AzPolicyEvaluation.psm1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
function Start-AzPolicyEvaluation {
    [CmdletBinding()]
    Param($ResourceGroup, [switch]$Wait)

    try {
        if ($env:MSI_ENDPOINT) {
            $response = Invoke-WebRequest -Uri "$env:MSI_ENDPOINT/?resource=https://management.azure.com/" -Headers @{"Metadata" = "true" }
            $ctx = Get-AzContext
            $token = [PSCustomObject]@{
                SubscriptionId = $ctx.Subscription
                TenantID       = $env:ACC_TID
                Token          = ($response.content | ConvertFrom-Json | Select-Object -ExpandProperty access_token)
            }
        }
        else {
            $token = Get-AzToken
        }
        
    }
    catch {
        throw "You must be logged in to Azure - Use Connect-AzAccount to connect."
    }

    if ($null -eq $ResourceGroup) {
        $uri = "https://management.azure.com/subscriptions/$($token.SubscriptionId)/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview"
    }
    else {
        $uri = "https://management.azure.com/subscriptions/$($token.SubscriptionId)/resourceGroups/$ResourceGroup/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview"
    }

    $method = "POST"

    try {
        Write-Verbose -Message "Sending Web Request"
        $response = Invoke-WebRequest -Method $method `
            -Uri $uri `
            -Headers @{ "Authorization" = "Bearer " + $token.Token } -UseBasicParsing -ErrorAction Stop
        
        if (!($PSBoundParameters.ContainsKey('Wait'))) {
            $obj = [PSCustomObject]@{
                StatusCode        = $response.StatusCode
                StatusDescription = $response.StatusDescription
            }
            return $obj
        }
    }   
    catch {
        throw $Error[0].Exception.Message
    }

    if ($PSBoundParameters.ContainsKey('Wait')) {
        $startTime = Get-Date
        Write-Verbose "Waiting for policy to finish evaluating"
        $locationURI = "$($response.Headers.Location)"
        do {
            $response = Invoke-WebRequest -Uri $locationURI `
                -Headers @{ "Authorization" = "Bearer " + $token.Token } -UseBasicParsing -ErrorAction Stop
            Write-Verbose "x-ms-ratelimit-remaining-subscription-policy-insights-requests: $($response.Headers.'x-ms-ratelimit-remaining-subscription-policy-insights-requests')"
            Write-Verbose "$($response.StatusCode) - $($response.StatusDescription)"
            Start-Sleep -Seconds 30

        }
        while (($response.StatusCode -eq 202) -and ($response.StatusDescription -eq 'Accepted'))
        $endMinutes = ((Get-Date) - $startTime).Minutes
        $obj = [PSCustomObject]@{
            StatusCode        = $response.StatusCode
            StatusDescription = $response.StatusDescription
            ElapsedTime       = "$endMinutes minutes"
        }
        return $obj
        
    }
}

function Get-AzToken {
    $subDetails = Get-AzContext | Select-Object Tenant, Subscription
    $tokenCache = Get-AzContext | Select-Object -ExpandProperty TokenCache
    $cachedTokens = $tokenCache.ReadItems() `
    | Where-Object { $_.TenantId -eq $subDetails.Tenant } `
    | Sort-Object -Property ExpiresOn -Descending
    $accessToken = $cachedTokens[0].AccessToken
    $obj = [PScustomObject]@{
        SubscriptionID = $subDetails.Subscription
        TenantID       = $subDetails.Tenant
        Token          = $accessToken
    }
    return $obj
}