Public/IaaS/vpngw/New-CmAzIaasVpnGw.ps1
|
function New-CmAzIaasVpnGw { <# .Synopsis Set Virtual private network Gateway in Azure Vnet .Description Completes the following: * This script creates Vpn Gateways in provided Vnets. * Optionally configures P2s and S2s. * Secrets and certificates are securely retrieved from Keyvault .Parameter SettingsFile File path for the settings file to be converted into a settings object. .Parameter SettingsObject Object containing the configuration values required to run this cmdlet. .Component IaaS .Example New-CmAzIaasVpnGw -SettingsFile "VpnGw.yml" .Example New-CmAzIaasVpnGw -SettingsObject $settings #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "Medium")] param( [parameter(Mandatory = $true, ParameterSetName = "Settings File Path")] [String]$SettingsFile, [parameter(Mandatory = $true, ParameterSetName = "Settings Object")] [Object]$SettingsObject ) $ErrorActionPreference = "Stop" try { if ($PSCmdlet.ShouldProcess((Get-CmAzSubscriptionName), "Set Virtual private network Gateway in Azure Vnet")) { if ($SettingsFile -and !$SettingsObject) { $SettingsObject = Get-CmAzSettingsFile -Path $SettingsFile } elseif (!$SettingsFile -and !$SettingsObject) { Write-Error "No valid input settings." -Category InvalidArgument -CategoryTargetName "SettingsObject" } $env:location = $SettingsObject.Location $SettingsObject.ResourceGroupName = (Get-CmAzService -Service $SettingsObject.ResourceGroupTag -isResourceGroup -ThrowIfUnavailable).ResourceGroupName $SettingsObject.SubscriptionID = (Get-AzSubscription).id $SettingsObject.VpnGw | ForEach-Object -Parallel { $_.VirtualNetworkName = (Get-CmAzService -Service $_.VnetTag -ThrowIfUnavailable).name $vnetObject = Get-AzVirtualNetwork -Name $_.VirtualNetworkName # Check if "GatewaySubnet Exists" Write-Verbose "Checking if 'GatewaySubnet' exists in Vnet." $gatewaySubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnetObject -ErrorAction SilentlyContinue if (!$gatewaySubnet) { Write-Verbose "GatewaySubnet not found." if (!$_.GatewaySubnetPrefix) { Write-Error "GatewaySubnet doesnt exist, please provide GatewaySubnetPrefix to create one." -TargetObject $_.GatewaySubnetPrefix } Write-Verbose "$($_.GatewaySubnetPrefix) will be used to create GatewaySubnet in Vnet" } else { Write-Verbose "GatewaySubnet Found!" $_.GatewaySubnetPrefix = "" } $_.GatewayPublicIpName = Get-CmAzResourceName ` -Resource "PublicIPAddress" ` -Architecture "IaaS" ` -Region $env:location ` -Name $_.GatewayName $_.GatewayName = Get-CmAzResourceName ` -Resource "VirtualNetworkGateway" ` -Architecture "IaaS" ` -Region $env:location ` -Name $_.GatewayName if (!$_.P2s.VpnAddressPool -or !$_.P2s.KeyVaultTag -or !$_.P2s.RootCertificateName) { Write-Verbose "P2s configuration not found." $_.P2s.VpnAddressPool = "" $_.P2s.ClientRootCertData = "" $_.P2s.RootCertificateName = "" } else { $keyVaultService = Get-CmAzService -Service $_.P2s.KeyVaultTag -ThrowIfUnavailable # This approach is because Vpn Gw expects Raw certificate data $keyVaultCertificateObject = Get-AzKeyVaultCertificate -VaultName $keyVaultService.name -Name $_.P2s.RootCertificateName $_.P2s.ClientRootCertData = [Convert]::ToBase64String($keyVaultCertificateObject.Certificate.GetRawCertData()) if (!$_.P2s.ClientRootCertData) { Write-Verbose "Certificate Not Found! P2s will not be configured." $_.P2s.VpnAddressPool = "" $_.P2s.RootCertificateName = "" $_.P2s.ClientRootCertData = "" } else { Write-Verbose "Certificate $($_.P2s.RootCertificateName) found, p2s will be configured." } } if (!$_.S2s.ClientSitePublicIP -or !$_.S2s.CidrBlocks -or !$_.S2s.KeyVaultTag ) { Write-Verbose "S2s configuration not found." $_.S2s.CidrBlocks = @() $_.S2s.ClientSitePublicIP = "" $_.S2s.SharedKey = "" } else { # This apporach is because Key vault reference cannot be used directly in Arm template because of conflict with copy # SharedKeyObject is created to resolve with CLIXML type of object created when you run Az commands. $_.S2s.SharedKey = [System.Collections.ArrayList]@() $_.S2s.SharedKeyObject = (Get-AzKeyVaultSecret -Name $_.S2s.KeyVaultSecret -VaultName (Get-CmAzService -Service $_.S2s.KeyVaultTag -ThrowIfUnavailable).name).SecretValueText $_.S2s.SharedKey.add($_.S2s.SharedKeyObject.ToString()) > $null if (!$_.S2s.SharedKey) { Write-Verbose "Secret could not be retrieved! S2s configuration will be skipped." $_.S2s.CidrBlocks = @() $_.S2s.ClientSitePublicIP = "" $_.S2s.SharedKey = "" } else { Write-Verbose "Secret '$($_.S2s.KeyVaultSecret)' was found, s2s will be configured." $_.S2s.localGatewayName = Get-CmAzResourceName ` -Resource "LocalNetworkGateway" ` -Architecture "IaaS" ` -Region $env:location ` -Name $_.GatewayName } } } New-AzResourceGroupDeployment ` -ResourceGroupName $SettingsObject.ResourceGroupName ` -TemplateFile "$PSScriptRoot\New-CmAzIaasVpnGw.json" ` -VpnGwObject $SettingsObject ` -Location $env:location ` -Verbose Write-Verbose "Finished!" } } catch { $PSCmdlet.ThrowTerminatingError($PSItem) } } |