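<#
.SYNOPSIS
    Builds a CSV skeleton that maps source resource groups to (still empty) target resource groups.

.DESCRIPTION
    Collects resource group names from one of four inputs and writes one row per distinct
    name to a CSV with the columns SourceResourceGroup and TargetResourceGroup. The target
    column is left blank for the operator to fill in.

    Sources:
      - FromResourceGroups:        the resource groups of the selected subscription.
      - FromRoleAssignment:        the scopes of the role assignments on the selected subscription.
      - FromRoleAssignmentObject:  the scopes of role assignment objects passed in.
      - FromRoleAssignmentFile:    the Scope column of a role assignment CSV (no Azure sign-in needed).

    Role assignment scopes are reduced to their resource group segment, i.e. index 4 of the
    scope split on "/". Subscription-level scopes and management group scopes carry no
    resource group and are dropped. All names are lower-cased.

.PARAMETER UseResourceGroups
    Use the resource groups of the selected subscription as the source list.

.PARAMETER UseRoleAssignments
    Derive the source list from role assignment scopes instead.

.PARAMETER SubscriptionId
    Optional subscription to switch the Az context to before querying. Only honoured by the
    live-query sets (FromResourceGroups, FromRoleAssignment).

.PARAMETER RoleAssignments
    Role assignment objects (such as the output of Get-AzRoleAssignment) to read scopes from.

.PARAMETER RoleAssignmentsFile
    Comma-separated CSV of role assignments with a Scope column. Must exist and end in .csv.

.PARAMETER OutputFileName
    Path of the CSV to write. An existing file at that path is overwritten (-Force).

.OUTPUTS
    Nothing on the pipeline. Writes the mapping CSV to OutputFileName and a completion
    message to the host.

.NOTES
    Exits with code 1 when no Azure context is available, the subscription cannot be
    selected, the input cannot be read, or no resource group names were found, so that
    callers (for example a pipeline step) can detect the failure.

.EXAMPLE
    .\Create-RbacFrameworkRgMap.ps1 -UseResourceGroups -OutputFileName rg-map.csv

.EXAMPLE
    .\Create-RbacFrameworkRgMap.ps1 -UseRoleAssignments -RoleAssignmentsFile .\assignments.csv -OutputFileName rg-map.csv
#>
Param(
    [Parameter(Mandatory=$True, ParameterSetName="FromResourceGroups", Position=0)]
    [switch]$UseResourceGroups,

    [Parameter(Mandatory=$True, ParameterSetName="FromRoleAssignment", Position=0)]
    [Parameter(Mandatory=$True, ParameterSetName="FromRoleAssignmentObject", Position=0)]
    [Parameter(Mandatory=$True, ParameterSetName="FromRoleAssignmentFile", Position=0)]
    [switch]$UseRoleAssignments,

    [Parameter(Mandatory=$False, ParameterSetName="FromResourceGroups", Position=1)]
    [Parameter(Mandatory=$False, ParameterSetName="FromRoleAssignment", Position=1)]
    [ValidateNotNullOrEmpty()]
    [string]$SubscriptionId = "",

    [Parameter(Mandatory=$True, ParameterSetName="FromRoleAssignmentObject", Position=1)]
    [ValidateNotNullOrEmpty()]
    [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleAssignment[]]$RoleAssignments,

    [Parameter(Mandatory=$True, ParameterSetName="FromRoleAssignmentFile", Position=1)]
    [ValidateScript({
        # -LiteralPath so wildcard characters in the name are not expanded, and an anchored
        # '\.csv$' so only the extension is checked rather than any ".csv" inside the path.
        if ( -not (Test-Path -LiteralPath $_) ) { throw "File $_ does not exist." }
        if ( $_ -notmatch '\.csv$' ) { throw "File $_ is not a CSV file." }
        return $True
    })]
    [string]$RoleAssignmentsFile = "",

    [Parameter(Mandatory=$True, Position=2)]
    [ValidateNotNullOrEmpty()]
    [string]$OutputFileName
)

# Rows are collected in a List so each addition does not re-allocate an array (as += does).
$output = New-Object System.Collections.Generic.List[object]

# Every parameter set except the file-based one talks to Azure and therefore needs a context.
if ( $PSCmdlet.ParameterSetName -ne "FromRoleAssignmentFile" ) {
    try {
        $ctx = Get-AzContext -ErrorAction Stop
    } catch {
        $ctx = $null
    }
    # Get-AzContext may return nothing rather than throw when no account is signed in,
    # so the null case is treated the same as an exception.
    if ( -not $ctx ) {
        Write-Error "Please Connect to Azure Powershell (Connect-AzAccount) before running this script."
        exit 1
    }
    try {
        # Only switch when a different subscription was explicitly requested.
        if ( $SubscriptionId -ne "" -and $ctx.Subscription.Id -ne $SubscriptionId ) {
            $ctx = Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop
        }
    } catch {
        Write-Error "Subscription $SubscriptionId not found."
        exit 1
    }
}

if ( $PSCmdlet.ParameterSetName -eq "FromResourceGroups" ) {
    try {
        $rgs = Get-AzResourceGroup -ErrorAction Stop
    } catch {
        Write-Error "Unable to list Resource Groups in Subscription $($ctx.Subscription.Id)."
        exit 1
    }
    foreach ( $rg in $rgs ) {
        $output.Add([PSCustomObject]@{
            SourceResourceGroup = $rg.ResourceGroupName.ToLower()
            TargetResourceGroup = ""
        })
    }
} elseif ( $PSCmdlet.ParameterSetName -like "FromRoleAssignment*" ) {
    if ( $PSCmdlet.ParameterSetName -eq "FromRoleAssignment" ) {
        try {
            $assignments = Get-AzRoleAssignment -Scope "/subscriptions/$($ctx.Subscription.Id)" -ErrorAction Stop
        } catch {
            Write-Error "No Role Assignments found in Subscription $($ctx.Subscription.Id)."
            exit 1
        }
    } elseif ( $PSCmdlet.ParameterSetName -eq "FromRoleAssignmentFile" ) {
        if ( -not (Test-Path -LiteralPath $RoleAssignmentsFile) ) {
            Write-Error "File $RoleAssignmentsFile does not exist."
            exit 1
        }
        try {
            $assignments = Import-Csv -LiteralPath $RoleAssignmentsFile -Delimiter "," -ErrorAction Stop
        } catch {
            Write-Error "Unable to read Role Assignments from $RoleAssignmentsFile."
            exit 1
        }
    } elseif ( $PSCmdlet.ParameterSetName -eq "FromRoleAssignmentObject" ) {
        $assignments = $RoleAssignments
    }

    # Keep only scopes at or below a resource group:
    # "/subscriptions/<id>/resourceGroups/<rg>[/...]" splits into 5+ segments with the
    # resource group at index 4. Subscription-level scopes (3 segments) and management
    # group scopes carry no resource group and are dropped. Rows with an empty Scope
    # (possible in CSV input) are skipped instead of failing on .Split().
    $assignments = $assignments | Where-Object {
        $_.Scope -and
        $_.Scope.Split("/").Count -gt 4 -and
        $_.Scope -notlike "/providers/Microsoft.Management/*"
    }
    foreach ( $assignment in $assignments ) {
        $output.Add([PSCustomObject]@{
            SourceResourceGroup = $assignment.Scope.Split("/")[4].ToLower()
            TargetResourceGroup = ""
        })
    }
}

if ( $output.Count -gt 0 ) {
    # Select-Object -Unique collapses duplicate rows (several assignments per group).
    $output `
        | Select-Object * -Unique `
        | Sort-Object SourceResourceGroup `
        | Export-Csv -Path $OutputFileName -NoTypeInformation -Force
    Write-Host "Resource Group Mapping Complete: $OutputFileName"
} else {
    Write-Error "No Resource Group Mapping Found."
    exit 1
}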