New-CIPPAzRestRequest

rvdwegen · rvdwegen · commit 5a825921e7ea · 2025-12-15T12:59:31.000+01:00
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-CIPPAzRestRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-CIPPAzRestRequest.ps1
@@ -0,0 +1,210 @@
+function New-CIPPAzRestRequest {
+    <#
+    .SYNOPSIS
+        Create and send a REST request to Azure APIs using Managed Identity authentication
+    .DESCRIPTION
+        Wraps Invoke-RestMethod with automatic Azure Managed Identity token authentication.
+        Automatically adds the Authorization header using Get-CIPPAzIdentityToken.
+        Supports all Invoke-RestMethod parameters.
+    .PARAMETER Uri
+        The URI of the Azure REST API endpoint
+    .PARAMETER Method
+        The HTTP method (GET, POST, PUT, PATCH, DELETE, etc.). Defaults to GET.
+    .PARAMETER ResourceUrl
+        The Azure resource URL to get a token for. Defaults to 'https://management.azure.com/' for Azure Resource Manager.
+        Use 'https://vault.azure.net' for Key Vault, 'https://api.loganalytics.io' for Log Analytics, etc.
+    .PARAMETER Body
+        The request body (can be string, hashtable, or PSCustomObject)
+    .PARAMETER Headers
+        Additional headers to include in the request. Authorization header is automatically added.
+    .PARAMETER ContentType
+        The content type of the request body. Defaults to 'application/json' if Body is provided and ContentType is not specified.
+    .PARAMETER SkipHttpErrorCheck
+        Skip checking HTTP error status codes
+    .PARAMETER ResponseHeadersVariable
+        Variable name to store response headers
+    .PARAMETER StatusCodeVariable
+        Variable name to store HTTP status code
+    .PARAMETER MaximumRetryCount
+        Maximum number of retry attempts
+    .PARAMETER RetryIntervalSec
+        Interval between retries in seconds
+    .PARAMETER TimeoutSec
+        Request timeout in seconds
+    .PARAMETER UseBasicParsing
+        Use basic parsing (for older PowerShell versions)
+    .PARAMETER WebSession
+        Web session object for maintaining cookies/state
+    .EXAMPLE
+        New-CIPPAzRestRequest -Uri 'https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{name}?api-version=2020-06-01'
+        Gets Azure Resource Manager resource using managed identity
+    .EXAMPLE
+        New-CIPPAzRestRequest -Uri 'https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{name}/config/authsettingsV2/list?api-version=2020-06-01' -Method POST
+        POST request to Azure Resource Manager API
+    .EXAMPLE
+        New-CIPPAzRestRequest -Uri 'https://{vault}.vault.azure.net/secrets/{secret}?api-version=7.4' -ResourceUrl 'https://vault.azure.net'
+        Gets a Key Vault secret using managed identity
+    .EXAMPLE
+        New-CIPPAzRestRequest -Uri 'https://management.azure.com/...' -Method PUT -Body @{ property = 'value' } -ContentType 'application/json'
+        PUT request with JSON body
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, Position = 0)]
+        [Alias('Url')]
+        [uri]$Uri,
+
+        [Parameter(Mandatory = $false)]
+        [ValidateSet('GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE')]
+        [string]$Method = 'GET',
+
+        [Parameter(Mandatory = $false)]
+        [string]$ResourceUrl = 'https://management.azure.com/',
+
+        [Parameter(Mandatory = $false)]
+        [object]$Body,
+
+        [Parameter(Mandatory = $false)]
+        [hashtable]$Headers = @{},
+
+        [Parameter(Mandatory = $false)]
+        [string]$ContentType,
+
+        [Parameter(Mandatory = $false)]
+        [switch]$SkipHttpErrorCheck,
+
+        [Parameter(Mandatory = $false)]
+        [string]$ResponseHeadersVariable,
+
+        [Parameter(Mandatory = $false)]
+        [string]$StatusCodeVariable,
+
+        [Parameter(Mandatory = $false)]
