SubscriptionSecurity/RBAC.ps1
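Set-StrictMode -Version Latest

function Set-AzSDKSubscriptionRBAC
{
    <#
    .SYNOPSIS
    This command sets up centrally-required RBAC for a given Subscription
    .DESCRIPTION
    This command sets up centrally-required RBAC for a given Subscription.
    The subscription's mandatory tags (from the AzSDK configuration) are always
    processed; any tags passed via -Tags are processed in addition to them.
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER Tags
    Tag names for processing specific policies. Comma separated values are supported.
    .PARAMETER Force
    Apply RBAC forcefully regardless of latest RBAC already present on subscription.
    .PARAMETER DoNotOpenOutputFolder
    Do not open the output folder containing the security evaluation report.
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    Param(
        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to apply RBAC forcefully regardless of latest RBAC already present on subscription.")]
        $Force,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        $DoNotOpenOutputFolder
    )
    Begin
    {
        # Command bookkeeping and event listeners are handled by the framework helpers.
        # NOTE(review): $DoNotOpenOutputFolder is not referenced in this function body;
        # presumably CommandHelper reads it from the invocation - confirm.
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }
    Process
    {
        try
        {
            # Mandatory tags from central configuration are always included;
            # caller-supplied tags are appended after them.
            $modifiedTags = [string]::Join(",", [ConfigurationManager]::GetAzSdkConfigData().SubscriptionMandatoryTags);
            if (-not [string]::IsNullOrWhiteSpace($Tags))
            {
                $modifiedTags = $modifiedTags + "," + $Tags;
            }

            $rbac = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $modifiedTags);
            if ($rbac)
            {
                # Fix: -Force was declared but never forwarded, so the switch had no effect.
                # Remove-AzSDKSubscriptionRBAC sets the same property; assumes SetRBACAccounts
                # honors it the same way RemoveRBACAccounts does - verify in the RBAC class.
                $rbac.Force = $Force.IsPresent;
                return $rbac.InvokeFunction($rbac.SetRBACAccounts);
            }
        }
        catch
        {
            # Framework-level error reporting; exceptions are published, not rethrown.
            [EventBase]::PublishGenericException($_);
        }
    }
    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}

function Remove-AzSDKSubscriptionRBAC
{
    <#
    .SYNOPSIS
    This command clears RBAC set up using the Set-AzSDKSubscriptionRBAC command. It always removes any deprecated accounts on the subscription.
    .DESCRIPTION
    This command clears RBAC set up using the Set-AzSDKSubscriptionRBAC command. It always removes any deprecated accounts on the subscription.
    Any required central accounts can be removed only if 'mandatory' tag is specified.
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER Tags
    Tag names for processing specific policies. Comma separated values are supported.
    .PARAMETER DoNotOpenOutputFolder
    Do not open the output folder containing the security evaluation report.
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        $DoNotOpenOutputFolder
    )
    Begin
    {
        # NOTE(review): $DoNotOpenOutputFolder is not referenced in this function body;
        # presumably CommandHelper reads it from the invocation - confirm.
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }
    Process
    {
        try
        {
            # Unlike Set-AzSDKSubscriptionRBAC, mandatory tags are NOT added here:
            # central accounts are only removed when the caller explicitly passes that tag.
            $rbac = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $Tags);
            if ($rbac)
            {
                # Removal is always forced; there is no -Force switch on this command.
                $rbac.Force = $true;
                return $rbac.InvokeFunction($rbac.RemoveRBACAccounts);
            }
        }
        catch
        {
            [EventBase]::PublishGenericException($_);
        }
    }
    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}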