1+ <#
2+ . SYNOPSIS
3+ Retrieve Resource Provider Types, create an assignment
4+ for the policy definition 'Allowed resource types' and
5+ pass the resourcetypes as parameter (-listOfResourceTypesAllowed)
6+ . DESCRIPTION
7+ Retrieve Resource Provider Types, create an assignment
8+ for the policy definition 'Allowed resource types' and
9+ pass the resourcetypes as parameter (-listOfResourceTypesAllowed)
10+
11+
12+ Script built with the help from a few resources:
13+ - https://stackoverflow.com/questions/49861955/list-of-all-azure-resource-types-in-azure
14+ - https://docs.microsoft.com/en-us/rest/api/resources/providers/list
15+ - https://docs.microsoft.com/en-us/rest/api/resources/providers/listattenantscope
16+ - https://docs.microsoft.com/en-us/azure/templates/microsoft.devices/iothub-allversions
17+
18+ . PARAMETER SubscriptionId
19+ Specify the subscriptionId to use
20+ . PARAMETER PolicyDefinitionId
21+ Specify the PolicyDefinitionId to use
22+ . PARAMETER PolicyAssignmentScope
23+ Specify on which resource the Policy Assignment need to apply
24+ . PARAMETER AllowedNamespace
25+ Specify the
26+
27+ . EXAMPLE
28+ .\policy-allowed_resource_type.ps1 `
29+ -SubscriptionId '8f3a8176-f66f-420c-8fce-a797ac7cde89' `
30+ -PolicyDefinitionId '/subscriptions/8f3a8176-f66f-420c-8fce-a797ac7cde89/providers/Microsoft.Authorization/policyDefinitions/8c2f213e-decf-4016-a59e-5e7ce9903075' `
31+ -PolicyAssignmentScope '/subscriptions/8f3a8176-f66f-420c-8fce-a797ac7cde89/resourceGroups/LogicApp/' `
32+ -AllowedNamespace 'Microsoft.Compute','Microsoft.Storage','Microsoft.Network'
33+
34+ . EXAMPLE
35+ .\policy-allowed_resource_type.ps1 `
36+ -SubscriptionId '8f3a8176-f66f-420c-8fce-a797ac7cde89' `
37+ -PolicyDefinitionId '/subscriptions/8f3a8176-f66f-420c-8fce-a797ac7cde89/providers/Microsoft.Authorization/policyDefinitions/8c2f213e-decf-4016-a59e-5e7ce9903075' `
38+ -PolicyAssignmentScope '/subscriptions/8f3a8176-f66f-420c-8fce-a797ac7cde89/resourceGroups/LogicApp/'
39+ . NOTES
40+ Version history
41+ 1.0.0 | 2020年05月15日 | Francois-Xavier Cat (github.com/lazywinadmin)
42+ initial version
43+
44+ TODO:
45+ - Still missing a few resource types
46+ - Microsoft.Devices
47+ - IotHubs/certificates
48+ - Microsoft.Network
49+ - virtualNetworks/taggedTrafficConsumers
50+ - Microsoft.OperationalInsight
51+ - workspaces/views
52+ - Microsoft.Web
53+ - a bunch
54+ - hostingenvironments/metricdefinitions
55+ - hostingenvironments/metrics
56+
57+ - Maybe investigate:
58+ - https://management.azure.com/providers/Microsoft.Authorization/providerOperations?api-version=2018年01月01日-preview&$expand=resourceTypes#
59+ #>
60+ 61+ [CmdletBinding ()]
62+ param (
63+ [parameter (Mandatory )]
64+ $SubscriptionId ,
65+ [parameter (Mandatory )]
66+ $PolicyDefinitionId ,
67+ [parameter (Mandatory )]
68+ $PolicyAssignmentScope ,
69+ [String []]$AllowedNamespace
70+ )
71+ try {
72+ 73+ # Select Subscription context
74+ Write-Verbose - Message " Context - Set Context to Subscription id '$SubscriptionId '"
75+ Set-AzContext - Subscription $SubscriptionId
76+ 77+ # Resource Types from Resource Provider (on subscription level)
78+ if ($AllowedNamespace ){
79+ $SubProviders = $AllowedNamespace |
80+ ForEach-Object {
81+ Write-Verbose - Message " ResourceProvider - Namespace '$ ( $_ ) ' - Retrieving ..."
82+ Get-AzResourceProvider - ProviderNamespace $_
83+ }
84+ }else {
85+ # Retrieve Providers
86+ Write-Verbose - Message " ResourceProvider - All namespaces - Retrieving ..."
87+ $SubProviders = Get-AzResourceProvider - ListAvailable
88+ }
89+ 90+ # Resource Types from Policy Aliases (on subscription level)
91+ if ($AllowedNamespace ){
92+ $AllAliases = $AllowedNamespace |
93+ ForEach-Object {
94+ Write-Verbose - Message " PolicyAliases - Namespace '$ ( $_ ) ' - Retrieving ..."
