Custom Storage Data role and RBAC scripter
59414
2021-11-18 azure_rbac.csv
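--- a/Custom roles/Storage Data Contributor.json
+++ b/Custom roles/Storage Data Contributor.json
@@ -0,0 +1,65 @@
+{
+"properties": {
+"roleName": "Storage Data Contributor",
+"description": "Allows for read, write and delete access to Azure Storage blob containers and data / tables and entities / queues and queue messages",
+"assignableScopes": [
+"/subscriptions/a134faf1-7a89-4f2c-8389-06d00bd5e2a7",
+"/subscriptions/3190b0fd-4a66-4636-a204-5b9f18be78a6",
+"/subscriptions/0e4ba075-f7d9-4f31-860c-3cb8673f1f08",
+"/subscriptions/2372e452-d101-4fb1-b9ed-664b8cd68e40",
+"/subscriptions/86945e42-fa5a-4bbc-948f-3f5407f15d3e",
+"/subscriptions/e6daa42b-c939-4ef9-b384-c0cec82b7757",
+"/subscriptions/31b26889-ee10-480e-be6a-da5d8a58f19f",
+"/subscriptions/8c282de4-a7df-458e-b151-e10ca7b49966",
+"/subscriptions/0ecf52e9-a2b1-4938-b0b1-f7c1878de642",
+"/subscriptions/70cae949-5013-4c40-b718-911dbf9b9a80",
+"/subscriptions/f9ab522b-4895-492d-b8a8-ca6e1f60c2a8",
+"/subscriptions/6e2b45e4-5e7b-4628-8827-ec44e23d2f6b",
+"/subscriptions/2c20594a-bb4e-4103-8e3c-017f6ca01431",
+"/subscriptions/54794e27-b714-4346-81bc-05eae7ccb5a5",
+"/subscriptions/fced11a2-8ba7-4596-9ff4-de8b47713c48",
+"/subscriptions/7feeb150-9ee0-4aea-992a-5f3a89d933e6",
+"/subscriptions/4db5ca42-c8f1-4392-a9fc-96937874ef74",
+"/subscriptions/5df09d5a-b1c1-48b8-b72c-ebe9b27e0e0c",
+"/subscriptions/0c50e758-0cfb-4d35-9d52-b39ba918ce30",
+"/subscriptions/5e1ac47a-0729-4546-b93f-469d92c5ac4a",
+"/subscriptions/7cc36153-a8a4-4566-86bc-fec178ed176a",
+"/subscriptions/31cb867e-4cb5-47d3-b12a-7692cf746376",
+"/subscriptions/baed3117-d2f3-4289-977d-6d4429d9e983",
+"/subscriptions/63cc34fe-1aea-4cef-8402-5869c9fff78b" ],
+"permissions": [
+{
+"actions": [
+"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+"Microsoft.Storage/storageAccounts/blobServices/containers/read",
+"Microsoft.Storage/storageAccounts/blobServices/containers/write",
+"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
+"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
+"Microsoft.Storage/storageAccounts/queueServices/queues/read",
+"Microsoft.Storage/storageAccounts/queueServices/queues/write",
+"Microsoft.Storage/storageAccounts/tableServices/tables/read",
+"Microsoft.Storage/storageAccounts/tableServices/tables/write",
+"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
+],
+"notActions": [],
+"dataActions": [
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
+"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
+"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
+"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
+"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
+"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action",
+"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
+"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
+"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
+"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
+"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
+],
+"notDataActions": []
+}
+]
+}
+}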
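Review bot: The `actions` list grants `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action`, which lets any principal holding this role mint user delegation SAS tokens; such tokens carry the principal's blob permissions to whoever holds them and never appear as role assignments, so the RBAC inventory produced by the script in this commit will not show that access. If delegated-SAS issuance is intended, state it in `description`; otherwise the action should be dropped from the role. The management-plane `containers/delete`, `queues/delete` and `tables/delete` actions also go beyond the data-plane access the role name and `description` suggest and deserve a sentence there. `assignableScopes` enumerates 24 subscription ids by hand; if they sit under a common management group, a single management-group scope would stop the role from silently missing newly added subscriptions, though I can't tell from this file whether one exists.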
|
||||
@@ -1,4 +1,6 @@
|
||||
#Connect-AzAccount
|
||||
Import-Module Az.Accounts
|
||||
Import-Module Az.Resources
|
||||
|
||||
class ResourceCheck {
|
||||
[string] $ResourceId = ""
|
||||
@@ -29,7 +31,7 @@ Write-Host "====================================================================
|
||||
|
||||
$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
|
||||
|
||||
$fileName = "c:\temp\2020-10-21 azure_rbac.csv"
|
||||
$fileName = "2021-11-24 azure_rbac.csv"
|
||||
$fileExists = Test-Path $fileName
|
||||
If ($fileExists -eq $True) {
|
||||
Remove-Item $fileName
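Review bot: The new `$fileName = "2021-11-24 azure_rbac.csv"` hard-codes the run date and is relative to whatever the caller's current directory is, and `Remove-Item $fileName` two lines later deletes any file of that name found there. Deriving the name at run time and anchoring it to the script location avoids both: `$fileName = Join-Path $PSScriptRoot "$(Get-Date -Format 'yyyy-MM-dd') azure_rbac.csv"`. The `If` block continues outside the hunk.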
|
||||
@@ -39,6 +41,42 @@ foreach ($subscription in $subscriptions)
|
||||
{
|
||||
Set-AzContext -SubscriptionId $subscription.Id
|
||||
|
||||
$resourceGroups = Get-AzResourceGroup
|
||||
|
||||
foreach ($resourceGroup in $resourceGroups) {
|
||||
|
||||
[ResourceCheck[]]$Result = @()
|
||||
|
||||
try {
|
||||
$roleAssignments = Get-AzRoleAssignment -Scope $resourceGroup.ResourceId
|
||||
|
||||
foreach($roleAssignment in $roleAssignments) {
|
||||
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
|
||||
$resourceCheck.ResourceId = $resourceGroup.ResourceId
|
||||
$resourceCheck.Kind = "ResourceGroup"
|
||||
$resourceCheck.Location = $resourceGroup.Location
|
||||
$resourceCheck.ResourceGroupName = $resourceGroup.ResourceGroupName
|
||||
$resourceCheck.SubscriptionId = $subscription.Id
|
||||
$resourceCheck.SubscriptionName = $subscription.Name
|
||||
$resourceCheck.Tag_Team = $resourceGroup.Tags.team
|
||||
$resourceCheck.Tag_Product = $resourceGroup.Tags.product
|
||||
$resourceCheck.Tag_Environment = $resourceGroup.Tags.environment
|
||||
$resourceCheck.Tag_Data = $resourceGroup.Tags.data
|
||||
$resourceCheck.Tag_Delete = $resourceGroup.Tags.delete
|
||||
$resourceCheck.Tag_Split = $resourceGroup.Tags.split
|
||||
$resourceCheck.RBAC_RoleAssignmentId = $roleAssignment.RoleAssignmentId
|
||||
$resourceCheck.RBAC_Scope = $roleAssignment.Scope
|
||||
$resourceCheck.RBAC_DisplayName = $roleAssignment.DisplayName
|
||||
$resourceCheck.RBAC_SignInName = $roleAssignment.SignInName
|
||||
$resourceCheck.RBAC_RoleDefinitionName = $roleAssignment.RoleDefinitionName
|
||||
|
||||
$Result += $resourceCheck
|
||||
}
|
||||
} catch {
|
||||
}
|
||||
$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
|
||||
}
|
||||
|
||||
$allResources = Get-AzResource
|
||||
|
||||
foreach ($resource in $allResources) {
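Review bot: The `} catch { }` after the resource-group `try` swallows every failure of `Get-AzRoleAssignment -Scope $resourceGroup.ResourceId` (throttling, a missing Reader permission on that scope, a transient token problem), so the group is simply absent from the CSV and the report reads as if it had no assignments — for an access inventory that is the failure mode that matters most. At minimum surface it: `} catch { Write-Warning "Role assignments for $($resourceGroup.ResourceId) could not be read: $_" }`, and consider writing a marker row so gaps are visible in the CSV itself. The per-resource loop below opens a `try {` whose `catch` lies outside the hunk; it likely has the same shape and should get the same treatment. The enclosing `foreach ($subscription in $subscriptions)` starts outside the hunk.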
|
||||
@@ -46,7 +84,7 @@ Set-AzContext -SubscriptionId $subscription.Id
|
||||
[ResourceCheck[]]$Result = @()
|
||||
|
||||
try {
|
||||
$roleAssignments = Get-AzRoleAssignment -ResourceGroupName $resource.ResourceGroupName -ResourceName $resource.ResourceName -ResourceType $resource.ResourceType # | Where-Object Scope -EQ "/"
|
||||
$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId
|
||||
|
||||
foreach($roleAssignment in $roleAssignments) {
|
||||
[ResourceCheck] $resourceCheck = [ResourceCheck]::new()
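Review bot: With `$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId` the result includes, as far as I know, assignments inherited from the resource group, subscription and management group as well as direct ones, so every subscription-level assignment is emitted once per resource and the CSV grows with the resource count rather than the assignment count. If only direct assignments are wanted, filter on the scope, `$roleAssignments = Get-AzRoleAssignment -Scope $resource.ResourceId | Where-Object Scope -eq $resource.ResourceId`; if inherited rows are intended, a comment saying that `RBAC_Scope` is the column to tell them apart would save the next reader the question. The `try` block and its `catch` continue outside the hunk.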
|
||||
|
||||