Private Link from inside Azure VM to KeyVaults in multiple regions
param (
    # When set, the cleanup phase (VNET peerings, private endpoints, private DNS links) is skipped.
    [switch] $skipDeletes,
    # When set, the provisioning phase (private DNS zone, VNET link, private endpoints) is skipped.
    [switch] $skipCreate
)
# --------------------------------------------------------------------------------
# Private DNS zone that shadows the public Key Vault DNS name; with a private endpoint in place,
# records in this zone point *.vault.azure.net lookups from the VNET at the endpoint's private IP.
[string] $dnsZone = "privatelink.vaultcore.azure.net"
# Key Vault sub-resource ("group id") that private endpoints connect to.
[string] $groupId = "vault"
# --------------------------------------------------------------------------------
# detect VM metadata
# see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
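# Ask the Azure Instance Metadata Service (IMDS) which VM we are running on.
# IMDS is a link-local endpoint that is only reachable from inside the VM; the "Metadata: true"
# header and -NoProxy are mandatory so the request can neither be forged from outside nor be
# diverted through a proxy. A short timeout makes a non-Azure host fail fast instead of hanging.
$vmInfo = Invoke-RestMethod -Headers @{"Metadata" = "true" } -Method GET -NoProxy -TimeoutSec 10 -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
if (-not $vmInfo -or -not $vmInfo.compute.subscriptionId) {
    throw "IMDS returned no VM metadata - this script must run inside the target Azure VM"
}
# Resolve VM -> first NIC -> first IP configuration -> subnet. JMESPath queries are quoted so the
# brackets are never interpreted by the shell. Empty results are fatal: every later az call
# would otherwise silently run against an empty resource id.
$nicId = az vm show --subscription $vmInfo.compute.subscriptionId --resource-group $vmInfo.compute.resourceGroupName --name $vmInfo.compute.name --query "networkProfile.networkInterfaces[0].id" --output tsv
if (-not $nicId) {
    throw "could not resolve the network interface of VM $($vmInfo.compute.name)"
}
$subnetId = az network nic show --ids $nicId --query "ipConfigurations[0].subnet.id" --output tsv
if (-not $subnetId) {
    throw "could not resolve the subnet of NIC $nicId"
}
# A subnet resource id looks like
#   /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}
# so the first nine segments (index 0..8) are the VNET id, with
#   [2] = subscription id, [4] = resource group, [8] = VNET name
# which the cleanup step below relies on.
$vnetInfo = $subnetId.split('/')[0..8]
$vnetId = [string]::Join("/", $vnetInfo)
Write-Host "NIC :" $nicId
Write-Host "VNET :" $vnetId
Write-Host "SUBNET :" $subnetId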
# --------------------------------------------------------------------------------
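if (!$skipDeletes) {
    # NOTE(review): this removes EVERY peering of the VM's VNET, not only peerings related to this
    # script (the create phase never creates any). On a VNET shared with other workloads run the
    # script with -skipDeletes, or drop this step entirely.
    Write-Host "delete existing (VM's) virtual network links"
    az network vnet peering list --vnet-name $vnetInfo[8] -g $vnetInfo[4] --subscription $vnetInfo[2] --output json | ConvertFrom-Json | ForEach-Object {
        Write-Host "deleting peering: $($_.id)"
        az network vnet peering delete --ids $_.id
    }
    # Only delete the private endpoints this script created for this VM. The create phase names
    # them "<keyvault>-<vm name>-pep"; listing the whole resource group (as before) would also
    # destroy private endpoints that belong to other workloads sharing the group.
    Write-Host "delete existing (VM's) private endpoint links"
    $pepSuffix = "-" + $vmInfo.compute.name + "-pep"
    az network private-endpoint list -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId --output json | ConvertFrom-Json |
        Where-Object { $_.name.EndsWith($pepSuffix, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            Write-Host "deleting private endpoint: $($_.id)"
            az network private-endpoint delete --ids $_.id
        }
    # Unlink the zone only from *this* VM's VNET; links of other VNETs to the same zone stay.
    # PowerShell's -eq is case-insensitive, which tolerates the differing casing Azure uses for
    # resource ids (e.g. "resourceGroups" vs "resourcegroups").
    Write-Host "delete existing (VM's) private DNS links"
    az network private-dns link vnet list -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId --zone-name $dnsZone -o json | ConvertFrom-Json | ForEach-Object {
        if ($_.virtualNetwork.id -eq $vnetId) {
            Write-Host "deleting link: $($_.id)"
            az network private-dns link vnet delete -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId --zone-name $dnsZone --name $_.name --yes
        }
    }
}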
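if (!$skipCreate) {
    # The private DNS zone lives in the VM's resource group and is created only once.
    Write-Host "create/check private DNS zone" $dnsZone "for group" $groupId
    if (!$(az network private-dns zone list -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId --query "[?name == '$dnsZone'].id" -o tsv)) {
        az network private-dns zone create -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId `
            -n $dnsZone
    }
    # Link the zone to the VM's VNET. "-e false" disables auto-registration, so the zone only ever
    # contains the A records written by the dns-zone-groups below - never VM hostnames.
    # NOTE: once linked, EVERY host in this VNET resolves privatelink.vaultcore.azure.net names
    # through this zone, i.e. to the private endpoint IPs created below.
    Write-Host "create private DNS link"
    az network private-dns link vnet create -g $vmInfo.compute.resourceGroupName --subscription $vmInfo.compute.subscriptionId `
        -n $("vnet-" + $groupId + "-dns-link") `
        -z $dnsZone -v $vnetId -e false
    # One private endpoint per Key Vault (environment x region), all placed in the VM's subnet.
    # Names embed the VM name so the cleanup phase can find exactly these resources again.
    Write-Host "private link all KeyVault instances"
    foreach ($instance in "int", "qa", "stage", "prod") {
        foreach ($location in "eus", "weu", "sea") {
            $keyVaultName = "some-prefix-" + $instance + "-" + $location
            # NOTE(review): no --subscription is passed, so the vault is looked up in the CLI's current
            # default subscription; pass one explicitly if the vaults live in another subscription.
            $keyVault = az keyvault show -n $keyVaultName -o json | ConvertFrom-Json
            if (-not $keyVault -or -not $keyVault.id) {
                # Previously an unknown/inaccessible vault produced an endpoint create call with an
                # empty resource id; skip it with a visible warning instead.
                Write-Warning "KeyVault $keyVaultName not found or not accessible - skipping"
                continue
            }
            $linkName = $keyVaultName + "-" + $vmInfo.compute.name + "-link"
            $endpointName = $keyVaultName + "-" + $vmInfo.compute.name + "-pep"
            $groupName = $keyVaultName + "-" + $vmInfo.compute.name + "-zonegroup"
            az network private-endpoint create --connection-name $linkName `
                --name $endpointName `
                -g $vmInfo.compute.resourceGroupName `
                --subscription $vmInfo.compute.subscriptionId `
                --private-connection-resource-id $keyVault.id `
                --group-id $groupId `
                --subnet $subnetId
            # The zone group makes Azure write (and keep updated) the endpoint's A record in the
            # private DNS zone, so the vault's FQDN resolves to the private IP inside the VNET.
            az network private-endpoint dns-zone-group create `
                -g $vmInfo.compute.resourceGroupName `
                --subscription $vmInfo.compute.subscriptionId `
                --endpoint-name $endpointName `
                --name $groupName `
                --private-dns-zone $dnsZone `
                --zone-name $dnsZone
        }
    }
}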