Created
January 26, 2022 20:13
-
-
Save vukasinterzic/a2b49a9e5084de703bf43e0de68a9d35 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Write-Output "Connecting ..." | |
# Ensures you do not inherit an AzContext in your runbook | |
Disable-AzContextAutosave -Scope Process | |
# Connect to Azure with system-assigned managed identity | |
$AzureContext = (Connect-AzAccount -Identity).context | |
# Set and store context | |
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext | |
#Define variables: | |
Write-Output "Defining variables ..." | |
#Fill in the name of your Key Vault: | |
$KeyVaultName = "KV-Test" | |
#Fill in the name of your Subscription where Key Vault is: | |
$KeyVaultSubscriptionName = "SUB-Test" | |
$SecretsHolder = @() | |
Write-Output "Getting the list of all subscriptions...." | |
$Subscriptions = Get-AzSubscription | Where-Object Name -notlike 'Access to Azure Active Directory' | |
Write-Output "Start Subscription loop..." | |
foreach ($Subscription in $Subscriptions) { | |
$VMs = @() | |
Write-Output "Selecting Subscription $($Subscription.Name)... " | |
Get-AzSubscription -SubscriptionName $Subscription.Name | Set-AZContext | |
$VMs += Get-AzResource -ResourceType "Microsoft.Compute/VirtualMachines" -TagName "VMPasswordReset" -TagValue "Yes" | |
IF (!$VMs) { | |
Write-Output "No VMs with enabled password reset in this subscription." | |
} else { | |
Write-Output "VMs found. Staring the VM loop..." | |
} | |
foreach ($VM in $VMs) { | |
Write-Output "Processing VM $($VM.Name)..." | |
$VMStatus = Get-AzVM -Name $VM.Name -ResourceGroupName $VM.ResourceGroupName -Status | |
if ($(($VMStatus.Statuses | Where-Object Code -like "*PowerState*").DisplayStatus) -eq "VM running") { | |
#Get the VM info | |
$VMInfo = Get-AzVM -Name $VM.Name -ResourceGroupName $VM.ResourceGroupName | |
#Generate a new password | |
$CharArray = "!@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz!@#$%^&*".tochararray() | |
$Password = ConvertTo-SecureString (($CharArray | Get-Random -Count 18) -join '') -AsPlainText -Force | |
#Secret Name will be in the format of "VM Name - Admin User Name" | |
$KeyVaultSecretName = $VMinfo.Name + "-" + $VMInfo.OSProfile.AdminUsername | |
$VMReset = @{ | |
VMName = $VMInfo.Name | |
ResourceGroupName = $VMInfo.ResourceGroupName | |
Location = $VMInfo.Location | |
Credential = New-Object System.Management.Automation.PSCredential ($VMInfo.OSProfile.AdminUsername, $Password) | |
} | |
Write-Output "Resetting password for VM $($VM.Name)..." | |
Set-AzVMAccessExtension @VMReset -typeHandlerVersion "2.0" -Name VMAccessAgent | |
#Add secret to object array | |
$secret = new-object -TypeName psobject | |
$secret | Add-Member -MemberType NoteProperty -Name SecretName -Value $KeyVaultSecretName | |
$secret | Add-Member -MemberType NoteProperty -Name SecretValue -Value $Password | |
$SecretsHolder += $secret | |
} else { | |
Write-Output "VM ($VM.Name) is not running. Skipping..." | |
} | |
} #End of VMs in Subscription loop | |
} # End of Subscriptions loop | |
if ((Get-AzContext).Subscription.Name -ne $KeyVaultSubscriptionName) { | |
Write-Output "Switching to Subscription where the KeyVault is..." | |
Get-AzSubscription -SubscriptionName $KeyVaultSubscriptionName | Set-AZContext | |
} | |
#Save password to KeyVault | |
if ($SecretsHolder) { | |
Write-Output "Saving passwords to KeyVault..." | |
foreach ($s in $SecretsHolder) { | |
Write-Output "Saving secret $($s.SecretName)..." | |
Set-AzKeyVaultSecret -VaultName $KeyVaultName -SecretName $s.SecretName -SecretValue $s.SecretValue | |
} | |
} | |
Write-Output "Runbook completed." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment