Modules/Scripts/Networking/AzureFirewall.ps1

<#
.Synopsis
Inventory for Azure Firewall

.DESCRIPTION
This script consolidates information for all microsoft.network/azurefirewalls and resource provider in $Resources variable.
Excel Sheet Name: AzureFirewall

.Link
https://github.com/microsoft/ARI/Modules/Networking/AzureFirewall.ps1

.COMPONENT
This powershell Module is part of Azure Resource Inventory (ARI)

.NOTES
Version: 3.5.0
First Release Date: 19th November, 2020
Authors: Claudio Merola

#>


<######## Default Parameters. Don't modify this ########>

param($SCPath, $Sub, $Intag, $Resources, $Task , $File, $SmaResources, $TableStyle, $Unsupported)

If ($Task -eq 'Processing') {

    <######### Insert the resource extraction here ########>
    $AzureFirewall = $Resources | Where-Object { $_.TYPE -eq 'microsoft.network/azurefirewalls' }
    $AzureFWPolicies = $Resources | Where-Object { $_.TYPE -eq 'microsoft.network/firewallpolicies' }
    $AzureFWPoliciesRules = $Resources | Where-Object { $_.TYPE -eq 'microsoft.network/firewallpolicies/rulecollectiongroups' }
    $AzureIPGroups = $Resources | Where-Object { $_.TYPE -eq 'microsoft.network/ipgroups' }

    if($AzureFirewall)
        {
            $tmp = @()

            foreach ($1 in $AzureFirewall) 
                { 
                    $sub1 = $SUB | Where-Object { $_.Id -eq $1.subscriptionId }
                    $data = $1.PROPERTIES
                    if ($1.zones) { $Zones = $1.zones } Else { $Zones = "Not Configured" }
                    $Threat = if($data.threatintelmode -eq 'deny'){'Alert and deny'}elseif($data.threatintelmode -eq 'alert'){'Alert only'}else{'Off'}
                    $Tags = if(![string]::IsNullOrEmpty($1.tags.psobject.properties)){$1.tags.psobject.properties}else{'0'}
                    
                    $VNETs = @()
                    $PIPs = @()
                    $PrivIPs = @()
                    Foreach($2 in $data.ipConfigurations)
                        {
                            $PIPs += $2.name
                            $VNETs += $2.properties.subnet.id.split('/')[8]
                            $PrivIPs += $2.properties.privateIPAddress
                        }
                    
                    $Policy = $AzureFWPolicies | Where-Object {$_.id -eq $data.firewallpolicy.id}
                    $Policy = if(![string]::IsNullOrEmpty($Policy)){$Policy}else{'0'}
                    $Rules = $AzureFWPoliciesRules | Where-Object {$_.id -eq $Policy.properties.rulecollectiongroups.id}
                    $Rules = if(![string]::IsNullOrEmpty($Rules)){$Rules}else{'0'}
                    $FinalPIP = if ($PIPs.count -gt 1) { $PIPs | ForEach-Object { $_ + ' ,' } }else { $PIPs }
                    $FinalPIP = [string]$FinalPIP
                    $FinalPIP = if ($FinalPIP -like '* ,*') { $FinalPIP -replace ".$" }else { $FinalPIP }
                    $FinalVNET = if ($VNETs.count -gt 1) { $VNETs | ForEach-Object { $_ + ' ,' } }else { $VNETs }
                    $FinalVNET = [string]$FinalVNET
                    $FinalVNET = if ($FinalVNET -like '* ,*') { $FinalVNET -replace ".$" }else { $FinalVNET }
                    $FinalPrivIP = if ($PrivIPs.count -gt 1) { $PrivIPs | ForEach-Object { $_ + ' ,' } }else { $PrivIPs }
                    $FinalPrivIP = [string]$FinalPrivIP
                    $FinalPrivIP = if ($FinalPrivIP -like '* ,*') { $FinalPrivIP -replace ".$" }else { $FinalPrivIP }
                    $FinalDNSServers = if ($Policy.properties.dnssettings.servers.count -gt 1) { $Policy.properties.dnssettings.servers | ForEach-Object { $_ + ' ,' } }else { $Policy.properties.dnssettings.servers }
                    $FinalDNSServers = [string]$FinalDNSServers
                    $FinalDNSServers = if ($FinalDNSServers -like '* ,*') { $FinalDNSServers -replace ".$" }else { $FinalDNSServers }

                    foreach ($CoreRule in $Rules)
                        {
                            $CoreCollections = $CoreRule.properties.rulecollections
                            $CoreCollections = if(![string]::IsNullOrEmpty($CoreCollections)){$CoreCollections}else{'0'}
                            foreach ($RuleCollection in $CoreCollections)
                                {
                                    $RuleCoreCollections = $RuleCollection.rules
                                    $RuleCoreCollections = if(![string]::IsNullOrEmpty($RuleCoreCollections)){$RuleCoreCollections}else{'0'}
                                    foreach ($Rule in $RuleCoreCollections)
                                        {
                                            $FinalProtocol = if ($Rule.ipprotocols.count -gt 1) { $Rule.ipprotocols | ForEach-Object { $_ + ' ,' } }else { $Rule.ipprotocols}
                                            $FinalProtocol = [string]$FinalProtocol
                                            $FinalProtocol = if ($FinalProtocol -like '* ,*') { $FinalProtocol -replace ".$" }else { $FinalProtocol }

                                            $FinalPort = if ($Rule.destinationports.count -gt 1) { $Rule.destinationports | ForEach-Object { $_ + ' ,' } }else { $Rule.destinationports}
                                            $FinalPort = [string]$FinalPort
                                            $FinalPort = if ($FinalPort -like '* ,*') { $FinalPort -replace ".$" }else { $FinalPort }

                                            if(![string]::IsNullOrEmpty($Rule.sourceipgroups))
                                                {
                                                    $SourceIpGroup = ($AzureIPGroups | Where-Object {$_.id -eq $Rule.sourceipgroups}).properties.ipaddresses
                                                    $SourceIP = if ($SourceIpGroup.count -gt 1) { $SourceIpGroup | ForEach-Object { $_ + ' ,' } }else { $SourceIpGroup }
                                                    $SourceIP = [string]$SourceIP
                                                    $SourceIP = if ($SourceIP -like '* ,*') { $SourceIP -replace ".$" }else { $SourceIP }
                                                    $SourceType = 'IP Group'
                                                }
                                            else
                                                {
                                                    $SourceIP = [string]$Rule.sourceaddresses
                                                    $SourceType = 'IP Address'
                                                }

                                            if(![string]::IsNullOrEmpty($Rule.destinationipgroups))
                                                {
                                                    $DestinationIpGroup = ($AzureIPGroups | Where-Object {$_.id -eq $Rule.destinationipgroups}).properties.ipaddresses
                                                    $DestinationIP = if ($DestinationIpGroup.count -gt 1) { $DestinationIpGroup | ForEach-Object { $_ + ' ,' } }else { $DestinationIpGroup }
                                                    $DestinationIP = [string]$DestinationIP
                                                    $DestinationIP = if ($DestinationIP -like '* ,*') { $DestinationIP -replace ".$" }else { $DestinationIP }
                                                    $DestionationType = 'IP Group'
                                                }
                                            elseif(![string]::IsNullOrEmpty($Rule.destinationfqdns))
                                                {
                                                    $DestinationIP = [string]$Rule.destinationfqdns
                                                    $DestionationType = 'FQDN'
                                                }
                                            else
                                                {
                                                    $DestinationIP = [string]$Rule.destinationaddresses
                                                    $DestionationType = 'IP Address'
                                                }

