diff --git a/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1
index 477ecf7..6dc46ba 100644
--- a/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1
+++ b/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1
@@ -10,9 +10,8 @@ $ErrorActionPreference = 'Stop'
 $webApps = @()
 $SubscriptionName | % {
 Write-Host ('Switching to subscription {0}' -f $_)
- $subContext = Set-AzureRmContext -SubscriptionName $_
- $webApps += Get-AzureRmWebApp
-
+ $subContext = Set-AzContext -SubscriptionName $_
+ $webApps += Get-AzWebApp
 }
 $ipMatch = @(
diff --git a/app-service/list-outbound-ips-legacy/README.md b/app-service/list-outbound-ips-legacy/README.md
index 45664da..0522917 100644
--- a/app-service/list-outbound-ips-legacy/README.md
+++ b/app-service/list-outbound-ips-legacy/README.md
@@ -3,13 +3,11 @@
 You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
 ## Requirements
-Tested with AzureRM.Profile Version 3.2.x & AzureRM.Websites 3.2.x
-
-Tested with AzureRM.Profile Version 5.8.x & AzureRM.Websites 5.2.x
+Tested with Az.Accounts Version 2.2.x & Az.Websites 2.5.X
 ## Usage
 ```powershell
-Login-AzureRmAccount
+Connect-AzAccount
 .\Get-AppServiceWebAppsOutboundIpAddresses.ps1 -SubscriptionName 'mysub1','mysub2' -IncludePossibleOutputIpAddresses
 ```
diff --git a/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1
index 59c58de..6ff2353 100644
--- a/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1
+++ b/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1
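Review bot: `Set-AzContext -SubscriptionName $_` switches the active subscription for the whole session, not just this loop, so when context autosave is enabled the caller is left on the last subscription in `$SubscriptionName` after the script returns; if that is not intended, `$subContext = Set-AzContext -SubscriptionName $_ -Scope Process` keeps the switch local to this process. `$subContext` is assigned but not read anywhere in the hunk; if it is also unused further down, `$null = Set-AzContext -SubscriptionName $_` states that intent explicitly. The pipeline keeps the `%` alias here (and in list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1) while the same commit moves the application-gateway script to `ForEach-Object`; spelling out the cmdlet in all three keeps the scripts consistent. The `$SubscriptionName | % {` block's surrounding script continues outside the hunk.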
@@ -29,10 +29,17 @@ $queryParams = @{
 if($matchedSubscriptions) {
 $queryParams.Subscription = $matchedSubscriptions.Id
 }
-$webApps = Search-AzGraph @queryParams
+
+$webApps = @()
+do {
+ $webApps += Search-AzGraph @queryParams
+ if($webApps.SkipToken) {
+ $queryParams.SkipToken = $webApps.SkipToken
+ }
+} while ($webApps.SkipToken)
 $ipMatch = @(
- $webApps | % {
+ $webApps.Data | % {
 $webAppName = $_.name
 $ipAddresses = @($_.outboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Outbound' } })
 if($IncludePossibleOutputIpAddresses) {
diff --git a/app-service/list-outbound-ips/README.md b/app-service/list-outbound-ips/README.md
index cdde135..682ea2c 100644
--- a/app-service/list-outbound-ips/README.md
+++ b/app-service/list-outbound-ips/README.md
@@ -3,7 +3,7 @@
 You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
 ## Requirements
-Tested with Az.ResourceGraph Version 0.7.x
+Tested with Az.ResourceGraph Version 0.10.x
 ## Usage
 ```powershell
diff --git a/application-gateway/README.md b/application-gateway/README.md
index 2fb6489..3a6fc55 100644
--- a/application-gateway/README.md
+++ b/application-gateway/README.md
@@ -5,7 +5,7 @@ Did you ever had developers or engineers coming to your desk in panic realizing
 ## Requirements
 Tested with Azure PowerShell Az v1.x.x
-Tested with Azure PowerShell Az.ResourceGraph module v0.7.6
+Tested with Azure PowerShell Az.ResourceGraph module v0.10.0
 ## The problematic
 Did you ever had developers or engineers coming to your desk in panic realizing their Azure Application Gateway' certificates expired without them knowing it in advance. Causing them downtime in their release pipeline, dev or worst, their production environment!
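Review bot: The paging loop tests the token on the accumulated array rather than on the page just fetched: `$webApps += Search-AzGraph @queryParams` grows an array of response objects, so from the second iteration `$webApps.SkipToken` member-enumerates over every page and yields a collection that still contains the first page's token even when the latest page has none. As far as I can tell from the hunk, the `while` condition therefore stays true once the result set spans more than one page, and the loop either re-requests the same page or hands a collection to `-SkipToken` instead of terminating. The same pattern appears with `$results` in application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1 in this commit. Tracking the current page in its own variable and using only its token fixes both; the rewritten loop for this file is below. The script's `$queryParams` definition starts above the hunk.
```powershell
$webApps = @()
do {
    $page = Search-AzGraph @queryParams
    $webApps += $page
    if ($page.SkipToken) {
        $queryParams.SkipToken = $page.SkipToken
    }
} while ($page.SkipToken)
# … unchanged: $ipMatch construction over $webApps.Data …
```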
diff --git a/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1 b/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1
index 0f6d978..726a888 100644
--- a/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1
+++ b/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1
@@ -6,39 +6,46 @@ param(
 $pageSize = 100
 $iteration = 0
 $searchParams = @{
- Query = 'where type =~ "Microsoft.Network/applicationGateways" | project id, subscriptionId, subscriptionDisplayName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
- First = $pageSize
- Include = 'displayNames'
+ Query = 'Resources | where type =~ "Microsoft.Network/applicationGateways" | join kind=leftouter (ResourceContainers | where type=="microsoft.resources/subscriptions" | project subscriptionName=name, subscriptionId) on subscriptionId | project id, subscriptionId, subscriptionName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
+ First = $pageSize
 }
-$results = do {
+$results = @()
+do {
 $iteration += 1
 Write-Verbose "Iteration #$iteration"
- $pageResults = Search-AzGraph @searchParams
- $searchParams.Skip += $pageResults.Count
- $pageResults
- Write-Verbose $pageResults.Count
-} while ($pageResults.Count -eq $pageSize)
+$results += Search-AzGraph @searchParams
+ if ($results.SkipToken) {
+ $searchParams.SkipToken = $results.SkipToken
+ }
+} while ($results.SkipToken)
-$90daysfromNow = (Get-Date).AddDays($ExpiresInDays)
-$results | % {
+$expirationDate = (Get-Date).AddDays($ExpiresInDays)
+$results.Data | ForEach-Object {
 $record = $_
- $record.sslCertificates | % {
+ $record.sslCertificates | ForEach-Object {
 $sslCertRecord = $_
- $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($_.properties.publicCertData.Substring(60,$_.properties.publicCertData.Length-60)))
- if ($cert.NotAfter -le $90daysfromNow) {
- @{
- SubscriptionId = $record.subscriptionId
- SubscriptionName = $record.subscriptionDisplayName
- ResourceGroup = $record.resourceGroup
- Name = $record.Name
- Cert = $cert
- CertificateName = $sslCertRecord.name
- NotAfter = $cert.NotAfter
- Thumbprint = $cert.Thumbprint
- ImpactedListeners = ,@($sslCertRecord.properties.httpListeners | ForEach-Object { ($_.id -split'/')[-1] } )
- }
+ if (-not $_.properties.publicCertData) {
+ $msg = 'Certificate {0} is linked to Key Vault secret: {1}. Certificate scanning is not supported in this scenario. You can leverage Azure Policy to do so.' -f $_.name, $_.properties.keyVaultSecretId
+ Write-Warning $msg -Verbose
+ }
+ else {
+ $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($_.properties.publicCertData.Substring(60, $_.properties.publicCertData.Length - 60)))
+ if ($cert.NotAfter -le $expirationDate) {
+ @{
+ SubscriptionId = $record.subscriptionId
+ SubscriptionName = $record.subscriptionDisplayName
+ ResourceGroup = $record.resourceGroup
+ Name = $record.Name
+ Cert = $cert
+ CertificateName = $sslCertRecord.name
+ NotAfter = $cert.NotAfter
+ Thumbprint = $cert.Thumbprint
+ ImpactedListeners = , @($sslCertRecord.properties.httpListeners | ForEach-Object { ($_.id -split '/')[-1] } )
+ }
+
+ }
 }
 }
 }
\ No newline at end of file
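Review bot: The output record still reads `SubscriptionName = $record.subscriptionDisplayName`, but the new query projects `subscriptionName` (via the `ResourceContainers` join) and the `Include = 'displayNames'` option that used to supply `subscriptionDisplayName` is removed in the same hunk, so every emitted record will carry an empty SubscriptionName; the line should become `SubscriptionName = $record.subscriptionName`. In the Key Vault branch, `Write-Warning $msg -Verbose` adds a common parameter that does not change how a warning is emitted and can be shortened to `Write-Warning $msg`. The same branch mixes `$_` and `$sslCertRecord` for the same object, which reads as if two records were involved; using `$sslCertRecord` throughout the inner block would make it clearer. The accumulated-array `SkipToken` handling in the `do` loop has the same problem already raised on app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1. The `param(` block this hunk follows is outside it.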