initial migration from ScriptCenter to git

slapointe · Jun 19, 2020 · e24034b · e24034b
1 parent 7d32297
commit e24034b
Show file tree

Hide file tree

Showing 18 changed files with 785 additions and 0 deletions.
diff --git a/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1
@@ -0,0 +1,35 @@
+param(
+    [Parameter(Mandatory=$true)]
+    [string[]]
+    $SubscriptionName,
+    [switch]
+    $IncludePossibleOutputIpAddresses
+)
+$ErrorActionPreference = 'Stop'
+
+$webApps = @()
+$SubscriptionName | % {
+    Write-Host ('Switching to subscription {0}' -f $_)
+    $subContext = Set-AzureRmContext -SubscriptionName  $_
+    $webApps += Get-AzureRmWebApp
+
+}
+
+$ipMatch = @(
+    $webApps | % {
+        $webAppName = $_.Name
+        $ipAddresses = @($_.OutboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Outbound' } })
+        if($IncludePossibleOutputIpAddresses) {
+            $ipAddresses += $_.PossibleOutboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Possible' } }
+        }
+        $ipAddresses |  % {
+            @{
+                SiteName = $webAppName
+                IpAddress = $_.IpAddress
+                Type = $_.Type
+            }
+        }
+    }
+)
+
+$ipMatch | Sort-Object {[System.Version]$_.IpAddress} | Group-Object {$_.IpAddress}, {$_.Type} | Select-Object Count, @{Name='IpAddress'; Expression={($_.Name -split ',')[0]}}, @{Name='Type'; Expression={($_.Name -split ',')[1]}}, @{Name='Sites'; Expression={,@($_.Group | % { $_.SiteName }) } }
diff --git a/app-service/list-outbound-ips-legacy/README.md b/app-service/list-outbound-ips-legacy/README.md
@@ -0,0 +1,37 @@
+# List App Service web apps outbound IP addresses (legacy)
+
+You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
+
+## Requirements
+Tested with AzureRM.Profile Version 3.2.x & AzureRM.Websites 3.2.x
+
+Tested with AzureRM.Profile Version 5.8.x & AzureRM.Websites 5.2.x
+
+## Usage
+```powershell
+Login-AzureRmAccount 
+ 
+.\Get-AppServiceWebAppsOutboundIpAddresses.ps1 -SubscriptionName 'mysub1','mysub2' -IncludePossibleOutputIpAddresses
+```
+
+You will end up with an output in the like of:
+
+```powershell
+Switching to subscription mysub1 
+Switching to subscription mysub2 
+ 
+Count   IpAddress       Type        Sites 
+-----   ----            -----       ---- 
+    2   13.85.17.60     Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    1   13.85.17.60     Possible  {sub3-bi-dev-as-webapp} 
+    2   13.85.20.144    Outbound  {sub1-bi-prod-as-webapp, sub1-bi-dev-as-webapp} 
+    1   13.85.20.144    Possible  {sub3-bi-dev-as-webapp} 
+    2   13.85.22.206    Outbound  {sub2-bi-prod-as-webapp, sub1-bi-dev-as-webapp} 
+    2   13.85.23.148    Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    2   13.85.23.243    Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    1   23.96.184.12    Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.184.209   Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.186.252   Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.187.50    Outbound  {sub1-dev-functions-mmckydd} 
+    5   23.96.244.71    Outbound  {sub1-stg-webapp-web-n7wfdda, sub1-stg-functions-n7wfdda, sub1-stg-webapp-admin-n7wfdda, sub1-dev-ops-functions-stl4tn5...}
+```
diff --git a/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1
@@ -0,0 +1,51 @@
+#requires -modules Az.ResourceGraph
+param(
+    [string[]]
+    $SubscriptionName,
+    [switch]
+    $IncludePossibleOutputIpAddresses
+)
+$ErrorActionPreference = 'Stop'
+
+if($SubscriptionName)
+{
+    $subscriptions = Get-AzSubscription
+    $matchedSubscriptions = $subscriptions | ? { $SubscriptionName -Contains $_.Name } | Select Id, Name
+
+    if($matchedSubscriptions.Count -ne $SubscriptionName.Count) {
+        $notMatchedSubs = ($SubscriptionName | ? { $subscriptions.Name -NotContains $_ }) -join ', '
