SubscriptionSecurity/RBAC.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
Set-StrictMode -Version Latest
function Set-AzSKSubscriptionRBAC 
{
    
    <#
    .SYNOPSIS
    This command sets up centrally-required RBAC for a given Subscription
 
    .DESCRIPTION
    This command sets up centrally-required RBAC for a given Subscription
     
    .PARAMETER SubscriptionId
        Subscription id for which the security evaluation has to be performed.
    .PARAMETER Tags
            Provide tag names for processing specific policies. Comma separated values are supported.
    .PARAMETER Force
            Switch to apply RBAC forcefully regardless of latest RBAC already present on subscription.
    .PARAMETER DoNotOpenOutputFolder
            Switch to specify whether to open output folder containing all security evaluation report or not.
 
    .LINK
    https://aka.ms/azskossdocs
    #>

    Param(

        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        [Alias("sid", "HostSubscriptionId", "hsid","s")]
        $SubscriptionId,

        [string] 
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,
        
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to apply RBAC forcefully regardless of latest RBAC already present on subscription.")]
        [Alias("f")]
        $Force,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        [Alias("dnof")]
        $DoNotOpenOutputFolder
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try 
        {
            # Adding all mandatory tags
            $modifiedTags = [string]::Join(",", [ConfigurationManager]::GetAzSKConfigData().SubscriptionMandatoryTags);
            if(-not [string]::IsNullOrWhiteSpace($Tags))
            {
                $modifiedTags = $modifiedTags + "," +$Tags;
            }

            $rbac = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $modifiedTags);
            if ($rbac) 
            {
                return $rbac.InvokeFunction($rbac.SetRBACAccounts);
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }          
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}

function Remove-AzSKSubscriptionRBAC 
{
    
    <#
 
    .SYNOPSIS
    This command clears RBAC set up using the Set-AzSKSubscriptionRBAC command. It always removes any deprecated accounts on the subscription.
 
    .DESCRIPTION
    This command clears RBAC set up using the Set-AzSKSubscriptionRBAC command. It always removes any deprecated accounts on the subscription. Any required central accounts can be removed only if 'mandatory' tag is specified.
     
    .PARAMETER SubscriptionId
        Subscription ID of the Azure subscription in which organization policy store will be created.
    .PARAMETER Tags
            Provide tag names for processing specific policies. Comma separated values are supported.
    .PARAMETER DoNotOpenOutputFolder
            Switch to specify whether to open output folder containing all security evaluation report or not.
    .PARAMETER Force
            Switch to apply subscription security configurations forcefully regardless of latest updates already present on subscription.
 
    .LINK
    https://aka.ms/azskossdocs
    #>

    Param(

        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        [Alias("sid", "HostSubscriptionId", "hsid","s")]
        $SubscriptionId,

        [string] 
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to apply subscription security configurations forcefully regardless of latest updates already present on subscription.")]
        [Alias("f")]
        $Force,
        
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        [Alias("dnof")]
        $DoNotOpenOutputFolder
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try 
        {

            $rbac = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $Tags);
            if ($rbac) 
            {
                $rbac.Force = $true
                return $rbac.InvokeFunction($rbac.RemoveRBACAccounts);
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }          
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}