95+ Get-AzPolicyAlias - Namespace $_
96+ }
97+ 98+ }else {
99+ Write-Verbose - Message " PolicyAliases - All namespaces - Retrieving ..."
100+ $AllAliases = Get-AzPolicyAlias - ListAvailable
101+ }
102+ 103+ 104+ # Process output from ResourceProvider and PolicyAliases
105+ Write-Verbose - Message " ResourceProvider/PolicyAliases - Processing output..."
106+ $SubResourceTypes = $SubProviders |
107+ Sort-Object - property ProviderNamespace |
108+ ForEach-Object {
109+ # Capture current namespace
110+ $CurrentNamespace = $_.ProviderNamespace
111+ 112+ # Output Resource type from resource providers
113+ $_.ResourceTypes |
114+ ForEach-Object {" $CurrentNamespace /$ ( $_.ResourceTypeName ) "
115+ 116+ # Output Resource type from policy aliases
117+ $AllAliases |
118+ Where-Object {$_.Namespace -eq $CurrentNamespace }|
119+ ForEach-Object {" $ ( $_.Namespace ) /$ ( $_.ResourceType ) "
120+ }
121+ 122+ 123+ # Retrieve ResourceTypes on Tenant level
124+ Write-Verbose - Message " ResourceProvider (Tenant scope) - Retrieving current access token..."
125+ $currentAzureContext = Get-AzContext
126+ $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider ]::Instance.Profile;
127+ $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile );
128+ $token = $profileClient.AcquireAccessToken ($currentAzureContext.Subscription.TenantId ).AccessToken;
129+ 130+ # Build Invoke-RestMethod header
131+ $authHeader = @ {
132+ ' Content-type' = ' application/json'
133+ ' Authorization' = " Bearer $token "
134+ # 'ExpiresOn'=$accessToken.expires_in
135+ }
136+ 137+ # Providers - Tenant level
138+ # https://docs.microsoft.com/en-us/rest/api/resources/providers/listattenantscope
139+ 140+ if ($AllowedNamespace ){
141+ $TenantResourceTypes = $AllowedNamespace |
142+ ForEach-Object {
143+ $ResourceProvider = $_
144+ Write-Verbose - Message " ResourceProvider (Tenant scope) - Retrieving for Namespace '$ResourceProvider '..."
145+ 146+ $uri = " https://management.azure.com/providers/$ ( $ResourceProvider ) ?api-version=2019年10月01日"
147+ $result = Invoke-RestMethod - Method Get - Uri $uri - Headers $authHeader
148+ $result.resourceTypes.resourceType |
149+ ForEach-Object {" $ResourceProvider /$ ( $_ ) "
150+ }
151+ }else {
152+ Write-Verbose - Message " ResourceProvider (Tenant scope) - Retrieving all Namespaces ..."
153+ $uri = " https://management.azure.com/providers?`$ expand=resourceTypes/aliases&api-version=2019年10月01日"
154+ $result = Invoke-RestMethod - Method Get - Uri $uri - Headers $authHeader
155+ $TenantResourceTypes = $result.value |
156+ ForEach-Object {
157+ $ResourceProvider = $_.namespace
158+ $_.resourceTypes |
159+ ForEach-Object {" $ResourceProvider /$ ( $_.resourceType ) "
160+ }
161+ }
162+ 163+ Write-Verbose - Message " Processing final list..."
164+ $finalList = ($TenantResourceTypes + $SubResourceTypes )|
165+ Select-Object - Unique
166+ 167+ # $finalList=$finalList | %{
168+ # $splitted=$_ -split '\/'
169+ # if($splitted.count -gt 2){
170+ # "$($splitted[0..1] -join '/')/*"
171+ # }
172+ # else{$splitted -join '/'}
173+ # }|select -Unique
174+ 175+ # Retrieve Policy Definition
176+ Write-Verbose - Message " Policy - Retrieving Definition '$PolicyDefinitionId '..."
177+ $def = Get-AzPolicyDefinition - Id $PolicyDefinitionId
178+ 179+ # Create Policy Assignment
180+ Write-Verbose - Message " Policy - Creating assignment ..."
181+ New-AzPolicyAssignment `
182+ - Name ' testing-allowed-resource' `
183+ - Scope $PolicyAssignmentScope `
184+ - listOfResourceTypesAllowed $finalList `
185+ - PolicyDefinition $def `
186+ - OutVariable NewAssign
187+ 188+ # Remove-AzPolicyAssignment -Id $NewAssign
189+ 190+ }catch {
191+ throw $_
192+ }
0 commit comments