AzureServicesInKeyVault.ps1
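# AzureServicesInKeyVault.ps1
#
# Copies credentials of existing Azure resources (Service Bus, SQL Database,
# Cosmos DB, Redis Cache) into Azure Key Vault secrets so that applications can
# read them from the vault instead of from configuration files.
#
# Review notes:
#  * Every cmdlet here writes *privileged* credentials (root/primary keys,
#    admin connection strings) into the target vault. Anyone with "get" secret
#    permission on that vault effectively gets full control of the resource.
#  * Optional [string] parameters bind to "" (not $null) when omitted. The
#    original filters compared against $null, which never matched, so an
#    omitted -Environment turned into the regex "-$" (names ending in '-') and
#    the SQL cmdlet always took the SA-password branch. The helpers below test
#    for an empty string instead.
#  * The literal "-Force" switch had been mangled into a non-ASCII character,
#    which made every ConvertTo-SecureString call fail to parse.

function Test-ResourceNameFilter {
    <#
    .SYNOPSIS
    Returns $true when a resource name passes the optional Environment/Regex filters.
    .DESCRIPTION
    Shared filter used by every Register-* cmdlet in this file. An empty
    Environment or Regex means "no filter". The Environment value is a literal
    suffix, so it is regex-escaped before being interpolated; Regex is the
    operator's own pattern and is used as-is.
    .PARAMETER Name
    Resource name to test.
    .PARAMETER Environment
    Optional. Name must end with '-<Environment>'.
    .PARAMETER Regex
    Optional. Name must match this regular expression.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $Name,
        [string] $Environment,
        [string] $Regex
    )

    if (-not [string]::IsNullOrEmpty($Environment)) {
        $suffix = '-' + [regex]::Escape($Environment) + '$'
        if ($Name -notmatch $suffix) { return $false }
    }
    if (-not [string]::IsNullOrEmpty($Regex)) {
        if ($Name -notmatch $Regex) { return $false }
    }
    return $true
}

function ConvertTo-KeyVaultSecretName {
    <#
    .SYNOPSIS
    Derives the key vault secret name from a resource name.
    .DESCRIPTION
    Strips the trailing '-<environment>' segment (everything after the last
    '-'). A name with no '-' is returned unchanged; the original code called
    String.Remove(-1) in that case and threw.
    NOTE(review): Key Vault only accepts secret names made of letters, digits
    and '-'. Resource names that contain other characters (e.g. '_') will be
    rejected by Set-AzureKeyVaultSecret; this helper does not sanitize them.
    .PARAMETER ResourceName
    Azure resource name (namespace, account or cache name).
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $ResourceName
    )

    $cut = $ResourceName.LastIndexOf('-')
    if ($cut -lt 0) { return $ResourceName }
    return $ResourceName.Remove($cut)
}

function ConvertTo-ConnectionStringValue {
    <#
    .SYNOPSIS
    Quotes a value for use inside an ADO.NET connection string when required.
    .DESCRIPTION
    A value containing ';', a quote character, or leading/trailing whitespace
    must be enclosed in double quotes with embedded double quotes doubled;
    otherwise the generated connection string is truncated or mis-parsed by
    the consumer. Plain values are returned unchanged so existing secrets keep
    their exact text.
    .PARAMETER Value
    Raw value (user name, password, ...).
    #>
    param(
        [string] $Value
    )

    if ($Value -match '[;"'']' -or $Value -ne $Value.Trim()) {
        return '"' + $Value.Replace('"', '""') + '"'
    }
    return $Value
}

function Set-PlainTextKeyVaultSecret {
    <#
    .SYNOPSIS
    Writes a plain-text value into a key vault secret.
    .DESCRIPTION
    Wraps ConvertTo-SecureString + Set-AzureKeyVaultSecret and discards the
    returned secret object so nothing with the value is emitted to the pipeline.
    The SecureString conversion is what the cmdlet API demands; it does not
    protect a value that is already sitting in memory as a .NET string.
    .PARAMETER VaultName
    Target key vault.
    .PARAMETER Name
    Secret name.
    .PARAMETER PlainText
    Secret value.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string] $VaultName,
        [Parameter(Mandatory = $true)]
        [string] $Name,
        [Parameter(Mandatory = $true)]
        [string] $PlainText
    )

    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    $null = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $secure
}

function Register-AzureServiceBusInKeyVault {
    <#
    .SYNOPSIS
    Adds Azure Service Bus connection strings as secrets to a key vault.
    .DESCRIPTION
    Scans every Service Bus namespace in the current subscription for its
    'RootManageSharedAccessKey' authorization rule and stores that rule's
    connection string as a key vault secret named after the namespace
    (trailing '-<environment>' removed).
    NOTE(review): RootManageSharedAccessKey has Manage rights on the whole
    namespace. Applications that only need Send or Listen should be given a
    scoped rule; this cmdlet copies the root rule as written.
    .PARAMETER KeyVaultName
    Key vault to write the secrets into.
    .PARAMETER Environment
    Optional. Only namespaces whose name ends in '-<Environment>' are processed.
    .PARAMETER Regex
    Optional. Only namespaces whose name matches this regular expression are processed.
    .EXAMPLE
    Register-AzureServiceBusInKeyVault -KeyVaultName "test-vault" -Environment "uat" -Regex "(esw)"
    Writes a secret to test-vault for every namespace ending in '-uat' whose name contains 'esw'.
    .NOTES
    Requires an authenticated Azure (ASM) session: Get-AzureSBNamespace /
    Get-AzureSBAuthorizationRule are classic cmdlets.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $KeyVaultName,
        [Parameter(Mandatory = $false)]
        [string] $Environment,
        [Parameter(Mandatory = $false)]
        [string] $Regex
    )

    $rootRules = Get-AzureSBNamespace |
        ForEach-Object { Get-AzureSBAuthorizationRule -Namespace $_.Name } |
        Where-Object { $_.Name -eq 'RootManageSharedAccessKey' }

    foreach ($rule in $rootRules) {
        if (-not (Test-ResourceNameFilter -Name $rule.Namespace -Environment $Environment -Regex $Regex)) {
            continue
        }
        $secretName = ConvertTo-KeyVaultSecretName -ResourceName $rule.Namespace
        # Only the secret *name* is logged; the connection string never hits the console.
        Write-Output "Pushing $($secretName) to $($KeyVaultName)"
        Set-PlainTextKeyVaultSecret -VaultName $KeyVaultName -Name $secretName -PlainText $rule.ConnectionString
    }
}

function Register-AzureSqlDatabaseInKeyVault {
    <#
    .SYNOPSIS
    Adds an Azure SQL Database connection string as a secret to a key vault.
    .DESCRIPTION
    Scans SQL databases (optionally limited to one resource group) that pass
    the Environment/Regex filters, builds a connection string for each and
    writes it to the secret 'SQLConnectionString' in the target vault.
    The credentials come either from -SqlSaPassword (server administrator
    login) or from an existing vault holding '<dbname>user' and
    '<dbname>user-pwd' secrets (dashes removed from the database name).
    NOTE(review): the secret name is fixed, so when several databases match,
    each one overwrites the previous and only the last database processed
    survives. A warning is emitted in that case; narrow the filters or run
    once per database.
    .PARAMETER KeyVaultName
    Key vault to write the secret into.
    .PARAMETER ResourceGroup
    Optional. Resource group containing the SQL server(s). Omit to scan the subscription.
    .PARAMETER Environment
    Optional. Only databases whose name ends in '-<Environment>' are processed.
    .PARAMETER Regex
    Optional. Only databases whose name matches this regular expression are processed.
    .PARAMETER SqlSaPassword
    SQL server administrator password (parameter set 'SaUser'). Passed as a
    plain string, so it is visible in shell history and process listings;
    prefer the 'KeyVaultUser' parameter set where possible.
    .PARAMETER ConfigurationKeyVaultName
    Key vault holding the per-database user name and password secrets
    (parameter set 'KeyVaultUser').
    .EXAMPLE
    Register-AzureSqlDatabaseInKeyVault -KeyVaultName "test-vault" -ResourceGroup "test-rg" -Environment "uat" -Regex "(esw)" -ConfigurationKeyVaultName "sqlkvtest"
    Writes SQLConnectionString to test-vault for the database ending in '-uat' whose name contains 'esw'.
    .NOTES
    The parameter set in use is read from $PSCmdlet.ParameterSetName; testing
    $SqlSaPassword against $null does not work because an unbound [string]
    parameter is "".
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $KeyVaultName,
        [Parameter(Mandatory = $false)]
        [string] $ResourceGroup,
        [Parameter(Mandatory = $false)]
        [string] $Environment,
        [Parameter(Mandatory = $false)]
        [string] $Regex,
        [Parameter(Mandatory = $true, ParameterSetName = 'SaUser')]
        [string] $SqlSaPassword,
        [Parameter(Mandatory = $true, ParameterSetName = 'KeyVaultUser')]
        [string] $ConfigurationKeyVaultName
    )

    if ([string]::IsNullOrEmpty($ResourceGroup)) {
        $servers = Get-AzureRmSqlServer
    } else {
        $servers = Get-AzureRmResourceGroup -Name $ResourceGroup | Get-AzureRmSqlServer
    }

    $databases = @($servers |
        Get-AzureRmSqlDatabase |
        Where-Object { $_.DatabaseName -ne 'master' } |
        Where-Object { Test-ResourceNameFilter -Name $_.DatabaseName -Environment $Environment -Regex $Regex })

    if ($databases.Count -gt 1) {
        Write-Warning "$($databases.Count) databases match; 'SQLConnectionString' in $KeyVaultName will hold only the last one."
    }

    foreach ($db in $databases) {
        $server = $db | Get-AzureRmSqlServer

        if ($PSCmdlet.ParameterSetName -eq 'SaUser') {
            $sqlUser = $server.SqlAdministratorLogin
            $sqlPwd = $SqlSaPassword
        } else {
            $userKey = "$($db.DatabaseName.Replace('-', ''))user"
            $pwdKey = "$userKey-pwd"
            $userSecret = Get-AzureKeyVaultSecret -VaultName $ConfigurationKeyVaultName -Name $userKey
            $pwdSecret = Get-AzureKeyVaultSecret -VaultName $ConfigurationKeyVaultName -Name $pwdKey
            # A missing secret used to produce a connection string with an empty
            # user/password that was silently stored; fail loudly instead.
            if (-not $userSecret -or -not $pwdSecret) {
                throw "Secrets '$userKey' and '$pwdKey' must both exist in key vault '$ConfigurationKeyVaultName'."
            }
            $sqlUser = $userSecret.SecretValueText
            $sqlPwd = $pwdSecret.SecretValueText
        }

        $userValue = ConvertTo-ConnectionStringValue -Value "$sqlUser@$($server.ServerName)"
        $pwdValue = ConvertTo-ConnectionStringValue -Value $sqlPwd
        $connectionString = "Server=tcp:$($server.ServerName).database.windows.net; Database=$($db.DatabaseName); User ID=$userValue; Password=$pwdValue; Trusted_Connection=False; Encrypt=True; MultipleActiveResultSets=True;"

        Write-Output "Pushing SQLConnectionString to $($KeyVaultName)"
        Set-PlainTextKeyVaultSecret -VaultName $KeyVaultName -Name 'SQLConnectionString' -PlainText $connectionString
    }
}

function Register-AzureCosmosDBInKeyVault {
    <#
    .SYNOPSIS
    Adds Azure Cosmos DB primary master keys as secrets to a key vault.
    .DESCRIPTION
    Lists the Cosmos DB accounts in a resource group, and for each account that
    passes the Environment/Regex filters calls the 'listKeys' resource action
    and stores 'primaryMasterKey' as a secret named after the account
    (trailing '-<environment>' removed).
    NOTE(review): the primary master key grants full read/write on the account.
    Consumers that only read should use a read-only key; this cmdlet stores the
    master key as the resource action returns it.
    .PARAMETER KeyVaultName
    Key vault to write the secrets into.
    .PARAMETER ResourceGroup
    Resource group containing the Cosmos DB accounts.
    .PARAMETER Environment
    Optional. Only accounts whose name ends in '-<Environment>' are processed.
    .PARAMETER Regex
    Optional. Only accounts whose name matches this regular expression are processed.
    .EXAMPLE
    Register-AzureCosmosDBInKeyVault -KeyVaultName "test-vault" -ResourceGroup "test-rg" -Environment "uat" -Regex "(esw)"
    Writes a secret to test-vault for every account ending in '-uat' whose name contains 'esw'.
    .NOTES
    'listKeys' is a POST action; -Force suppresses the confirmation prompt.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $KeyVaultName,
        [Parameter(Mandatory = $true)]
        [string] $ResourceGroup,
        [Parameter(Mandatory = $false)]
        [string] $Environment,
        [Parameter(Mandatory = $false)]
        [string] $Regex
    )

    $resourceType = 'Microsoft.DocumentDb/databaseAccounts'
    $accounts = Get-AzureRmResource -ResourceType $resourceType -ResourceGroupName $ResourceGroup

    foreach ($account in $accounts) {
        if (-not (Test-ResourceNameFilter -Name $account.Name -Environment $Environment -Regex $Regex)) {
            continue
        }
        $secretName = ConvertTo-KeyVaultSecretName -ResourceName $account.Name
        $keys = Invoke-AzureRmResourceAction -Action listKeys -ResourceType $resourceType `
            -ResourceGroupName $ResourceGroup -ResourceName $account.Name -Force
        Write-Output "Pushing $($secretName) to $($KeyVaultName)"
        Set-PlainTextKeyVaultSecret -VaultName $KeyVaultName -Name $secretName -PlainText $keys.primaryMasterKey
    }
}

function Register-AzureRedisCacheInKeyVault {
    <#
    .SYNOPSIS
    Adds Azure Redis Cache primary access keys as secrets to a key vault.
    .DESCRIPTION
    Lists Redis caches (optionally limited to one resource group), and for each
    cache that passes the Environment/Regex filters reads its primary access
    key and stores it as a secret named after the cache (trailing
    '-<environment>' removed).
    .PARAMETER KeyVaultName
    Key vault to write the secrets into.
    .PARAMETER ResourceGroup
    Optional. Resource group containing the caches. Omit to scan the subscription.
    .PARAMETER Environment
    Optional. Only caches whose name ends in '-<Environment>' are processed.
    .PARAMETER Regex
    Optional. Only caches whose name matches this regular expression are processed.
    .EXAMPLE
    Register-AzureRedisCacheInKeyVault -KeyVaultName "test-vault" -ResourceGroup "test-rg" -Environment "uat" -Regex "(esw)"
    Writes a secret to test-vault for every cache ending in '-uat' whose name contains 'esw'.
    .NOTES
    The stored value is the raw access key, not a connection string; the
    consumer must combine it with the host name and port itself.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $KeyVaultName,
        [Parameter(Mandatory = $false)]
        [string] $ResourceGroup,
        [Parameter(Mandatory = $false)]
        [string] $Environment,
        [Parameter(Mandatory = $false)]
        [string] $Regex
    )

    if ([string]::IsNullOrEmpty($ResourceGroup)) {
        $caches = Get-AzureRmRedisCache
    } else {
        $caches = Get-AzureRmRedisCache -ResourceGroupName $ResourceGroup
    }

    foreach ($cache in $caches) {
        if (-not (Test-ResourceNameFilter -Name $cache.Name -Environment $Environment -Regex $Regex)) {
            continue
        }
        $secretName = ConvertTo-KeyVaultSecretName -ResourceName $cache.Name
        $primaryKey = (Get-AzureRmRedisCacheKey -ResourceGroupName $cache.ResourceGroupName -Name $cache.Name).PrimaryKey
        Write-Output "Pushing $($secretName) to $($KeyVaultName)"
        Set-PlainTextKeyVaultSecret -VaultName $KeyVaultName -Name $secretName -PlainText $primaryKey
    }
}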