Merge pull request #936 from ronfriedner/main

improve script

Powershell scripts/Agentless Scanning CMK support/AddCmkPermissions.ps1

@@ -36,6 +36,25 @@ if (-not $PSBoundParameters.ContainsKey('DryRun')) {
     $DryRun = $false
 }
 
+# Function to apply Key Vault policy (access policies only)
+function Set-KeyVaultPolicy {
+    param(
+        [string]$KeyVaultName,
+        [string]$Subscription,
+        [string]$AppId,
+        [bool]$DryRun
+    )
+
+    Write-Output "Processing Key Vault: $KeyVaultName in subscription: $Subscription" | Green
+
+    if ($DryRun) {
+        Write-Output "DRY RUN: Would apply access policies for App ID '$AppId' to Key Vault: $KeyVaultName." | Green
+    } else {
+        Write-Output "Applying access policies for App ID '$AppId' to Key Vault: $KeyVaultName." | Green
+        az keyvault set-policy --subscription $Subscription --name $KeyVaultName --spn $AppId --key-permissions get wrapKey unwrapKey
+    }
+}
+
 function Green { process { Write-Host $_ -ForegroundColor Green } }
 function Red { process { Write-Host $_ -ForegroundColor Red } }
 
@@ -54,49 +73,54 @@ $appId = '0c7668b5-3260-4ad0-9f53-34ed54fa19b2'
 foreach ($subscription in $Subscriptions) {
     Write-Output "Processing subscription $subscription" | Green
 
-    # Step 1: Get Disk Encryption Sets (DES) from VMs
-    $vmsInSubscription = az vm list --subscription $subscription --query "[].{OsDiskDES:storageProfile.osDisk.managedDisk.diskEncryptionSet.id, DataDisksDES:storageProfile.dataDisks[].managedDisk.diskEncryptionSet.id}" --output json
-
-    # Step 2: Extract Unique DES IDs
-    $desOsIds = $vmsInSubscription | ConvertFrom-Json | ForEach-Object { $_.OsDiskDES } | Where-Object { $_ -ne $null }
-    $desDataIds = $vmsInSubscription | ConvertFrom-Json | ForEach-Object { $_.DataDisksDES } | Where-Object { $_ -ne $null }
-    $desIds = @($desOsIds + $desDataIds | Sort-Object -Unique)
+    # Get Disk Encryption Sets
+    $desIds = az disk list --subscription $subscription --query "[?encryption.diskEncryptionSetId != null].encryption.diskEncryptionSetId" --output json | ConvertFrom-Json | Sort-Object -Unique
 
     if ($desIds.count -eq 0) {
         Write-Output "No disk encryption sets found in subscription $subscription" | Green
         continue
     }
 
-    if ($ApplyAtKeyVaultLevel) {
-        # Step 3: Get Key Vaults associated with DES
-        Write-Output "Applying permissions at the Key Vault level." | Green
-        $keyVaultIds = az disk-encryption-set show --ids @desIds --query "[].activeKey.sourceVault.id || activeKey.sourceVault.id" --output json
-        $keyVaultIds = $keyVaultIds | ConvertFrom-Json | Sort-Object -Unique
+    # Get Key Vaults associated with DES
+    $keyVaultIds = az disk-encryption-set show --ids @desIds --query "[].activeKey.sourceVault.id" --output json | ConvertFrom-Json | Sort-Object -Unique
 
+    if ($ApplyAtKeyVaultLevel) {
+        $response = Read-Host "Do you want to apply access policies for all Key Vaults or one-by-one?
+        (A)ll - Apply permissions to all Key Vaults
+        (O)ne-by-one - Ask for approval for each Key Vault"
         foreach ($keyVaultId in $keyVaultIds) {
             $keyVaultName = ($keyVaultId -split '/')[-1]
             $keyVaultSubscription = ($keyVaultId -split '/')[2]
+
             Write-Output "Processing Key Vault: $keyVaultName in subscription: $keyVaultSubscription" | Green
+
+            if ($response -eq "O" -or $response -eq "o") {
+                $confirm = Read-Host "Apply permissions to $keyVaultName? (Y/N)"
+                if ($confirm -ne "Y" -and $confirm -ne "y") {
+                    Write-Output "Skipping Key Vault: $keyVaultName" | Green
+                    continue
+                }
+            }
 
             # Check if the Key Vault is RBAC or Access Policy-based
             $keyVaultProperties = az keyvault show --subscription $subscription --name $keyVaultName --query "properties" --output json | ConvertFrom-Json
             $keyVaultRbacEnabled = $keyVaultProperties.enableRbacAuthorization -eq $true
             Write-Output "Key Vault: $keyVaultName, RBAC Enabled: $keyVaultRbacEnabled" | Green
 
