jesseloudon
/ AzureRoleAssignmentFind.ps1
Created
May 20, 2020 06:17
Find Azure RBAC role assignments of 'Unknown' type
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $OBJTYPE = "Unknown" | |
| Get-AzRoleAssignment | Where Object {$_.ObjectType.Equals($OBJTYPE)} |
jesseloudon
/ AuditRoleAssignmentType.tf
Created
June 7, 2020 11:22
Custom Azure Policy to Audit Role Assignment Type as Terraform file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_policy_definition" "auditRoleAssignmentType_user" { | |
| name = "auditRoleAssignmentType_user" | |
| policy_type = "Custom" | |
| mode = "All" | |
| display_name = "Audit user role assignments" | |
| description = "This policy checks for any Role Assignments of Type [User] - useful to catch individual IAM assignments to resources/RGs which are out of compliance with the RBAC standards e.g. using Groups for RBAC." | |
| metadata = <<METADATA | |
| { | |
| "category": "${var.policy_definition_category}", |
jesseloudon
/ TerraformAzurePolicyDefinition-PoC.tf
Created
June 8, 2020 01:40
Terraform to Azure proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| provider "azurerm" { | |
| features {} | |
| } | |
| variable "policy_definition_category" { | |
| type = string | |
| description = "The category to use for all Policy Definitions" | |
| default = "Custom" | |
| } |
jesseloudon
/ PolicyDefinitionCreationExamples
Last active
June 8, 2020 07:47
Create a single policy definition named 'Audit Storage Accounts Open to Public Networks'
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #PowerShell | |
| New-AzPolicyDefinition | |
| -Name 'AuditStorageAccounts' | |
| -DisplayName 'Audit Storage Accounts Open to Public Networks' | |
| -Policy 'AuditStorageAccounts.json' | |
| #ARMClient | |
| armclient PUT "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/AuditStorageAccounts?api-version=2019-09-01" @<path to policy definition JSON file> | |
| #AzCLI |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Terraform fmt -recursive | |
| Terraform validate | |
| Terraform init | |
| Terraform plan | |
| Terraform apply | |
| Terraform destroy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| az login | |
| az account list | |
| az account set --subscription="XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX" |
jesseloudon
/ AzureTags-KeyValueMigration.ps1
Last active
June 15, 2020 11:40
Migrate Azure Tag Key and Value
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "mandatory_tag_keys" { | |
| type = list | |
| description = "List of mandatory tag keys used by policies 'addTagToRG','inheritTagFromRG','bulkAddTagsToRG','bulkInheritTagsFromRG'" | |
| default = [ | |
| "Application", | |
| "CostCentre", | |
| "Environment", | |
| "ManagedBy", | |
| "OwnedBy", | |
| "SupportBy" |
jesseloudon
/ AzurePolicyResource1.tf
Created
June 26, 2020 07:43
Reference your variable list using count = length(var.variableName)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_policy_definition" "addTagToRG" { | |
| count = length(var.mandatory_tag_keys) |
jesseloudon
/ AzurePolicyResource2.tf
Created
June 26, 2020 07:44
Reference your variable list values using ${var.variableName[count.index]}.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name = "addTagToRG_${var.mandatory_tag_keys[count.index]}" | |
| policy_type = "Custom" | |
| mode = "All" | |
| display_name = "Add tag ${var.mandatory_tag_keys[count.index]} to resource group" | |
| description = "Adds the mandatory tag key ${var.mandatory_tag_keys[count.index]} when any resource group missing this tag is created or updated. \nExisting resource groups can be remediated by triggering a remediation task.\nIf the tag exists with a different value it will not be changed." | |
| metadata = <<METADATA | |
| { | |
| "category": "${var.policy_definition_category}", | |
| "version" : "1.0.0" | |
| } |