<#
.DESCRIPTION
An example runbook which illustrates how you can use an Azure Policy plus some automation to enforce correct resource tags.
.NOTES
AUTHOR: Cary Roys
LASTEDIT: September 22, 2022
#>
import-module Az.ResourceGraph
import-module Az.Resources
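# Automation connection asset holding the Run As service principal (tenant id,
# application id, certificate thumbprint). Only the thumbprint is read here; the
# certificate itself stays inside the Automation account.
# NOTE(review): Run As accounts are a retired Automation feature; a managed identity
# (Connect-AzAccount -Identity) removes the certificate-rotation burden. Confirm the
# auth model of the target Automation account before reusing this block.
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    # Connect-AzAccount is the canonical cmdlet (Add-AzAccount is its alias).
    # -ErrorAction Stop turns a non-terminating login failure into an exception so the
    # catch below runs instead of the runbook continuing unauthenticated.
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
        -ErrorAction Stop
}
catch {
    # No connection object means Get-AutomationConnection failed: the asset is missing.
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        # The asset exists but the login itself failed: surface the real exception.
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}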
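# Subscription this runbook is allowed to remediate. Everything below writes tags
# across it, so scope the service principal's role assignment to this subscription
# (Tag Contributor plus read access is enough for what follows; avoid Contributor).
# NOTE(review): consider moving the literal into an Automation variable
# (Get-AutomationVariable) so the runbook can be reused across environments.
$subscriptionID = "e36582a6-9e0c-4644-9b78-592ffe29a705"
# Fail closed: if the context switch does not take effect the runbook would otherwise
# keep running in the service principal's default subscription and tag the wrong resources.
$context = Set-AzContext -Subscription $subscriptionID -ErrorAction Stop
if ($null -eq $context -or $context.Subscription.Id -ne $subscriptionID)
{
    throw "Failed to switch Azure context to subscription $subscriptionID."
}
# Tag-value normalisation table: current value -> canonical ApplicationName value.
# A PowerShell hashtable literal is case-insensitive, so "Test" and "test" are one key.
$valueMap = @{}
#populate our tag value mappings to fix. Include good ones here too, since every iteration will rewrite stuff.
$valueMap["asdf"] = "CaryApp"
$valueMap["AnotherTest"] = "CaryApp2"
$valueMap["Test"] = "CaryApp"
$valueMap["test"] = "CaryApp"
$valueMap["testing4"] = "CaryApp"
$valueMap["CaryApp"] = "CaryApp"
# NOTE(review): "CaryApp2" -> "CaryApp" is not an identity mapping, so a value that
# "AnotherTest"/"blhblah" were just normalised to (CaryApp2) is rewritten to CaryApp
# on the following run. Confirm whether that consolidation is intended.
$valueMap["CaryApp2"] = "CaryApp"
$valueMap["blhblah"] = "CaryApp2"
# Canonical tag name the policy assignment requires.
$GoodName = "ApplicationName"
# All the bad permutations for a tag name we want to fix up
# (-contains compares case-insensitively, so e.g. "appname" also matches "AppName").
$possibleTags = @("application name","Application name","Application Name","Application name", "AppName")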
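# Resolve the policy *definition* id behind the assignment named below, so the
# violations query is keyed on the definition rather than on a display name.
$getpolicyId = @'
policyresources
| where kind == "policyassignments"
| where properties.displayName == "Require an ApplicationName tag on resources"
| extend policyDefinitionId = properties.policyDefinitionId
'@
$policyId = @((search-azgraph -Query $getpolicyId -ErrorAction Stop).policyDefinitionId | Select-Object -Unique)
# Validate the value before it is spliced into the next query string: no match would
# silently remediate nothing, and several distinct definitions would yield a query
# that also matches nothing. The id is an ARM resource path, so a quote character in
# it is unexpected and is rejected rather than interpolated into the KQL.
if ($policyId.Count -ne 1 -or [string]::IsNullOrWhiteSpace($policyId[0]) -or $policyId[0] -match '"')
{
    throw "Expected exactly one policy definition id for the assignment, got: $($policyId -join ', ')"
}
$policyId = [string]$policyId[0]
# Policy-state rows (everything in policyresources that is not an assignment) for that
# definition; properties.resourceId is the resource each state refers to.
# NOTE(review): there is no complianceState filter, so compliant resources are visited
# and rewritten as well. Add `| where properties.complianceState == "NonCompliant"` if
# only violations should be touched.
$getpolicyViolations = @'
policyresources
| where kind != "policyassignments"
| extend resourceId = properties.resourceId
'@
$getpolicyViolations += "`n| where properties.policyDefinitionId =~ `"$policyId`""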
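# Walk every policy-state row and rebuild the resource's tag set so the ApplicationName
# tag exists under its canonical name with a canonical value.
# Search-AzGraph returns 100 rows by default; -First 1000 is the per-call maximum.
# NOTE(review): rows beyond 1000 are silently not visited — page with -SkipToken if
# the subscription is larger than that.
foreach($resource in (search-azgraph -Query $getpolicyViolations -First 1000))
{
    $resourceId = $resource.properties.resourceId
    $bFoundName = $false
    # Replacement tag set for this resource. It starts empty because New-AzTag
    # -ResourceId replaces the whole set; that is what drops the misspelled keys.
    $tagscol = @{}
    try
    {
        $tags = Get-AzTag -ResourceId $resourceId -ErrorAction Stop
    }
    catch
    {
        Write-Error -Message "Could not read tags for $resourceId`: $($_.Exception.Message)"
        continue
    }
    if($null -ne $tags.Properties.TagsProperty)
    {
        foreach($tag in $tags.Properties.TagsProperty.GetEnumerator())
        {
            if($tag.Key -like $GoodName -or $possibleTags -contains $tag.Key)
            {
                # Normalise the value. Previously a value absent from $valueMap became
                # $null and wiped the tag; keep the original value instead and say so.
                if ($null -ne $tag.Value -and $valueMap.ContainsKey($tag.Value))
                {
                    $tagscol[$GoodName] = $valueMap[$tag.Value]
                }
                else
                {
                    Write-Warning "No mapping for $GoodName value '$($tag.Value)' on $resourceId; keeping it as-is."
                    $tagscol[$GoodName] = $tag.Value
                }
                $bFoundName = $true
            }
            else
            {
                # Unrelated tag: carry it over unchanged.
                $tagscol[$tag.Key] = $tag.Value
            }
        }
    }
    if($bFoundName)
    {
        # One write per resource, after the whole set is assembled. The original wrote
        # inside the tag loop, so an early call replaced the resource's tags with a
        # partial set (and a failure mid-loop would have left it that way).
        try
        {
            New-AzTag -Tag $tagscol -ResourceId $resourceId -ErrorAction Stop
        }
        catch
        {
            # Keep going: one resource failing should not abort the whole run.
            Write-Error -Message "Failed to write tags on $resourceId`: $($_.Exception.Message)"
        }
    }
    else
    {
        Write-Host "No tag mappable to ApplicationName was found! See resourceID: $resourceId"
        #Do stuff. Probably log it somewhere, or trigger an action
    }
}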