+        [int]$MaximumRetryCount,
+
+        [Parameter(Mandatory = $false)]
+        [int]$RetryIntervalSec,
+
+        [Parameter(Mandatory = $false)]
+        [int]$TimeoutSec,
+
+        [Parameter(Mandatory = $false)]
+        [switch]$UseBasicParsing,
+
+        [Parameter(Mandatory = $false)]
+        [Microsoft.PowerShell.Commands.WebRequestSession]$WebSession
+    )
+
+    # Get Azure Managed Identity token
+    try {
+        $Token = Get-CIPPAzIdentityToken -ResourceUrl $ResourceUrl
+    } catch {
+        $errorMessage = "Failed to get Azure Managed Identity token: $($_.Exception.Message)"
+        Write-Error -Message $errorMessage -ErrorAction $ErrorActionPreference
+        return
+    }
+
+    # Build headers - add Authorization, merge with user-provided headers
+    $RequestHeaders = @{
+        'Authorization' = "Bearer $Token"
+    }
+
+    # Merge user-provided headers (user headers take precedence)
+    foreach ($key in $Headers.Keys) {
+        $RequestHeaders[$key] = $Headers[$key]
+    }
+
+    # Handle Content-Type
+    if ($Body -and -not $ContentType) {
+        $ContentType = 'application/json'
+    }
+
+    # Convert Body to JSON if it's an object and ContentType is JSON
+    $RequestBody = $Body
+    if ($Body -and $ContentType -eq 'application/json' -and $Body -isnot [string]) {
+        try {
+            $RequestBody = $Body | ConvertTo-Json -Depth 10 -Compress
+        } catch {
+            Write-Warning "Failed to convert Body to JSON: $($_.Exception.Message). Sending as-is."
+            $RequestBody = $Body
+        }
+    }
+
+    # Build Invoke-RestMethod parameters
+    $RestMethodParams = @{
+        Uri                = $Uri
+        Method             = $Method
+        Headers            = $RequestHeaders
+        ErrorAction        = $ErrorActionPreference
+    }
+
+    if ($Body) {
+        $RestMethodParams['Body'] = $RequestBody
+    }
+
+    if ($ContentType) {
+        $RestMethodParams['ContentType'] = $ContentType
+    }
+
+    if ($SkipHttpErrorCheck) {
+        $RestMethodParams['SkipHttpErrorCheck'] = $true
+    }
+
+    if ($ResponseHeadersVariable) {
+        $RestMethodParams['ResponseHeadersVariable'] = $ResponseHeadersVariable
+    }
+
+    if ($StatusCodeVariable) {
+        $RestMethodParams['StatusCodeVariable'] = $StatusCodeVariable
+    }
+
+    if ($MaximumRetryCount) {
+        $RestMethodParams['MaximumRetryCount'] = $MaximumRetryCount
+    }
+
+    if ($RetryIntervalSec) {
+        $RestMethodParams['RetryIntervalSec'] = $RetryIntervalSec
+    }
+
+    if ($TimeoutSec) {
+        $RestMethodParams['TimeoutSec'] = $TimeoutSec
+    }
+
+    if ($UseBasicParsing) {
+        $RestMethodParams['UseBasicParsing'] = $true
+    }
+
+    if ($WebSession) {
+        $RestMethodParams['WebSession'] = $WebSession
+    }
+
+    # Invoke the REST method
+    try {
+        $Response = Invoke-RestMethod @RestMethodParams
+
+        # For compatibility with Invoke-AzRestMethod behavior, return object with Content property if response is a string
+        # Otherwise return the parsed object directly
+        if ($Response -is [string]) {
+            return [PSCustomObject]@{
+                Content = $Response
+            }
+        }
+
+        return $Response
+    } catch {
+        $errorMessage = "Azure REST API call failed: $($_.Exception.Message)"
+        if ($_.Exception.Response) {
+            try {
+                $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
+                $responseBody = $reader.ReadToEnd()
+                $reader.Close()
+                $errorMessage += "`nResponse: $responseBody"
+            } catch {
+                # Ignore errors reading response stream
+            }
+        }
+
+        Write-Error -Message $errorMessage -ErrorAction $ErrorActionPreference
+        return
+    }
+}
