From 6957def2721b3a291d17140a6ed254345f780005 Mon Sep 17 00:00:00 2001
From: Jurjen Ladenius
Date: Wed, 19 Jun 2024 16:50:53 +0200
Subject: [PATCH] Cost opmization, key vault, service connection and webapps list updates
---
 .../Azure/2024-05-22 1357 azure_webapps.csv | 8 --
 .../Lists/Azure/KeyVaultNonRBACSecrets.ps1 | 101 ++++++++++++++++++
 Powershell/Lists/Azure/WebApps.ps1 | 8 +-
 .../Lists/DevOps/ServiceConnections.ps1 | 2 +-
 ...torage Account Azure Defender settings.ps1 | 8 +-
 5 files changed, 111 insertions(+), 16 deletions(-)
 delete mode 100644 Powershell/Lists/Azure/2024-05-22 1357 azure_webapps.csv
 create mode 100644 Powershell/Lists/Azure/KeyVaultNonRBACSecrets.ps1
diff --git a/Powershell/Lists/Azure/2024-05-22 1357 azure_webapps.csv b/Powershell/Lists/Azure/2024-05-22 1357 azure_webapps.csv
deleted file mode 100644
index dffbfdf..0000000
--- a/Powershell/Lists/Azure/2024-05-22 1357 azure_webapps.csv
+++ /dev/null
@@ -1,8 +0,0 @@
-"ResourceId","Kind","Location","ResourceName","ResourceGroup","ResourceType","State","ManagementGroupId","ManagementGroupName","SubscriptionId","SubscriptionName","Tag_Team","Tag_Product","Tag_Environment","Tag_Data","Tag_Deployment","Tag_CreatedOnDate","Prop_HttpsOnly","Prop_PhpVersion","Prop_RemoteDebuggingEnabled","Prop_MinTlsVersion","Prop_FtpsState","Prop_Http20Enabled","Prop_Identity","LastDeployDate"
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/dotnet-amsterdam/providers/Microsoft.Web/sites/dotnetamsterdam","app","West Europe","dotnetamsterdam","dotnet-amsterdam","Microsoft.Web/sites","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","11/05/2018 19:13:56","False","","False","1.2","Disabled","False","",""
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/CustomerData-Test/providers/Microsoft.Web/sites/effcdtest","functionapp","West Europe","effcdtest","CustomerData-Test","Microsoft.Web/sites","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","07/24/2021 06:38:22","True","5.6","False","1.2","Disabled","True","SystemAssigned",""
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/CustomerData-Test/providers/Microsoft.Web/sites/effcdtest/slots/stage","functionapp","West Europe","effcdtest/stage","CustomerData-Test","Microsoft.Web/sites/slots","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","07/24/2021 06:39:02","False","","False","1.2","Disabled","False","",""
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/dummy-test-group/providers/Microsoft.Web/sites/ditisdenaam","functionapp","West Europe","ditisdenaam","dummy-test-group","Microsoft.Web/sites","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","02/06/2021 17:58:42","True","5.6","False","1.2","Disabled","True","SystemAssigned",""
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/dummy-test-group/providers/Microsoft.Web/sites/ditisdenaam/slots/stage","functionapp","West Europe","ditisdenaam/stage","dummy-test-group","Microsoft.Web/sites/slots","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","05/04/2023 12:57:26","False","","False","1.2","Disabled","True","",""
-"/subscriptions/33fc60b1-a502-44da-acf5-b9fe22b1ea6f/resourceGroups/team-gray-bot/providers/Microsoft.Web/sites/teamgray","functionapp","West Europe","teamgray","team-gray-bot","Microsoft.Web/sites","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","33fc60b1-a502-44da-acf5-b9fe22b1ea6f","Visual Studio Premium met MSDN (Erik AD)","","","","","","03/29/2021 10:20:56","True","","False","1.2","Disabled","False","","08/08/2022 13:00:11"
-"/subscriptions/23e654c9-ed9d-424e-b69a-6a0be116a3ce/resourceGroups/dashboards/providers/Microsoft.Web/sites/import-google-analytics-me2","functionapp","West Europe","import-google-analytics-me2","dashboards","Microsoft.Web/sites","Running","/providers/Microsoft.Management/managementGroups/e9792fd7-4044-47e7-a40d-3fba46f1cd09","Tenant Root Group","23e654c9-ed9d-424e-b69a-6a0be116a3ce","Dev/Test Hans","blue","poc","test","","","10/30/2020 16:58:49","True","5.6","False","1.2","Disabled","False","SystemAssigned",""
diff --git a/Powershell/Lists/Azure/KeyVaultNonRBACSecrets.ps1 b/Powershell/Lists/Azure/KeyVaultNonRBACSecrets.ps1
new file mode 100644
index 0000000..04eb23b
--- /dev/null
+++ b/Powershell/Lists/Azure/KeyVaultNonRBACSecrets.ps1
@@ -0,0 +1,101 @@
+#Connect-AzAccount
+
+[string] $userObjectId = "c6025a2e-416c-42da-96ef-dd507382793a" #Should be interactive user (this one is Jurjen)
+
+class ResourceCheck {
+ [string] $ManagementGroupId = ""
+ [string] $ManagementGroupName = ""
+ [string] $SubscriptionId = ""
+ [string] $SubscriptionName = ""
+ [string] $ResourceGroup = ""
+ [string] $ResourceId = ""
+ [string] $Location = ""
+ [string] $ResourceName = ""
+ [string] $Secret_Key = ""
+ [string] $Tag_Team = ""
+ [string] $Tag_Product = ""
+ [string] $Tag_Environment = ""
+ [string] $Tag_Data = ""
+ [string] $Tag_Deployment = ""
+ [string] $Tag_CreatedOnDate = ""
+}
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Creating key vault secrets overview for key vaults with access policies."
+Write-Host "======================================================================================================================================================================"
+
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date azure_key_vault_secrets.csv"
+
+$managementGroups = Get-AzManagementGroup
+
+foreach ($managementGroup in $managementGroups)
+{
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ Write-Host "Management group [$($managementGroup.Name)]"
+
+ $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"
+
+ foreach ($subscription in $subscriptions)
+ {
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
+ $subscriptionId = $scope.Replace("/subscriptions/", "")
+ Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
+ Set-AzContext -SubscriptionId $subscriptionId | Out-Null
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ $allResourceGroups = Get-AzResourceGroup
+ [ResourceCheck[]]$Result = @()
+
+ foreach ($group in $allResourceGroups) {
+
+ $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
+
+ foreach ($vault in $allVaults) {
+
+ Write-Host $vault.VaultName
+
+ $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName
+
+ if ($vaultWithAllProps.EnableRbacAuthorization -ne "TRUE") {
+
+ Write-Host " -- processing..."
+
+ Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $userObjectId -PermissionsToSecrets "List"
+
+ $secrets = Get-AzKeyVaultSecret -VaultName $vault.VaultName
+
+ foreach($secret in $secrets)
+ {
+ [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+ $resourceCheck.ManagementGroupId = $managementGroup.Id
+ $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
+ $resourceCheck.SubscriptionId = $subscription.Id
+ $resourceCheck.SubscriptionName = $subscription.Name
+ $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
+ $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
+ $resourceCheck.Location = $vaultWithAllProps.Location
+ $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
+ $resourceCheck.Secret_Key = $secret.Name
+ $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
+ $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
+ $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
+ $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
+ $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment
+
+ $Result += $resourceCheck
+ }
+
+ Remove-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $userObjectId
+ }
+ }
+ }
+
+ $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+ }
+}
+Write-Host "======================================================================================================================================================================"
+Write-Host "Done."
+
diff --git a/Powershell/Lists/Azure/WebApps.ps1 b/Powershell/Lists/Azure/WebApps.ps1
index 7d69823..33f1b52 100644
--- a/Powershell/Lists/Azure/WebApps.ps1
+++ b/Powershell/Lists/Azure/WebApps.ps1
@@ -78,7 +78,7 @@ foreach ($managementGroup in $managementGroups) Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------" Write-Host "Management group [$($managementGroup.Name)]" - $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active" + $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active" | Where-Object DisplayName -NotLike "Visual Studio*" foreach ($subscription in $subscriptions) {
@@ -94,12 +94,12 @@ foreach ($managementGroup in $managementGroups) foreach ($group in $allResourceGroups) { - Write-Host $group.ResourceGroupName - $allWebApps = Get-AzWebApp -ResourceGroupName $group.ResourceGroupName foreach ($webApp in $allWebApps) { + Write-Host $webApp.Name + [ResourceCheck] $resourceCheck = [ResourceCheck]::new() $resourceCheck.ResourceId = $webApp.Id $resourceCheck.Kind = $webApp.Kind
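Review bot: The List grant that Set-AzKeyVaultAccessPolicy adds for `$userObjectId` is only revoked when Get-AzKeyVaultSecret and the per-secret loop complete; an error or interruption in between leaves a standing access policy on that vault, and Remove-AzKeyVaultAccessPolicy -ObjectId then strips every permission the principal had there, not only the List right this run added, so a vault where the user already held a policy loses it. Checking `$vaultWithAllProps.AccessPolicies` for an existing entry and putting the enumeration in try/finally keeps the grant temporary and leaves pre-existing policies untouched. The object id is a hard-coded literal naming one person; taking it from the signed-in context (`(Get-AzADUser -SignedIn).Id`) would let other operators run the script without editing it. `SubscriptionName` is filled from `$subscription.Name`, which on Get-AzManagementGroupSubscription output appears to be the GUID rather than the `DisplayName` already used in the Write-Host line above — worth confirming against the exported CSV.
```powershell
if ($vaultWithAllProps.EnableRbacAuthorization -ne "TRUE") {
    Write-Host " -- processing..."
    # Only grant (and later remove) a policy when this principal has none on the vault yet;
    # Remove-AzKeyVaultAccessPolicy -ObjectId removes all of the principal's permissions.
    $hadPolicy = [bool]($vaultWithAllProps.AccessPolicies | Where-Object ObjectId -eq $userObjectId)
    if (-not $hadPolicy) {
        Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $userObjectId -PermissionsToSecrets "List"
    }
    try {
        $secrets = Get-AzKeyVaultSecret -VaultName $vault.VaultName
        # … unchanged: one ResourceCheck per secret appended to $Result …
    }
    finally {
        if (-not $hadPolicy) {
            Remove-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $userObjectId
        }
    }
}
```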
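Review bot: The added `Where-Object DisplayName -NotLike "Visual Studio*"` silently narrows the web-app inventory by a hard-coded display-name pattern, and nothing in the output records which subscriptions were skipped; an inventory that omits scope without saying so is hard to audit. Either print the excluded subscriptions with Write-Host next to the existing "Management group" line or make the pattern a script parameter, and mention the exclusion in the script's banner. The new KeyVaultNonRBACSecrets.ps1 in this same commit applies no such filter, so the two listings cover different subscription sets.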
@@ -133,6 +133,8 @@ foreach ($managementGroup in $managementGroups) foreach ($slotTemp in $allSlots) { + Write-Host $slotTemp.Name + [string] $slotName = $slotTemp.Name.Split("/")[1] $slot = Get-AzWebAppSlot -Name $webApp.Name -ResourceGroupName $webApp.ResourceGroup -Slot $slotName diff --git a/Powershell/Lists/DevOps/ServiceConnections.ps1 b/Powershell/Lists/DevOps/ServiceConnections.ps1 index 27292e0..5a519d8 100644 --- a/Powershell/Lists/DevOps/ServiceConnections.ps1 +++ b/Powershell/Lists/DevOps/ServiceConnections.ps1 @@ -17,7 +17,7 @@ Write-Host "==================================================================== Write-Host "Creating service connection overview." Write-Host "========================================================================================================================================================================" -$token = "{INSERT_PERSONAL_ACCESS_TOKEN}" +$token = "adlgsqh2uoedv6rf44hjd47z3ssuo5zonrqicif4ctjqlqqtlhdq" $token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)")) $organization = "effectory" $project = "Survey%20Software" diff --git a/Powershell/Tools/Storage Account Azure Defender settings.ps1 b/Powershell/Tools/Storage Account Azure Defender settings.ps1 index e969406..875997f 100644 --- a/Powershell/Tools/Storage Account Azure Defender settings.ps1 +++ b/Powershell/Tools/Storage Account Azure Defender settings.ps1 
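Review bot: The `+$token = "adlg…"` line in the ServiceConnections.ps1 hunk replaces the `{INSERT_PERSONAL_ACCESS_TOKEN}` placeholder with a literal that looks like a live Azure DevOps personal access token, committing a credential to the repository; once pushed it is in history, so it needs to be revoked in Azure DevOps regardless of whether the line is reverted. Restore the placeholder behaviour by reading the PAT from the environment, e.g. `$token = $env:AZURE_DEVOPS_EXT_PAT` followed by `if ([string]::IsNullOrEmpty($token)) { throw "AZURE_DEVOPS_EXT_PAT is not set" }`, so the base64 line below keeps working unchanged. A secret-scanning hook for this repository would catch the next occurrence before it is pushed.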
@@ -117,11 +117,11 @@ foreach ($managementGroup in $managementGroups) $resourceCheck.PreviousOverrideSubscription = GetAzureDefender -resourceId $resource.Id # set overrideSubscriptionLevelSettings - if ($resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False") { - $resourceCheck.Action = "Turned off" + # if ($resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False") { + # $resourceCheck.Action = "Turned off" - TurnOffAzureDefender -resourceId $resource.Id - } + # TurnOffAzureDefender -resourceId $resource.Id + # } $Result += $resourceCheck }
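Review bot: Commenting out the `if (... -eq "ignore" ...)` branch leaves the decision to stop turning off Azure Defender for tagged storage accounts as dead code with no stated reason, and `$resourceCheck.Action` is no longer assigned anywhere in this hunk, so the exported rows presumably carry an empty Action column while PreviousOverrideSubscription is still recorded. Prefer deleting the block, or guarding it with an explicit opt-in such as `if ($applyChanges -and $resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False") {` with `$applyChanges` declared near the top of the script (outside this hunk), so report-only is the documented default rather than a comment. At minimum a one-line comment such as `# Turning Defender off is disabled; this run only reports the current setting` would record the intent. The enclosing foreach continues outside the hunk.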