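<#
.SYNOPSIS
    Checks that every role definition referenced by a set of RBAC role assignments
    exists at the given subscription scope.

.DESCRIPTION
    Only assignments whose Scope starts with "/subscriptions/" are examined; assignments
    at management-group or tenant scope are ignored by this script. For an assignment of
    a built-in Owner/Contributor/Reader role on a resource-level scope, the role name is
    first rewritten to "<providerNamespace>/<resourceType> <Role>" so that a
    resource-specific role can be substituted. The two map parameters then translate
    those names to the role definition names that must exist (the custom map is consulted
    before the default map). The remaining names are compared, case-insensitively, with
    the role definitions visible on the subscription.

.PARAMETER SubscriptionId
    Subscription whose role definitions are read with Get-AzRoleDefinition.

.PARAMETER RoleAssignments
    Objects exposing at least the properties Scope and RoleDefinitionName.

.PARAMETER ResourceRoleDefinitionMap
    Hashtable mapping a derived role name to the role definition name to validate.

.PARAMETER CustomResourceRoleDefinitionMap
    Same shape as ResourceRoleDefinitionMap; its entries take precedence.

.OUTPUTS
    The missing role definition names (String or String[]), or $null when every
    referenced role definition exists.

.NOTES
    Requires an authenticated Az context with permission to read role definitions on
    the subscription. If the lookup fails, the script terminates with the underlying
    error instead of reporting every role as missing.
#>
Param(
    [Parameter(Mandatory=$True)]
    [ValidateNotNullOrEmpty()]
    [String]$SubscriptionId,
    [Parameter(Mandatory=$True)]
    [Object[]]$RoleAssignments,
    [Parameter(Mandatory=$False)]
    [Hashtable]$ResourceRoleDefinitionMap = @{},
    [Parameter(Mandatory=$False)]
    [Hashtable]$CustomResourceRoleDefinitionMap = @{}
)

# A resource-level scope has the form
#   /subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}
# which splits on "/" into 9 elements (the leading "/" yields an empty first element);
# elements 6..7 are "{namespace}/{type}".
$ResourceScopeSegmentCount = 9
$BuiltInRoleNames = @("Owner", "Contributor", "Reader")

$NeededRoles = $RoleAssignments `
    | Where-Object { $_.Scope -like "/subscriptions/*" } `
    | Select-Object @{Name = "RoleDefinitionName"; Expression = {
        $Segments = $_.Scope.Split("/")
        if ( $Segments.Count -ge $ResourceScopeSegmentCount -and $_.RoleDefinitionName -in $BuiltInRoleNames ) {
            # Built-in role on a resource-level scope: derive "{namespace}/{type} {Role}"
            # so a resource-specific role definition can be looked up in the maps below.
            "$($Segments[6..7] -join "/") $($_.RoleDefinitionName)"
        } else {
            $_.RoleDefinitionName
        }
    }} -Unique `
    | Select-Object @{Name = "RoleDefinitionName"; Expression = {
        # The custom map wins over the default map; unmapped names pass through unchanged.
        if ( $_.RoleDefinitionName -in $CustomResourceRoleDefinitionMap.Keys ) {
            $CustomResourceRoleDefinitionMap[$_.RoleDefinitionName]
        } elseif ( $_.RoleDefinitionName -in $ResourceRoleDefinitionMap.Keys ) {
            $ResourceRoleDefinitionMap[$_.RoleDefinitionName]
        } else {
            $_.RoleDefinitionName
        }
    }} -Unique `
    | Sort-Object RoleDefinitionName

# Fail loudly when the definitions cannot be read (no Az context, wrong subscription,
# missing read permission). Without this, $RoleDefinitions is $null and every needed
# role is reported as missing, which hides the real cause.
$RoleDefinitions = Get-AzRoleDefinition -Scope "/subscriptions/$($SubscriptionId)" -ErrorAction Stop
if ( $null -eq $RoleDefinitions ) {
    throw "No role definitions were returned for subscription '$SubscriptionId'."
}

# Wrap in @() so .Count is reliable whether zero, one or many objects come back.
$MissingRoles = @( $NeededRoles | Where-Object { $_.RoleDefinitionName -notin $RoleDefinitions.Name } )
if ( $MissingRoles.Count -gt 0 ) {
    Write-Host "Role Definitions Missing:" -ForegroundColor Yellow
    return $MissingRoles.RoleDefinitionName
} else {
    Write-Host "Success! Role Definitions Validated!" -ForegroundColor Green
    return $null
}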