#Connect-AzAccount
# One row of the key vault access-policy report: a single access-policy entry on a single
# vault, together with the vault's place in the hierarchy (management group, subscription,
# resource group) and its tags. Rows are written with Export-Csv, so the CSV column order
# follows the property declaration order below.
class ResourceCheck {
    # Where the vault lives.
    [string] $ManagementGroupId = ""
    [string] $ManagementGroupName = ""
    [string] $SubscriptionId = ""
    [string] $SubscriptionName = ""
    [string] $ResourceGroup = ""
    [string] $ResourceId = ""
    [string] $Location = ""
    [string] $ResourceName = ""
    # The principal the access policy grants to (object id and, for service principals,
    # application id) and the permission strings per Key Vault object type.
    [string] $AccessPolicy_ObjectId = ""
    [string] $AccessPolicy_DisplayName = ""
    [string] $AccessPolicy_ApplicationId = ""
    [string] $AccessPolicy_ApplicationDisplayName = ""
    [string] $AccessPolicy_Keys = ""
    [string] $AccessPolicy_Secrets = ""
    [string] $AccessPolicy_Certificates = ""
    [string] $AccessPolicy_Storage = ""
    # Ownership / lifecycle tags copied from the vault resource; empty when the tag is absent.
    [string] $Tag_Team = ""
    [string] $Tag_Product = ""
    [string] $Tag_Environment = ""
    [string] $Tag_Data = ""
    [string] $Tag_Deployment = ""
    [string] $Tag_CreatedOnDate = ""
}
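Write-Host "======================================================================================================================================================================"
Write-Host "Creating key vault access policy resource overview."
Write-Host "======================================================================================================================================================================"

# One CSV per run, named after the start time so repeated runs do not overwrite each other.
# The file lists principal ids and their key/secret/certificate permissions per vault, so
# treat it like any other access inventory.
[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
$fileName = ".\$date azure_key_vault_access_policies.csv"

$managementGroups = Get-AzManagementGroup

foreach ($managementGroup in $managementGroups)
{
    Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
    Write-Host "Management group [$($managementGroup.Name)]"

    $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active"

    foreach ($subscription in $subscriptions)
    {
        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
        # $subscription.Id is the management-group-scoped path; stripping the parent path
        # leaves "/subscriptions/<id>", from which the bare subscription id is taken.
        $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
        $subscriptionId = $scope.Replace("/subscriptions/", "")
        Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"

        # A failed context switch must not leave the previous subscription active: the
        # vaults enumerated below would then be attributed to the wrong subscription in
        # the report. Skip the subscription instead and say so.
        try {
            Set-AzContext -SubscriptionId $subscriptionId -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Warning "Skipping subscription [$subscriptionId]: could not set context. $($_.Exception.Message)"
            continue
        }
        Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"

        $allResourceGroups = Get-AzResourceGroup
        # A List avoids re-allocating the whole array on every append as the report grows.
        $Result = [System.Collections.Generic.List[ResourceCheck]]::new()

        foreach ($group in $allResourceGroups) {
            $allVaults = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName

            foreach ($vault in $allVaults) {
                # The list call returns summary objects; the per-vault call is needed for
                # AccessPolicies and EnableRbacAuthorization.
                $vaultWithAllProps = Get-AzKeyVault -ResourceGroupName $group.ResourceGroupName -Name $vault.VaultName

                # Only vaults in access-policy mode are reported; a vault using RBAC
                # authorization has no effective access policies. Compare against the
                # boolean directly rather than the string "TRUE".
                if ($vaultWithAllProps.EnableRbacAuthorization -ne $true) {
                    Write-Host $vaultWithAllProps.ResourceId

                    foreach ($accessPolicy in $vaultWithAllProps.AccessPolicies) {
                        [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
                        $resourceCheck.ManagementGroupId = $managementGroup.Id
                        $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
                        # Record the bare subscription id (the value used for Set-AzContext
                        # above) and the display name printed in the banner, so the CSV
                        # columns match what the console shows.
                        $resourceCheck.SubscriptionId = $subscriptionId
                        $resourceCheck.SubscriptionName = $subscription.DisplayName
                        $resourceCheck.ResourceGroup = $vaultWithAllProps.ResourceGroupName
                        $resourceCheck.ResourceId = $vaultWithAllProps.ResourceId
                        $resourceCheck.Location = $vaultWithAllProps.Location
                        $resourceCheck.ResourceName = $vaultWithAllProps.VaultName
                        $resourceCheck.AccessPolicy_ObjectId = $accessPolicy.ObjectId
                        $resourceCheck.AccessPolicy_DisplayName = $accessPolicy.DisplayName
                        $resourceCheck.AccessPolicy_ApplicationId = $accessPolicy.ApplicationId
                        $resourceCheck.AccessPolicy_ApplicationDisplayName = $accessPolicy.ApplicationIdDisplayName
                        $resourceCheck.AccessPolicy_Keys = $accessPolicy.PermissionsToKeysStr
                        $resourceCheck.AccessPolicy_Secrets = $accessPolicy.PermissionsToSecretsStr
                        $resourceCheck.AccessPolicy_Certificates = $accessPolicy.PermissionsToCertificatesStr
                        $resourceCheck.AccessPolicy_Storage = $accessPolicy.PermissionsToStorageStr
                        # Tags is a hashtable; a missing key yields $null, which the
                        # [string] property turns into an empty column.
                        $resourceCheck.Tag_Team = $vaultWithAllProps.Tags.team
                        $resourceCheck.Tag_Product = $vaultWithAllProps.Tags.product
                        $resourceCheck.Tag_Environment = $vaultWithAllProps.Tags.environment
                        $resourceCheck.Tag_Data = $vaultWithAllProps.Tags.data
                        $resourceCheck.Tag_CreatedOnDate = $vaultWithAllProps.Tags.CreatedOnDate
                        $resourceCheck.Tag_Deployment = $vaultWithAllProps.Tags.drp_deployment

                        $Result.Add($resourceCheck)
                    }
                }
            }
        }

        # Appended per subscription so partial output survives a failure later in the run.
        if ($Result.Count -gt 0) {
            $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
        }
    }
}

Write-Host "======================================================================================================================================================================"
Write-Host "Done."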