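#Connect-AzAccount
#
# Inventories Key Vault access policies across every management group and
# active subscription visible to the current Az context, and appends one CSV
# row per access policy (vaults on RBAC authorization are skipped because their
# access policies are not effective). The CSV is written to the current
# directory with a timestamped name. It lists principal object IDs together
# with the key/secret/certificate/storage permissions they hold, so the output
# file should be handled as sensitive inventory data.

# One CSV row: where the vault lives, which principal the policy grants to,
# what it grants, and the vault's ownership tags.
class ResourceCheck {
    [string] $ManagementGroupId = ""
    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    [string] $ResourceGroup = ""
    [string] $ResourceId = ""
    [string] $Location = ""
    [string] $ResourceName = ""
    # Principal the policy applies to (user/group/SP object id, plus the
    # optional application id for compound identities).
    [string] $AccessPolicy_ObjectId = ""
    [string] $AccessPolicy_DisplayName = ""
    [string] $AccessPolicy_ApplicationId = ""
    [string] $AccessPolicy_ApplicationDisplayName = ""
    # Comma-separated permission lists as reported by Get-AzKeyVault.
    [string] $AccessPolicy_Keys = ""
    [string] $AccessPolicy_Secrets = ""
    [string] $AccessPolicy_Certificates = ""
    [string] $AccessPolicy_Storage = ""
    # Ownership tags read from the vault resource (empty when not set).
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
    [string] $Tag_Data = ""
    [string] $Tag_Deployment = ""
    [string] $Tag_CreatedOnDate = ""
}

$banner = "======================================================================================================================================================================"
$rule   = "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"

Write-Host $banner
Write-Host "Creating key vault access policy resource overview."
Write-Host $banner

[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_key_vault_access_policies.csv"
$totalRows = 0

$managementGroups = Get-AzManagementGroup
foreach ($managementGroup in $managementGroups) {
    Write-Host $rule
    Write-Host "Management group [$($managementGroup.Name)]"

    $subscriptions = Get-AzManagementGroupSubscription -GroupName $managementGroup.Name |
        Where-Object State -eq "Active"

    foreach ($subscription in $subscriptions) {
        Write-Host $rule

        # $subscription.Id is the management-group-scoped path
        # (<Parent>/subscriptions/<guid>): strip the parent prefix and the
        # "/subscriptions/" segment to get the bare subscription GUID.
        $scope = $subscription.Id.Substring($subscription.Parent.Length)
        $subscriptionId = $scope.Replace("/subscriptions/", "")
        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"

        # A failed context switch must not be ignored: the script would
        # otherwise enumerate the previous subscription's vaults and attribute
        # them to this one in the report. Skip the subscription instead.
        try {
            Set-AzContext -SubscriptionId $subscriptionId -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Warning "Skipping subscription ${subscriptionId}: could not set context ($($_.Exception.Message))"
            continue
        }
        Write-Host $rule

        # List<T> instead of += on a typed array (which copies the array on
        # every append).
        $result = [System.Collections.Generic.List[ResourceCheck]]::new()

        $allResourceGroups = Get-AzResourceGroup
        foreach ($group in $allResourceGroups) {
            $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName
            foreach ($vault in $allVaults) {
                # The list form of Get-AzKeyVault returns a reduced object;
                # re-read the vault by name to get AccessPolicies and the
                # RBAC flag.
                $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName

                # A vault with RBAC authorization enabled ignores its access
                # policies, so there is nothing to report. A null/false flag
                # means the vault is still policy-based and is inventoried.
                if ($vaultWithAllProps.EnableRbacAuthorization -eq $true) {
                    continue
                }

                Write-Host $vaultWithAllProps.ResourceId

                # Tags may be absent on the vault; index into an empty table
                # so every Tag_* column simply stays empty.
                $tags = $vaultWithAllProps.Tags
                if ($null -eq $tags) { $tags = @{} }

                foreach ($accessPolicy in $vaultWithAllProps.AccessPolicies) {
                    $row = [ResourceCheck]::new()

                    $row.ManagementGroupId   = $managementGroup.Id
                    $row.ManagementGroupName = $managementGroup.DisplayName
                    # Bare GUID and human-readable name, consistent with the
                    # console line above. (On the management-group subscription
                    # object, .Name holds the GUID and .DisplayName the name.)
                    $row.SubscriptionId   = $subscriptionId
                    $row.SubscriptionName = $subscription.DisplayName
                    $row.ResourceGroup    = $vaultWithAllProps.ResourceGroupName
                    $row.ResourceId       = $vaultWithAllProps.ResourceId
                    $row.Location         = $vaultWithAllProps.Location
                    $row.ResourceName     = $vaultWithAllProps.VaultName

                    $row.AccessPolicy_ObjectId               = $accessPolicy.ObjectId
                    $row.AccessPolicy_DisplayName            = $accessPolicy.DisplayName
                    $row.AccessPolicy_ApplicationId          = $accessPolicy.ApplicationId
                    $row.AccessPolicy_ApplicationDisplayName = $accessPolicy.ApplicationIdDisplayName
                    $row.AccessPolicy_Keys                   = $accessPolicy.PermissionsToKeysStr
                    $row.AccessPolicy_Secrets                = $accessPolicy.PermissionsToSecretsStr
                    $row.AccessPolicy_Certificates           = $accessPolicy.PermissionsToCertificatesStr
                    $row.AccessPolicy_Storage                = $accessPolicy.PermissionsToStorageStr

                    $row.Tag_Team          = $tags['team']
                    $row.Tag_Product       = $tags['product']
                    $row.Tag_Environment   = $tags['environment']
                    $row.Tag_Data          = $tags['data']
                    $row.Tag_CreatedOnDate = $tags['CreatedOnDate']
                    $row.Tag_Deployment    = $tags['drp_deployment']

                    $result.Add($row)
                }
            }
        }

        # Only append when there is something to write, so a subscription with
        # no policy-based vaults does not touch the file.
        if ($result.Count -gt 0) {
            $result | Export-Csv -Path $fileName -Append -NoTypeInformation
            $totalRows += $result.Count
        }
    }
}

Write-Host $banner
Write-Host "Rows written: $totalRows -> $fileName"
Write-Host "Done."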