This Azure Automation runbook (PowerShell, AzureRM cmdlets) checks whether any secrets, keys or certificates in the selected Key Vault(s), or any webhooks on the runbooks of the given Automation account, are nearing expiry, expire today, or have already expired.
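Param(
    # Subscription that holds the Key Vault(s) and the Automation account.
    # 'XXXX' is a redacted placeholder and must be supplied for a real run.
    [ValidateNotNullOrEmpty()]
    [string]$SubscriptionID = 'XXXX',

    # Notification window in days: an item is reported when it expires before
    # today + this many days. Negative windows make no sense and are rejected.
    # NOTE(review): the default of 5000 days (~13.7 years) flags practically
    # every dated item and looks like a test value; a production schedule would
    # normally pass something like 30.
    [ValidateRange(0, [int]::MaxValue)]
    [int]$DaysNearExpiration = 5000,

    # Restrict the scan to one vault. An empty string scans every vault in the
    # subscription; note the placeholder default 'XXX' is non-empty, so the
    # all-vaults path is only taken when '' is passed explicitly.
    [string]$VaultName = 'XXX',

    # Resource group of the Automation account whose runbook webhooks are checked.
    [string]$AutomationAccountResourceGroup = 'XXX'
)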
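Write-Verbose "Connecting to Azure"
# Authenticate with the Automation account's Run As service principal. The
# connection asset holds only the tenant ID, application ID and the thumbprint of
# a certificate installed in the account - no password ever appears in this code.
# NOTE(review): AzureRM modules and Run As accounts are retired; the supported
# path is the Az modules with a system-assigned managed identity
# (Connect-AzAccount -Identity), which removes the certificate to rotate.
# Least privilege: this runbook only reads metadata, so the identity needs Key
# Vault 'list' permission on secrets/keys/certificates and read access to the
# Automation account - a subscription-wide Contributor Run As account is far
# more than it requires.
$connectionName = "AzureRunAsConnection"
try
{
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    Write-Output "Logging in to Azure..."
    # -ErrorAction Stop: a non-terminating login failure must land in the catch
    # block rather than let the scan continue (and report nothing) unauthenticated.
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
        -ErrorAction Stop
}
catch {
    # Distinguish "the connection asset does not exist" from a failed login.
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception.Message
        throw $_.Exception
    }
}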
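Select-AzureRmSubscription -SubscriptionId $SubscriptionID -ErrorAction Stop

# Result buckets filled by the scan below. The names are historical: they hold
# keys, certificates and webhooks as well as secrets.
$ExpiredSecrets = @()
$NearExpirationSecrets = @()
$ExpiredSecretsToday = @()

# Scope of the scan: one named vault, or every vault in the subscription when
# -VaultName is an empty string.
if ($VaultName) {
    $KeyVaults = Get-AzureRmKeyVault -VaultName $VaultName
    if (-not $KeyVaults) {
        # A mistyped vault name must not produce a green "nothing is expiring"
        # run - fail loudly instead of silently scanning nothing.
        throw "Key Vault '$VaultName' was not found in subscription $SubscriptionID."
    }
}
else {
    $KeyVaults = Get-AzureRmKeyVault
}

# Comparison keys as zero-padded yyyyMMdd strings (they order correctly under
# plain string comparison). Key Vault expiry timestamps are UTC, so "today" is
# taken in UTC too; using the sandbox's local clock could be off by a day.
$utcNow = (Get-Date).ToUniversalTime()
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$ExpirationDate = $utcNow.AddDays($DaysNearExpiration).ToString('yyyyMMdd', $culture)
$CurrentDate = $utcNow.ToString('yyyyMMdd', $culture)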
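# ---------------------------------------------------------------------------
# Scan phase: Key Vault secrets, certificates and keys, then Automation webhooks.
# Each dated item lands in exactly one bucket, judged per calendar day (yyyyMMdd):
#   NearExpiration - expires after today but before today + DaysNearExpiration
#   ExpiringToday  - expires today
#   Expired        - already past its expiry
# Items that expire at or beyond the window are ignored. Items with NO expiry
# set are skipped as well and therefore never surface in this report; a
# "no expiry configured" check would be a worthwhile follow-up.
# Only metadata is read (names and expiry dates). Secret values are never
# fetched, so the runbook identity needs 'list' permission, not 'get'.
# ---------------------------------------------------------------------------

# Classify one expiry instant. Returns 'NearExpiration', 'ExpiringToday',
# 'Expired', or $null when the item lies outside the notification window.
# $Today / $WindowEnd default to the script-level yyyyMMdd strings; they are
# parameters so the classification can be exercised without Azure.
function Get-ExpiryBucket {
    param(
        [Parameter(Mandatory = $true)][datetime]$Expires,
        [string]$Today = $CurrentDate,
        [string]$WindowEnd = $ExpirationDate
    )
    # Invariant culture keeps the Gregorian calendar whatever the sandbox locale.
    $expiryDay = $Expires.ToString('yyyyMMdd', [System.Globalization.CultureInfo]::InvariantCulture)
    if ($WindowEnd -le $expiryDay) { return $null }
    if ($Today -lt $expiryDay) { return 'NearExpiration' }
    if ($Today -eq $expiryDay) { return 'ExpiringToday' }
    return 'Expired'
}

# Build the report record for one item, or return nothing when it is outside
# the window. Category is Kind + bucket, e.g. 'SecretNearExpiration',
# 'KeyExpired'. (Previously already-expired items were tagged '*NearExpiration',
# making them indistinguishable from near-expiry ones.) ServiceName identifies
# the vault or "automationAccount\runbook" for every kind; secrets used to carry
# it under a different property name (KeyVaultName) from the other three kinds.
function New-ExpiryRecord {
    param(
        [Parameter(Mandatory = $true)][string]$Kind,   # Secret | Cert | Key | WebHook
        [string]$Name,
        [string]$ServiceName,
        [Parameter(Mandatory = $true)][datetime]$Expires,
        [string]$Today = $CurrentDate,
        [string]$WindowEnd = $ExpirationDate
    )
    $bucket = Get-ExpiryBucket -Expires $Expires -Today $Today -WindowEnd $WindowEnd
    if (-not $bucket) { return }
    New-Object PSObject -Property @{
        Name           = $Name
        Category       = "$Kind$bucket"
        ServiceName    = $ServiceName
        ExpirationDate = $Expires
        Bucket         = $bucket
    }
}

$findings = @()

# Key Vault items: the listing cmdlets return identity items (Name, Expires, ...)
# only - no values.
foreach ($KeyVault in $KeyVaults) {
    $vault = $KeyVault.VaultName
    $inventory = @(
        @{ Kind = 'Secret'; Items = Get-AzureKeyVaultSecret -VaultName $vault },
        @{ Kind = 'Cert';   Items = Get-AzureKeyVaultCertificate -VaultName $vault },
        @{ Kind = 'Key';    Items = Get-AzureKeyVaultKey -VaultName $vault }
    )
    foreach ($group in $inventory) {
        foreach ($item in $group.Items) {
            if (-not $item.Expires) { continue }   # no expiry configured -> not reported
            $record = New-ExpiryRecord -Kind $group.Kind -Name $item.Name -ServiceName $vault -Expires $item.Expires
            if ($record) { $findings += $record }
        }
    }
}

# Automation webhooks. ExpiryTime is a DateTimeOffset; classify it by its UTC
# instant so it is judged on the same clock as the Key Vault items and
# $CurrentDate. (The original converted it to Central Standard Time first, which
# can shift it to a different calendar day than the rest of the comparison.)
$webhooks = Get-AzureRmResourceGroup -Name $AutomationAccountResourceGroup |
    Get-AzureRmAutomationAccount |
    Get-AzureRmAutomationWebhook
foreach ($webhook in $webhooks) {
    if (-not $webhook.ExpiryTime) { continue }
    $record = New-ExpiryRecord -Kind 'WebHook' `
        -Name $webhook.Name `
        -ServiceName "$($webhook.AutomationAccountName)\$($webhook.RunbookName)" `
        -Expires $webhook.ExpiryTime.UtcDateTime
    if ($record) { $findings += $record }
}

# Partition into the three script-level buckets consumed by the report.
$NearExpirationSecrets = @($findings | Where-Object { $_.Bucket -eq 'NearExpiration' })
$ExpiredSecretsToday   = @($findings | Where-Object { $_.Bucket -eq 'ExpiringToday' })
$ExpiredSecrets        = @($findings | Where-Object { $_.Bucket -eq 'Expired' })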
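# ---------------------------------------------------------------------------
# Report phase. The output lists item names, categories, locations and expiry
# dates only - never secret values - because runbook output is retained in the
# Automation job history.
# ---------------------------------------------------------------------------

# Render one bucket as a single line:
#   "<Label>:[TotalCount: N][Name:.. Category:.. Service:.. ExpDate:..]..."
# $Items may be an array, a single record, an empty array or $null.
function Format-ExpiryReport {
    param(
        [Parameter(Mandatory = $true)][string]$Label,
        $Items
    )
    # @($null) would be a one-element array, so guard the null case explicitly.
    if ($null -eq $Items) { $entries = @() } else { $entries = @($Items) }
    $line = "${Label}:[TotalCount: $($entries.Count)]"
    foreach ($entry in $entries) {
        $line += "[Name:$($entry.Name) Category:$($entry.Category) Service:$($entry.ServiceName) ExpDate:$($entry.ExpirationDate)]"
    }
    return $line
}

# Already-expired items were collected but never reported before; they are the
# most urgent finding, so they go first. The near-expiration count previously
# reused the expiring-today count (copy/paste), which is fixed by rendering each
# bucket from its own list.
if ($ExpiredSecrets.Count -gt 0 -or $ExpiredSecretsToday.Count -gt 0 -or $NearExpirationSecrets.Count -gt 0)
{
    $report = @(
        (Format-ExpiryReport -Label 'SecretExpired' -Items $ExpiredSecrets),
        (Format-ExpiryReport -Label 'SecretExpiringToday' -Items $ExpiredSecretsToday),
        (Format-ExpiryReport -Label 'SecretNearExpiration' -Items $NearExpirationSecrets)
    ) -join "`r`n"
    # A single pre-built string: 'Write-Output $a + "`r`n" + $b' binds '+' and the
    # newline as separate positional arguments and prints them as extra lines.
    Write-Output $report
    # Deliberately fail the job so a finding shows up as a failed run (the usual
    # hook for an Automation alert); a clean run means nothing is due.
    throw $report
}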