Tuesday, May 5, 2020

This runbook checks whether any of the secrets, keys and certificates in Key Vault, or any webhook attached to a runbook, is nearing expiry or expires today.
       

           param(
    # Subscription that holds the Key Vault(s) and the Automation account.
    # 'XXXX' is a placeholder; set it before publishing the runbook.
    [string]$SubscriptionID = 'XXXX',

    # Look-ahead window in days: items whose expiry falls inside this window
    # are reported as "near expiration". 5000 days (~13.7 years) means almost
    # every item with an expiry set will be reported; tune per environment.
    [int]$DaysNearExpiration = 5000,

    # Restrict the scan to a single vault; when empty, every vault visible in
    # the subscription is scanned.
    [string]$VaultName = 'XXX',

    # Resource group of the Automation account whose webhooks are scanned.
    [string]$AutomationAccountResourceGroup = 'XXX'
)
 
 
# --- Authenticate with the Automation account's Run As service principal ---
# Login is certificate-based: the connection asset supplies tenant, application
# id and certificate thumbprint, so no credential is held in a runbook variable
# or written to the job stream.
# NOTE(review): AzureRm cmdlets and Run As accounts are retired upstream;
# migrating to the Az module with a managed identity is outside this rewrite.
Write-Verbose "Connecting to Azure"
$connectionName = "AzureRunAsConnection"

try {
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    Write-Output "Logging in to Azure..."
    $loginArgs = @{
        ServicePrincipal      = $true
        TenantId              = $servicePrincipalConnection.TenantId
        ApplicationId         = $servicePrincipalConnection.ApplicationId
        CertificateThumbprint = $servicePrincipalConnection.CertificateThumbprint
    }
    Add-AzureRmAccount @loginArgs
}
catch {
    # A missing connection asset is the usual misconfiguration, so name it;
    # anything else is surfaced and re-thrown so the job is marked failed.
    if (-not $servicePrincipalConnection) {
        throw "Connection $connectionName not found."
    }
    Write-Error -Message $_.Exception.Message
    throw $_.Exception
}

# Scope every subsequent AzureRm call to the target subscription.
Select-AzureRmSubscription -SubscriptionId $SubscriptionID

# Result buckets, filled by the scans below and summarised at the end.
$ExpiredSecrets        = @()   # expiry date already in the past
$NearExpirationSecrets = @()   # expires within $DaysNearExpiration days
$ExpiredSecretsToday   = @()   # expiry date is today

# Vault selection: one named vault, or every vault visible in the
# subscription when $VaultName is empty.
$KeyVaults = if ($VaultName) {
    Get-AzureRmKeyVault -VaultName $VaultName
} else {
    Get-AzureRmKeyVault
}

# Both thresholds are fixed-width yyyyMMdd strings, which is why the scans
# below can compare them with -lt / -gt / -eq.
# NOTE(review): both use the sandbox's local clock while the expiry values
# read from Key Vault are presumably UTC — confirm day-boundary behaviour.
$ExpirationDate = (Get-Date).AddDays($DaysNearExpiration).ToString('yyyyMMdd')
$CurrentDate    = (Get-Date).ToString('yyyyMMdd')
 
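#######################################
# Classify one Key Vault item against the notification window and append it
# to the matching script-level bucket. Replaces three copies of the same
# branch logic (secrets, certificates, keys).
# Arguments:
#   -Name      item name (only the name is ever recorded, never a value)
#   -Kind      'Secret' | 'Cert' | 'Key' — prefix of the Category field
#   -VaultName vault the item lives in
#   -Expires   the item's expiry timestamp
# Reads:  $ExpirationDate, $CurrentDate (script scope)
# Writes: $script:NearExpirationSecrets, $script:ExpiredSecretsToday,
#         $script:ExpiredSecrets
#######################################
function Add-KeyVaultExpiryRecord {
    param(
        [string]$Name,
        [string]$Kind,
        [string]$VaultName,
        [datetime]$Expires
    )
    $itemExpiration = Get-Date $Expires -Format yyyyMMdd

    # Outside the look-ahead window: nothing to report.
    if ($ExpirationDate -le $itemExpiration) { return }

    # ServiceName is the field the webhook scan and the report use; the
    # secret records previously used KeyVaultName, so both are kept.
    $record = New-Object PSObject -Property @{
        Name           = $Name
        Category       = $null
        ServiceName    = $VaultName
        KeyVaultName   = $VaultName
        ExpirationDate = $Expires
    }

    if ($CurrentDate -lt $itemExpiration) {
        $record.Category = "${Kind}NearExpiration"
        $script:NearExpirationSecrets += $record
    }
    elseif ($CurrentDate -eq $itemExpiration) {
        $record.Category = "${Kind}ExpiringToday"
        $script:ExpiredSecretsToday += $record
    }
    else {
        # Previously labelled '<Kind>NearExpiration' as well, which made
        # already-expired items indistinguishable from near-expiry ones.
        $record.Category = "${Kind}Expired"
        $script:ExpiredSecrets += $record
    }
}

# Scan every selected vault. The list cmdlets are called without -Name, so
# only identifiers and attributes (name, expiry) are returned; no secret or
# key material is retrieved and none can reach the job output.
# Items with no expiry set are skipped; consider reporting those separately,
# since unbounded lifetimes are themselves a finding.
foreach ($KeyVault in $KeyVaults) {
    $vault = $KeyVault.VaultName

    foreach ($secret in (Get-AzureKeyVaultSecret -VaultName $vault)) {
        if ($secret.Expires) {
            Add-KeyVaultExpiryRecord -Name $secret.Name -Kind 'Secret' -VaultName $vault -Expires $secret.Expires
        }
    }

    foreach ($cert in (Get-AzureKeyVaultCertificate -VaultName $vault)) {
        if ($cert.Expires) {
            Add-KeyVaultExpiryRecord -Name $cert.Name -Kind 'Cert' -VaultName $vault -Expires $cert.Expires
        }
    }

    foreach ($key in (Get-AzureKeyVaultKey -VaultName $vault)) {
        if ($key.Expires) {
            Add-KeyVaultExpiryRecord -Name $key.Name -Kind 'Key' -VaultName $vault -Expires $key.Expires
        }
    }
}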
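# --- Automation webhooks ---
# Enumerate every webhook of every Automation account in the given resource
# group and bucket it by expiry. Only webhook metadata (name, runbook, expiry)
# is recorded. The original `ForEach($_ )` alias form is replaced by
# ForEach-Object; `return` inside the block moves on to the next webhook.
Get-AzureRmResourceGroup -Name $AutomationAccountResourceGroup |
    Get-AzureRmAutomationAccount |
    Get-AzureRmAutomationWebhook |
    ForEach-Object {
        if (-not $_.ExpiryTime) { return }

        # ExpiryTime exposes .UtcDateTime (a DateTimeOffset); it is converted
        # to Central time before being truncated to a calendar day.
        # NOTE(review): $CurrentDate / $ExpirationDate use the sandbox's local
        # clock, so a webhook near a day boundary can be bucketed differently
        # from vault items — confirm, or compare everything in UTC.
        $cstzone = [System.TimeZoneInfo]::FindSystemTimeZoneById("Central Standard Time")
        $csttime = [System.TimeZoneInfo]::ConvertTimeFromUtc($_.ExpiryTime.UtcDateTime, $cstzone)
        $webhkExpiration = Get-Date $csttime -Format yyyyMMdd

        # Outside the look-ahead window: nothing to report.
        if ($ExpirationDate -le $webhkExpiration) { return }

        $record = New-Object PSObject -Property @{
            Name           = $_.Name
            Category       = $null
            ServiceName    = $_.AutomationAccountName + "\" + $_.RunbookName
            ExpirationDate = $_.ExpiryTime
        }

        if ($CurrentDate -lt $webhkExpiration) {
            $record.Category = 'WebHookNearExpiration'
            $script:NearExpirationSecrets += $record
        }
        elseif ($CurrentDate -eq $webhkExpiration) {
            $record.Category = 'WebHookExpiringToday'
            $script:ExpiredSecretsToday += $record
        }
        else {
            # Previously labelled 'WebHookNearExpiration' too; expired
            # webhooks now get their own category.
            $record.Category = 'WebHookExpired'
            $script:ExpiredSecrets += $record
        }
    }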

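#######################################
# Render one bucket as a single report line: "<Label>:[TotalCount: N]" followed
# by one "[Name:… ExpDate:…]" entry per item. Only names and dates are emitted.
# Arguments:
#   -Label  prefix for the line
#   -Items  the bucket to render (may be empty)
# Outputs: the formatted line on stdout
#######################################
function Format-ExpiryBucket {
    param(
        [string]$Label,
        [object[]]$Items
    )
    # Count is taken from the bucket being rendered; the near-expiration line
    # previously reported the "today" bucket's count.
    $line = "${Label}:[TotalCount: $($Items.Count)]"
    foreach ($item in $Items) {
        $line += "[Name:" + $item.Name + " ExpDate:" + $item.ExpirationDate + "]"
    }
    return $line
}

# Already-expired items were collected but never reported; they are the most
# urgent finding, so they are now included and also trigger the failure.
if ($ExpiredSecrets.Count -gt 0 -or $ExpiredSecretsToday.Count -gt 0 -or $NearExpirationSecrets.Count -gt 0) {
    $report = @(
        (Format-ExpiryBucket -Label 'SecretExpired'        -Items $ExpiredSecrets),
        (Format-ExpiryBucket -Label 'SecretExpiringToday'  -Items $ExpiredSecretsToday),
        (Format-ExpiryBucket -Label 'SecretNearExpiration' -Items $NearExpirationSecrets)
    ) -join "`r`n"

    # One pre-built string: `Write-Output $a + "x" + $b` would have emitted
    # the '+' tokens as separate arguments rather than concatenating.
    Write-Output $report

    # Failing the job on purpose lets the Automation job status drive an alert.
    throw $report
}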

       
 
