Skip to content

Commit 67ac6db

Browse files
v-dvedakv-dvedak
authored
Merge pull request Azure#12897 from Azure/v-sabiraj-awsscriptchanges
Aws script changes
2 parents 92e8d87 + 16f9e85 commit 67ac6db

File tree

3 files changed

+327
-281
lines changed

3 files changed

+327
-281
lines changed

DataConnectors/AWS-S3/Utils/AwsPoliciesUpdate.ps1

Lines changed: 79 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,4 @@
1-
function Update-SQSPolicy
2-
{
1+
function Update-SQSPolicy {
32
<#
43
.SYNOPSIS
54
Update the SQS policy
@@ -12,34 +11,47 @@ function Update-SQSPolicy
1211
Write-Log -Message "Executing: aws sqs get-queue-attributes --queue-url $sqsUrl --attribute-names Policy" -LogFileName $LogFileName -Severity Verbose
1312
$currentSqsPolicy = aws sqs get-queue-attributes --queue-url $sqsUrl --attribute-names Policy
1413

15-
if ($null -ne $currentSqsPolicy)
16-
{
14+
if ($null -ne $currentSqsPolicy) {
1715
Write-Log -Message $currentSqsPolicy -LogFileName $LogFileName -Severity Verbose
1816
$sqsRequiredPoliciesObject = $sqsRequiredPolicies | ConvertFrom-Json
1917
$currentSqsPolicyObject = $currentSqsPolicy | ConvertFrom-Json
2018
$currentSqsPolicies = ($currentSqsPolicyObject.Attributes.Policy) | ConvertFrom-Json
2119

22-
$sqsRequiredPoliciesThatNotExistInCurrentPolicy = $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress} )}
23-
if ($null -ne $sqsRequiredPoliciesThatNotExistInCurrentPolicy)
24-
{
20+
if ($PSVersionTable.PSVersion.Major -lt 7) {
21+
$sqsRequiredPoliciesThatNotExistInCurrentPolicy = $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5 } ) }
22+
}
23+
else {
24+
$sqsRequiredPoliciesThatNotExistInCurrentPolicy = $sqsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentSqsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress } ) }
25+
}
26+
if ($null -ne $sqsRequiredPoliciesThatNotExistInCurrentPolicy) {
2527
$currentSqsPolicies.Statement += $sqsRequiredPoliciesThatNotExistInCurrentPolicy
26-
27-
$UpdatedPolicyValue = ($currentSqsPolicies | ConvertTo-Json -Depth 99 -Compress)
28-
$UpdatedSqsPolicy = (@{'Policy' = $UpdatedPolicyValue} | ConvertTo-Json -Depth 99 -Compress)
28+
29+
if ($PSVersionTable.PSVersion.Major -lt 7) {
30+
$UpdatedPolicyValue = ($currentSqsPolicies | ConvertTo-Json -Depth 16 -Compress).Replace('"', '\\\"')
31+
$UpdatedSqsPolicy = ("{'Policy':'${UpdatedPolicyValue}'}").Replace("'", '\"')
32+
}
33+
else {
34+
$UpdatedPolicyValue = ($currentSqsPolicies | ConvertTo-Json -Depth 99 -Compress)
35+
$UpdatedSqsPolicy = (@{'Policy' = $UpdatedPolicyValue } | ConvertTo-Json -Depth 99 -Compress)
36+
}
2937
aws sqs set-queue-attributes --queue-url $sqsUrl --attributes $UpdatedSqsPolicy | Out-Null
3038
}
3139
}
32-
else
33-
{
40+
else {
3441
Write-Log -Message "No results returned from: aws sqs get-queue-attributes --queue-url $sqsUrl --attribute-names Policy " -LogFileName $LogFileName -Severity Verbose
35-
$newSqsPolicyValue = ($sqsRequiredPolicies | ConvertFrom-Json | ConvertTo-Json -Depth 99 -Compress)
36-
$newSqsPolicyObject = (@{ Policy = $newSqsPolicyValue } | ConvertTo-Json -Depth 99 -Compress)
42+
if ($PSVersionTable.PSVersion.Major -lt 7) {
43+
$newSqsPolicyValue = ($sqsRequiredPolicies | ConvertFrom-Json | ConvertTo-Json -Depth 16 -Compress).Replace('"', '\\\"')
44+
$newSqsPolicyObject = ("{'Policy':'${newSqsPolicyValue}'}").Replace("'", '\"')
45+
}
46+
else {
47+
$newSqsPolicyValue = ($sqsRequiredPolicies | ConvertFrom-Json | ConvertTo-Json -Depth 99 -Compress)
48+
$newSqsPolicyObject = (@{ Policy = $newSqsPolicyValue } | ConvertTo-Json -Depth 99 -Compress)
49+
}
3750
aws sqs set-queue-attributes --queue-url $sqsUrl --attributes $newSqsPolicyObject | Out-Null
3851
}
3952
}
4053

