Framework/Abstracts/AzCommandBase.ps1
|
<#
.Description # Extended base class for all classes being called from PS commands # Provides functionality to fire important events at command call #> using namespace System.Management.Automation Set-StrictMode -Version Latest class AzCommandBase: CommandBase { #Region: Properties [bool] $IsLocalComplianceStoreEnabled = $false #EndRegion #Region: Constructor AzCommandBase([string] $subscriptionId, [InvocationInfo] $invocationContext): Base($subscriptionId, $invocationContext) { [Helpers]::AbstractClass($this, [AzCommandBase]); #Validate if command is getting run with correct Org Policy $IsTagSettingRequired = $this.ValidateOrgPolicyOnSubscription($this.Force) #Validate if policy url token is getting expired $onlinePolicyStoreUrl = [ConfigurationManager]::GetAzSKSettings().OnlinePolicyStoreUrl if([Helpers]::IsSASTokenUpdateRequired($onlinePolicyStoreUrl)) { #Check if CA Setup Runbook URL token is valid and update it with local policy token $CASetupRunbookUrl = [ConfigurationManager]::GetAzSKConfigData().CASetupRunbookURL if(-not [Helpers]::IsSASTokenUpdateRequired($CASetupRunbookUrl)) { [ConfigurationManager]::GetAzSKSettings().OnlinePolicyStoreUrl = [Helpers]::GetUriWithUpdatedSASToken($onlinePolicyStoreUrl,$CASetupRunbookUrl) [AzSKSettings]::Update([ConfigurationManager]::GetAzSKSettings()) } else { [EventBase]::PublishGenericCustomMessage("Org policy settings is getting expired. Please run installer(IWR) command to update with latest policy. ", [MessageType]::Warning); } } #Validate if command has AzSK component write permission $commandMetadata= $this.GetCommandMetadata() if(([Helpers]::CheckMember($commandMetadata,"HasAzSKComponentWritePermission")) -and $commandMetadata.HasAzSKComponentWritePermission -and ($IsTagSettingRequired -or $this.Force)) { #If command is running with Org-neutral Policy or switch Org policy, Set Org Policy tag on subscription $this.SetOrgPolicyTag($this.Force) } $azskConfigComplianceFlag = [ConfigurationManager]::GetAzSKConfigData().StoreComplianceSummaryInUserSubscriptions; $localSettingComplianceFlag = [ConfigurationManager]::GetAzSKSettings().StoreComplianceSummaryInUserSubscriptions; #return if feature is turned off at server config if($azskConfigComplianceFlag -or $localSettingComplianceFlag) { $this.IsLocalComplianceStoreEnabled = $true } #clear azsk storage instance [StorageHelper]::AzSKStorageHelperInstance = $null; } #EndRegion #Function to validate Org policy on subscription based on tag present on "AzSKRG" resource group [bool] ValidateOrgPolicyOnSubscription([bool] $Force) { $AzSKConfigData = [ConfigurationManager]::GetAzSKConfigData() $tagsOnSub = [ResourceGroupHelper]::GetResourceGroupTags($AzSKConfigData.AzSKRGName) $IsTagSettingRequired = $false $commandMetadata= $this.GetCommandMetadata() if(([Helpers]::CheckMember($commandMetadata,"IsOrgPolicyMandatory")) -and $commandMetadata.IsOrgPolicyMandatory) { if($tagsOnSub) { $SubOrgTag= $tagsOnSub.GetEnumerator() | Where-Object {$_.Name -like "AzSKOrgName*"} if(($SubOrgTag | Measure-Object).Count -gt 0) { $OrgName =$SubOrgTag.Name.Split("_")[1] if(-not [string]::IsNullOrWhiteSpace($OrgName) -and $OrgName -ne $AzSKConfigData.PolicyOrgName) { if($AzSKConfigData.PolicyOrgName -eq "org-neutral") { throw [SuppressedException]::new("The current subscription has been configured with DevOps kit policy for the '$OrgName' Org, However the DevOps kit command is running with a different ('$($AzSKConfigData.PolicyOrgName)') Org policy. `nPlease review FAQ at: https://aka.ms/devopskit/orgpolicy/faq and correct this condition depending upon which context(manual,CICD,CA scan) you are seeing this error. If FAQ does not help to resolve the issue, please contact your Org policy Owner ($($SubOrgTag.Value)).",[SuppressedExceptionType]::Generic) } else { if(-not $Force) { $this.PublishCustomMessage("Warning: The current subscription has been configured with DevOps kit policy for the '$OrgName' Org, However the DevOps kit command is running with a different ('$($AzSKConfigData.PolicyOrgName)') Org policy. `nPlease review FAQ at: https://aka.ms/devopskit/orgpolicy/faq and correct this condition depending upon which context(manual,CICD,CA scan) you are seeing this error. If FAQ does not help to resolve the issue, please contact your Org policy Owner ($($SubOrgTag.Value)).",[MessageType]::Warning); $IsTagSettingRequired = $false } } } } elseif($AzSKConfigData.PolicyOrgName -ne "org-neutral"){ $IsTagSettingRequired =$true } } else { $IsTagSettingRequired = $true } } return $IsTagSettingRequired } #Function to set Org policy tag [void] SetOrgPolicyTag([bool] $Force) { try { $AzSKConfigData = [ConfigurationManager]::GetAzSKConfigData() $tagsOnSub = [ResourceGroupHelper]::GetResourceGroupTags($AzSKConfigData.AzSKRGName) if($tagsOnSub) { $SubOrgTag= $tagsOnSub.GetEnumerator() | Where-Object {$_.Name -like "AzSKOrgName*"} if( (($SubOrgTag | Measure-Object).Count -eq 0 -and $AzSKConfigData.PolicyOrgName -ne "org-neutral") -or (($SubOrgTag | Measure-Object).Count -gt 0 -and $AzSKConfigData.PolicyOrgName -ne "org-neutral" -and $AzSKConfigData.PolicyOrgName -ne $SubOrgTag.Value -and $Force)) { if(($SubOrgTag | Measure-Object).Count -gt 0) { $SubOrgTag | ForEach-Object{ [ResourceGroupHelper]::SetResourceGroupTags($AzSKConfigData.AzSKRGName,@{$_.Name=$_.Value}, $true) } } $TagName = [Constants]::OrgPolicyTagPrefix +$AzSKConfigData.PolicyOrgName $SupportMail = $AzSKConfigData.SupportDL if(-not [string]::IsNullOrWhiteSpace($SupportMail) -and [Constants]::SupportDL -eq $SupportMail) { $SupportMail = "Not Available" } [ResourceGroupHelper]::SetResourceGroupTags($AzSKConfigData.AzSKRGName,@{$TagName=$SupportMail}, $false) } } } catch{ # Exception occurred during setting tag. This is kept blank intentionaly to avoid flow break } } } |