SubscriptionSecurity/RBAC.ps1

Set-StrictMode -Version Latest
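function Set-AzSKSubscriptionRBAC 
{
    
    <#
    .SYNOPSIS
    This command sets up centrally-required RBAC for a given Subscription
 
    .DESCRIPTION
    This command sets up centrally-required RBAC for a given Subscription.
    The centrally-mandated tags from the AzSK configuration are always processed;
    any tags passed via -Tags are processed in addition to them, so callers cannot
    opt out of the mandatory set. Use -Force to re-apply RBAC even when the latest
    RBAC is already present on the subscription.
     
    .LINK
    https://aka.ms/azsdkossdocs
    #>

    Param(

        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string] 
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,
        
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to apply RBAC forcefully regardless of latest RBAC already present on subscription.")]
        $Force,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        $DoNotOpenOutputFolder
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
     try 
        {
            # Mandatory tags always come first; user-supplied tags are appended, never substituted.
            $modifiedTags = [string]::Join(",", [ConfigurationManager]::GetAzSdkConfigData().SubscriptionMandatoryTags);
            if(-not [string]::IsNullOrWhiteSpace($Tags))
            {
                $modifiedTags = $modifiedTags + "," +$Tags;
            }

            $rbac = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $modifiedTags);
            if ($rbac) 
            {
                # Fix: -Force was accepted but never propagated, so the documented
                # "apply regardless of current RBAC" behavior was unreachable.
                # Remove-AzSKSubscriptionRBAC sets the same property on the RBAC object.
                $rbac.Force = $Force.IsPresent;
                return $rbac.InvokeFunction($rbac.SetRBACAccounts);
            }
        }
        catch 
        {
            # Errors are published through the event pipeline rather than rethrown;
            # the caller sees no terminating error from this command.
            [EventBase]::PublishGenericException($_);
        }          
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}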

function Remove-AzSKSubscriptionRBAC 
{
    
    <#
 
    .SYNOPSIS
    Removes the RBAC assignments that Set-AzSKSubscriptionRBAC put in place. Deprecated accounts are always removed.
 
    .DESCRIPTION
    Removes the RBAC assignments that Set-AzSKSubscriptionRBAC put in place. Deprecated accounts are always removed
    from the subscription; centrally-required accounts are only removed when the 'mandatory' tag is passed in -Tags.
    The removal is always performed in Force mode, i.e. it does not skip work based on the RBAC state already present.
     
    .LINK
    https://aka.ms/azsdkossdocs
    #>

    [CmdletBinding(SupportsShouldProcess = $true)] 
    Param(

        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string] 
        [Parameter(Mandatory = $false, HelpMessage = "Provide tag names for processing specific policies. Comma separated values are supported.")]
        $Tags,
        
        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        $DoNotOpenOutputFolder
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try
        {
            $removal = [RBAC]::new($SubscriptionId, $PSCmdlet.MyInvocation, $Tags);
            if (-not $removal)
            {
                # Nothing to operate on; emit nothing, same as the original early-out.
                return;
            }

            # Removal is unconditional: do not let a cached "already latest" state short-circuit it.
            $removal.Force = $true;
            return $removal.InvokeFunction($removal.RemoveRBACAccounts);
        }
        catch
        {
            # Surface the failure via the event pipeline instead of a terminating error.
            [EventBase]::PublishGenericException($_);
        }
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}