41-
function Update-S3Policy
42-
{
54+
function Update-S3Policy {
4355
<#
4456
.SYNOPSIS
4557
Updates S3 policy to allow Sentinel access to read data.
@@ -53,46 +65,56 @@ function Update-S3Policy
5365

5466
param
5567
(
56-
[Parameter(Mandatory=$true)][string]$RequiredPolicy,
57-
[Parameter(Mandatory=$false)][string]$CustomMessage
68+
[Parameter(Mandatory = $true)][string]$RequiredPolicy,
69+
[Parameter(Mandatory = $false)][string]$CustomMessage
5870
)
5971
Write-Log -Message "Updating the S3 policy to allow Sentinel to read the data." -LogFileName $LogFileName -LinePadding 2
6072
Write-Log -Message "Changes: S3 Get and List permissions to '${roleName}' rule" -LogFileName $LogFileName
6173

62-
if ($CustomMessage -ne $null)
63-
{
74+
if ($CustomMessage -ne $null) {
6475
Write-Output $CustomMessage
6576
}
6677

6778
Write-Log -Message "Executing: aws s3api get-bucket-policy --bucket $bucketName 2>&1" -LogFileName $LogFileName -Severity Verbose
6879
$currentBucketPolicy = aws s3api get-bucket-policy --bucket $bucketName 2>&1
6980
$isBucketPolicyExist = $lastexitcode -eq 0
70-
if ($isBucketPolicyExist)
71-
{
81+
if ($isBucketPolicyExist) {
7282
$s3RequiredPolicyObject = $s3RequiredPolicy | ConvertFrom-Json
7383
$currentBucketPolicyObject = $currentBucketPolicy | ConvertFrom-Json
7484
$currentBucketPolicies = ($currentBucketPolicyObject.Policy) | ConvertFrom-Json
7585

76-
$s3RequiredPolicyThatNotExistInCurrentPolicy = $s3RequiredPolicyObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress} )}
77-
if ($null -ne $s3RequiredPolicyThatNotExistInCurrentPolicy)
78-
{
86+
if ($PSVersionTable.PSVersion.Major -lt 7) {
87+
$s3RequiredPolicyThatNotExistInCurrentPolicy = $s3RequiredPolicyObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5 } ) }
88+
}
89+
else {
90+
$s3RequiredPolicyThatNotExistInCurrentPolicy = $s3RequiredPolicyObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentBucketPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress } ) }
91+
}
92+
if ($null -ne $s3RequiredPolicyThatNotExistInCurrentPolicy) {
7993
$currentBucketPolicies.Statement += $s3RequiredPolicyThatNotExistInCurrentPolicy
80-
$UpdatedS3Policy = (@{Statement = $currentBucketPolicies.Statement} | ConvertTo-Json -Depth 99 -Compress)
94+
if ($PSVersionTable.PSVersion.Major -lt 7) {
95+
$UpdatedS3Policy = (@{Statement = $currentBucketPolicies.Statement } | ConvertTo-Json -Depth 16).Replace('"', '\"')
96+
}
97+
else {
98+
$UpdatedS3Policy = (@{Statement = $currentBucketPolicies.Statement } | ConvertTo-Json -Depth 99 -Compress)
99+
}
81100
Write-Log -Message "Executing: aws s3api put-bucket-policy --bucket $bucketName --policy $UpdatedS3Policy | Out-Null" -LogFileName $LogFileName -Severity Verbose
82101
aws s3api put-bucket-policy --bucket $bucketName --policy $UpdatedS3Policy | Out-Null
83102
}
84103
}
85-
else
86-
{
104+
else {
87105
$s3RequiredPolicyObject = $s3RequiredPolicy | ConvertFrom-Json
88-
$newS3Policy = ($s3RequiredPolicyObject | ConvertTo-Json -Depth 99 -Compress)
106+
if ($PSVersionTable.PSVersion.Major -lt 7) {
107+
$newS3Policy = ($s3RequiredPolicyObject | ConvertTo-Json -Depth 16).Replace('"', '\"')
108+
}
109+
else {
110+
$newS3Policy = ($s3RequiredPolicyObject | ConvertTo-Json -Depth 99 -Compress)
111+
}
89112
Write-Log -Message "Executing: aws s3api put-bucket-policy --bucket $bucketName --policy $newS3Policy | Out-Null" -LogFileName $LogFileName -Severity Verbose
90113
aws s3api put-bucket-policy --bucket $bucketName --policy $newS3Policy | Out-Null
91114
}
92115
}
93116

