forked from JamesDLD/AzureRm-PowerShell
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathAudit-AzPolicies.ps1
210 lines (191 loc) · 10.6 KB
/
Audit-AzPolicies.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
<#
.SYNOPSIS
Audit Azure policies and extract the result in csv files
.DESCRIPTION
REQUIRED : Internet access & Already connected to an Azure tenant
REQUIRED : PowerShell modules, see variables
.PARAMETER LogFile
Optional
Log file path
.PARAMETER PolicySuffixesToFilterOn
Mandatory
Array containing the policies names you want to filter on
.NOTES
AUTHOR: James Dumont le Douarec
.LINK
https://github.com/JamesDLD/AzureRm-PowerShell
https://docs.microsoft.com/en-us/azure/azure-policy/policy-compliance
.EXAMPLE
$PolicySuffixesToFilterOn = @("*enforce-udr-under-vnet*","*enforce-nsg-under-vnet*")
.\Audit-AzPolicies.ps1 -PolicySuffixesToFilterOn $PolicySuffixesToFilterOn
#>
param(
[Parameter(Mandatory=$true,HelpMessage='Azure policies suffixes to filter on')]
[Array]
$PolicySuffixesToFilterOn,
[Parameter(Mandatory=$false,HelpMessage='Log file path')]
[String]
$LogFile
)
################################################################################
# Function
################################################################################
#region function
Function PolicyStateSummary_array{
[CmdletBinding()]
Param (
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $AzureSubscriptionName,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $PolicySuffix,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $NonCompliantResources,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $NonCompliantPolicies
)
Process {
$private:tableObj=New-Object PSObject
$tableObj | Add-Member -Name AzureSubscriptionName -MemberType NoteProperty -Value $AzureSubscriptionName
$tableObj | Add-Member -Name PolicySuffix -MemberType NoteProperty -Value $PolicySuffix
$tableObj | Add-Member -Name NonCompliantResources -MemberType NoteProperty -Value $NonCompliantResources
$tableObj | Add-Member -Name NonCompliantPolicies -MemberType NoteProperty -Value $NonCompliantPolicies
return $tableObj
}
}
Function PolicyState_array{
[CmdletBinding()]
Param (
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $AzureSubscriptionName,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $PolicySuffix,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $ResourceGroup,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][Bool] $IsCompliant,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)][String] $Resource
)
Process {
$private:tableObj=New-Object PSObject
$tableObj | Add-Member -Name AzureSubscriptionName -MemberType NoteProperty -Value $AzureSubscriptionName
$tableObj | Add-Member -Name PolicySuffix -MemberType NoteProperty -Value $PolicySuffix
$tableObj | Add-Member -Name ResourceGroup -MemberType NoteProperty -Value $ResourceGroup
$tableObj | Add-Member -Name IsCompliant -MemberType NoteProperty -Value $IsCompliant
$tableObj | Add-Member -Name Resource -MemberType NoteProperty -Value $Resource
return $tableObj
}
}
Function Generate_Log_Action([string]$Action, [ScriptBlock]$Command, [string]$LogFile){
$Output = "Info : $Action ... "
Write-Host $Output -ForegroundColor Cyan
((Get-Date -UFormat "[%d-%m-%Y %H:%M:%S] : ") + "Info" + " : " + $Action) | Out-File -FilePath $LogFile -Append -Force
Try{
$Result = Invoke-Command -ScriptBlock $Command
}
Catch {
$ErrorMessage = $_.Exception.Message
$Output = "On action $Action : $ErrorMessage"
((Get-Date -UFormat "[%d-%m-%Y %H:%M:%S] : ") + "Error" + " : " + $Output) | Out-File -FilePath $LogFile -Append -Force
Write-Error $Output
$Result = "Error"
}
Return $Result
}
#endregion
################################################################################
# Variable
################################################################################
Set-StrictMode -Version 2
$ErrorActionPreference = "Stop"
$AzureRmSubscriptions = Get-AzSubscription
$PolicyStateSummary_array = @()
$PolicyState_array = @()
$workfolder = Split-Path $script:MyInvocation.MyCommand.Path
$date = Get-Date -UFormat "%d-%m-%Y"
#Module Name, Minimum Version
$PowerShellModules = @(
("Az.Accounts","1.3.0"),
("Az.PolicyInsights","1.0.0")
)
#If not provided, creating the log file
if($LogFile -eq "")
{
$LogPath = $workfolder + "\logs"
if(!(Test-Path $LogPath)){mkdir $LogPath}
$logFile = $LogPath + "\$date-" + $MyInvocation.MyCommand.Name + ".log"
}
ForEach ($PowerShellModule in $PowerShellModules)
{
$Action = "Importing the Module $($PowerShellModule[0]) with MinimumVersion $($PowerShellModule[1])"
$Command = {Import-Module $PowerShellModule[0] -MinimumVersion $($PowerShellModule[1]) -ErrorAction Stop}
$Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($Result -eq "Error"){Exit 1}
}
#endregion
################################################################################
