From c1f54bf0f88b7379f445257a46f11b08e92e6f8b Mon Sep 17 00:00:00 2001
From: Jurjen Ladenius
Date: Tue, 12 Mar 2024 17:32:15 +0100
Subject: [PATCH] New key vault and web app settings

---
 Custom roles/Storage Data Contributor.json | 3 +-
 Custom roles/Storage Data Reader.json | 3 +-
 Powershell/Lists/Azure/AlertRules.ps1 | 2 +-
 Powershell/Lists/Azure/KeyVaults.ps1 | 84 +++++++++++++++++
 Powershell/Lists/Azure/Resources.ps1 | 18 +++-
 Powershell/Lists/Azure/WebApps.ps1 | 47 ++++++++++
 .../DevOps/RepositoriesWithTestAccept.ps1 | 92 +++++++++++++++++++
 Powershell/Tools/KeyVault Settings.ps1 | 48 ++++++++++
 Powershell/Tools/WebApp Settings.ps1 | 38 +++-----
 9 files changed, 305 insertions(+), 30 deletions(-)
 create mode 100644 Powershell/Lists/Azure/KeyVaults.ps1
 create mode 100644 Powershell/Lists/DevOps/RepositoriesWithTestAccept.ps1
 create mode 100644 Powershell/Tools/KeyVault Settings.ps1

diff --git a/Custom roles/Storage Data Contributor.json b/Custom roles/Storage Data Contributor.json
index 82c55bc..b227a28 100644
--- a/Custom roles/Storage Data Contributor.json
+++ b/Custom roles/Storage Data Contributor.json
@@ -73,6 +73,7 @@
 "/subscriptions/eec75831-812e-4b06-a7a4-ec28a5126238",
 "/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8",
 "/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea",
- "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6"
+ "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
+ "/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc"
 ]
 }
\ No newline at end of file
diff --git a/Custom roles/Storage Data Reader.json b/Custom roles/Storage Data Reader.json
index 9ddf0f2..058d4db 100644
--- a/Custom roles/Storage Data Reader.json
+++ b/Custom roles/Storage Data Reader.json
@@ -56,6 +56,7 @@
 "/subscriptions/eec75831-812e-4b06-a7a4-ec28a5126238",
 "/subscriptions/c4b0c496-dbc1-483b-890b-fc46012125d8",
 "/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea",
- "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6"
+ "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
+ "/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc"
 ]
 }
diff --git a/Powershell/Lists/Azure/AlertRules.ps1 b/Powershell/Lists/Azure/AlertRules.ps1
index 14afcd2..669c48a 100644
--- a/Powershell/Lists/Azure/AlertRules.ps1
+++ b/Powershell/Lists/Azure/AlertRules.ps1
@@ -1,6 +1,6 @@
 #Connect-AzAccount
-$access_token = (Get-AzAccessToken).Token
+$access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
 $ofs = ', '
 function GetSmartDetectorActionGroupIds {
diff --git a/Powershell/Lists/Azure/KeyVaults.ps1 b/Powershell/Lists/Azure/KeyVaults.ps1
new file mode 100644
index 0000000..604f637
--- /dev/null
+++ b/Powershell/Lists/Azure/KeyVaults.ps1
@@ -0,0 +1,84 @@
+#Connect-AzAccount
+
+class ResourceCheck {
+ [string] $ResourceId = ""
+ [string] $Location = ""
+ [string] $ResourceName = ""
+ [string] $ResourceGroup = ""
+ [string] $SubscriptionId = ""
+ [string] $SubscriptionName = ""
+ [string] $Tag_Team = ""
+ [string] $Tag_Product = ""
+ [string] $Tag_Environment = ""
+ [string] $Tag_Data = ""
+ [string] $Tag_Deployment = ""
+ [string] $Tag_CreatedOnDate = ""
+ [string] $Prop_EnablePurgeProtection = ""
+ [string] $Prop_EnableRbacAuthorization = ""
+ [string] $Prop_EnableSoftDelete = ""
+ [string] $Prop_PublicNetworkAccess = ""
+}
+
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Creating key vault resource overview."
+Write-Host "======================================================================================================================================================================"
+
+ $subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
+
+
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date azure_key_vaults.csv"
+
+# rm $fileName
+
+foreach ($subscription in $subscriptions)
+{
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ Set-AzContext -SubscriptionId $subscription.Id
+
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ $allResourceGroups = Get-AzResourceGroup
+ [ResourceCheck[]]$Result = @()
+
+ foreach ($group in $allResourceGroups) {
+
+ Write-Host $group.ResourceGroupName
+
+ $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
+
+ foreach ($vault in $allVaults) {
+
+ $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName
+
+ [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+ $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
+ $resourceCheck.Location = $vaultWithAllProps.Location
+ $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
+ $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
+ $resourceCheck.SubscriptionId = $subscription.Id
+ $resourceCheck.SubscriptionName = $subscription.Name
+ $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
+ $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
+ $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
+ $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
+ $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment
+ $resourceCheck.Prop_EnablePurgeProtection = $vaultWithAllProps.EnablePurgeProtection
+ $resourceCheck.Prop_EnableRbacAuthorization = $vaultWithAllProps.EnableRbacAuthorization
+ $resourceCheck.Prop_EnableSoftDelete = $vaultWithAllProps.EnableSoftDelete
+ $resourceCheck.Prop_PublicNetworkAccess = $vaultWithAllProps.PublicNetworkAccess
+
+ $Result += $resourceCheck
+
+
+ }
+ }
+ $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+}
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Done."
+
diff --git a/Powershell/Lists/Azure/Resources.ps1 b/Powershell/Lists/Azure/Resources.ps1
index ef0fa65..04f1c37 100644
--- a/Powershell/Lists/Azure/Resources.ps1
+++ b/Powershell/Lists/Azure/Resources.ps1
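Review bot: The overview records `PublicNetworkAccess` but not the vault's network rule set, so a vault reporting `Enabled` that is in fact firewalled (`NetworkAcls.DefaultAction` of `Deny`) looks identical in the CSV to one reachable from any network, which is the distinction a posture review cares about most. Adding `[string] $Prop_NetworkAclsDefaultAction = ""` to `ResourceCheck` and `$resourceCheck.Prop_NetworkAclsDefaultAction = $vaultWithAllProps.NetworkAcls.DefaultAction` next to the other `Prop_` assignments covers it; `NetworkAcls` is part of the object `Get-AzKeyVault -Name` returns, but confirm the property shape on the Az.KeyVault version in use. `EnablePurgeProtection` and `EnableSoftDelete` appear to come back as nullable booleans, so a vault that never had the flag set lands in the sheet as an empty cell rather than `False`; a comment above the `Prop_` block such as `# empty cell = flag never set on the vault, not "False"` stops readers from filtering on `False` alone.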
@@ -18,6 +18,8 @@ class ResourceCheck {
 [string] $Tag_Split = ""
 [string] $Tag_CreatedOnDate = ""
 [string] $Tag_Deployment = ""
+ [string] $ManagedIndentity_Name = ""
+ [string] $ManagedIndentity_PrincipalId = ""
 }
 Write-Host "========================================================================================================================================================================"
@@ -36,8 +38,8 @@ Set-AzContext -SubscriptionId $subscription.Id
 $allResources = Get-AzResource
 [ResourceCheck[]]$Result = @()
- foreach ($resource in $allResources) {
-
+ foreach ($resource in $allResources)
+ {
 [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
 $resourceCheck.ResourceId = $resource.ResourceId
 $resourceCheck.Id = $resource.Id
@@ -56,6 +58,18 @@ Set-AzContext -SubscriptionId $subscription.Id
 $resourceCheck.Tag_Split = $resource.Tags.split
 $resourceCheck.Tag_CreatedOnDate = $resource.Tags.CreatedOnDate
 $resourceCheck.Tag_Deployment = $resource.Tags.drp_deployment
+
+ try {
+ $managedIdentity = $null
+ $managedIdentity = Get-AzSystemAssignedIdentity -Scope $resource.ResourceId -erroraction 'silentlycontinue'
+ $resourceCheck.ManagedIndentity_Name = $managedIdentity.Name
+ $resourceCheck.ManagedIndentity_PrincipalId = $managedIdentity.PrincipalId
+ }
+ catch {
+ $resourceCheck.ManagedIndentity_Name = ""
+ $resourceCheck.ManagedIndentity_PrincipalId = ""
+ }
+
 $Result += $resourceCheck
 }
diff --git a/Powershell/Lists/Azure/WebApps.ps1 b/Powershell/Lists/Azure/WebApps.ps1
index 52dcf01..4b21885 100644
--- a/Powershell/Lists/Azure/WebApps.ps1
+++ b/Powershell/Lists/Azure/WebApps.ps1
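Review bot: The two new `ResourceCheck` fields are spelled `ManagedIndentity_Name` and `ManagedIndentity_PrincipalId`, and since `Export-Csv` takes property names as column headers the typo becomes the column name every consumer of the sheet has to match; renaming them to `ManagedIdentity_Name` / `ManagedIdentity_PrincipalId` before the first export avoids a breaking rename later (the third hunk assigns the same misspelled names). In that third hunk, `-erroraction 'silentlycontinue'` makes the cmdlet's failures non-terminating, so the `catch` block is largely unreachable and, when it does run, only re-assigns the empty-string defaults the class already carries. A comment above the `try`, e.g. `# resources without a system-assigned identity return $null; Name/PrincipalId then stay ""`, states the intent more clearly than the catch does.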
@@ -1,5 +1,38 @@
 #Connect-AzAccount
+function GetDeployment {
+
+ param (
+ [string] $siteName,
+ [string] $resourceGroupName,
+ [string] $subscriptionId,
+ [string] $slotName = ""
+ )
+
+ $access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
+
+ $url = ""
+ if ($slotName -ne "") {
+ $url = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$siteName/slots/$slotName/deployments?api-version=2022-03-01"
+ }
+ else {
+ $url = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$siteName/deployments?api-version=2022-03-01"
+ }
+
+ # GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/slots/{slot}/deploymentStatus/{deploymentStatusId}?api-version=2022-03-01
+ $head = @{ Authorization =" Bearer $access_token" }
+ $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
+ $response | ForEach-Object {
+ $responseValue = $_.value
+ if ($responseValue.Length -gt 0) {
+ return $responseValue[0].properties.last_success_end_time
+ }
+ else {
+ return ""
+ }
+ }
+}
+
 class ResourceCheck {
 [string] $ResourceId = ""
 [string] $Kind = ""
@@ -14,12 +47,16 @@ class ResourceCheck {
 [string] $Tag_Product = ""
 [string] $Tag_Environment = ""
 [string] $Tag_Data = ""
+ [string] $Tag_Deployment = ""
 [string] $Tag_CreatedOnDate = ""
 [string] $Prop_HttpsOnly = ""
 [string] $Prop_PhpVersion = ""
 [string] $Prop_RemoteDebuggingEnabled = ""
 [string] $Prop_MinTlsVersion = ""
 [string] $Prop_FtpsState = ""
+ [string] $Prop_Http20Enabled = ""
+ [string] $Prop_Identity = ""
+ [string] $LastDeployDate = ""
 }
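Review bot: `Invoke-RestMethod` in GetDeployment has no error handling, so a single failed deployments request (a site the caller cannot read, a throttled call) throws out of the function and aborts the whole inventory run, whereas Resources.ps1 in this same commit wraps its per-resource lookup in try/catch and records an empty value. The function also calls `Get-AzAccessToken` on every invocation, once per app and per slot; fetching the token once at script scope, as AlertRules.ps1 does, avoids that. `$responseValue[0]` assumes the first element of `value` is the most recent deployment, which I could not confirm for this endpoint, so it deserves a comment or an explicit sort on the deployment timestamp; the `Authorization` value also carries a leading space (`" Bearer …"`), apparently tolerated but easy to misread. A reshaped tail of the function that keeps the contract (a timestamp string or `""`) while containing failures:

```powershell
    $head = @{ Authorization = "Bearer $access_token" }
    try {
        $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
    }
    catch {
        Write-Warning "Deployment lookup failed for $($siteName) $($slotName): $($_.Exception.Message)"
        return ""
    }
    # NOTE(review): assumes value[0] is the latest deployment - confirm ordering or sort explicitly
    $deployments = @($response.value)
    if ($deployments.Length -gt 0) {
        return $deployments[0].properties.last_success_end_time
    }
    return ""
```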
@@ -69,11 +106,15 @@ foreach ($subscription in $subscriptions)
 $resourceCheck.Tag_Environment = $webApp.Tags.environment
 $resourceCheck.Tag_Data = $webApp.Tags.data
 $resourceCheck.Tag_CreatedOnDate = $webApp.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $webApp.Tags.drp_deployment
 $resourceCheck.Prop_HttpsOnly = $webApp.HttpsOnly
 $resourceCheck.Prop_PhpVersion = $webApp.SiteConfig.PhpVersion
 $resourceCheck.Prop_RemoteDebuggingEnabled = $webApp.SiteConfig.RemoteDebuggingEnabled
 $resourceCheck.Prop_MinTlsVersion = $webApp.SiteConfig.MinTlsVersion
 $resourceCheck.Prop_FtpsState = $webApp.SiteConfig.FtpsState
+ $resourceCheck.Prop_Http20Enabled = $webApp.SiteConfig.Http20Enabled
+ $resourceCheck.Prop_Identity = $webApp.Identity.Type
+ $resourceCheck.LastDeployDate = GetDeployment -siteName $webApp.Name -resourceGroupName $group.ResourceGroupName -subscriptionId $subscription.Id
 $Result += $resourceCheck
@@ -99,11 +140,16 @@ foreach ($subscription in $subscriptions)
 $resourceCheck.Tag_Environment = $slot.Tags.environment
 $resourceCheck.Tag_Data = $slot.Tags.data
 $resourceCheck.Tag_CreatedOnDate = $slot.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $slot.Tags.drp_deployment
 $resourceCheck.Prop_HttpsOnly = $slot.HttpsOnly
 $resourceCheck.Prop_PhpVersion = $slot.SiteConfig.PhpVersion
 $resourceCheck.Prop_RemoteDebuggingEnabled = $slot.SiteConfig.RemoteDebuggingEnabled
 $resourceCheck.Prop_MinTlsVersion = $slot.SiteConfig.MinTlsVersion
 $resourceCheck.Prop_FtpsState = $slot.SiteConfig.FtpsState
+ $resourceCheck.Prop_Http20Enabled = $slot.SiteConfig.Http20Enabled
+ $resourceCheck.Prop_Identity = $slot.Identity.Type
+
+ $resourceCheck.LastDeployDate = GetDeployment -siteName $webApp.Name -resourceGroupName $group.ResourceGroupName -subscriptionId $subscription.Id -slotName $slotName
 $Result += $resourceCheck
+ }
@@ -114,3 +160,4 @@ foreach ($subscription in $subscriptions)
 Write-Host "======================================================================================================================================================================"
 Write-Host "Done."
+
diff --git a/Powershell/Lists/DevOps/RepositoriesWithTestAccept.ps1 b/Powershell/Lists/DevOps/RepositoriesWithTestAccept.ps1
new file mode 100644
index 0000000..b9aeb09
--- /dev/null
+++ b/Powershell/Lists/DevOps/RepositoriesWithTestAccept.ps1
@@ -0,0 +1,92 @@
+
+class Repository {
+ [string] $Id = ""
+ [string] $Name = ""
+ [string] $DefaultBranch = ""
+ [string] $IsDisabled = ""
+ [string] $WebUrl = ""
+ [string] $LastDefaultChange = ""
+ [string] $HasTest = ""
+ [string] $LastTestChange = ""
+ [string] $HasAccept = ""
+ [string] $LastAcceptChange = ""
+}
+
+[string] $url = ""
+[string] $repositoryId = ""
+[string] $branchName = ""
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date repositories with test and accept.csv"
+
+[string] $token = "yixqmupncd3b72zij4y5lfsenepak5rtvlba3sj33tvxvc4s7a6q" #"{INSERT_PERSONAL_ACCESS_TOKEN}"
+$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))
+$head = @{ Authorization =" Basic $token" }
+[string] $organization = "effectory"
+[string] $project = "Survey%20Software"
+
+Write-Host "========================================================================================================================================================================"
+Write-Host "Creating repository overview."
+Write-Host "========================================================================================================================================================================"
+
+$repos = az repos list --organization "https://dev.azure.com/$organization/" --project "survey software" | ConvertFrom-Json | Select-Object
+
+[Repository[]]$Result = @()
+
+foreach ($repo in $repos)
+{
+ Write-Host $repo.name
+
+ [Repository] $repository = [Repository]::new()
+ $repository.Id = $repo.id
+ $repository.Name = $repo.name
+ $repository.DefaultBranch = $repo.defaultBranch
+ $repository.IsDisabled = $repo.isDisabled
+ $repository.WebUrl = $repo.webUrl
+
+ if ($true -ne $repo.isDisabled)
+ {
+ $repositoryId = $repo.id
+ $branchName = $repo.defaultBranch
+ $branchName = $branchName.Replace("refs/heads/", "")
+
+ try {
+ $url="https://dev.azure.com/$organization/$project/_apis/git/repositories/$repositoryId/commits?searchCriteria.itemVersion.version=$branchName&searchCriteria.`$top=1&api-version=6.0"
+ $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
+ $repository.LastDefaultChange = $response.value[0].committer.date
+ }
+ catch {
+ $repository.LastDefaultChange = ""
+ }
+
+ try {
+ $branchName = "test"
+ $url="https://dev.azure.com/$organization/$project/_apis/git/repositories/$repositoryId/commits?searchCriteria.itemVersion.version=$branchName&searchCriteria.`$top=1&api-version=6.0"
+ $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
+ $repository.HasTest = "True"
+ $repository.LastTestChange = $response.value[0].committer.date
+ }
+ catch {
+ $repository.HasTest = "False"
+ $repository.LastTestChange = ""
+ }
+
+ try {
+ $branchName = "accept"
+ $url="https://dev.azure.com/$organization/$project/_apis/git/repositories/$repositoryId/commits?searchCriteria.itemVersion.version=$branchName&searchCriteria.`$top=1&api-version=6.0"
+ $response = Invoke-RestMethod -Uri $url -Method GET -Headers $head
+ $repository.HasAccept = "True"
+ $repository.LastAcceptChange = $response.value[0].committer.date
+ }
+ catch {
+ $repository.HasAccept = "False"
+ $repository.LastAcceptChange = ""
+ }
+ }
+
+ $Result += $repository
+}
+
+$Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+
+Write-Host "========================================================================================================================================================================"
+Write-Host "Done."
\ No newline at end of file
diff --git a/Powershell/Tools/KeyVault Settings.ps1 b/Powershell/Tools/KeyVault Settings.ps1
new file mode 100644
index 0000000..91eac63
--- /dev/null
+++ b/Powershell/Tools/KeyVault Settings.ps1
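Review bot: The line `[string] $token = "yixqmupncd3b72zij4y5lfsenepak5rtvlba3sj33tvxvc4s7a6q"` commits a live Azure DevOps personal access token to the repository; it is already part of the commit history, so the token has to be revoked in Azure DevOps whatever happens to this file, and the trailing `#"{INSERT_PERSONAL_ACCESS_TOKEN}"` comment shows the placeholder that was meant to be there. Read it from the environment instead, e.g. `[string] $token = $env:AZURE_DEVOPS_EXT_PAT` followed by `if ([string]::IsNullOrEmpty($token)) { throw "AZURE_DEVOPS_EXT_PAT is not set" }`; that variable is also what the `az repos list` call further down honours, so one setting serves both paths. Separately, `$project` is the pre-encoded `"Survey%20Software"` while the CLI call uses `"survey software"`; keeping one un-encoded value and applying `[uri]::EscapeDataString($project)` when building `$url` keeps the two from drifting apart.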
@@ -0,0 +1,48 @@
+#Connect-AzAccount
+
+# Set alias for az exe
+Set-Alias -Name az -Value "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd"
+
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Updating key vault resource settings."
+Write-Host "======================================================================================================================================================================"
+
+$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled" | Where Name -NotLike "Visual Studio*" | Where Name -NotLike "*test*"
+
+foreach ($subscription in $subscriptions)
+{
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ Set-AzContext -SubscriptionId $subscription.Id
+ az account set --subscription $subscription.Id
+
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ $allResourceGroups = Get-AzResourceGroup
+
+ foreach ($group in $allResourceGroups) {
+
+ $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
+
+ foreach ($vault in $allVaults) {
+ Write-Host "Checking vault $($vault.VaultName)..."
+
+ $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName
+
+ if ($vaultWithAllProps.EnableSoftDelete -ne "TRUE") {
+ Write-Host "Enable Soft Delete $($vault.VaultName)"
+ az keyvault update --name $vault.VaultName --resource-group $group.ResourceGroupName --set properties.enableSoftDelete=true | out-null
+ }
+ if ($vaultWithAllProps.EnablePurgeProtection -ne "TRUE") {
+ Write-Host "Enable purge protection $($vault.VaultName)"
+ az keyvault update --name $vault.VaultName --resource-group $group.ResourceGroupName --enable-purge-protection | out-null
+ }
+ }
+ }
+}
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Done."
+
+
diff --git a/Powershell/Tools/WebApp Settings.ps1 b/Powershell/Tools/WebApp Settings.ps1
index 2647aeb..400f4b0 100644
--- a/Powershell/Tools/WebApp Settings.ps1
+++ b/Powershell/Tools/WebApp Settings.ps1
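Review bot: Both `az keyvault update … | out-null` lines discard the CLI output and the script never inspects `$LASTEXITCODE`, so a vault that could not be updated (permission denied, or the CLI signed in as a different identity than the one behind `Set-AzContext`) is still announced by the preceding `Write-Host` as if the setting were enabled; add `if ($LASTEXITCODE -ne 0) { Write-Warning "az keyvault update failed for $($vault.VaultName)" }` after each call, and the same applies to the `az webapp config set` calls in WebApp Settings.ps1 in this commit. Enabling purge protection is a one-way change that cannot be undone on the vault, and the only guard against touching the wrong subscriptions is the name filter `-NotLike "*test*"`, so a dry-run switch that prints the intended changes without invoking `az` would make the script safer to run, and a comment such as `# purge protection cannot be disabled once enabled` above the second `if` records why. The checks `-ne "TRUE"` work only because PowerShell converts the right-hand string to a boolean when the left side is one; `-ne $true` says the same thing without the conversion.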
@@ -1,41 +1,21 @@
 #Connect-AzAccount
-class ResourceCheck {
- [string] $ResourceId = ""
- [string] $Kind = ""
- [string] $Location = ""
- [string] $ResourceName = ""
- [string] $ResourceGroup = ""
- [string] $ResourceType = ""
- [string] $State = ""
- [string] $SubscriptionId = ""
- [string] $SubscriptionName = ""
- [string] $Tag_Team = ""
- [string] $Tag_Product = ""
- [string] $Tag_Environment = ""
- [string] $Tag_Data = ""
- [string] $Tag_CreatedOnDate = ""
- [string] $Prop_HttpsOnly = ""
- [string] $Prop_PhpVersion = ""
- [string] $Prop_NetFrameworkVersion = ""
- [string] $Prop_WindowsFxVersion = ""
- [string] $Prop_RemoteDebuggingEnabled = ""
- [string] $Prop_MinTlsVersion = ""
- [string] $Prop_FtpsState = ""
-}
+# Set alias for az exe
+Set-Alias -Name az -Value "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd"
 Write-Host "======================================================================================================================================================================"
-Write-Host "Creating webapp resource overview."
+Write-Host "Updating webapp resource settings."
 Write-Host "======================================================================================================================================================================"
-$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled"
+$subscriptions = Get-AzSubscription | Where-Object State -eq "Enabled" | Where Name -NotLike "Visual Studio*" | Where Name -NotLike "*test*"
 foreach ($subscription in $subscriptions)
 {
 Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
 Set-AzContext -SubscriptionId $subscription.Id
+ az account set --subscription $subscription.Id
 Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
@@ -57,6 +37,10 @@ foreach ($subscription in $subscriptions)
 Write-Host "Disable PHP $($webApp.Name)"
 $x = Set-AzWebApp -Name $webApp.Name -ResourceGroupName $group.ResourceGroupName -PhpVersion "off"
 }
+ if ($webApp.SiteConfig.Http20Enabled -ne "TRUE") {
+ Write-Host "Enable HTTP/2 $($webApp.Name)"
+ az webapp config set -g $group.ResourceGroupName -n $webApp.Name --http20-enabled true | out-null
+ }
 $allSlots = Get-AzWebAppSlot -Name $webApp.Name -ResourceGroupName $webApp.ResourceGroup
@@ -73,6 +57,10 @@ foreach ($subscription in $subscriptions)
 Write-Host "Disable PHP $($webApp.Name) - $($slotName)"
 $y = Set-AzWebAppSlot -Name $webApp.Name -Slot $slotName -ResourceGroupName $group.ResourceGroupName -PhpVersion "off"
 }
+ if ($slot.SiteConfig.Http20Enabled -ne "TRUE") {
+ Write-Host "Enable HTTP/2 $($webApp.Name)"
+ az webapp config set -g $group.ResourceGroupName -n $webApp.Name --slot $slotName --http20-enabled true | out-null
+ }
 }
 }
 }
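Review bot: `az account set --subscription $subscription.Id` is placed next to `Set-AzContext`, but the Az module and the `az` CLI hold separate logins, and the new `az webapp config set` calls later in this file run under whatever account the CLI is signed in with; if `az account set` fails (not logged in, or the subscription not visible to that identity) the script carries on and the later calls act on the previously selected subscription or fail behind `| out-null`. Guard it with `if ($LASTEXITCODE -ne 0) { throw "az account set failed for $($subscription.Name)" }` directly after the call. The commented-out `#Connect-AzAccount` at the top documents the Az prerequisite; a matching `#az login` comment beside `Set-Alias` would document the second one.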
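Review bot: In the slot hunk the message `Write-Host "Enable HTTP/2 $($webApp.Name)"` omits the slot, so its output is indistinguishable from the production-slot line in the previous hunk even though the change is applied with `--slot $slotName`; the neighbouring PHP message in the same hunk already reads `"Disable PHP $($webApp.Name) - $($slotName)"`, so `Write-Host "Enable HTTP/2 $($webApp.Name) - $($slotName)"` keeps the log consistent. Also, `$slot.SiteConfig.Http20Enabled` is what is tested but the update is addressed by `$webApp.Name` plus the slot, which is fine as long as `$slotName` is derived from `$slot` outside this hunk; a short comment above the `if` naming that dependency helps the next reader.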