@booyaa
Created July 9, 2020 10:01
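#!/bin/bash
# Requests JIT (just-in-time, ssh/port 22) access to an Azure VM via the
# Security Center API, for the public IP of the machine running this script.
# Inspired by this API example: https://docs.microsoft.com/en-us/rest/api/securitycenter/jitnetworkaccesspolicies/initiate#examples
#
# Usage:   vm_jit_request_access.sh <vm name> [<justification>] [<ISO 8601 duration>]
# Needs:   az (Azure CLI, already logged in) and curl on PATH.
# Exits:   1 when a precondition fails (bad arguments, missing tools, VM or
#          JIT policy not found, IP lookup failed); otherwise the exit status
#          of the final `az rest` call.
set -euo pipefail

SCRIPT_NAME=$(basename "$0")
readonly SCRIPT_NAME

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Escape $1 for use inside a JSON string literal: backslash, double quote,
# newline, carriage return and tab. Writes the escaped text to stdout.
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

echo "$SCRIPT_NAME: Requests JIT (ssh) access to vm via the Security Center API."
if (( $# < 1 )); then
  echo "Error! Usage: $SCRIPT_NAME <vm name> (<justification>) (<iso860 time duration>)" >&2
  echo "Example iso860 time durations: PT5M (5 mins - default), PT1H (1 hr)" >&2
  exit 1
fi
command -v az >/dev/null 2>&1 || die "Error! Failed to find Azure CLI. Please install."
command -v curl >/dev/null 2>&1 || die "Error! Failed to find curl. Please install."

jit_vm_name=$1
jit_justification=${2:-testing jit via vm_jit_request_access.sh}
jit_access_duration=${3:-PT5M} # default to 5 minutes - ISO 8601 time interval https://en.wikipedia.org/wiki/ISO_8601#Durations

# The VM name is interpolated into a JMESPath string literal below; restrict it
# to the characters Azure allows in VM names so a quote cannot alter the query.
[[ "$jit_vm_name" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "Error: invalid vm name '$jit_vm_name' (allowed: letters, digits, '.', '_', '-')"
# The duration goes into the JSON body verbatim; only allow the ISO 8601
# duration alphabet (e.g. PT5M, PT1H, P1DT2H).
[[ "$jit_access_duration" =~ ^P[0-9YMWDTHS.,]+$ ]] \
  || die "Error: invalid ISO 8601 duration '$jit_access_duration' (example: PT5M)"

# One query returns "<id>\t<resourceGroup>" per matching VM; the script needs
# exactly one match, otherwise the id (and the resulting URI) would be ambiguous.
jit_vm_match=$(az vm list --query "[?name=='$jit_vm_name'].[id, resourceGroup]" --output tsv)
[[ -n "$jit_vm_match" ]] || die "Error: Failed to find $jit_vm_name!"
[[ "$jit_vm_match" != *$'\n'* ]] \
  || die "Error: more than one VM named $jit_vm_name in this subscription; cannot choose."
IFS=$'\t' read -r jit_vm_id jit_vm_rg <<<"$jit_vm_match"
# lower case, there appears to be a bug in az vm data that uppercases some resource group references
jit_vm_rg=$(printf '%s' "$jit_vm_rg" | tr '[:upper:]' '[:lower:]')

# The allowed source prefix is what the JIT rule opens port 22 to, so it must be
# this host's real address: fetch over HTTPS, fail on HTTP errors/timeouts, and
# reject anything that is not an IP literal (e.g. an error page) instead of
# sending it on.
jit_my_ip=$(curl -fsS --max-time 15 https://ifconfig.me) \
  || die "Error: failed to look up this host's public IP via ifconfig.me"
[[ "$jit_my_ip" =~ ^[0-9A-Fa-f.:]+$ ]] \
  || die "Error: unexpected public IP lookup result: '$jit_my_ip'"

jit_id=$(az security jit-policy list --query "[?resourceGroup=='$jit_vm_rg'].id" --output tsv)
[[ -n "$jit_id" ]] || die "Error: no JIT policy found for resource group $jit_vm_rg"
[[ "$jit_id" != *$'\n'* ]] \
  || die "Error: more than one JIT policy in resource group $jit_vm_rg; cannot choose."
jit_management_uri="https://management.azure.com$jit_id/initiate?api-version=2015-06-01-preview"

# Justification is free text from the caller; escape it so it cannot break or
# extend the JSON body. The other values were validated above.
jit_justification_json=$(json_escape "$jit_justification")
jit_payload=$(cat << EOF
{
"virtualMachines": [
{
"id": "$jit_vm_id",
"ports": [
{
"number": 22,
"duration": "$jit_access_duration",
"allowedSourceAddressPrefix": "$jit_my_ip"
}
]
}
],
"justification": "$jit_justification_json"
}
EOF
)

# Under set -e a failing az rest ends the script with its own exit status.
az rest --method post --uri "$jit_management_uri" --body "$jit_payload"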