. + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER effectoryDomainPattern + The domain pattern to look for when enumerating hosts, e.g. '*.effectory.com' + .PARAMETER effectoryResources + The resources that currently exist. + .PARAMETER effectoryResourcesPrevious + The resources that existed previously. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResourcesPrevious + ) + + [bool] $hasErrors = $false + + # ---------------------------------------------------------------------------------------------------------- + Write-Verbose "Comparing found resources with previously stored resources to find records that should've been deleted." + foreach ($oldResource in $effectoryResourcesPrevious) { + $currentItem = $effectoryResources.Where({$_.DomainName -eq $oldResource.DomainName}, 'First') + + if (($null -eq $currentItem) -or ($currentItem.Count -eq 0)) { + # Host name no longer exists, so there should be no DNS record + # check + Write-Warning "Host name '$($oldResource.DomainName)' no longer exists. Checking DNS record for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $CName = DnsResolveHost -domainName $oldResource.DomainName -effectoryDomainPattern $effectoryDomainPattern -externalDNSServer "8.8.8.8" + if (($null -ne $CName) -and ($CName -ne "")) { + Write-Error "Host name '$($oldResource.DomainName)' no longer exists, but found DNS record '$($CName)' for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $hasErrors = $true + } + } + elseif (($oldResource.ResourceName -ne $currentItem.ResourceName) -or ($oldResource.ResourceId -ne $currentItem.ResourceId)) { + # found, but does not point to the same resource + # verify the DNS record to make sure it points to this resource + Write-Warning "Host name '$($oldResource.DomainName)' was found, but points to another resource. Assuming this was intentional." + } + } + + $hasErrors +} +#EndRegion '.\public\VerifyEffectoryDomainResources.ps1' 51 diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.5/Effectory.Dns.zip b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/0.0.5/Effectory.Dns.zip new file mode 100644 index 0000000000000000000000000000000000000000..eed0c8230ac21f162066dcd5f365b18a2832a0ac GIT binary patch literal 5679 zcmZ{oWl$VSwt#UB7biHu2e-iq1O|6^cXt_la3?syf=h6h;0*3IxCM6)mIU72efwi~ z>%Bf*=hUgL?(gTR{!|qZkqF@6;LzaA^cXal2^1vRQQ+WM@ZjM7-f&XZ)>amtF7CeU zlFlCNt{#?LQ@ZQU_*^)Fb&J9ENa_H4gb;OhJUnWo(7t!(_%AxIZ%dpsjNHs@Szt!>T?Z9?qo{oJ*dG}RU{e5{xjd0}+8$qUx2WK8QJ zyli0lG|r8fFG`s+D>(xJM6ncix&XbEj0EkOl~n&fuidDRRQG?*AC}@=p5AMxj*f0< zZSD9l6Y@{ke@K3cGN__GDP%9n;o;A0WmsR|5`wLz8-RPn+cVdzx6x}w(JV@}6$w{0 ziOW*)M(dCiA%GgRlc1}hE42==`hEwWq?w3dbZJ;j=}qCZ`{h26a7tjQr@aY(i6TMQ ztYO?v8}M9;bCM!AI5uY4aT@G@2J>GTa4ZHdqrKb-Q z^`bT`C47HWBf_MSJQ&x^&Qz;AnZ8nzl`!2Yu<{IGG~u`%xYMzYMTC+AKp!Gvk8{fB z+4P+6C5DYN&O|EHt*o&pv@&i}0 z0;wl0*>O+{t<}-Nztv?uhFYC#i0jbW1|Lrx!lqlidQqN9GtyClvhJ?>Gpk+hA%&y1 zRrn)*jHou}vyg=dzN6)ilLnpuRg|ufbY;!}jt?ncfZxTlJiRVGrzHWV+s$(UvG`D%DjO2Y7hOc%`&#sWfHo)jK@ZxzQN)3d+$k0C+ z1-^TFP(&q3lWRA)xOB{l(>lu3`woIkp>P~Z7$un0Y{PLRW4Da8{~|kw)W`HNtXW^# z3VgxKpv#HqXsoTO9XzB-iMda)R(f>f_+63r#Iv#&9>ZJbpp(>oAB11rq;=TYb6&of zaxk#-7(dt=#}dVKQPJ=Tls1gZ-%yHKl^rd`oO>OgtlzXjuR+Y2eBg{ONSw$%=rU$X z9-MA1mxI%2ydbiG8pKNXC*5^3vtsu}i0YZexfG#m3~M1ZpLPcal<8R`PBLmnWYPAf zL|mM$j6e9vjW;~6Q%hq!VgH!YWw*CmOV0?MOP0QEw-+6*?gR*bO;Beomi?|O@pSkj z*nkXn;!>ZTEhLR8T^f5=Q@fEXa}?0};t43vo*!v+FvEM+NCK@!5|ef8pcze4JWhSs z;(U5Wjgnm@v9a03U^ixmYfeF^vsPnEDk7Sj~b zG04znxFf~jyGfYecD@|)MAOY^oaFQ7P{czd;PU+W2qSdYqJ>NMF@D}Wu-fhWl=Wjp`{qHch8GuRmX;1MUHdr3y!_LDc zFG-_#nt2O|(k++sFfEz-F48N4p{OFkIa^~sO55e^7PaAHhA?Dffygh-g=?)ka1><$ z(w)Uos!08_5ei=0vfqQsbt}#GWnYSsv1|xpa$ibtjOCOxvbR`ni3J{6O{!f0khEtq zO^29;3ncmvOTH9_LT0iT4Wki7nOOv%q)i-_@BSi5?@dFoYcp68x3P%!3A zIx}c?xsQ@;_nW2_$6Q^%Y_cE8@ENpgLc3mhLy!1xhP#LBQpzA>x`TUgC zY$sd*B8XXEJF=sCOSH&8pV@v}=^Sj6`&#(tI?9a{H*^e}F%_M1p$jZ9ZKIZwC&ROm zvwIWgs=T!