94-
function Update-KmsPolicy
95-
{
117+
function Update-KmsPolicy {
96118
<#
97119
.SYNOPSIS
98120
Updates Kms policy to allow Sentinel access to read data.
@@ -105,38 +127,50 @@ function Update-KmsPolicy
105127
#>
106128
param
107129
(
108-
[Parameter(Mandatory=$true)][string]$RequiredPolicy,
109-
[Parameter(Mandatory=$false)][string]$CustomMessage
130+
[Parameter(Mandatory = $true)][string]$RequiredPolicy,
131+
[Parameter(Mandatory = $false)][string]$CustomMessage
110132
)
111133
Write-Log -Message "Updating KMS policy to allow Sentinel read the data." -LogFileName $LogFileName -LinePadding 1
112134
Write-Log -Message "Changes Role: Kms Encrypt, Decrypt, ReEncrypt*, GenerateDataKey* and DescribeKey permissions to '${roleName}' rule" -LogFileName $LogFileName -Indent 2
113135

114-
if ($CustomMessage -ne $null)
115-
{
136+
if ($CustomMessage -ne $null) {
116137
Write-Log -Message $CustomMessage -LogFileName $LogFileName -LinePadding 1
117138
}
118139

119140
Write-Log -Message "Executing: aws kms get-key-policy --policy-name default --key-id $kmsKeyId" -LogFileName $LogFileName -Severity Verbose
120141
$currentKmsPolicy = aws kms get-key-policy --policy-name default --key-id $kmsKeyId
121-
if ($null -ne $currentKmsPolicy)
122-
{
142+
if ($null -ne $currentKmsPolicy) {
123143
$kmsRequiredPoliciesObject = $RequiredPolicy | ConvertFrom-Json
124144
$currentKmsPolicyObject = $currentKmsPolicy | ConvertFrom-Json
125145
$currentKmsPolicies = ($currentKmsPolicyObject.Policy) | ConvertFrom-Json
126146

127-
$kmsRequiredPoliciesThatNotExistInCurrentPolicy = $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress} )}
128-
if ($null -ne $kmsRequiredPoliciesThatNotExistInCurrentPolicy)
129-
{
147+
if ($PSVersionTable.PSVersion.Major -lt 7) {
148+
$kmsRequiredPoliciesThatNotExistInCurrentPolicy = $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 5) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 5 } ) }
149+
}
150+
else {
151+
$kmsRequiredPoliciesThatNotExistInCurrentPolicy = $kmsRequiredPoliciesObject.Statement | Where-Object { ($_ | ConvertTo-Json -Depth 99 -Compress) -notin ($currentKmsPolicies.Statement | ForEach-Object { $_ | ConvertTo-Json -Depth 99 -Compress } ) }
152+
}
153+
if ($null -ne $kmsRequiredPoliciesThatNotExistInCurrentPolicy) {
130154
$currentKmsPolicies.Statement += $kmsRequiredPoliciesThatNotExistInCurrentPolicy
131-
132-
$UpdatedKmsPolicyObject = ($currentKmsPolicies | ConvertTo-Json -Depth 99 -Compress)
155+
156+
if ($PSVersionTable.PSVersion.Major -lt 7) {
157+
$UpdatedKmsPolicyObject = ($currentKmsPolicies | ConvertTo-Json -Depth 16).Replace('"', '\"')
158+
}
159+
else {
160+
$UpdatedKmsPolicyObject = ($currentKmsPolicies | ConvertTo-Json -Depth 99 -Compress)
161+
}
162+
133163
Write-Log -Message "Executing: aws kms put-key-policy --policy-name default --key-id $kmsKeyId --policy $UpdatedKmsPolicyObject | Out-Null" -LogFileName $LogFileName -Severity Verbose
134164
aws kms put-key-policy --policy-name default --key-id $kmsKeyId --policy $UpdatedKmsPolicyObject | Out-Null
135165
}
136166
}
137-
else
138-
{
139-
$newKmsPolicyObject = ($RequiredPolicy | ConvertFrom-Json | ConvertTo-Json -Depth 99 -Compress)
167+
else {
168+
if ($PSVersionTable.PSVersion.Major -lt 7) {
169+
$newKmsPolicyObject = ($RequiredPolicy | ConvertFrom-Json | ConvertTo-Json -Depth 16).Replace('"', '\"')
170+
}
171+
else {
172+
$newKmsPolicyObject = ($RequiredPolicy | ConvertFrom-Json | ConvertTo-Json -Depth 99 -Compress)
173+
}
140174
Write-Log -Message "Executing: aws kms put-key-policy --policy-name default --key-id $kmsKeyId --policy $newKmsPolicyObject | Out-Null" -LogFileName $LogFileName -Severity Verbose
141175
aws kms put-key-policy --policy-name default --key-id $kmsKeyId --policy $newKmsPolicyObject | Out-Null
142176
}

0 commit comments

Comments
 (0)