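# Azure Automation runbook: started by a webhook whose body is an Azure event,
# it evaluates the resource named in the event and adds/removes compliance tags.
# Store inbound Webhook JSON as variable in raw format
param
(
    [object] $WebhookData
)

# The runbook only makes sense when started by its webhook. A manual start leaves
# $WebhookData empty and the ConvertFrom-Json below would fail with an unclear error.
if ($null -eq $WebhookData -or [string]::IsNullOrWhiteSpace($WebhookData.RequestBody)) {
    throw "No webhook payload received; this runbook must be started by its webhook."
}

# Import AzureRunAsConnection credentials as variable and connect to Azure using them.
# -ErrorAction Stop: a failed login is otherwise non-terminating and the script would
# carry on and try to read/tag resources without a valid context.
$servicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
    -ErrorAction Stop

# Subscription ID for resource evaluation - update this with your own subscription ID.
$SubscriptionID = "ffffffff-6666-4444-bbbb-999999999999"
Select-AzureRmSubscription -SubscriptionId $SubscriptionID -ErrorAction Stop

# Convert and store variables from inbound Webhook JSON
$InputJSON = $WebhookData.RequestBody | ConvertFrom-Json
$resourceUri = $InputJSON.data.resourceUri
$status = $InputJSON.data.status
$subject = $InputJSON.subject

# The webhook body is supplied by the caller, so only act on resources inside the
# subscription this runbook is scoped to; an event naming any other resource ID is ignored.
if ($resourceUri -notlike "/subscriptions/$SubscriptionID/*") {
    throw "resourceUri '$resourceUri' is outside subscription $SubscriptionID; ignoring event."
}

# Used for the key value of all applied tags
$MasterTagName = "compliance"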
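#Tagging Function
# Adds or removes one value in a comma-separated tag on an Azure resource.
#   AzureRMResource : object from Get-AzureRmResource; .Tags is read as a hashtable
#                     (the original code indexed .Keys on it) and .ResourceId is used
#                     for the write-back.
#   TagAction       : "Add" or "Remove" (case-insensitive); any other value is a no-op.
#   TagKey          : name of the tag to modify.
#   TagValue        : single value to add to / remove from the ", "-separated list.
# Set-AzureRmResource is called only when the tag set actually changes. Values are
# compared as whole list entries, not as regex/substring matches, so "VM001" no longer
# matches "VM0011", and every other tag on the resource is preserved on write-back
# (the previous version rebuilt the whole tag table when adding a new key).
function Set-AzureRMTag {
    [cmdletbinding()]
    param
    (
        [object] $AzureRMResource,
        $TagAction,
        $TagKey,
        $TagValue
    )

    # Work on a copy so a failed write-back does not leave the caller's object half-updated.
    $AllTags = @{}
    if ($null -ne $AzureRMResource.Tags) {
        foreach ($existingKey in $AzureRMResource.Tags.Keys) {
            $AllTags[$existingKey] = $AzureRMResource.Tags[$existingKey]
        }
    }

    # Current values of the tag as a list; the stored form is "a, b, c".
    $KeyExists = $AllTags.ContainsKey($TagKey)
    $Values = @()
    if ($KeyExists -and -not [string]::IsNullOrWhiteSpace($AllTags[$TagKey])) {
        $Values = @($AllTags[$TagKey] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    }

    switch ($TagAction) {
        'Add' {
            if ($Values -contains $TagValue) {
                Write-Output "Appropriate tag already exists, no action taken"
                return
            }
            if ($KeyExists) {
                Write-Output "Populating Tag Value"
            }
            else {
                Write-Output "Creating New Tag $TagKey : $TagValue"
            }
            $Values += $TagValue
        }
        'Remove' {
            if ($Values -notcontains $TagValue) {
                return
            }
            Write-Output "Removing Value $TagValue from $TagKey"
            $Values = @($Values | Where-Object { $_ -ne $TagValue })
        }
        default {
            return
        }
    }

    # An empty list leaves the tag present with an empty value, as before.
    $AllTags[$TagKey] = ($Values -join ', ')
    Set-AzureRmResource -ResourceId $AzureRMResource.ResourceId -Tag $AllTags -Verbose -Force
}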
# Process CT-VM001 Rule: a virtual machine with more than one network interface gets
# compliance=VM001; once it is back to a single interface the value is removed again.
# Only successful operations on virtualMachines resources are considered.
if (($subject -match "Microsoft.Compute/virtualMachines") -and ($status -eq "Succeeded")) {
    $ComplianceTag = "VM001"
    $AzureResource = Get-AzureRmResource -ResourceId $resourceUri
    $nicCount = $AzureResource.Properties.networkProfile.networkInterfaces.Count
    $tagArgs = @{
        AzureRMResource = $AzureResource
        TagKey          = $MasterTagName
        TagValue        = $ComplianceTag
    }
    if ($nicCount -gt 1) {
        Set-AzureRMTag @tagArgs -TagAction "Add"
    }
    elseif ($AzureResource.Tags.$MasterTagName -match $ComplianceTag) {
        Set-AzureRMTag @tagArgs -TagAction "Remove"
    }
}