+        Write-Warning "The following subscriptions where not available/found in your Azure context and will be ignored: $notMatchedSubs"
+    }
+}
+
+$queryParams = @{
+    Query = "where type =~ 'Microsoft.Web/sites'
+        | project subscriptionId,
+            resourceGroup,
+            name,
+            outboundIpAddresses = properties.outboundIpAddresses,
+            possibleOutboundIpAddresses = properties.possibleOutboundIpAddresses"
+}
+if($matchedSubscriptions) {
+    $queryParams.Subscription = $matchedSubscriptions.Id
+}
+$webApps = Search-AzGraph @queryParams
+
+$ipMatch = @(
+    $webApps | % {
+        $webAppName = $_.name
+        $ipAddresses = @($_.outboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Outbound' } })
+        if($IncludePossibleOutputIpAddresses) {
+            $ipAddresses += $_.possibleOutboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Possible' } }
+        }
+        $ipAddresses |  % {
+            @{
+                SiteName = $webAppName
+                IpAddress = $_.IpAddress
+                Type = $_.Type
+            }
+        }
+    }
+)
+
+$ipMatch | Sort-Object {[System.Version]$_.IpAddress} | Group-Object {$_.IpAddress}, {$_.Type} | Select-Object Count, @{Name='IpAddress'; Expression={($_.Name -split ',')[0]}}, @{Name='Type'; Expression={($_.Name -split ',')[1]}}, @{Name='Sites'; Expression={,@($_.Group | % { $_.SiteName }) } }
diff --git a/app-service/list-outbound-ips/README.md b/app-service/list-outbound-ips/README.md
@@ -0,0 +1,36 @@
+# List App Service web apps outbound IP addresses
+
+You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
+
+## Requirements
+Tested with Az.ResourceGraph Version 0.7.x
+
+## Usage
+```powershell
+Connect-AzAccount 
+ 
+# for all subscriptions 
+.\Get-AzureWebAppsOutboundIpAddresses.ps1 
+ 
+# for only a subset of your subscriptions 
+.\Get-AzureWebAppsOutboundIpAddresses.ps1 -SubscriptionName 'mysub1','mysub2' -IncludePossibleOutputIpAddresses
+```
+
+You will end up with an output in the like of:
+
+```powershell
+Count   IpAddress       Type        Sites 
+-----   ----            -----       ---- 
+    2   13.85.17.60     Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    1   13.85.17.60     Possible  {sub3-bi-dev-as-webapp} 
+    2   13.85.20.144    Outbound  {sub1-bi-prod-as-webapp, sub1-bi-dev-as-webapp} 
+    1   13.85.20.144    Possible  {sub3-bi-dev-as-webapp} 
+    2   13.85.22.206    Outbound  {sub2-bi-prod-as-webapp, sub1-bi-dev-as-webapp} 
+    2   13.85.23.148    Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    2   13.85.23.243    Outbound  {sub1-bi-dev-as-webapp, sub2-bi-prod-as-webapp} 
+    1   23.96.184.12    Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.184.209   Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.186.252   Outbound  {sub1-dev-functions-mmckydd} 
+    1   23.96.187.50    Outbound  {sub1-dev-functions-mmckydd} 
+    5   23.96.244.71    Outbound  {sub1-stg-webapp-web-n7wfdda, sub1-stg-functions-n7wfdda, sub1-stg-webapp-admin-n7wfdda, sub1-dev-ops-functions-stl4tn5...}
+```
diff --git a/application-gateway/README.md b/application-gateway/README.md
@@ -0,0 +1,49 @@
+# List all expiring soon certificates in Azure Application Gateway
+
+Did you ever had developers or engineers coming to your desk in panic realizing their Azure Application Gateway' certificates expired without them knowing it in advance. Causing them downtime in their release pipeline, dev or worst, their production environment!
+
+## Requirements
+Tested with Azure PowerShell Az v1.x.x
+
+Tested with Azure PowerShell Az.ResourceGraph module v0.7.6
+
+## The problematic
+Did you ever had developers or engineers coming to your desk in panic realizing their Azure Application Gateway' certificates expired without them knowing it in advance. Causing them downtime in their release pipeline, dev or worst, their production environment!
