Merge pull request #1 from slapointe/feature/refresh-q2-2021

slapointe · web-flow · commit 9f521aad783c · 2021-06-14T19:16:35.000-04:00
Refreshed versions of scripts as of 2021-06-14
diff --git a/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips-legacy/Get-AppServiceWebAppsOutboundIpAddresses.ps1
@@ -10,9 +10,8 @@ $ErrorActionPreference = 'Stop'
 $webApps = @()
 $SubscriptionName | % {
     Write-Host ('Switching to subscription {0}' -f $_)
-    $subContext = Set-AzureRmContext -SubscriptionName  $_
-    $webApps += Get-AzureRmWebApp
-
+    $subContext = Set-AzContext -SubscriptionName  $_
+    $webApps += Get-AzWebApp
 }
 
 $ipMatch = @(
diff --git a/app-service/list-outbound-ips-legacy/README.md b/app-service/list-outbound-ips-legacy/README.md
@@ -3,13 +3,11 @@
 You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
 
 ## Requirements
-Tested with AzureRM.Profile Version 3.2.x & AzureRM.Websites 3.2.x
-
-Tested with AzureRM.Profile Version 5.8.x & AzureRM.Websites 5.2.x
+Tested with Az.Accounts Version 2.2.x & Az.Websites 2.5.X
 
 ## Usage
 ```powershell
-Login-AzureRmAccount 
+Connect-AzAccount 
  
 .\Get-AppServiceWebAppsOutboundIpAddresses.ps1 -SubscriptionName 'mysub1','mysub2' -IncludePossibleOutputIpAddresses
 ```
diff --git a/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1 b/app-service/list-outbound-ips/Get-AzureWebAppsOutboundIpAddresses.ps1
@@ -29,10 +29,17 @@ $queryParams = @{
 if($matchedSubscriptions) {
     $queryParams.Subscription = $matchedSubscriptions.Id
 }
-$webApps = Search-AzGraph @queryParams
+
+$webApps = @()
+do {
+    $webApps += Search-AzGraph @queryParams
+    if($webApps.SkipToken) {
+        $queryParams.SkipToken = $webApps.SkipToken
+    }    
+} while ($webApps.SkipToken)
 
 $ipMatch = @(
-    $webApps | % {
+    $webApps.Data | % {
         $webAppName = $_.name
         $ipAddresses = @($_.outboundIpAddresses -split ',' | % { @{ IpAddress = $_; Type='Outbound' } })
         if($IncludePossibleOutputIpAddresses) {
diff --git a/app-service/list-outbound-ips/README.md b/app-service/list-outbound-ips/README.md
@@ -3,7 +3,7 @@
 You'll find in this function an easy way to extract the outbound IP addresses information used by all your App Services in your subscriptions by using the Azure Resource Graph, it is very fast compared to the old version scanning all subscription one at a time (50x faster for me)
 
 ## Requirements
-Tested with Az.ResourceGraph Version 0.7.x
+Tested with Az.ResourceGraph Version 0.10.x
 
 ## Usage
 ```powershell
diff --git a/application-gateway/README.md b/application-gateway/README.md
@@ -5,7 +5,7 @@ Did you ever had developers or engineers coming to your desk in panic realizing
 ## Requirements
 Tested with Azure PowerShell Az v1.x.x
 
-Tested with Azure PowerShell Az.ResourceGraph module v0.7.6
+Tested with Azure PowerShell Az.ResourceGraph module v0.10.0
 
 ## The problematic
 Did you ever had developers or engineers coming to your desk in panic realizing their Azure Application Gateway' certificates expired without them knowing it in advance. Causing them downtime in their release pipeline, dev or worst, their production environment!
diff --git a/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1 b/application-gateway/expiring-certificates/Get-AzureAppGatewayExpiringCertificates.ps1
@@ -6,39 +6,46 @@ param(
 $pageSize = 100
 $iteration = 0
 $searchParams = @{
-    Query = 'where type =~ "Microsoft.Network/applicationGateways" | project id, subscriptionId, subscriptionDisplayName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
-    First = $pageSize
-    Include = 'displayNames'
+    Query = 'Resources | where type =~ "Microsoft.Network/applicationGateways" | join kind=leftouter (ResourceContainers | where type=="microsoft.resources/subscriptions" | project subscriptionName=name, subscriptionId) on subscriptionId | project id, subscriptionId, subscriptionName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
+    First = $pageSize    
 }
 
-$results = do {
+$results = @()
+do {
     $iteration += 1
     Write-Verbose "Iteration #$iteration"
-    $pageResults = Search-AzGraph @searchParams
-    $searchParams.Skip += $pageResults.Count
-    $pageResults
-    Write-Verbose $pageResults.Count
-} while ($pageResults.Count -eq $pageSize)
+    $results += Search-AzGraph @searchParams
+    if ($results.SkipToken) {
+        $searchParams.SkipToken = $results.SkipToken
+    }
+} while ($results.SkipToken)
 
-$90daysfromNow = (Get-Date).AddDays($ExpiresInDays)
-$results | % {
+$expirationDate = (Get-Date).AddDays($ExpiresInDays)
+$results.Data | ForEach-Object {
     $record = $_
 
-    $record.sslCertificates | % {
+    $record.sslCertificates | ForEach-Object {
         $sslCertRecord = $_
-        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($_.properties.publicCertData.Substring(60,$_.properties.publicCertData.Length-60)))
-        if ($cert.NotAfter -le $90daysfromNow) {
-            @{
-                SubscriptionId = $record.subscriptionId
-                SubscriptionName = $record.subscriptionDisplayName
-                ResourceGroup = $record.resourceGroup
-                Name = $record.Name
-                Cert = $cert
-                CertificateName = $sslCertRecord.name
-                NotAfter = $cert.NotAfter
-                Thumbprint = $cert.Thumbprint
-                ImpactedListeners = ,@($sslCertRecord.properties.httpListeners | ForEach-Object { ($_.id -split'/')[-1] } )
-            }
+        if (-not $_.properties.publicCertData) {
+            $msg = 'Certificate {0} is linked to Key Vault secret: {1}. Certificate scanning is not supported in this scenario. You can leverage Azure Policy to do so.' -f $_.name, $_.properties.keyVaultSecretId
+            Write-Warning $msg -Verbose
+        }
+        else {
+            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($_.properties.publicCertData.Substring(60, $_.properties.publicCertData.Length - 60)))
+            if ($cert.NotAfter -le $expirationDate) {
+                @{
+                    SubscriptionId    = $record.subscriptionId
+                    SubscriptionName  = $record.subscriptionDisplayName
+                    ResourceGroup     = $record.resourceGroup
+                    Name              = $record.Name
+                    Cert              = $cert
+                    CertificateName   = $sslCertRecord.name
+                    NotAfter          = $cert.NotAfter
+                    Thumbprint        = $cert.Thumbprint
+                    ImpactedListeners = , @($sslCertRecord.properties.httpListeners | ForEach-Object { ($_.id -split '/')[-1] } )
+                }
+ 
+            }       
         }
     }
 }
