SVT/SVT.ps1
Set-StrictMode -Version Latest function Get-AzSDKAzureServicesSecurityStatus { <# .SYNOPSIS This command would help in validating the security controls for the Azure resources meeting the specified input criteria. .DESCRIPTION This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance. Refer https://aka.ms/azsdkdocs for more information .PARAMETER SubscriptionId Subscription id for which the security evaluation has to be performed. .PARAMETER ResourceGroupNames ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER ResourceType Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported types. .PARAMETER ResourceTypeName Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported values. .PARAMETER ResourceName Gets a resource with the specified name. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER Tag The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}. .PARAMETER TagName The name of the tag to query for Azure resource. .PARAMETER TagValue The value of the tag to query for Azure resource. .PARAMETER FilterTags Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER ExcludeTags Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER AttestControls Enables users to attest controls with proper justification .PARAMETER DoNotOpenOutputFolder Switch to specify whether to open output folder containing all security evaluation report or not. .PARAMETER GeneratePDF Enables users to generate PDF file for reports. .NOTES This command helps the application team to verify whether their Azure resources are compliant with the security guidance or not .LINK https://aka.ms/azsdkdocs #> [OutputType([String])] Param ( [string] [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")] [ValidateNotNullOrEmpty()] $SubscriptionId, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceGroupNames, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported types.")] $ResourceType, [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported values.")] [ResourceTypeName] $ResourceTypeName = [ResourceTypeName]::All, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Gets a resource with the specified name. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceName, [Hashtable] [Parameter(Mandatory = $true, ParameterSetName = "TagHashset", HelpMessage = "The tag filter for Azure resource. The expected format is @{tagName1=`$null} or @{tagName = 'tagValue'; tagName2='value1'}.")] $Tag, [string] [Parameter(Mandatory = $true, ParameterSetName = "TagName", HelpMessage = "The name of the tag to query for Azure resource.")] $TagName, [string] [Parameter(Mandatory = $true, ParameterSetName = "TagName", HelpMessage = "The value of the tag to query for Azure resource.")] $TagValue, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")] $ControlIds, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")] $FilterTags, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")] $ExcludeTags, [AttestControls] [Parameter(Mandatory = $false, HelpMessage = "Enables users to attest controls with proper justification.")] $AttestControls = [AttestControls]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")] $DoNotOpenOutputFolder, [GeneratePDF] [Parameter(Mandatory = $false, HelpMessage = "Enables users to generate PDF file for reports.")] $GeneratePDF = [GeneratePDF]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to run scan under transactional mode. This will run store intermittent scan progress to Storage and resume scan if something breaks inbetween in next run.")] $UsePartialCommits, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify to run scan with baseline controls.")] $UseBaselineControls, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to generate script to fix the control or not.")] $GenerateFixScript ) Begin { [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation); [ListenerHelper]::RegisterListeners(); } Process { try { $resolver = [SVTResourceResolver]::new($SubscriptionId, $ResourceGroupNames); $resolver.ResourceName = $ResourceName; $resolver.ResourceType = $ResourceType; $resolver.ResourceTypeName = $ResourceTypeName; $resolver.Tag = $Tag; $resolver.TagName = $TagName; $resolver.TagValue = $TagValue; $secStatus = [ServicesSecurityStatus]::new($SubscriptionId, $PSCmdlet.MyInvocation, $resolver); if ($secStatus) { # Just copy all the tags without validation. Validation will be done internally $secStatus.FilterTags = $FilterTags; $secStatus.ExcludeTags = $ExcludeTags; $secStatus.ControlIds += $ControlIds; $secStatus.AttestControls = $AttestControls; $secStatus.GenerateFixScript = $GenerateFixScript; return $secStatus.EvaluateControlStatus(); } } catch { [EventBase]::PublishGenericException($_); } } End { [ListenerHelper]::UnregisterListeners(); } } function Get-AzSDKSubscriptionSecurityStatus { <# .SYNOPSIS This command would help in validating the security controls for the Azure Subscription meeting the specified input criteria. .DESCRIPTION This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance. Refer https://aka.ms/azsdkdocs for more information .PARAMETER SubscriptionId Subscription id for which the security evaluation has to be