+
+## What is proposed
+Be proactive instead of reactive with this little script. Using this, you can get the list the certificates in your Azure Application Gateway that are soon due to expire. You have full control over the desired time period to be considered as expiring soon.
+
+It is build so that you can take the output and do whatever you want with it after, whenever it's convert it to JSON, CSV, XML.
+
+## Overview
+This is an overview of the usage you can do of the script Get-AzureAppGatewayExpiringCertificates
+
+```powershell
+Connect-AzAccount  
+  
+# Will list certificates if they expires 120 days from today   
+$audit = .\Get-AzureAppGatewayExpiringCertificates.ps1 -ExpiresInDay 180 -Verbose 
+ 
+$audit 
+ 
+VERBOSE: Iteration #1                                                                                                                                                               
+VERBOSE: Sent top=100 skip=0 skipToken=                                                                                                                                             
+VERBOSE: Received results: 17 
+VERBOSE: 17 
+ 
+Name                           Value 
+----                           ----- 
+SubscriptionId                 00000000-0000-0000-0000-000000000000 
+Thumbprint                     4956BCC058BCA4BCB1349357AB474CCDBB37C28AB 
+ResourceGroup                  poc-prod-common 
+SubscriptionName               my-company-subscription 
+NotAfter                       3/4/2019 4:51:03 PM 
+Cert                           [Subject]... 
+Name                           poc-prod-common-ag 
+CertificateName                Wildcard_domain_com 
+ImpactedListeners              {Internal-Https-Demo API-Https-Demo Portal-Https-Demo … } 
+ 
+ 
+# or if you want the information in JSON you can do:  
+$audit | ConvertTo-Json 
+```
diff --git a/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1 b/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1
@@ -0,0 +1,44 @@
+[CmdletBinding()]
+param(
+    $ExpiresInDays = 90
+)
+
+$pageSize = 100
+$iteration = 0
+$searchParams = @{
+    Query = 'where type =~ "Microsoft.Network/applicationGateways" | project id, subscriptionId, subscriptionDisplayName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
+    First = $pageSize
+    Include = 'displayNames'
+}
+
+$results = do {
+    $iteration += 1
+    Write-Verbose "Iteration #$iteration"
+    $pageResults = Search-AzGraph @searchParams
+    $searchParams.Skip += $pageResults.Count
+    $pageResults
+    Write-Verbose $pageResults.Count
+} while ($pageResults.Count -eq $pageSize)
+
+$90daysfromNow = (Get-Date).AddDays($ExpiresInDays)
+$results | % {
+    $record = $_
+
+    $record.sslCertificates | % {
+        $sslCertRecord = $_
+        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($_.properties.publicCertData.Substring(60,$_.properties.publicCertData.Length-60)))
+        if ($cert.NotAfter -le $90daysfromNow) {
+            @{
+                SubscriptionId = $record.subscriptionId
+                SubscriptionName = $record.subscriptionDisplayName
+                ResourceGroup = $record.resourceGroup
+                Name = $record.Name
+                Cert = $cert
+                CertificateName = $sslCertRecord.name
+                NotAfter = $cert.NotAfter
+                Thumbprint = $cert.Thumbprint
+                ImpactedListeners = ,@($sslCertRecord.properties.httpListeners | ForEach-Object { ($_.id -split'/')[-1] } )
+            }
+        }
+    }
+}
diff --git a/azure-ad/expiring-app-credentials/Get-AzADAppExpiringCredentials.ps1 b/azure-ad/expiring-app-credentials/Get-AzADAppExpiringCredentials.ps1
@@ -0,0 +1,33 @@
+[CmdletBinding()]
+param(
+    [Parameter(HelpMessage = 'Will output credentials if withing this number of days, use 0 to report only expired and valid as of today')]
+    $ExpiresInDays = 90
+)
+
+Write-Host 'Gathering necessary information...'