# Action
################################################################################
foreach ($AzureRmSubscription in $AzureRmSubscriptions)
{
$Action = "Getting the AzureRm context for the SubscriptionName : $($AzureRmSubscription.Name)"
$Command = {Get-AzSubscription -SubscriptionName $AzureRmSubscription.Name | Set-AzContext -ErrorAction Stop}
$AzureRmContext = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($AzureRmContext -eq "Error"){Exit 1}
$Action = "Selecting the AzureRm SubscriptionName : $($AzureRmSubscription.Name)"
$Command = {Select-AzSubscription -Name $AzureRmSubscription.Name -Context $AzureRmContext -Force -ErrorAction Stop}
$Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($Result -eq "Error"){Exit 1}
foreach($PolicySuffix in $PolicySuffixesToFilterOn)
{
$AzureRmPolicyStateSummary = $AzureRmPolicyStates = @()
$Action = "[$($AzureRmSubscription.Name)] Getting the policy state summary for policies having the suffix : $PolicySuffix"
$Command = {Get-AzPolicyStateSummary -ErrorAction Stop}
$AzureRmPolicyStateSummary = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($AzureRmPolicyStateSummary -eq "Error"){Exit 1}
elseif($AzureRmPolicyStateSummary.PolicyAssignments -ne "" -and $AzureRmPolicyStateSummary.Results -ne "")
{
$AzureRmPolicyStateSummary = $AzureRmPolicyStateSummary | Where-Object { $_.PolicyAssignments.PolicyAssignmentId -like $PolicySuffix }
if($AzureRmPolicyStateSummary)
{
$PolicyStateSummary_array += PolicyStateSummary_array -AzureSubscriptionName $AzureRmSubscription.Name -PolicySuffix $PolicySuffix.Replace("*","") -NonCompliantResources $AzureRmPolicyStateSummary.Results.NonCompliantResources -NonCompliantPolicies $AzureRmPolicyStateSummary.Results.NonCompliantPolicies
}
}
$Action = "[$($AzureRmSubscription.Name)] Getting the policy state for policies having the suffix : $PolicySuffix at subscription $($AzureRmSubscription.Name) level"
$Command = {Get-AzPolicyState -SubscriptionId $AzureRmSubscription.SubscriptionId -ErrorAction Stop}
$AzureRmPolicyStates = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($AzureRmPolicyStates -eq "Error"){Exit 1}
elseif($AzureRmPolicyStates)
{
$AzureRmPolicyStates = $AzureRmPolicyStates | Where-Object { $_.PolicyAssignmentId -like $PolicySuffix }
foreach($AzureRmPolicyState in $AzureRmPolicyStates)
{
$PolicyState_array += PolicyState_array -AzureSubscriptionName $AzureRmSubscription.Name -PolicySuffix $PolicySuffix.Replace("*","") -ResourceGroup $AzureRmPolicyState.ResourceGroup -IsCompliant $AzureRmPolicyState.IsCompliant -Resource "$($AzureRmPolicyState.ResourceId.Split("/")[-2])/$($AzureRmPolicyState.ResourceId.Split("/")[-1])"
}
}
$Action = "[$($AzureRmSubscription.Name)] Getting the resource groups of the subscription $($AzureRmSubscription.Name)"
$Command = {Get-AzResourceGroup -ErrorAction Stop}
$ResourceGroups = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($ResourceGroups -eq "Error"){Exit 1}
elseif($ResourceGroups)
{
foreach ($ResourceGroup in $ResourceGroups)
{
$Action = "[$($AzureRmSubscription.Name)] Getting the policy state for policies having the suffix : $PolicySuffix at resource group $($ResourceGroup.ResourceGroupName) level"
$Command = {Get-AzPolicyState -ResourceGroupName $ResourceGroup.ResourceGroupName -ErrorAction Stop}
$AzureRmPolicyStates = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($AzureRmPolicyStates -eq "Error"){Exit 1}
elseif($AzureRmPolicyStates)
{
$AzureRmPolicyStates = $AzureRmPolicyStates | Where-Object { $_.PolicyAssignmentId -like $PolicySuffix }
foreach($AzureRmPolicyState in $AzureRmPolicyStates)
{
$PolicyState_array += PolicyState_array -AzureSubscriptionName $AzureRmSubscription.Name -PolicySuffix $PolicySuffix.Replace("*","") -ResourceGroup $AzureRmPolicyState.ResourceGroup -IsCompliant $AzureRmPolicyState.IsCompliant -Resource "$($AzureRmPolicyState.ResourceId.Split("/")[-2])/$($AzureRmPolicyState.ResourceId.Split("/")[-1])"
}
}
}
}
}
}
################################################################################
# Output
################################################################################
$Action = "Exporting the Policy State summary result in to the file : $($workfolder + "\logs" + "\$date-PolicyStateSummary.csv")"
$Command = {$PolicyStateSummary_array | export-csv $($workfolder + "\logs" + "\$date-PolicyStateSummary.csv") -notypeinformation -ErrorAction Stop}
$Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($Result -eq "Error"){Exit 1}
$Action = "Exporting the Policy State details result in to the file : $($workfolder + "\logs" + "\$date-PolicyStateDetail.csv")"
$Command = {$PolicyState_array | export-csv $($workfolder + "\logs" + "\$date-PolicyStateDetail.csv") -notypeinformation -ErrorAction Stop}
$Result = Generate_Log_Action -Action $Action -Command $Command -LogFile $logFile
if($Result -eq "Error"){Exit 1}