-rh*eu()PPRzNE^TQ@=YbLX!X+eGvxJAo{w?Jg zFEv0do@-Qh>5o-1$018ZHC?;k7ae>+a8+kr(K=O~E3oQcwy}|^_-pQ)-kfl zFMBUqy73O?F!P|?2;TG!IQqD=pm;~q5eIk;(YW7zM>l;(S1dX8Vws%4RQw<-wCO&5 zq=q{sG`|D?D};$%$VQDwW-{dx>;7iC$BRWS4NINh#4@^h~338ae2@o2e!U0b1i6_*U5 z#@93wl=RX-%GM)iS0{qc_o3@}dP9rNRuHSe$bVEjjSzi@9Q5rW=sm{8Am6yxbeD0C|>)aLWlx*X0l%z9p z8#zkqa2Rq#wRn{H`WukgPZ)ZZ5?KbGU)?2N_|*k2^cXVbl22{8O|*$G`Q5^TE$VMO zJta9tP7xHDh^E(vK}N6l&YomYhU64`7Dxk-pea#B2?g!6r6xWkfEpe=o2rYSe3yL5 zJ&oU|^NU;HM>uiVqm`N}>B}31c8Uhb{|*${APhSp^T|!7E+Z&H>|x2SE5=n8A1GVt z6g_lKY*FGOs;}p&t&J<8WEM4XcL#>=Bs$;Bfpa;SAGauB_}gGaHt>Kodz!JGX3OS& zfqZot1^f~o5ycrXpO8|{k7Bm4u>FMyx%DiVu3q9CyF}?;oUg#})E_E(vSLg6>yN?4 zpVM@tfLU}FAyiU?>Mxoqq)bja;o5C55pcQnOf9*=Ikg>8HhSmpyo$DUPZ6_vdwwVI zirEBs-d|-s9adn!a7EL+Mugx&I=BB9G~+(l)Cg1831VB1+&x@e{M?11>UEWhGCwcg zJ)>9wne^XkqE*$?x7dKDJ8jLK*5&)GiABBuJfCsTSPI4StK}Q?HBz2WVe#wL8s9YU zYz4<@ws#&rvpDXbQa(0&8yRj9#}4GHt3aV@sH<3Lm3>nSO4>3cl-=a1tQUjziV#4>YuK@Pfkyvp)R`kCIK=4 zQzZ$#^jAn}6P>|M+`E!I0x9Q~yvf6R_{FKa_#JtVfns3y;9eI5IDFHL_{lzZDq>su z1i^9KeZ0Q~cDZQO6j7stYWoIcLfgFZqp=i-4Iaj&P^qEtZk5$wG}o%&i|g~LqPj5c zz5LYCi+y9Kdf;v8_1Bw$H$7IGpZ=5ur|yCyNc~cU0A>65V@by1Pw&LD(jhO6U51lc z#fY^i7&a4G-tSM);OmpVoCB3bcZZ(Ht-xh{_g(I2HB^(5=h2ufcL>W@L~XY;g`0(s zH!cFdFMpeJo`aNeHBjLat{{oZT;?*i0_=4;81%GCXzAx8jL5NnA{X56E$LIT}`*;a=tk8`K>KU5Qf^z+2S$04^M3o*@ z>b5WQu)t(xm{$SWKVNWVk(^PJ`;IMjBKRjhiha2+!Je*4QqU4yKf*-81^G5qFGeK# zZ0xY$2vEx{6-z3v8qM>bEebhy)XkKzq)(gNs*TAN*-cu1miFFOI0yvoD%ceiPt%@u z6Q{zti}uOEI6uKPfbGg>0` zMhffh&8$6i?d{9%>hBtFnIvvd=MNxtz-IvlpPd7{Y2|!TmbLa&5#jcq_*np%1u8q4 zL}^%Bxtw);cO-{U0>E$qakOs<5A7+a9)&f_uYE>EgKc!jM#YiDU-YqXb_+H767!Ws zzQzgebmZL=S{XV10bXbsj?pKOTmC0bww(tJPmWlGB}2I~9CzrZLDLA5jAjecy4gP5 zIpwJhx>6DF8M!WU!`qDF6ez%9KEvP=Udcgz)RZwl#W0tR6CEMi3{%4C4+ z*W`EH7+FThkoF8l+e5F4>a$((n7b6kI&L%$JQQb?;+Dr-yh|(^P zi(L9W^Kcs7n=>WFHv5QArPPSMq*IMN^J6=8N^F@K8-7cr2}}B=b;M2MxHWG4Cc7*$ z_ESZZq>0A|v_vrK%Nk+J=VBa=qtg5pkZKZp6rr_^X))E1?zL8$d4dU_nblN(v2;5i`73^KVmLBy2px+xCI zBe$|2X|;ztwM_x*D1r8Q0e7>!os@9_^U~Bt<(-`uz$^RvaYmFuDvqUl^g+LL^B3_o z`$zV9)n785*S0@dh*XJsj=mbhn_s$kG0kHgL3gs|VKU3$sRIEWYC@7z7V%2Y1b`B|VFNlt(@=1KfFL0Ph9zqdlW z9H&od-!EIK8>^BzK2s-)L>W#n;+!q5oXob(@CTxK6X!@(O=%D|wCWSKc;AhWdff}e zwymkGr+5N&R<})MoaXp9v~{v)H<<~%dAok*&9PO9>Q68x>uiF2iPX6V(_M{MHK|&A zaD?4Ynn$nHCYpGecg*pW*-}Y6 z|BRj+bD#Ho$xil}qz}DkQvB3euh7NUzULR!n{dYU7nxCYmd*?GqV|6EF1~A9?SsAt zH8w})KuvKl;gyNW$Bbh{Pcf_DJsYB%r^HzRX|L|&gz#_QkgJpcafnD!kQ`*G5(Si0 zk$-;cfV9+Y$=@bmE%xK(;i`h|gR2$l8>x>q*)kz3+xu%HQC$V_UJuHH+R^ z{is;v>T#q_$If{(9b$Ac);9K=Ymn7lx7m29sG-1PX($XcE z2981bH*$2??)S|S`@y6#ZdfGx(X))!7zU9Yx3BHjN~A!jWQ(%6R7NpyW(CvwiGJ`B zo|Nr3bKG^q1Z&1ePeUcQtkc6=>IiPyyY~SG-eN-}10-ESI+Ev}Ayw3TDR})p!2dm$PP5pObjss1pt< zI%B-kj+i(VY1KU0U)?p3qzK=J`PyHeY4fLO`GRrQFdfpj7(MMJW2%W;Jf4w=S`CZ1 zyGDT~B{!n1J-Crp2!x!RPi`yj+X3SmT9qi^dPhZ;I0FG^O6_{B{ z(`Eh^p5Rw5gIKdiM9x{RoWVlG@_=>r5!|N9?HyB9ODM$%RtoL7V}?bPbgpbzK8u56 z??4gbPa$S*zErjvr{2wPZk?T1S$H%*ft4*yf_H;yCM5-lrw`j&7v2+N%U4>_Y~{Z~ z6$-X5D{`v5u#+KMfh3Z>vAa4t#~<^6c-Gm3h@OKSzV_8e%lQaBll))dzW&;mSmf!m zx<{JWn?VU6hZGGV)G=2B;-D)PS`I9zllp?%b-L29jXx_#us}i<#rSOEK7o;NDv9Xc zBzcb;(~)=TbrqfGJ^}tv^q-@MEdBw=#;pc&C7)>M7$oKVe;F*aIp-2y0o46YWt5TJVac94jxTZ72pxX;Ql|QO82)^{m1(7&-{N0 zR*Zk0!NU>5<)PP;zZEUR6X%=K{iBjf#Qn4XZ^nOqtpA;1{I|^gZ;9)~_3sRu>9T*m e3Do{y)}}%9zZl4W--Uxi_&Y}bu4;t;=>7-Kquts7 literal 0 HcmV?d00001 diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psd1 b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psd1 new file mode 100644 index 0000000..2e9cbb8 --- /dev/null +++ b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psd1 @@ -0,0 +1,80 @@ +# +# Module manifest for module 'Effectory.Dns' +# +# Generated by: Jurjen Ladenius +# +# Generated on: 8/11/2021 +# + +@{ + +# Script module or binary module file associated with this manifest. +RootModule = 'Effectory.Dns.psm1' + +# Version number of this module. +ModuleVersion = '1.0.6' + +# ID used to uniquely identify this module +GUID = '1e64644e-639c-47d1-8816-c0e48390a6a7' + +# Author of this module +Author = 'Jurjen Ladenius' + +# Company or vendor of this module +CompanyName = 'Effectory B.V.' + +# Copyright statement for this module +Copyright = '(c) Effectory B.V. - Jurjen Ladenius. All rights reserved.' + +# Description of the functionality provided by this module +Description = 'Functions to list, store, retrieve and check DNS bindings of resources that don''t exist anymore to prevent subdomain takeover.' + +# Modules that must be imported into the global environment prior to importing this module +RequiredModules = @('Az.Accounts','Az.ApiManagement','Az.Websites','Az.FrontDoor','Az.Storage','Az.Cdn','Az.Network','Az.TrafficManager','Az.ContainerInstance','Az.Resources', 'DnsClient-PS') + +# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. +FunctionsToExport = @('Get-BlobEffectoryDomainResources','Get-EffectoryDomainResources','Set-BlobEffectoryDomainResources','VerifyEffectoryDomainResources') + +# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. +CmdletsToExport = '*' + +# Variables to export from this module +VariablesToExport = '*' + +# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. +AliasesToExport = '*' + +# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. +PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. + # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + # Prerelease string of this module + # Prerelease = '' + + # Flag to indicate whether the module requires explicit user acceptance for install/update/save + # RequireLicenseAcceptance = $false + + # External dependent modules of this module + # ExternalModuleDependencies = @() + + } # End of PSData hashtable + +} # End of PrivateData hashtable + +} diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psm1 b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psm1 new file mode 100644 index 0000000..4e13500 --- /dev/null +++ b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.psm1 @@ -0,0 +1,539 @@ +#Region '.\classes\EffectoryDomainNameCheck.ps1' 0 +class EffectoryDomainNameCheck { + [string] $SubscriptionId = "" + [string] $SubscriptionName = "" + [string] $ResourceId = "" + [string] $ResourceGroupName = "" + [string] $ResourceName = "" + [string] $ResourceType = "" + [string] $DomainName = "" + [string] $Tag_Team = "" + [string] $Tag_Product = "" + [string] $Tag_Environment = "" + [string] $Tag_Data = "" +} +#EndRegion '.\classes\EffectoryDomainNameCheck.ps1' 14 +#Region '.\private\CheckCdnEndpoints.ps1' 0 +function CheckCdnEndpoints() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Cdn.Models.Profile.PSProfile[]] $cdnProfiles, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($cdnProfile in $cdnProfiles) { + $cdnEndPoints = Get-AzCdnEndpoint -ProfileName $cdnProfile.Name -ResourceGroupName $cdnProfile.ResourceGroupName + foreach($cdnEndPoint in $cdnEndPoints) { + $resource = Get-AzResource -ResourceId $cdnEndPoint.Id + $cdnEffectory = Get-AzCdnCustomDomain -CdnEndpoint $cdnEndPoint | Where-Object HostName -Like $effectoryDomainPattern + + foreach($cdn in $cdnEffectory) { + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $cdn.Id; + ResourceName = $cdn.Name; + ResourceType = $cdn.Type; + ResourceGroupName = $cdn.ResourceGroupName; + DomainName = $cdn.HostName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + } + } + + $Result +} + +#EndRegion '.\private\CheckCdnEndpoints.ps1' 40 +#Region '.\private\CheckFrontDoorEndPoints.ps1' 0 +function CheckFrontDoorEndPoints() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.FrontDoor.Models.PSFrontDoor[]] $frontDoors, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($frontDoor in $frontDoors) { + $resource = Get-AzResource -ResourceId $frontDoor.Id + + if ($endPointHostNames = $frontDoor.FrontendEndpoints | Where-Object HostName -like $effectoryDomainPattern) { + foreach ($endPoint in $endPointHostNames) { + # frontdoor + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $endPoint.Id; + ResourceName = $endPoint.Name; + ResourceType = $endPoint.Type; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $endPoint.HostName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } } + } + + $Result +} +#EndRegion '.