-            if ($DryRun) {
-                Write-Output "DryRun mode enabled. No changes will be made for Key Vault: $keyVaultName." | Green
-            } else {
-                if ($keyVaultRbacEnabled) {
+            # Apply permissions at the Key Vault level
+            if ($keyVaultRbacEnabled) {
+                if ($DryRun) {
+                    Write-Output "DRY RUN: Would apply RBAC permissions for App ID '$appId' to Key Vault: $keyVaultName." | Green
+                } else {
                     Write-Output "Applying RBAC permissions for App ID '$appId' to Key Vault: $keyVaultName." | Green
                     az role assignment create --assignee $appId --role "Key Vault Crypto Service Encryption User" --scope $keyVaultId
-                } else {
-                    Write-Output "Applying access policies for App ID '$appId' to Key Vault: $keyVaultName." | Green
-                    az keyvault set-policy --subscription $subscription --name $keyVaultName --spn $appId --key-permissions get wrapKey unwrapKey
                 }
+            } else {
+                Set-KeyVaultPolicy -KeyVaultName $keyVaultName -Subscription $subscription -AppId $appId -DryRun $DryRun
             }
         }
     } else {
-        # Step 4: Apply RBAC permissions at the subscription level (default)
+        # Apply RBAC permissions at the subscription level (default)
         Write-Output "Applying RBAC permissions at the subscription level for App ID '$appId' in subscription $subscription." | Green
 
         if ($DryRun) {
@@ -106,39 +130,53 @@ foreach ($subscription in $Subscriptions) {
             az role assignment create --assignee $appId --role "Key Vault Crypto Service Encryption User" --scope "/subscriptions/$subscription"
         }
 
-        # Step 5: Handle Access Policy Key Vaults (since RBAC does not apply to them)
-        $accessPolicyKVs = az disk-encryption-set show --ids @desIds --query "[?properties.activeKey.sourceVault.id && !properties.enableRbacAuthorization].properties.activeKey.sourceVault.id" --output json | ConvertFrom-Json | Sort-Object -Unique
+        $accessPolicyKVs = @()
+        foreach ($keyVaultId in $keyVaultIds) {
+            $keyVaultName = ($keyVaultId -split '/')[-1]
+            $keyVaultSubscription = ($keyVaultId -split '/')[2]
+
+            # Check if RBAC is enabled on the Key Vault
+            $keyVaultProperties = az keyvault show --subscription $keyVaultSubscription --name $keyVaultName --query "properties.enableRbacAuthorization" --output json | ConvertFrom-Json
+            $keyVaultRbacEnabled = $keyVaultProperties -eq $true
+
+            if (-not $keyVaultRbacEnabled) {
+                $accessPolicyKVs += $keyVaultId
+            }
+        }
 
         if ($accessPolicyKVs.Count -gt 0) {
             Write-Output "Found $( $accessPolicyKVs.Count ) Key Vault(s) using Access Policies. They need separate permission setup." | Red
 
-            if ($DryRun) {
-                Write-Output "DryRun mode enabled. No changes will be made for Access Policies Key Vaults." | Green
-            } else {
-                $response = Read-Host "Do you want to apply Key Vault permissions for access policy Key Vaults?`n
-                (A)ll - Apply permissions to all access policy Key Vaults`n
-                (O)ne-by-one - Ask for approval for each Key Vault`n
-                (N)o - Skip access policy Key Vaults"
-
-                if ($response -eq "A" -or $response -eq "a") {
-                    foreach ($kvId in $accessPolicyKVs) {
-                        Write-Output "Applying permissions to $kvId" | Green
-                        az keyvault set-policy --subscription $subscription --name ($kvId -split '/')[-1] --spn $appId --key-permissions get wrapKey unwrapKey
-                    }
-                } elseif ($response -eq "O" -or $response -eq "o") {
-                    foreach ($kvId in $accessPolicyKVs) {
-                        $confirm = Read-Host "Apply permissions to $kvId? (Y/N)"
-                        if ($confirm -eq "Y" -or $confirm -eq "y") {
-                            Write-Output "Applying permissions to $kvId" | Green
-                            az keyvault set-policy --subscription $subscription --name ($kvId -split '/')[-1] --spn $appId --key-permissions get wrapKey unwrapKey
-                        }
+            $response = Read-Host "Do you want to apply Key Vault permissions for access policy Key Vaults?
+            (A)ll - Apply permissions to all access policy Key Vaults
+            (O)ne-by-one - Ask for approval for each Key Vault
+            (N)o - Skip access policy Key Vaults"
+
+            if ($response -eq "N" -or $response -eq "n") {
+                Write-Output "Skipping all access policy Key Vaults." | Green
+                return
+            }
+
+            foreach ($kvId in $accessPolicyKVs) {
+                $kvName = ($kvId -split '/')[-1] 
+                Write-Output "Processing Key Vault: $kvName" | Green
+
+                if ($response -eq "O" -or $response -eq "o") {
+                    $confirm = Read-Host "Apply permissions to $kvName? (Y/N)"
+                    if ($confirm -ne "Y" -and $confirm -ne "y") {
+                        Write-Output "Skipping Key Vault: $kvName" | Green
+                        continue
                     }
+                }
+
+                if ($DryRun) {
+                    Write-Output "DryRun mode enabled. No changes will be made for key vault: $keyVaultName." | Green
                 } else {
-                    Write-Output "Skipping access policy Key Vaults." | Green
+                    Set-KeyVaultPolicy -KeyVaultName $kvName -Subscription $subscription -AppId $appId -DryRun $DryRun
                 }
             }
         }
     }
 }
 
-Write-Output "Script execution complete." | Green
+Write-Output "Script execution complete." | Green