                                            foreach ($Tag in $Tags) {
                                                    $obj = @{
                                                        'ID'                                = $1.id;
                                                        'Subscription'                      = $sub1.Name;
                                                        'Resource Group'                    = $1.RESOURCEGROUP;
                                                        'Name'                              = $1.NAME;
                                                        'Location'                          = $1.LOCATION;
                                                        'SKU'                               = $data.sku.tier;
                                                        'Threat Intel Mode'                 = $Threat;
                                                        'Zone'                              = [string]$Zones;
                                                        'Public IP Name'                    = $FinalPIP;
                                                        'Firewall VNET'                     = $FinalVNET;
                                                        'Firewall Private IP'               = $FinalPrivIP;
                                                        'Policy Name'                       = $Policy.name;
                                                        'DNS Proxy'                         = $Policy.properties.dnssettings.enableproxy;
                                                        'DNS Servers'                       = $FinalDNSServers;
                                                        'Rule Collection Group'             = $CoreRule.name;
                                                        'Rule Collection Group Priority'    = $CoreRule.properties.priority;
                                                        'Rule Collection'                   = $RuleCollection.name;
                                                        'Rule Action'                       = $RuleCollection.action.type;
                                                        'Rule Priority'                     = $RuleCollection.priority;
                                                        'Rule Type'                         = $Rule.ruletype;
                                                        'Rule Name'                         = $Rule.name;
                                                        'Source Type'                       = $SourceType;
                                                        'Source'                            = $SourceIP;
                                                        'Protocol'                          = $FinalProtocol;
                                                        'Destination Port'                  = $FinalPort;
                                                        'Destination Type'                  = $DestionationType;
                                                        'Destination'                       = $DestinationIP;
                                                        'Resource U'                        = $ResUCount;
                                                        'Tag Name'                          = [string]$Tag.Name;
                                                        'Tag Value'                         = [string]$Tag.Value
                                                    }
                                                    $tmp += $obj
                                                    if ($ResUCount -eq 1) { $ResUCount = 0 } 
                                                }
                                        }
                                }
                        }
                }
            $tmp
        }
}
<######## Resource Excel Reporting Begins Here ########>

Else {
    <######## $SmaResources.(RESOURCE FILE NAME) ##########>

    if ($SmaResources.AzureFirewall) {

        $TableName = ('AzFirewallTable_'+($SmaResources.AzureFirewall.id | Select-Object -Unique).count)
        $condtxt = @()

        $Style = New-ExcelStyle -HorizontalAlignment Center -AutoSize -NumberFormat 0

        $Exc = New-Object System.Collections.Generic.List[System.Object]
        $Exc.Add('Subscription')
        $Exc.Add('Resource Group')
        $Exc.Add('Name')
        $Exc.Add('Location')
        $Exc.Add('SKU')
        $Exc.Add('Threat Intel Mode')
        $Exc.Add('Zone')
        $Exc.Add('Public IP Name')
        $Exc.Add('Firewall VNET')
        $Exc.Add('Firewall Private IP')
        $Exc.Add('Policy Name')
        $Exc.Add('DNS Proxy')
        $Exc.Add('DNS Servers')
        $Exc.Add('Rule Collection Group')
        $Exc.Add('Rule Collection Group Priority')
        $Exc.Add('Rule Collection')
        $Exc.Add('Rule Action')
        $Exc.Add('Rule Priority')
        $Exc.Add('Rule Type')
        $Exc.Add('Rule Name')
        $Exc.Add('Source Type')
        $Exc.Add('Source')
        $Exc.Add('Protocol')
        $Exc.Add('Destination Port')
        $Exc.Add('Destination Type')
        $Exc.Add('Destination')
        if($InTag)
            {
                $Exc.Add('Tag Name')
                $Exc.Add('Tag Value') 
            }

        $ExcelVar = $SmaResources.AzureFirewall 

        $ExcelVar | 
        ForEach-Object { [PSCustomObject]$_ } | Select-Object -Unique $Exc | 
        Export-Excel -Path $File -WorksheetName 'Azure Firewall' -AutoSize -MaxAutoSizeRows 100 -TableName $TableName -TableStyle $tableStyle -ConditionalText $condtxt -Style $Style

    }
}