\private\CheckFrontDoorEndPoints.ps1' 37 +#Region '.\private\CheckIpAddresses.ps1' 0 +function CheckIpAddresses() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Network.Models.PSPublicIpAddress[]] $ipAddresses, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + # public ip => Assume binding if an IP has a domain name. + + foreach($ipAddress in $ipAddresses) { + $resource = Get-AzResource -ResourceId $ipAddress.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $ipAddress.Id; + ResourceName = $ipAddress.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $ipAddress.DnsSettings.DomainNameLabel; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckIpAddresses.ps1' 34 +#Region '.\private\CheckStorageAccounts.ps1' 0 +function CheckStorageAccounts() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Management.Storage.Models.PSStorageAccount[]] $storageAccounts, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + foreach($storageAccount in $storageAccounts) { + $resource = Get-AzResource -ResourceId $storageAccount.Id + + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $storageAccount.Id; + ResourceName = $resource.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $storageAccount.CustomDomain.Name; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckStorageAccounts.ps1' 33 +#Region '.\private\CheckTrafficManagers.ps1' 0 +function CheckTrafficManagers() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.TrafficManager.Models.TrafficManagerProfile[]] $trafficManagers, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + # traffic manager => Assume binding + + foreach($trafficManager in $trafficManagers) { + $resource = Get-AzResource -ResourceId $trafficManager.Id + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $trafficManager.Id; + ResourceName = $trafficManager.Name; + ResourceType = $resource.ResourceType; + ResourceGroupName = $resource.ResourceGroupName; + DomainName = $trafficManager.RelativeDnsName; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + $Result += $domainNameCheck + } + + $Result +} +#EndRegion '.\private\CheckTrafficManagers.ps1' 34 +#Region '.\private\CheckWebApps.ps1' 0 +function CheckWebApps() { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.WebApps.Models.PSSite[]] $webApps, + [Parameter(Mandatory)] + [string]$effectoryDomainPattern + ) + [EffectoryDomainNameCheck[]]$Result = @() + + $webAppsEffectory = $webApps | Where-Object {@($_.HostNames) -like $effectoryDomainPattern} + foreach ($webAppEffectory in $webAppsEffectory) { + foreach ($hostName in $webAppEffectory.HostNames | Where-Object {$_ -like $effectoryDomainPattern}) { + $domainNameCheck = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $webAppEffectory.Id; + ResourceName = $webAppEffectory.Name; + ResourceType = $webAppEffectory.Type; + ResourceGroupName = $webAppEffectory.ResourceGroup; + DomainName = $hostName; + Tag_Team = $webAppEffectory.Tags.team + Tag_Product = $webAppEffectory.Tags.product + Tag_Environment = $webAppEffectory.Tags.environment + Tag_Data = $webAppEffectory.Tags.data + } + $Result += $domainNameCheck + } + } + + $Result +} +#EndRegion '.\private\CheckWebApps.ps1' 34 +#Region '.\private\DnsResolveHost.ps1' 0 +#Requires -Modules DnsClient-PS +function DnsResolveHost { + param( + [Parameter(Mandatory)] + [string] $domainName, + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $externalDNSServer = "8.8.8.8" +) + + try { + + $CnameChain = Resolve-Dns -query $domainName -QueryType A -NameServer $externalDNSServer -ContinueOnDnsError -ContinueOnEmptyResponse + $CnameChain.AllRecords.Where({$_.DomainName.Value -notlike "$($effectoryDomainPattern)."}, 'First').DomainName.Value + } + catch { + $null + } + + +} +#EndRegion '.