Framework/Core/SVT/Services/Automation.ps1

# Fail fast on uninitialized variables and references to non-existent properties
# (this is why the Check* methods below guard property access with Get-Member/CheckMember).
Set-StrictMode -Version Latest 
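class Automation: AzSVTBase
{
    # SVT control implementations for an Azure Automation account.
    # Every Check* method receives the framework-supplied ControlResult, appends a
    # VerificationResult/message (and state data where the finding is reviewable) and
    # returns the same object. The account name and resource group come from
    # $this.ResourceContext; thresholds come from $this.ControlSettings.Automation.

    Automation([string] $subscriptionId, [SVTResource] $svtResource):
        Base($subscriptionId, $svtResource)
    {
    }

    # Lists every webhook defined in the account for manual review (Verify) so unused
    # webhook URLs can be removed; Passed when the account has no webhooks.
    hidden [ControlResult] CheckWebhooks([ControlResult] $controlResult)
    {
        $webhooks = Get-AzAutomationWebhook -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        if (($webhooks | Measure-Object).Count -gt 0)
        {
            $webhookData = $webhooks | Select-Object ResourceGroupName, AutomationAccountName, Name, Description, IsEnabled, Parameters, RunbookName, WebhookURI, HybridWorker
            $controlResult.AddMessage([VerificationResult]::Verify, "Please verify below webhook(s) created for the runbooks. Remove webhook(s) which are not in use.", $webhookData)
            $controlResult.SetStateData("Webhooks", $webhookData)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No webhook(s) are created for runbook(s) in this Automation account.")
        }
        return $controlResult
    }

    # Fails when any enabled webhook has a validity window (ExpiryTime - CreationTime, in days)
    # longer than ControlSettings.Automation.WebhookValidityInDays. A webhook URL is the only
    # credential needed to start the runbook, so its lifetime should be kept short.
    hidden [ControlResult] CheckWebhookExpiry([ControlResult] $controlResult)
    {
        $webhooks = Get-AzAutomationWebhook -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        # Hoisted once: used for the comparison and in the reported messages below.
        $maxValidityDays = $this.ControlSettings.Automation.WebhookValidityInDays
        $longExpiryWebhooks = @()
        if (($webhooks | Measure-Object).Count -gt 0)
        {
            foreach ($webhook in $webhooks)
            {
                # Disabled webhooks cannot be invoked, so only enabled ones are assessed.
                if ($webhook.IsEnabled -eq $true)
                {
                    $validityDays = ($webhook.ExpiryTime - $webhook.CreationTime).Days
                    if ($validityDays -gt $maxValidityDays)
                    {
                        $webhookData = $webhook | Select-Object ResourceGroupName, AutomationAccountName, Name, Description, IsEnabled, Parameters, RunbookName, WebhookURI, HybridWorker
                        # Property is named 'ExpiryTime' to keep the state-data shape stable, but it
                        # holds the validity window in days, not a timestamp.
                        $webhookData | Add-Member -NotePropertyName ExpiryTime -NotePropertyValue $validityDays
                        $longExpiryWebhooks += $webhookData
                    }
                }
            }
            if ($longExpiryWebhooks)
            {
                $controlResult.AddMessage([VerificationResult]::Failed, "Webhook URL must have shorter validity period (<=$maxValidityDays days) to prevent malicious access. Below webhook(s) URL have validity period >$maxValidityDays days.", $longExpiryWebhooks)
                $controlResult.SetStateData("Webhook(s) with >$maxValidityDays days validity", $longExpiryWebhooks)
            }
            else
            {
                $controlResult.VerificationResult = [VerificationResult]::Passed
            }
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No webhooks are created for runbooks in this Automation account.")
        }
        return $controlResult
    }

    # Reports Automation variables that are not stored encrypted for manual review (Verify),
    # since a plaintext variable may hold a secret. Inside the AzSK resource group, variables
    # listed in ControlSettings.Automation.variablesToSkip are excluded from the assessment.
    hidden [ControlResult] CheckVariables([ControlResult] $controlResult)
    {
        $variables = Get-AzAutomationVariable -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        if (($variables | Measure-Object).Count -gt 0)
        {
            if ($this.ResourceContext.ResourceGroupName -eq [ConfigurationManager]::GetAzSKConfigData().AzSKRGName -and [Helpers]::CheckMember($this.ControlSettings, "Automation.variablesToSkip"))
            {
                $variablesToSkip = $this.ControlSettings.Automation.variablesToSkip
                # @() keeps this an array even when the filter leaves zero or one variable.
                $variables = @($variables | Where-Object { $variablesToSkip -notcontains $_.Name })
            }
            $encryptedVars = @()
            $unencryptedVars = @()

            # foreach statement rather than ForEach-Object: piping an empty/$null filter result
            # into ForEach-Object would run the block once with a $null item.
            foreach ($variable in $variables)
            {
                if ($variable.Encrypted)
                {
                    $encryptedVars += $variable
                }
                else
                {
                    $unencryptedVars += $variable
                }
            }
            if ($encryptedVars)
            {
                $controlResult.AddMessage("$($encryptedVars.Count) variable(s) are encrypted in this Automation account.")
            }
            if ($unencryptedVars)
            {
                $controlResult.AddMessage([VerificationResult]::Verify, "Below variable(s) are not encrypted, use encrypted variable if it contains sensitive data.", $unencryptedVars)
                $controlResult.SetStateData("Unencrypted variable(s)", $unencryptedVars)
            }
            else
            {
                $controlResult.VerificationResult = [VerificationResult]::Passed
            }
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No variables are present in this Automation account.")
        }
        return $controlResult
    }

    # Checks that the account's diagnostic settings send logs to a Log Analytics workspace.
    # A 404 from Get-AzDiagnosticSetting means no setting exists (Failed); any other error means
    # the state is unknown and is published without asserting a verdict.
    hidden [ControlResult] CheckLAWSSetup([ControlResult] $controlResult)
    {
        $resource = Get-AzResource -Name $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ResourceType "Microsoft.Automation/automationAccounts" -ErrorAction Stop
        $resourceId = $resource.ResourceId
        $diaSettings = $null
        try
        {
            $diaSettings = Get-AzDiagnosticSetting -ResourceId $resourceId -ErrorAction Stop -WarningAction SilentlyContinue
        }
        catch
        {
            if ([Helpers]::CheckMember($_.Exception, "Response") -and ($_.Exception).Response.StatusCode -eq [System.Net.HttpStatusCode]::NotFound)
            {
                $controlResult.AddMessage([VerificationResult]::Failed, "Log Analytics workspace is not configured with this Automation account.")
                return $controlResult
            }
            # Authorization, throttling or transport errors do not prove the workspace is absent.
            # Returning here avoids falling through to the Failed branch below with $diaSettings = $null.
            $this.PublishException($_)
            $controlResult.AddMessage("Unable to retrieve diagnostic settings for this Automation account; Log Analytics configuration could not be evaluated.")
            return $controlResult
        }
        # Get-Member guard: strict mode throws on access to a property the object does not have.
        # NOTE(review): assumes a single settings object is returned; an array would not expose WorkspaceId here — confirm with the Az.Monitor version in use.
        if ($null -ne $diaSettings -and (Get-Member -InputObject $diaSettings -Name WorkspaceId -MemberType Properties) -and $null -ne $diaSettings.WorkspaceId)
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "Log Analytics workspace is configured with this Automation account. Log Analytics Workspace Id is given below.", $diaSettings.WorkspaceId)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, "Log Analytics workspace is not configured with this Automation account.")
        }
        return $controlResult
    }
}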