Cloudflare Access Report - All Zones, All Applications
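#!/usr/bin/env pwsh
<#
.SYNOPSIS
    Cloudflare Access report: every Access policy across all active zones and applications.

.DESCRIPTION
    Pages through all active zones, lists each zone's Access applications and their
    policies, flattens each policy's include/require/exclude rules into one row and
    writes the rows to AccessPolicies.csv in the current directory.

.NOTES
    Authentication: the API token is read from the CLOUDFLARE_API_TOKEN environment
    variable so it never lives in the script file (a literal token here would end up in
    version control and in every copy of the gist). The token needs read access to zones
    and to Access applications/policies.

    Error handling: any HTTP failure, or a Cloudflare response with success=false, stops
    the script instead of silently producing a partial report.

    Requires PowerShell 7+ (Join-String).
#>

$ErrorActionPreference = 'Stop'

$cloudflareUrl = 'https://api.cloudflare.com/client/v4'
$File = 'AccessPolicies.csv'

# Read the token from the environment and fail early with a clear message if it is absent.
$apiToken = $env:CLOUDFLARE_API_TOKEN
if ([string]::IsNullOrWhiteSpace($apiToken)) {
    throw 'CLOUDFLARE_API_TOKEN is not set; export an API token with zone and Access read permission before running this report.'
}

$headers = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer $apiToken"
}

function Invoke-CloudflareGet {
    <#
    .SYNOPSIS
        GET one Cloudflare v4 API path and return the decoded response envelope.
    .PARAMETER Path
        Path relative to $cloudflareUrl, including any query string.
    .OUTPUTS
        The response object (result, result_info, success, errors, ...).
    #>
    param([Parameter(Mandatory)][string]$Path)

    $response = Invoke-RestMethod -Uri "$cloudflareUrl/$Path" -Method 'GET' -Headers $headers
    # Cloudflare can answer HTTP 200 with success=false; treat that as a failure too.
    if ($response.success -eq $false) {
        $detail = ($response.errors | ForEach-Object { "$($_.code): $($_.message)" }) -join '; '
        throw "Cloudflare API call to '$Path' failed: $detail"
    }
    return $response
}

function Test-HasValue {
    <#
    .SYNOPSIS
        True when a member-enumeration result actually contains an object.
    .DESCRIPTION
        $policy.include.<kind> over a rule array yields $null, an empty collection, or
        one or more objects; only the last case means a rule of that kind is present.
    #>
    param([AllowNull()]$Value)
    return @($Value | Where-Object { $null -ne $_ }).Count -gt 0
}

function Join-RuleValues {
    <#
    .SYNOPSIS
        Collect one property from a set of rule objects into a comma-separated, double-quoted string.
    .PARAMETER Rules
        Rule objects (e.g. $policy.include.azureAD); may be $null or empty.
    .PARAMETER Property
        Property to read from each rule (e.g. 'id', 'name').
    .OUTPUTS
        "N/A" when no rule carries a non-empty value, otherwise the joined string.
    #>
    param(
        [AllowNull()]$Rules,
        [Parameter(Mandatory)][string]$Property
    )
    $values = @(
        foreach ($rule in @($Rules)) {
            $value = $rule.$Property
            if (-not [string]::IsNullOrEmpty("$value")) { $value }
        }
    )
    if ($values.Count -eq 0) { return 'N/A' }
    return ($values | Join-String -DoubleQuote -Separator ',')
}

function ConvertTo-RuleJson {
    <#
    .SYNOPSIS
        Serialise a require/exclude rule list for a CSV cell.
    .DESCRIPTION
        Export-Csv would otherwise render an array as the literal "System.Object[]".
    .OUTPUTS
        "N/A" when the list is empty, otherwise compact JSON.
    #>
    param([AllowNull()]$Rules)
    $list = @($Rules | Where-Object { $null -ne $_ })
    if ($list.Count -eq 0) { return 'N/A' }
    return (ConvertTo-Json -InputObject $list -Compress -Depth 10)
}

# --- Zones (paged) ----------------------------------------------------------
$allZones = [System.Collections.Generic.List[object]]::new()
$zonePage = 1
$zonesPerPage = 20
do {
    $zoneResponse = Invoke-CloudflareGet "zones?status=active&page=$zonePage&per_page=$zonesPerPage&order=status&direction=desc"
    $addedThisPage = 0
    foreach ($zone in @($zoneResponse.result)) {
        if ($null -ne $zone) {
            $allZones.Add($zone)
            $addedThisPage++
        }
    }
    $zonePage++
    # Stop on the first page that returns no zones; counting what we actually added
    # also ends the loop if result_info is ever missing from the envelope.
} until ($addedThisPage -eq 0)

# --- Access applications and policies per zone ------------------------------
# A List avoids the O(n^2) cost of '+=' on a PowerShell array.
$allPolicies = [System.Collections.Generic.List[object]]::new()
foreach ($zone in $allZones) {
    $zoneId = $zone.id
    $zoneName = $zone.name
    $applications = @((Invoke-CloudflareGet "zones/$zoneId/access/apps").result)
    foreach ($application in $applications) {
        if ($null -eq $application) { continue }
        $applicationId = $application.id
        $policies = @((Invoke-CloudflareGet "zones/$zoneId/access/apps/$applicationId/policies").result)
        foreach ($policy in $policies) {
            if ($null -eq $policy) { continue }
            # All Azure AD columns come from the same rule objects; enumerate them once.
            $azureRules = $policy.include.azureAD
            $includeEveryone = if (Test-HasValue $policy.include.everyone) { 'TRUE' } else { 'FALSE' }
            $allPolicies.Add([pscustomobject]@{
                zoneId              = $zoneId
                zoneName            = $zoneName
                applicationId       = $applicationId
                applicationName     = $application.name
                applicationDomain   = $application.domain
                created_at          = $policy.created_at
                decision            = $policy.decision
                exclude             = ConvertTo-RuleJson $policy.exclude
                policyId            = $policy.id
                policyName          = $policy.name
                precedence          = $policy.precedence
                require             = ConvertTo-RuleJson $policy.require
                includeIp           = Join-RuleValues $policy.include.ip 'ip'
                includeAdId         = Join-RuleValues $azureRules 'id'
                includeAdIdProvider = Join-RuleValues $azureRules 'identity_provider_id'
                includeAdName       = Join-RuleValues $azureRules 'name'
                includeAdConnection = Join-RuleValues $azureRules 'connection_id'
                includeServiceToken = Join-RuleValues $policy.include.service_token 'token_id'
                includeEveryone     = $includeEveryone
                uid                 = $policy.uid
                updated_at          = $policy.updated_at
            })
        }
    }
}

# UTF8 rather than ASCII so non-ASCII characters in zone/app/policy names are not
# replaced with '?' in the report.
$allPolicies | Export-Csv -Path $File -NoTypeInformation -Encoding UTF8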