\private\DnsResolveHost.ps1' 23 +#Region '.\private\GetDomainNameCheck.ps1' 0 +function GetDomainNameCheck () { + param( + [Parameter(Mandatory)] + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$subscription, + [Parameter(Mandatory)] + [Microsoft.Azure.Management.WebSites.Models.Resource] $resource + ) + $Result = [EffectoryDomainNameCheck] @{ + SubscriptionId = $subscriptionId; + SubscriptionName = $subscription.Name; + ResourceId = $resource.Id; + ResourceName = $resource.Name; + ResourceType = $resource.Type; + Tag_Team = $resource.Tags.team + Tag_Product = $resource.Tags.product + Tag_Environment = $resource.Tags.environment + Tag_Data = $resource.Tags.data + } + + $Result; +} +#EndRegion '.\private\GetDomainNameCheck.ps1' 22 +#Region '.\public\Get-BlobEffectoryDomainResources.ps1' 0 +function Get-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Retrieves the stored domain resources list + .DESCRIPTION + Retrieves the newest domain resources list from the CSV in Azure storage. + .PARAMETER connectionString + Connection string of the storage account to retrieve from. + #> + param( + [Parameter(Mandatory)] + [string] $connectionString + ) + + [EffectoryDomainNameCheck[]] $loadedResources = @() + $context = New-AzStorageContext -ConnectionString $connectionString + + $blob = Get-AzStorageBlob -Container "dangling-dns" -Context $context | Sort-Object -Property Name | Select-Object -Last 1 + if ($null -ne $blob) { + Get-AzStorageBlobContent -Context $context -CloudBlob $blob.ICloudBlob -Destination "$Env:temp/$($blob.Name).history.csv" -Force >$null + $loadedResources = Import-CSV "$Env:temp/$($blob.Name).history.csv" + Remove-Item -Path "$Env:temp/$($blob.Name).history.csv" + Write-Verbose "Retrieved resources from $($blob.Name)" + } + + $loadedResources +} +#EndRegion '.\public\Get-BlobEffectoryDomainResources.ps1' 28 +#Region '.\public\Get-EffectoryDomainResources.ps1' 0 +#Requires -Modules Az.Accounts,Az.Websites,Az.FrontDoor,Az.Storage,Az.Cdn,Az.Network,Az.TrafficManager,Az.ContainerInstance +function Get-EffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that have DNS records + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER subscriptionId + Optional Subscription Id to set the context to. Otherwise uses the current context. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter()] + [string] $subscriptionId + ) + + # Initialize + [EffectoryDomainNameCheck[]]$result = @() + [string]$effectoryDomainPattern = "*.effectory.com" + + # Get subscription info + [Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext]$currentContext = $null + if (![string]::IsNullOrWhitespace($subscriptionId)) { + $currentContext = Set-AzContext -SubscriptionId $subscriptionId + } + else { + $currentContext = Get-AzContext + $subscriptionId = $currentContext.Subscription + } + + Write-Verbose "Processing subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking WebApps and WebApp Slots for subscription $($currentContext.Name)" + $webApps = Get-AzWebApp + [int]$webAppCounter = 0 + [int]$webAppSlotCounter = 0 + + if ($null -ne $webApps) { + # check webapps + $itemsWebApps = CheckWebApps -subscription $currentContext -webApps $webApps -effectoryDomainPattern $effectoryDomainPattern + $webAppCounter += $itemsWebApps.Count + $result += $itemsWebApps + + # check webapp slots + foreach ($webApp in $webApps) { + $slot = Get-AzWebAppSlot -WebApp $webApp + if ($null -ne $slot) { + $itemsWebAppSlots = CheckWebApps -subscription $currentContext -webApps $slot -effectoryDomainPattern $effectoryDomainPattern + $webAppSlotCounter += $itemsWebAppSlots.Count + $result += $itemsWebAppSlots + } + } + } + Write-Verbose "Found $($webAppCounter) WebApps and $($webAppSlotsCounter) WebApp Slots for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking FrontDoor Endpoints for subscription $($currentContext.Name)" + $frontDoors = Get-AzFrontDoor + [int]$frontDoorEndPointCounter = 0 + + if ($null -ne $frontDoors) { + $itemsFrontDoors = CheckFrontDoorEndPoints -subscription $currentContext -frontDoors $frontDoors -effectoryDomainPattern $effectoryDomainPattern + $frontDoorEndPointCounter += $itemsFrontDoors.Count + $result += $itemsFrontDoors + } + Write-Verbose "Found $($frontDoorEndPointCounter) FrontDoor Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Storage Accounts for subscription $($currentContext.Name)" + $storageAccounts = Get-AzStorageAccount | Where-Object { $_.CustomDomain.Name -like $effectoryDomainPattern } # storage accounts + [int]$storageCounter = 0 + + if ($null -ne $storageAccounts) { + $itemsStorage = CheckStorageAccounts -subscription $currentContext -storageAccounts $storageAccounts -effectoryDomainPattern $effectoryDomainPattern + $storageCounter += $itemsStorage.Count + $result += $itemsStorage + } + Write-Verbose "Found $($storageCounter) Storage Accounts for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Cdn Endpoints for subscription $($currentContext.Name)" + $cdnProfiles = Get-AzCdnProfile + [int]$cdnCounter = 0 + + if ($null -ne $cdnProfiles) { + $itemsCdn = CheckCdnEndpoints -subscription $currentContext -cdnProfiles $cdnProfiles -effectoryDomainPattern $effectoryDomainPattern + $cdnCounter += $itemsCdn.Count + $result += $itemsCdn + } + Write-Verbose "Found $($cdnCounter) Cdn Endpoints for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking public IP addresses for subscription $($currentContext.Name)" + $ipAddresses = Get-AzPublicIpAddress | Where-Object DnsSettings -ne $null | Where-Object { $_.DnsSettings.DomainNameLabel -ne "" } + [int]$ipCounter = 0 + + if ($null -ne $ipAddresses) { + $itemsIpAddresses = CheckIpAddresses -subscription $currentContext -ipAddresses $ipAddresses -effectoryDomainPattern $effectoryDomainPattern + $ipCounter += $itemsIpAddresses.Count + $result += $itemsIpAddresses + } + Write-Verbose "Found $($ipCounter) public IP addresses for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Traffic Managers for subscription $($currentContext.Name)" + $trafficManagers = Get-AzTrafficManagerProfile + [int]$trafficManagerCounter = 0 + + if ($null -ne $trafficManagers) { + $itemsTrafficManagers = CheckTrafficManagers -subscription $currentContext -trafficManagers $trafficManagers -effectoryDomainPattern $effectoryDomainPattern + $trafficManagerCounter += $itemsTrafficManagers.Count + $result += $itemsTrafficManagers + } + Write-Verbose "Found $($trafficManagerCounter) Traffic Managers for subscription $($currentContext.Name)" + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking Container groups for subscription $($currentContext.Name)" + $containerInstances = Get-AzContainerGroup + + if ($null -ne $containerInstances) { + throw "Container groups are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + Write-Verbose "Checking API Management for subscription $($currentContext.Name)" + $apiManagementServices = Get-AzApiManagement + + if ($null -ne $apiManagementServices) { + throw "API Management services are not implemented yet." + } + + # ------------------------------------------------------------------------------------------------------------------ + $result +} +#EndRegion '.\public\Get-EffectoryDomainResources.ps1' 137 +#Region '.\public\Set-BlobEffectoryDomainResources.ps1' 0 +function Set-BlobEffectoryDomainResources { + <# + .SYNOPSIS + Stores the effectory domain resources list as csv in Azure storage. + .DESCRIPTION + Stores the effectory domain resources list as csv in Azure storage, while making a backup of the previous state. + .PARAMETER effectoryResources + Resources to be exported to CSV. + .PARAMETER connectionString + Connection string of the storage account to save to. + #> + + param( + [Parameter(Mandatory)] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [string] $connectionString + ) + + [string] $fileName = "$((Get-Date).ToString("yyyy-MM-dd HH-mm-ss")) - resources.csv" + Write-Verbose "Storing resources to $($fileName)" + + $context = New-AzStorageContext -ConnectionString $connectionString + + # move to history + $blobs = Get-AzStorageBlob -Container "dangling-dns" -Context $context + if ($null -ne $blobs) { + foreach ($blob in $blobs) { + Start-AzStorageBlobCopy -CloudBlob $blob.ICloudBlob -DestContainer "dangling-dns-history" -DestBlob $blob.Name -Context $context -Force >$null + Remove-AzStorageBlob -Container "dangling-dns" -Blob $blob.Name -Context $context -Force >$null + } + } + + # store as current + $effectoryResources | Export-Csv "$Env:temp/$($fileName)" + Set-AzStorageBlobContent -Context $context -Container "dangling-dns" -File "$Env:temp/$($fileName)" -Blob $fileName -Force >$null + Remove-Item -Path "$Env:temp/$($fileName)" +} +#EndRegion '.\public\Set-BlobEffectoryDomainResources.ps1' 39 +#Region '.\public\VerifyEffectoryDomainResources.ps1' 0 +function VerifyEffectoryDomainResources { + <# + .SYNOPSIS + Find resources in Azure that no longer exist, but have DNS records. + .DESCRIPTION + Gets all resources that have hostnames. + .PARAMETER effectoryDomainPattern + The domain pattern to look for when enumerating hosts, e.g. '*.effectory.com' + .PARAMETER effectoryResources + The resources that currently exist. + .PARAMETER effectoryResourcesPrevious + The resources that existed previously. + #> + param( + [Parameter(Mandatory)] + [string] $effectoryDomainPattern, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResources, + [Parameter(Mandatory)] + [AllowNull()] + [EffectoryDomainNameCheck[]] $effectoryResourcesPrevious + ) + + [bool] $hasErrors = $false + + # ---------------------------------------------------------------------------------------------------------- + Write-Verbose "Comparing found resources with previously stored resources to find records that should've been deleted." + foreach ($oldResource in $effectoryResourcesPrevious) { + $currentItem = $effectoryResources.Where({$_.DomainName -eq $oldResource.DomainName}, 'First') + + if (($null -eq $currentItem) -or ($currentItem.Count -eq 0)) { + # Host name no longer exists, so there should be no DNS record + # check + Write-Warning "Host name '$($oldResource.DomainName)' no longer exists. Checking DNS record for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $CName = DnsResolveHost -domainName $oldResource.DomainName -effectoryDomainPattern $effectoryDomainPattern -externalDNSServer "8.8.8.8" + if (($null -ne $CName) -and ($CName -ne "")) { + Write-Error "Host name '$($oldResource.DomainName)' no longer exists, but found DNS record '$($CName)' for '$($oldResource.ResourceName)' ($($oldResource.ResourceType))." + $hasErrors = $true + } + } + elseif (($oldResource.ResourceName -ne $currentItem.ResourceName) -or ($oldResource.ResourceId -ne $currentItem.ResourceId)) { + # found, but does not point to the same resource + # verify the DNS record to make sure it points to this resource + Write-Warning "Host name '$($oldResource.DomainName)' was found, but points to another resource. Assuming this was intentional." + } + } + + $hasErrors +} +#EndRegion '.\public\VerifyEffectoryDomainResources.ps1' 51 diff --git a/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.zip b/Powershell/Modules/Effectory.Dns/build/Effectory.Dns/1.0.6/Effectory.Dns.zip new file mode 100644 index 0000000000000000000000000000000000000000..31a97c1d497c14477214371fd4a34ea0f35f4381 GIT binary patch literal 5214 zcmZ{oRZtvEx`uI0g1ZGDAUMH;I|=TtK_&!u2rj`r!CeA_4ia1j9|$_Q3_7@b2<*TA z*^Aw+J>6CPR!jBMS6@{>8mg#h#7Ia;SV%l_w6*qd zcJt+u`|Qr;;%>t`uDAS|h!;PwHZ7+j~bK4n>CO4Dc9u{s^g;d1p>OrMSzTxR9c;6)8hsORBr&HS2LHoyC-#lN9LKnb+> zu6g0D>z>T^2wyWUWSGsxQ6 z7F2xY!7j>RDA|D9@KmNtelXZimZ}2@94KP9S>gP7$zIj$Dym55tdY@Z=^-lmF5+o# zfMZHBkS*#D7`#!ztp>k38mJi$UC7c&`MP> zbNQ~ldg(88Cu&ekoUR>fYaw9~=gw1)v?K+j5A|ipYY-$pJSFW7j&J&?IlzxeyMkk5 z?S>*zMzfUzur5+%+#74cA>qg|Wut&rjTcXW_^%4*F4D-V1NL|mOA4Y`!nEu9HhELN zGDjN=w&rMhD%+CMjuUbiiy~KaY=b6*&OU+5v4qni4~MCK>> zM3AP2W`d8I5LCrXfVPTxJ7Q5vu8C?