Merge pull request #221 from JulianHayward/mssgck
6.3.7
JulianHayward authored Jan 8, 2024
2 parents eba7689 + 3cec9da commit 4f06cc8
Showing 5 changed files with 58 additions and 50 deletions.
12 changes: 2 additions & 10 deletions README.md
@@ -78,17 +78,9 @@ The [Azure Governance Visualizer Accelerator](https://github.com/Azure/Azure-Gov

## Release history

__Changes__ (2023-Dec-17 / 6.3.6 Minor)
__Changes__ (2024-Jan-08 / 6.3.7 Minor)

* fix: processing of Service Principal names that contain special characters
* fix: RBAC reporting correct RBAC Role assignment related Policy assignment Policy definition displayName
* update ARM API-version for CostManagement. Using `2023-03-01` instead of `2019-11-01`

__Changes__ (2023-Dec-15 / 6.3.5 Minor)

* Checking if the response of the storage account properties request is a byte array (type 'byte[]') and decode it to a string
* Different handling of BOM (Byte order mark) for XML returns on storage account properties request (since Powershell version 7.4.0)
* use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.85
* fix: Ignore `ARMLocation` in case not Public Cloud (AzureCloud)

[Full release history](history.md)

4 changes: 4 additions & 0 deletions history.md
@@ -4,6 +4,10 @@

### Azure Governance Visualizer version 6

__Changes__ (2024-Jan-08 / 6.3.7 Minor)

* fix: Ignore `ARMLocation` in case not Public Cloud (AzureCloud)

__Changes__ (2023-Dec-17 / 6.3.6 Minor)

* fix: processing of Service Principal names that contain special characters
38 changes: 22 additions & 16 deletions pwsh/AzGovVizParallel.ps1
@@ -365,7 +365,7 @@ Param
$Product = 'AzGovViz',

[string]
$ProductVersion = '6.3.6',
$ProductVersion = '6.3.7',

[string]
$GithubRepository = 'aka.ms/AzGovViz',
@@ -33865,25 +33865,31 @@ Write-Host " Initialize 'AzAPICall' succeeded" -ForegroundColor Green
Write-Host " Setting `$ignoreARMLocation to `$false" -ForegroundColor Yellow
$ignoreARMLocation = $false

if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) {
Write-Host ''
Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid"
if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed
Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow
throw 'ARMLocation validation failed!'
if ($azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud') {
Write-Host " Non Public Cloud ($($azApiCallConf['htParameters'].azureCloudEnvironment)) -> Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}

if (-not $ignoreARMLocation) {
if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) {
Write-Host ''
Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid"
if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed
Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow
throw 'ARMLocation validation failed!'
}
else {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green
}
}
else {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green
Write-Host ''
Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')"
Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}
}
else {
Write-Host ''
Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')"
Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}

#EndRegion initAZAPICall

#region required AzAPICall version
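Review bot: The new cloud check at the top of the second hunk fails open: `$azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud'` is also true when the value is `$null` or empty, so `-ARMLocation` validation is skipped and the log prints `Non Public Cloud ()` even when the environment was simply not resolved. Whether AzAPICall always populates that key is not visible on this page, so I would guard it explicitly, for example `$cloudEnv = $azApiCallConf['htParameters'].azureCloudEnvironment` followed by `if (-not [string]::IsNullOrWhiteSpace($cloudEnv) -and $cloudEnv -ne 'AzureCloud') {`. With that guard an unresolved environment falls through to the existing `ARMLocations.count` check instead of bypassing it. The same block is repeated in the last hunk of pwsh/dev/devAzGovVizParallel.ps1 and should get the same change.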
52 changes: 29 additions & 23 deletions pwsh/dev/devAzGovVizParallel.ps1
@@ -365,7 +365,7 @@ Param
$Product = 'AzGovViz',

[string]
$ProductVersion = '6.3.6',
$ProductVersion = '6.3.7',

[string]
$GithubRepository = 'aka.ms/AzGovViz',
@@ -12462,7 +12462,7 @@ function processStorageAccountAnalysis {
else {
try {
# ? https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/issues/218#issuecomment-1854516882
if($saProperties.gettype().Name -eq 'Byte[]') {
if ($saProperties.gettype().Name -eq 'Byte[]') {
$byteArray = [byte[]]$saProperties
$saProperties = [System.Text.Encoding]::UTF8.GetString($byteArray)
}
@@ -12504,7 +12504,7 @@ function processStorageAccountAnalysis {

if ($listContainersSuccess -eq $true) {
# ? https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/issues/218#issuecomment-1854516882
if($listContainers.gettype().Name -eq 'Byte[]') {
if ($listContainers.gettype().Name -eq 'Byte[]') {
$byteArray = [byte[]]$listContainers
$listContainers = [System.Text.Encoding]::UTF8.GetString($byteArray)
}
@@ -29076,10 +29076,10 @@ function validateLeastPrivilegeForUser {
$uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/providers/Microsoft.Management/managementGroups/$($ManagementGroupId)/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&`$filter=principalId eq '$($azapicallConf['htParameters'].userObjectId)'"
$method = 'GET'
$getRoleAssignmentsForExecutingUserAtManagementGroupId = AzAPICall -AzAPICallConfiguration $azapicallConf -uri $uri
$nonReaderRolesAssigned = ($getRoleAssignmentsForExecutingUserAtManagementGroupId.properties.RoleDefinitionId | Sort-object -Unique).where({$_ -notlike '*acdd72a7-3385-48ef-bd42-f606fba81ae7'})
$nonReaderRolesAssigned = ($getRoleAssignmentsForExecutingUserAtManagementGroupId.properties.RoleDefinitionId | Sort-Object -Unique).where({ $_ -notlike '*acdd72a7-3385-48ef-bd42-f606fba81ae7' })
if ($nonReaderRolesAssigned.Count -gt 0) {
Write-Host "* * * LEAST PRIVILEGE ADVICE" -ForegroundColor DarkRed
Write-Host "The Azure Governance Visualizer script is executed with more permissions than required."
Write-Host '* * * LEAST PRIVILEGE ADVICE' -ForegroundColor DarkRed
Write-Host 'The Azure Governance Visualizer script is executed with more permissions than required.'
Write-Host "The executing identity '$($azapicallConf['checkContext'].Account.Id)' ($($azapicallConf['checkContext'].Account.Type)) Id: '$($azapicallConf['htparameters'].userObjectId)' has the following RBAC Role(s) assigned at Management Group scope '$ManagementGroupId':"
foreach ($nonReaderRoleAssigned in $nonReaderRolesAssigned) {
$currentTask = "Get RBAC Role definition '$nonReaderRoleAssigned'"
@@ -29090,10 +29090,14 @@ function validateLeastPrivilegeForUser {
if ($getRole.properties.roleName -eq 'owner' -or $getRole.properties.roleName -eq 'contributor') {
Write-Host " - $($getRole.properties.roleName) ($($getRole.properties.type)) !!!"
}
else{
else {
Write-Host " - $($getRole.properties.roleName) ($($getRole.properties.type))"
}
}
Write-Host "The required Azure RBAC role at Management Group scope '$ManagementGroupId' is 'Reader' (acdd72a7-3385-48ef-bd42-f606fba81ae7)."
Write-Host "Recommendation: consider executing the script in context of a Service Principal with least privilege. Review the Azure Governance Visualizer Setup Guide at 'https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/blob/master/setup.md'"
Write-Host ' * * * * * * * * * * * * * * * * * * * * * *' -ForegroundColor DarkRed
pause
Pause
}
else {
Write-Host "Azure Governance Visualizer Least Privilege check (Azure Resource side) for executing identity '$($azapicallConf['checkContext'].Account.Id)' ($($azapicallConf['checkContext'].Account.Type)) Id: '$($azapicallConf['htparameters'].userObjectId)' succeeded" -ForegroundColor Green
@@ -33863,25 +33863,31 @@ Write-Host " Initialize 'AzAPICall' succeeded" -ForegroundColor Green
Write-Host " Setting `$ignoreARMLocation to `$false" -ForegroundColor Yellow
$ignoreARMLocation = $false

if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) {
Write-Host ''
Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid"
if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed
Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow
throw 'ARMLocation validation failed!'
if ($azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud') {
Write-Host " Non Public Cloud ($($azApiCallConf['htParameters'].azureCloudEnvironment)) -> Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}

if (-not $ignoreARMLocation) {
if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) {
Write-Host ''
Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid"
if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed
Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow
throw 'ARMLocation validation failed!'
}
else {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green
}
}
else {
Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green
Write-Host ''
Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')"
Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}
}
else {
Write-Host ''
Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')"
Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow
$ignoreARMLocation = $true
}

#EndRegion initAZAPICall

#region required AzAPICall version
2 changes: 1 addition & 1 deletion version.json
@@ -1,3 +1,3 @@
{
"ProductVersion": "6.3.6"
"ProductVersion": "6.3.7"
}
