Framework/Core/SVT/Services/Automation.ps1

Set-StrictMode -Version Latest 
class Automation: SVTBase
{       

    Automation([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): 
        Base($subscriptionId, $resourceGroupName, $resourceName) 
    { 
    }

    Automation([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
    }
    hidden [ControlResult] CheckWebhooks([ControlResult] $controlResult)
    {   
        $webhooks = Get-AzureRmAutomationWebhook -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        if(($webhooks|Measure-Object).Count -gt 0)
        {
            $controlResult.AddMessage([VerificationResult]::Verify, "Please verify below webhook(s) created for the runbooks. Remove webhook(s) which are not in use.", $webhooks)
            $controlResult.SetStateData("Webhooks", $webhooks);                      
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No webhook(s) are created for runbook(s) in this Automation account.")
        }
        return $controlResult;
    }
    hidden [ControlResult] CheckWebhookExpiry([ControlResult] $controlResult)
    {   
        $webhooks = Get-AzureRmAutomationWebhook -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        $longExpiryWebhooks = @()
        if(($webhooks|Measure-Object).Count -gt 0)
        {
            $webhooks | Where-Object{$_.IsEnabled -eq $true} | ForEach-Object{
                if(($_.ExpiryTime - $_.CreationTime).Days -gt $this.ControlSettings.Automation.WebhookValidityInDays)
                {
                    $longExpiryWebhooks += $_
                }
            }
            if($longExpiryWebhooks)
            {
                $controlResult.AddMessage([VerificationResult]::Failed, "Webhook URL must have shorter validity period (<=$($this.ControlSettings.Automation.WebhookValidityInDays) days) to prevent malicious access. Below webhook(s) URL have validity period >$($this.ControlSettings.Automation.WebhookValidityInDays) days.", $longExpiryWebhooks)
                $controlResult.SetStateData("Webhook(s) with >$($this.ControlSettings.Automation.WebhookValidityInDays) days validity", $longExpiryWebhooks);                      
            }
            else
            {
                $controlResult.VerificationResult =[VerificationResult]::Passed
            }
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No webhooks are created for runbooks in this Automation account.")
        }
        return $controlResult;
    }
    hidden [ControlResult] CheckVariables([ControlResult] $controlResult)
    {   
        $variables = Get-AzureRmAutomationVariable -AutomationAccountName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        if(($variables|Measure-Object).Count -gt 0)
        {
            $encryptedVars = @()
            $unencryptedVars = @()

            $variables | ForEach-Object{
                if($_.Encrypted)
                {
                    $encryptedVars += $_
                }
                else
                {
                    $unencryptedVars += $_
                }
            }
            if($encryptedVars)
            {
                $controlResult.AddMessage("$($encryptedVars.Count) variable(s) are encrypted in this Automation account.")
            }
            if($unencryptedVars)
            {
                $controlResult.AddMessage([VerificationResult]::Verify, "Below variable(s) are not encrypted, use encrypted variable if it contains sensitive data.", $unencryptedVars)
                $controlResult.SetStateData("Unencrypted variable(s)", $unencryptedVars);                      
            }
            else
            {
                $controlResult.VerificationResult =[VerificationResult]::Passed
            }
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No variables are present in this Automation account.")
        }
        return $controlResult;
    }
    hidden [ControlResult] CheckOMSSetup([ControlResult] $controlResult)
    {   
        $resource = Get-AzureRmResource -ResourceName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction Stop
        $resourceId = $resource.ResourceId
        $diaSettings = Get-AzureRmDiagnosticSetting -ResourceId $resourceId -ErrorAction Stop
        if((Get-Member -InputObject $diaSettings -Name WorkspaceId -MemberType Properties) -and $diaSettings.WorkspaceId -ne $null)
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "Log Analytics(OMS) is configured with this Automation account. OMS Workspace Id is given below.", $diaSettings.WorkspaceId)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, "Log Analytics(OMS) is not configured with this Automation account")
        }
        return $controlResult;
    }
    
}