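### Scans both ASM (classic) and ARM storage accounts, classic Service Bus namespaces
### and ARM SQL databases in the current subscription and pushes the relevant access
### keys / connection strings into Azure Key Vault as secrets.
###
### Secret names are the resource name with the environment suffix removed
### (see the *EnvRegex parameters). Key Vault accepts secret names matching
### ^[0-9a-zA-Z-]+$ only; a stripped name that violates that (e.g. contains '_'
### or becomes empty) makes Set-AzureKeyVaultSecret fail for that resource.
###
### Note on skipping items: inside ForEach-Object a 'continue' statement does not
### skip the current item, it terminates the whole pipeline. The functions below
### use 'return' for that purpose.

function Get-EnvironmentForResourceName {
    <#
    .SYNOPSIS
        Extracts the environment token (e.g. 'dev') from a resource name.
    .DESCRIPTION
        Applies $EnvironmentRegex to the name, takes its first capture group and
        returns the leading run of word characters after stripping leading
        non-word characters (so '-dev' yields 'dev'). Returns an empty string when
        the regex does not match instead of reading a stale $Matches table.
    .PARAMETER EnvironmentRegex
        Regex with one capture group isolating the environment suffix.
    .PARAMETER ResourceName
        Resource name to inspect; accepts pipeline input. The alias 'Input' keeps
        the original parameter name working; the parameter itself was renamed
        because $Input shadows PowerShell's automatic variable.
    .OUTPUTS
        System.String
    #>
    param(
        [parameter(Mandatory = $true, Position = 0)]
        [string] $EnvironmentRegex,

        [parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 1)]
        [Alias('Input')]
        [string] $ResourceName
    )

    process {
        if ($ResourceName -notmatch $EnvironmentRegex) {
            return ''
        }
        $captured = $Matches[1]
        # '\W*(\w*)' always matches (both quantifiers accept empty), so $Matches[1]
        # is defined after this call: the first word run after leading non-word chars.
        $null = $captured -match '\W*(\w*)'
        return $Matches[1]
    }
}

function Register-AzureStorage {
    <#
    .SYNOPSIS
        Stores the primary or secondary key of every storage account in scope as a
        Key Vault secret.
    .DESCRIPTION
        Classic (ASM) accounts are processed unless -ARMOnly is given; ARM accounts
        are processed always, restricted to $ResourceGroup when one is supplied.
        When $EnvironmentFilter is non-empty only accounts whose extracted
        environment equals it are registered; keys of skipped accounts are never read.
    .PARAMETER KeyVaultName
        Target Key Vault.
    .PARAMETER KeyType
        'Primary' or 'Secondary' - which account key to store.
    .PARAMETER ResourceGroup
        Optional ARM resource group restricting the ARM scan.
    .PARAMETER EnvironmentFilter
        Optional environment token; empty/unset means no filtering.
    .PARAMETER EnvironmentRegex
        Regex isolating the environment suffix of the account name; it is also
        stripped from the name to form the secret name.
    .PARAMETER ARMOnly
        Skip the classic (ASM) scan.
    #>
    param(
        [parameter(Mandatory = $true)]
        [string] $KeyVaultName,

        [parameter(Mandatory = $true)]
        [ValidateSet('Primary', 'Secondary')]
        [string] $KeyType,

        [parameter(Mandatory = $false)]
        [Microsoft.Azure.Commands.Resources.Models.PSResourceGroup] $ResourceGroup,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentFilter,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentRegex,

        [switch] $ARMOnly
    )

    # An unbound [string] parameter is '' rather than $null, so test for both.
    $filterActive = -not [string]::IsNullOrEmpty($EnvironmentFilter)

    if (-not $ARMOnly) {
        # Classic accounts: Get-AzureStorageKey exposes the keys as the
        # 'Primary' / 'Secondary' properties, which $KeyType selects directly.
        Get-AzureStorageAccount | Get-AzureStorageKey | ForEach-Object {
            if ($filterActive -and (($_.StorageAccountName | Get-EnvironmentForResourceName $EnvironmentRegex) -ne $EnvironmentFilter)) {
                return  # skip this account ('continue' would abort the pipeline)
            }
            $secretName = $_.StorageAccountName -replace $EnvironmentRegex, ''
            $null = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName `
                -SecretValue (ConvertTo-SecureString -String $_.$KeyType -AsPlainText -Force)
        }
    }

    # ARM: Get-AzureRmStorageAccountKey returns a list; index 0 is the primary key.
    # $KeyType is ValidateSet-constrained, so no other value can reach this point.
    $keyIndex = if ($KeyType -eq 'Secondary') { 1 } else { 0 }

    if ($null -eq $ResourceGroup) {
        $storageAccounts = Get-AzureRmStorageAccount
    } else {
        $storageAccounts = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroup.ResourceGroupName
    }

    $storageAccounts | ForEach-Object {
        # Filter before fetching keys so skipped accounts never have their keys retrieved.
        if ($filterActive -and (($_.StorageAccountName | Get-EnvironmentForResourceName $EnvironmentRegex) -ne $EnvironmentFilter)) {
            return
        }
        $key = (Get-AzureRmStorageAccountKey -ResourceGroupName $_.ResourceGroupName -Name $_.StorageAccountName)[$keyIndex].Value
        $secretName = $_.StorageAccountName -replace $EnvironmentRegex, ''
        $null = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName `
            -SecretValue (ConvertTo-SecureString -String $key -AsPlainText -Force)
    }
}

function Register-AzureServiceBus {
    <#
    .SYNOPSIS
        Stores the connection string of one authorization rule per classic Service
        Bus namespace as a Key Vault secret.
    .DESCRIPTION
        For every namespace the rule named $SbAccessRuleName is selected. The
        default rule, RootManageSharedAccessKey, carries full manage rights on the
        namespace; pass a narrower rule name when consumers only need listen/send.
        When $EnvironmentFilter is non-empty only namespaces whose extracted
        environment equals it are registered.
    .PARAMETER KeyVaultName
        Target Key Vault.
    .PARAMETER EnvironmentFilter
        Optional environment token; empty/unset means no filtering.
    .PARAMETER SbAccessRuleName
        Name of the authorization rule whose connection string is stored.
    .PARAMETER EnvironmentRegex
        Regex isolating the environment suffix of the namespace name; it is also
        stripped from the name to form the secret name.
    #>
    param(
        [parameter(Mandatory = $true)]
        [string] $KeyVaultName,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentFilter,

        [parameter(Mandatory = $false)]
        [string] $SbAccessRuleName = 'RootManageSharedAccessKey',

        [parameter(Mandatory = $false)]
        [string] $EnvironmentRegex
    )

    $filterActive = -not [string]::IsNullOrEmpty($EnvironmentFilter)

    Get-AzureSBNamespace |
        ForEach-Object { Get-AzureSBAuthorizationRule -Namespace $_.Name } |
        Where-Object { $_.Name -eq $SbAccessRuleName } |
        ForEach-Object {
            if ($filterActive -and (($_.Namespace | Get-EnvironmentForResourceName $EnvironmentRegex) -ne $EnvironmentFilter)) {
                return  # skip this namespace
            }
            $secretName = $_.Namespace -replace $EnvironmentRegex, ''
            $null = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName `
                -SecretValue (ConvertTo-SecureString -String $_.ConnectionString -AsPlainText -Force)
        }
}

function Register-AzureSqlDatabase {
    <#
    .SYNOPSIS
        Stores an ADO.NET connection string for every non-master ARM SQL database
        in scope as a Key Vault secret.
    .DESCRIPTION
        The stored connection string embeds the server's administrator login and
        $SqlPassword in plain text - that credential is the value being vaulted.
        With -SetSqlPassword the administrator password of each server in scope is
        reset to $SqlPassword first (once per server, even when it hosts several
        databases); -WhatIf shows which servers would be affected without changing them.
        When $EnvironmentFilter is non-empty only databases whose extracted
        environment equals it are registered.
    .PARAMETER KeyVaultName
        Target Key Vault.
    .PARAMETER SqlPassword
        Administrator password written into the connection string and, with
        -SetSqlPassword, applied to the servers.
    .PARAMETER ResourceGroup
        Optional ARM resource group restricting the scan.
    .PARAMETER EnvironmentFilter
        Optional environment token; empty/unset means no filtering.
    .PARAMETER EnvironmentRegex
        Regex isolating the environment suffix of the database name; it is also
        stripped from the name to form the secret name.
    .PARAMETER SetSqlPassword
        Reset the SQL administrator password on each server to $SqlPassword.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [parameter(Mandatory = $true)]
        [string] $KeyVaultName,

        [parameter(Mandatory = $true)]
        [string] $SqlPassword,

        [parameter(Mandatory = $false)]
        [Microsoft.Azure.Commands.Resources.Models.PSResourceGroup] $ResourceGroup,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentFilter,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentRegex,

        [switch] $SetSqlPassword
    )

    $filterActive = -not [string]::IsNullOrEmpty($EnvironmentFilter)

    if ($null -eq $ResourceGroup) {
        $rgs = Get-AzureRmResourceGroup
    } else {
        $rgs = Get-AzureRmResourceGroup -Name $ResourceGroup.ResourceGroupName
    }

    # Servers whose administrator password has already been handled in this run.
    $passwordHandled = @{}

    $rgs | Get-AzureRmSqlServer | Get-AzureRmSqlDatabase |
        Where-Object { $_.DatabaseName -ne 'master' } |
        ForEach-Object {
            if ($filterActive -and (($_.DatabaseName | Get-EnvironmentForResourceName $EnvironmentRegex) -ne $EnvironmentFilter)) {
                return  # skip this database
            }

            $server = $_ | Get-AzureRmSqlServer

            # Reset the administrator password at most once per server.
            if ($SetSqlPassword -and -not $passwordHandled.ContainsKey($server.ServerName)) {
                if ($PSCmdlet.ShouldProcess($server.ServerName, 'Set SQL administrator password')) {
                    $server | Set-AzureRmSqlServer -SqlAdministratorPassword (ConvertTo-SecureString -String $SqlPassword -AsPlainText -Force)
                }
                $passwordHandled[$server.ServerName] = $true
            }

            $connectionString = "Server=tcp:$($server.ServerName).database.windows.net; Database=$($_.DatabaseName); User ID=$($server.SqlAdministratorLogin)@$($server.ServerName); Password=$SqlPassword; Trusted_Connection=False; Encrypt=True; MultipleActiveResultSets=True;"
            $secretName = $_.DatabaseName -replace $EnvironmentRegex, ''
            $null = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $secretName `
                -SecretValue (ConvertTo-SecureString -String $connectionString -AsPlainText -Force)
        }
}

###########################################################
# Register-AzureSubscriptionInKeyVault
###########################################################
function Register-AzureSubscriptionInKeyVault {
    <#
    .SYNOPSIS
        Registers storage keys, SQL connection strings and (unless -ARMOnly)
        classic Service Bus connection strings of the current subscription in a
        Key Vault.
    .DESCRIPTION
        Orchestrates Register-AzureStorage, Register-AzureSqlDatabase and
        Register-AzureServiceBus, forwarding the environment filter and the
        per-resource-type environment regexes. $ResourceGroup may be piped in;
        the body runs once per piped resource group.
    .PARAMETER KeyVaultName
        Target Key Vault.
    .PARAMETER KeyType
        'Primary' or 'Secondary' storage account key.
    .PARAMETER SqlPassword
        SQL administrator password used in the stored connection strings.
    .PARAMETER ResourceGroup
        Optional ARM resource group restricting the storage and SQL scans.
    .PARAMETER EnvironmentFilter
        Optional environment token restricting all three scans.
    .PARAMETER StgEnvRegex
        Environment regex for storage account names (default: last three characters).
    .PARAMETER SbEnvRegex
        Environment regex for Service Bus namespace names (default: last '-' segment).
    .PARAMETER SqlEnvRegex
        Environment regex for database names (default: last '-' segment).
    .PARAMETER SbAccessRuleName
        Service Bus authorization rule whose connection string is stored.
    .PARAMETER SetSqlPassword
        Reset the SQL administrator password on each server in scope.
    .PARAMETER ARMOnly
        Skip classic (ASM) storage accounts and Service Bus namespaces.
    #>
    param(
        [parameter(Mandatory = $true, Position = 0)]
        [string] $KeyVaultName,

        [parameter(Mandatory = $true, Position = 1)]
        [ValidateSet('Primary', 'Secondary')]
        [string] $KeyType,

        [parameter(Mandatory = $true, Position = 2)]
        [string] $SqlPassword,

        [parameter(ValueFromPipeline = $true, Mandatory = $false)]
        [Microsoft.Azure.Commands.Resources.Models.PSResourceGroup] $ResourceGroup,

        [parameter(Mandatory = $false)]
        [string] $EnvironmentFilter,

        [parameter(Mandatory = $false)]
        [string] $StgEnvRegex = '(.{3})$',

        [parameter(Mandatory = $false)]
        [string] $SbEnvRegex = '(-[^-]*)$',

        [parameter(Mandatory = $false)]
        [string] $SqlEnvRegex = '(-[^-]*)$',

        [parameter(Mandatory = $false)]
        [string] $SbAccessRuleName = 'RootManageSharedAccessKey',

        [switch] $SetSqlPassword,

        [switch] $ARMOnly
    )

    # A process block is required for $ResourceGroup to be handled per pipeline item;
    # without it only the last piped object is seen.
    process {
        Register-AzureStorage -KeyVaultName $KeyVaultName -KeyType $KeyType -ResourceGroup $ResourceGroup `
            -EnvironmentFilter $EnvironmentFilter -EnvironmentRegex $StgEnvRegex -ARMOnly:$ARMOnly

        Register-AzureSqlDatabase -KeyVaultName $KeyVaultName -SqlPassword $SqlPassword -ResourceGroup $ResourceGroup `
            -EnvironmentFilter $EnvironmentFilter -EnvironmentRegex $SqlEnvRegex -SetSqlPassword:$SetSqlPassword

        if (-not $ARMOnly) {
            # Classic Service Bus namespaces are not scoped to a resource group,
            # so $ResourceGroup is not forwarded here.
            Register-AzureServiceBus -KeyVaultName $KeyVaultName -EnvironmentFilter $EnvironmentFilter `
                -SbAccessRuleName $SbAccessRuleName -EnvironmentRegex $SbEnvRegex
        }
    }
}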