performed. .PARAMETER FilterTags Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER ExcludeTags Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER AttestControls Enables users to attest controls with proper justification .PARAMETER DoNotOpenOutputFolder Switch to specify whether to open output folder containing all security evaluation report or not. .PARAMETER GeneratePDF Enables users to generate PDF file for reports. .NOTES This command helps the application team to verify whether their Azure subscription are compliant with the security guidance or not .LINK https://aka.ms/azsdkdocs #> [OutputType([String])] Param ( [Parameter(Mandatory = $True, HelpMessage = "Subscription id for which the security evaluation has to be performed.")] [string] [ValidateNotNullOrEmpty()] $SubscriptionId, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")] $ControlIds, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")] $FilterTags, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")] $ExcludeTags, [ValidateSet("All","AlreadyAttested","NotAttested")] [Parameter(Mandatory = $false, HelpMessage = "Enables users to attest controls with proper justification.")] $AttestControls = [AttestControls]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")] $DoNotOpenOutputFolder, [GeneratePDF] [Parameter(Mandatory = $false, HelpMessage = "Enables users to generate PDF file for reports.")] $GeneratePDF = [GeneratePDF]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify to run scan with baseline controls.")] $UseBaselineControls, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to generate script to fix the control or not.")] $GenerateFixScript ) Begin { [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation); [ListenerHelper]::RegisterListeners(); } Process { try { $sscore = [SubscriptionSecurityStatus]::new($SubscriptionId, $PSCmdlet.MyInvocation); if ($sscore) { # Just copy all the tags without validation. Validation will be done internally $sscore.FilterTags = $FilterTags; $sscore.ExcludeTags = $ExcludeTags; $sscore.ControlIds += $ControlIds; $sscore.AttestControls = $AttestControls; $sscore.GenerateFixScript = $GenerateFixScript; return $sscore.EvaluateControlStatus(); } } catch { [EventBase]::PublishGenericException($_); } } End { [ListenerHelper]::UnregisterListeners(); } } function Get-AzSDKExpressRouteNetworkSecurityStatus { <# .SYNOPSIS This command would help in validating the security controls for the ExpressRoute enabled VNet resources meeting the specified input criteria. .DESCRIPTION This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance. Refer https://aka.ms/azsdkdocs for more information .PARAMETER SubscriptionId Subscription id for which the security evaluation has to be performed. .PARAMETER ResourceGroupNames ResourceGroups which host ExpressRoute VNets. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER ResourceName ExpressRoute VNet resource name. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER FilterTags Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER ExcludeTags Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER AttestControls Enables users to attest controls with proper justification .PARAMETER DoNotOpenOutputFolder Switch to specify whether to open output folder containing all security evaluation report or not. .PARAMETER GeneratePDF Enables users to generate PDF file for reports. .NOTES This command helps the application team to verify whether their ExpressRoute enabled VNets are compliant with the security guidance or not .LINK https://aka.ms/azsdkdocs #> [OutputType([String])] Param( [string] [Parameter(Mandatory = $true, HelpMessage = "Provide the subscription id for which the security report has to be generated")] [ValidateNotNullOrEmpty()] $SubscriptionId, [string] [Parameter(Mandatory = $false, HelpMessage = "ResourceGroups which host ExpressRoute VNets. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceGroupNames, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "ExpressRoute VNet resource name. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceName, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")] $ControlIds, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")] $FilterTags, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")] $ExcludeTags, [AttestControls] [Parameter(Mandatory = $false, HelpMessage = "Enables users to attest controls with proper justification.")] $AttestControls = [AttestControls]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")] $DoNotOpenOutputFolder, [GeneratePDF] [Parameter(Mandatory = $false, HelpMessage = "Enables users to generate PDF file for reports.")] $GeneratePDF = [GeneratePDF]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to generate script to fix the control or not.")] $GenerateFixScript ) $erResourceGroups = $ResourceGroupNames; if([string]::IsNullOrEmpty($erResourceGroups)) { $erResourceGroups = [ConfigurationManager]::GetAzSdkConfigData().ERvNetResourceGroupNames } Get-AzSDKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId -ResourceGroupNames $erResourceGroups -ResourceName $ResourceName ` -ResourceTypeName ([SVTMapping]::ERvNetTypeName) -ControlIds $ControlIds -FilterTags $FilterTags -ExcludeTags $ExcludeTags -DoNotOpenOutputFolder:$DoNotOpenOutputFolder -AttestControls $AttestControls -GeneratePDF $GeneratePDF -GenerateFixScript:$GenerateFixScript } function Get-AzSDKControlsStatus { <# .SYNOPSIS This command would help in validating the security controls for the Azure resources meeting the specified input criteria. .DESCRIPTION This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance. Refer https://aka.ms/azsdkdocs for more information .PARAMETER SubscriptionId Subscription id for which the security evaluation has to be performed. .PARAMETER ResourceGroupNames ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER ResourceType Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported types. .PARAMETER ResourceTypeName Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported values. .PARAMETER ResourceName Gets a resource with the specified name. Wildcards are not permitted. By default, the command gets all resources in the subscription. .PARAMETER Tag The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}. .PARAMETER TagName The name of the tag to query for Azure resource. .PARAMETER TagValue The value of the tag to query for Azure resource. .PARAMETER FilterTags Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER ExcludeTags Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc. .PARAMETER AttestControls Enables users to attest controls with proper justification .PARAMETER DoNotOpenOutputFolder Switch to specify whether to open output folder containing all security evaluation report or not. .PARAMETER GeneratePDF Enables users to generate PDF file for reports. .NOTES This command helps the application team to verify whether their Azure resources are compliant with the security guidance or not .LINK https://aka.ms/azsdkdocs #> [OutputType([String])] Param ( [string] [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")] [ValidateNotNullOrEmpty()] $SubscriptionId, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceGroupNames, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported types.")] $ResourceType, [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSDKSupportedResourceTypes' to get the list of supported values.")] [ResourceTypeName] $ResourceTypeName = [ResourceTypeName]::All, [string] [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "Gets a resource with the specified name. Wildcards are not permitted. By default, the command gets all resources in the subscription.")] $ResourceName, [Hashtable] [Parameter(Mandatory = $true, ParameterSetName = "TagHashset", HelpMessage = "The tag filter for Azure resource. The expected format is @{tagName1=`$null} or @{tagName = 'tagValue'; tagName2='value1'}.")] $Tag, [string] [Parameter(Mandatory = $true, ParameterSetName = "TagName", HelpMessage = "The name of the tag to query for Azure resource.")] $TagName, [string] [Parameter(Mandatory = $true, ParameterSetName = "TagName", HelpMessage = "The value of the tag to query for Azure resource.")] $TagValue, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")] $ControlIds, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")] $FilterTags, [string] [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")] $ExcludeTags, [AttestControls] [Parameter(Mandatory = $false, HelpMessage = "Enables users to attest controls with proper justification.")] $AttestControls = [AttestControls]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")] $DoNotOpenOutputFolder, [GeneratePDF] [Parameter(Mandatory = $false, HelpMessage = "Enables users to generate PDF file for reports.")] $GeneratePDF = [GeneratePDF]::None, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to run scan under transactional mode. This will run store intermittent scan progress to Storage and resume scan if something breaks inbetween in next run.")] $UsePartialCommits, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify to run scan with baseline controls.")] $UseBaselineControls, [switch] [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to generate script to fix the control or not.")] $GenerateFixScript ) Begin { [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation); [ListenerHelper]::RegisterListeners(); } Process { try { $resolver = [SVTResourceResolver]::new($SubscriptionId, $ResourceGroupNames); $resolver.ResourceName = $ResourceName; $resolver.ResourceType = $ResourceType; $resolver.ResourceTypeName = $ResourceTypeName; $resolver.Tag = $Tag; $resolver.TagName = $TagName; $resolver.TagValue = $TagValue; $controlReport = [SVTStatusReport]::new($SubscriptionId, $PSCmdlet.MyInvocation, $resolver); if ($controlReport) { # Just copy all the tags without validation. Validation will be done internally $controlReport.FilterTags = $FilterTags; $controlReport.ExcludeTags = $ExcludeTags; $controlReport.ControlIds += $ControlIds; $controlReport.AttestControls = $AttestControls; $controlReport.GenerateFixScript = $GenerateFixScript; return $controlReport.EvaluateControlStatus(); } } catch { [EventBase]::PublishGenericException($_); } } End { [ListenerHelper]::UnregisterListeners(); } } |