+$applications = Get-AzADApplication
+$servicePrincipals = Get-AzADServicePrincipal
+
+$appWithCredentials = @()
+$appWithCredentials += $applications | Sort-Object -Property DisplayName | % {
+    $application = $_
+    $sp = $servicePrincipals | ? ApplicationId -eq $application.ApplicationId
+    Write-Verbose ('Fetching information for application {0}' -f $application.DisplayName)
+    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | Select-Object -Property @{Name='DisplayName'; Expression={$application.DisplayName}}, @{Name='ObjectId'; Expression={$application.Id}}, @{Name='ApplicationId'; Expression={$application.ApplicationId}}, @{Name='KeyId'; Expression={$_.KeyId}}, @{Name='Type'; Expression={$_.Type}},@{Name='StartDate'; Expression={$_.StartDate -as [datetime]}},@{Name='EndDate'; Expression={$_.EndDate -as [datetime]}}
+  }
+
+Write-Host 'Validating expiration data...'
+$today = (Get-Date).ToUniversalTime()
+$limitDate = $today.AddDays($ExpiresInDays)
+$appWithCredentials | Sort-Object EndDate | % {
+        if($_.EndDate -lt $today) {
+            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Expired'
+        } elseif ($_.EndDate -le $limitDate) {
+            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'ExpiringSoon'
+        } else {
+            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Valid'
+        }
+}
+
+$appWithCredentials
+Write-Host 'Done.'
diff --git a/azure-ad/expiring-app-credentials/README.md b/azure-ad/expiring-app-credentials/README.md
@@ -0,0 +1,62 @@
+# Audit expiring soon Azure AD application credentials (keys/certificates)
+
+Too often you'll have developers or engineers coming to your desk in panic realizing their Azure AD application credential expired without them knowing it in advance. Be proactive instead of reactive and periodically audit soon to be expired Azure AD application credentials.
+
+## Requirements
+Tested with Azure PowerShell Az v1.x.x
+
+## The problematic
+Too often you'll have developers or engineers coming to your desk in panic realizing their Azure AD application credential expired without them knowing it in advance and it causes them downtime in their release pipeline, dev or worst, their production environment!
+
+## What is proposed
+Be proactive instead of reactive with this little script. Using this, you can get the list of your application in Azure AD that credentials are soon due to expire. You have full control over the desired time period for the credentials to be considered as expiring soon.
+
+## Overview
+This is an overview of the usage you can do of the script Get-AzADAppExpiringCredentials
+```powershell
+Connect-AzAccount 
+ 
+# Will mark entries as ExpiringSoon if they ends 120 days from today  
+$audit = & .\Get-AzADAppExpiringCredentials.ps1 -ExpiresInDays 120 -Verbose 
+ 
+Gathering necessary information... 
+VERBOSE: Fetching information for application ADAuditPlus Reporting 
+VERBOSE: Fetching information for application app registration 
+... 
+Validating expiration data... 
+Done. 
+ 
+$audit | Group-Object -Property Status 
+ 
+Count Name                      Group 
+----- ----                      ----- 
+   54 Expired                   {@{DisplayName=AutomationAccount_E+6heptOMzz8vX9ooTYFZq8DJYKweTDdIFrQmOo3BXs=; Objec... 
+   11 ExpiringSoon              {@{DisplayName=AutomationAccountQwerty_e1yHxjl45+GwXIxG/mwqMnARwn5i6C5zSMAAIxZyzw... 
+  173 Valid                     {@{DisplayName=ADAuditPlus Reporting; ObjectId=; ApplicationId=9db46068-49a0-45ae-b2... 
+ 
+# or if you want the information in JSON you can do: 
+$audit | ConvertTo-Json 
+ 
+[ 
+  { 
+    "DisplayName": "AutomationAccountQwerty_e1yHxjl45", 
+    "ObjectId": null, 
+    "ApplicationId": { 
+      "value": "e918c692-7aff-46f0-a3f6-488ded8f879a", 
+      "Guid": "e918c692-7aff-46f0-a3f6-488ded8f879a" 
+    }, 
+    "KeyId": "baaf958b-bc2a-43ea-ab1f-0255662cd2bb", 
+    "Type": "Password", 
+    "StartDate": { 
+      "value": "2016-05-11T14:55:30", 
+      "DateTime": "Wednesday, May 11, 2016 2:55:30 PM" 
+    }, 
+    "EndDate": { 
+      "value": "2018-05-11T14:55:30", 
+      "DateTime": "Thursday, May 11, 2018 2:55:30 PM" 
+    }, 
+    "Status": "ExpiringSoon" 
+  }, 
+    ... 
+] 
+```