=%9Fx5H;^GVkK=Gv4nCP7&eKbQ=TX~cg72HF zIt|?1DJ9T_A9GVfXjvjCs4A}OuA7Kgl-1dsXq6`MUq_O~w^b?@0eW6@*CqUPr~WOF z@g3qHKm~0Glv#KJX3gIOcBoE0VHG~V;&0))Q+^Z5SzA1enrQc|&{G)ZzU_?i;q`?3 z*R>}hOJbmC_G^}yW%?rt;2^hm%*0#q{%-eKC7N(@;J~{_A!PVp2ax1qq88P2ja&s7 zeBrKjF6wRJiy$%cV2#We?J%dgCD(_xW^KEAT9=<@d>Y&RXzF`Mq^r@$8^Pc< zBPlZF-9ffd)m!97VZ`Ys{;Jfp(L(~wQeRG4dlc`F6ylHA-fGg&$)kh^(rwl>@i^}Y z+n60s2iL~aH@~}MoHPW}dYQ3TG7`QY$sR*#ksb=}LpzE~*((}PGo)x5OsBc3dDJ;W zMYLwa0lg8yq0LG-wMFSg*RF<2{USF3FfTyJ>^+rGTmQamBqx%S+36{&aHSVEI{Cvl zJ@6vlQkT|2lX5j1@zLy>bIM!7Z1A$?z05y3V`Il=Po?VXmkT(giSe zp$sM7Wi~p97042QU0y;s&^;$u=O0b1KQFZRwzmmOq9_ymEwy5abeG^AiB+7Sn2%NwV=wfYDYFMV4rR7qvF=2AYiFx1^m8+g3 zB;@*$vPYO2pc%(IY%ur7Hko^uBLc+q)9<@J5g@3ly|!qXuGU4M>X@3?w}X6U=_&Py zi|yi5B-k%&D_Wu95(b>OQETv7^$kG0gU`IbWN3{AJcVdqZN6aob;(pLH~wIg9M4vK zqa?cO_6wm&FfKX`NB$kc#wBW}Nvb%Oa`N)({1@29WSc2}@@(&$d%$wVC0SLKtME}$Jr0cvmYp~ z=2n!{f2_vnaG2<{oky{KWi6^X5(f`qSxu!&D3+B^)lRxMq*_G{O*(}i_J=Z(>gbI5 ze99?}XAoxR{4HnH z33{{;G7WjaZ$9@_LTNbQ0l8~;t|4#WWH44HC>tGRZSF}{oOX70~{h4eNY%Tw4 z{afmxi;lS75MkgB4^U0;w<@{7+TrBO!sKvbBcP85<=NtHQE{F&Yc$ShkSLHTZ69J6 zUkF3^?g*tXT6x65`#xQ5XjEoN4tqJXaNrrGEI}661PjE{@@YaU+6pci`MqY>AQ?d=QASN z4v0w7hh9VuQv!EG5OlMMgr`S9LN7_^VM=6~&-CIZ^~~=MpF;Nm3tpAf`ilg+xRS>v z4m=5e`(NX7Bh)lsA``F-dvK_j4PQ7?^ea*v;7tlJ0Av_SG%!MC;Vr2NH}SIdHy&V6 z@tyCSFSUmmS-Oz4HBp2UwEHxY=*lXkkR_KB$~NeIL2f z%p7!@R<{dOKxH(@bA+Tchvb5yAF?-!Im5!XXCjoBGhqgX2~%7$rCYJS!h_>~=$NUB zZJ5vA1(_wL>B|dbGFgYv$&+Y3=%`b&Iq8S%wZO!E%0EujP#Yi7JCJ5!w?F1qv@Cmw zTh=)WIr%JDLVc$F)tA#@1&%YP42?^qDDIR~+pi!QS3wr0xCTza_I2o;gT=-79XJ}E zr>Pjz)6$(2?<<1G{MW#Y8iq#JE0A=jwW)*JeD5X6$OnMOJ;5PIp>#e-rQS$8<^BK` zw+zz$p>t_3GRm+Hze(iyw0%H(+vsI#vPPV38gMfxkLtmx^!q(jz@g-3kx4^Hw9?a; zlYy;-7F@oDT%9=CMMze0*t3N2;A!tAsAeqaRjv+o$zPVcsK#>?LiI+rg-X+Cv1AWk zy#m7kmbuzb9ZEO`S-li5EO5+&8@{pdyy&&Chj(!Xb3)%*bcZX?+=h8BRBrT=Y4+Zy zXe#WV-@8P|iZ##6RpZG%(arwxfYz5G`E(m4&UVI4;8&oM?)$ss^lJR+=#g@|3k`KP zATke71Xz5KF-(67E(J3g!((5R5*8+$RoO!G4ux8^aJ`6R1#qE3vlzW1&qWA@rB;jnbT zQ+tzTfAW3AQWOl2jVkw13KDd--;=$gKI;bTid+kvH*(wLi`K+6FS#H7n&}qIk%y}1 znx=X_^X}YP`0?b?iswjHjX)a{DgHD#L5$l{VPUl9;r>IdqDnL5xxK=NG?_%$0`(T?e{_+iE1xi1`5L!@fl&r)B z$PdH9(_2nTYv!6@X5zeN^3;(lW|6&#|*n#kd*Z3QQNk#xuCl$7)>%>*^7OVg>)2b zib$vF{c@G2!@rF7+$3Joy`3j`e<4<2PWt0)4DB8d7dRG$wa!%|R-8uwVjd^sEhcd5 z>-vn9K);gmX7hZ~5wi6BeRJ`#+DkEsPquwSfIc8mn8h2u`rG~HAv8I zO}0^xxVqGI)9}@DnuJSFoxDd|bNC_3h1wY>mx4%0r)=w(RcA%NUqg5kC@}am4W;sB zGGZ0)Py@(prTfV>@e4L=l^`I>M7786#`IfoJsqD4oTJJmGH6sR=w`e@TWCnG(XO0l-?n@oUn@qo-6YAQW!*DzGPZa(Vw}q2y zn9(P=PaG=MPDlqsFYd6)sEKw6L(A|@rDR?6rFb~uH`*TDF(`8;%4PU&kX2*w5SpS+ z6WX%nHqsI8fgSdTB7uAK+Q=0zOPT`#VQ#Al7U%FvZfXQLV|turDhoe4LiuS4d@NMw zChEtI?Gioh^Wf)jGembgBI036Jg?nswL3-box^)*{2W`rkk4VtKG;8*aDPd6B|m95 zCMGPwI6o?W;&;!_V|r!9mK4+IEj^x6E%}g6H*_zA=hQBfBb6a6>9;O|kKxnW zsM)j9y!gnqx()@H-&=N$c-Z$%guS4%SvbCWV;(A}*OspZrC@&eg*95XBz+|`JB>ND zIFnN6SRXW`JxL591Vc)yzLg)r{8Un^^^R+bQkH`04Q0BzfNj*K)+vNQl!<;eXQyCE zHHS``o$|=FtXoFC!FD|hz%oXlV{X9ZL~QWPKIB5R04q25dILeYcn5&3Koi zFKV*#)^W?X@$1hj8HBCvRZbI3rZx@<6PPv7($L1&^}9^{WLby<9bjWs+N^3i5rf;Z9=1!zf7LPK4vf>}kE$mOWOb7*Hd68$!SB-0v)HfTEGZ{vAvgSuT$+1{JG^9)g6Dx`-;jGl&Sv!Ij*@{yo~Eu z*L-c{PLId^t*^Q`h~(7V{9VQ#s)wX)(3TzP`CY;!fU?_Q3@Y~M8*-WwARR1T^hG&% zt`b8wsUrXA0*E%(X(QAk{84h_;pVi0^R%BbN>0Jpg=uF&&N}-5=G=g8;2= zII3RxUAaZS>p$7bWbs}7tfQP%4P|mvrB(9G6+8`V(v)YKGt}|fA-If!rQ^R9#GKyG zDBwe@L%yY{tV*6te>si`w6?u*=*&^jEb5<>-+ecAQcHLf=X0So>zpK3{vZ>Tl_q9V zPFXq!)5bS0|3Qrn+iY7caqLej z@0j~fkSRGI*<;V@p>HzYd6;}~%{ppW2Vyd(=S_L3Z+=%eTm)t5W+2&tmS#ENR6 zU-FK@zM*0joIDWL#Q5^?IyJDIc`PfU9I zOdr2f(f-vd4Z+6qo>9|->&Z&fQ7=8lgxYuW^j!Eh^6>Z+3qnYI(pi*AM}CY#nZ)VFRHVdYQsF`YFRYN+Cxn zET04Tsk^U;^;(pjPcW6U+Npc>hiiNLX(l1VwLoPPSmd%l&Ag-_;oxRn_t*$_VZeK?bVm=?GYfLB)Dew2T z%q)M8?G+kyYXT#HI=E;6rIsB8h=nXv=mI$~$BabuY7G=%D}NRcus{-y_i2woarJGbon>iLhx-$b0s?%bMds3N0CBK>~`j_EH4_s{nF z@9}^6IGlg&AtR9^IXC$DqZiL3qxbv%oqt$W{?7kq{O8B|-x=|LxxfE*eonmq&X`bk g`}