From 41040e78b2e827651e34187d4824df6325420364 Mon Sep 17 00:00:00 2001
From: Brunoga-MS
Date: Fri, 11 Oct 2024 13:14:23 +0200
Subject: [PATCH 1/4] Created a new remediation script that will work with sovereign clouds
---
 .../scripts/Start-AMBA-ALZ-Remediation.ps1 | 228 ++++++++++++++++++
 1 file changed, 228 insertions(+)
 create mode 100644 patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
diff --git a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
new file mode 100644
index 000000000..87db9feb2
--- /dev/null
+++ b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
@@ -0,0 +1,228 @@ +# The below copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +<# + .DESCRIPTION + This script is used to trigger remediation on a specific policy or policy set at management group scope. + It first calls the Azure REST API to get the policy assignments in the management group scope, then it iterates through the policy assignments, checking by name whether it's a policy set or an individual policy. + Depending on the result the script will either enumerate the policy set and trigger remediation for each individual policy in the set or trigger remediation for the individual policy. + + .LINK + https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/deploy/Remediate-Policies/ + + .PARAMETER -azureEnvironment + The Azure environment the customer is using. This parameter only allows for hard-coded values corresponding to the ppublic and sovereign clouds available today. + + .PARAMETER managementGroupName + The management group name where the policy assignments are located. + + .PARAMETER policyName + The name of the policy or policy set to remediate. 
+ + .EXAMPLE + Modify the following variables to match your environment: + + $pseudoRootManagementGroup = "The pseudo root management group id parenting the Platform and Landing Zones management groups" + $identityManagementGroup = "The management group id for Identity" + $managementManagementGroup = "The management group id for Management" + $connectivityManagementGroup = "The management group id for Connectivity" + $LZManagementGroup = "The management group id for Landing Zones" + + Run the following commands to initiate remediation: + + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM + 
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web + +#> + +# The following SuppressMessageAttribute entries are used to surpress PSScriptAnalyzer tests against known exceptions as per: +# https://github.com/powershell/psscriptanalyzer#suppressing-rules +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'False positive')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification = 'False positive')] +[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '', Justification = 'Approved verbs are not available for this scenario')] + +Param( + [Parameter(Mandatory = $true)] [ValidateSet("AzureCloud", "AzureUSGovernment", "AzureChinaCloud", IgnoreCase = $true)] [string] $azureEnvironment, + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [string] $policyName +) + +#region general functions + +# Function to trigger remediation for a single policy +Function Start-PolicyRemediation { + Param( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [string] $policyAssignmentName, + [Parameter(Mandatory = $true)] [string] $polassignId, + [Parameter(Mandatory = $false)] [string] $policyDefinitionReferenceId + ) + $guid = New-Guid + + # Create remediation for the individual policy + $uri = 
"https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.PolicyInsights/remediations/$($policyName)-$($guid)?api-version=2021-10-01" + $body = @{ + properties = @{ + policyAssignmentId = "$polassignId" + } + } + if ($policyDefinitionReferenceId) { + $body.properties.policyDefinitionReferenceId = $policyDefinitionReferenceId + } + $body = $body | ConvertTo-Json -Depth 10 + Invoke-AzRestMethod -Uri $uri -Method PUT -Payload $body +} + +#Function to get the policy assignments in the management group scope +function Get-PolicyType { + Param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [string] $policyName + ) + + # Validate that the management group exists through the Azure REST API + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)?api-version=2021-04-01" + $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 + if ($result.error) { + throw "Management group $managementGroupName does not exist, please specify a valid management group name" + } + + # Getting custom policySetDefinitions + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policySetDefinitions?&api-version=2023-04-01" + $initiatives = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 + + # Get policy assignments at management group scope + $assignmentFound = $false + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policyAssignments?`$filter=atScope()&api-version=2022-06-01" + $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 + + # Iterate through the policy 
assignments + $result.value | ForEach-Object { + + #check if the policy assignment is for the specified policy set definition + If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$policyName") { + + # Go to enumerating policy set + $assignmentFound = $true + Enumerate-PolicySet -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + } + Elseif ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policyDefinitions/$policyName") { + + # Go to handling individual policy + $assignmentFound = $true + Enumerate-Policy -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + } + Else { + + # Getting parent initiative for unassigned individual policies + If ($initiatives) { + $parentInitiative = $initiatives.value | Where-Object { ($_.properties.policyType -eq 'Custom') -and ($_.properties.metadata -like '*_deployed_by_amba*') } | Where-Object { $_.properties.policyDefinitions.policyDefinitionReferenceId -eq $policyname } + + # Getting the assignment of the parent initiative + If ($parentInitiative) { + If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$($parentInitiative.name)") { + + # Invoking policy remediation + $assignmentFound = $true + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $PSItem.name -polassignId $PSItem.id -policyDefinitionReferenceId $policyName + } + } + } + } + } + + # If no policy assignments were found for the specified policy name, throw an error + If (!$assignmentFound) { + throw "No policy assignments found for policy $policyName at management group scope $managementGroupName" + } +} + +# Function to enumerate the policies in the policy set and trigger remediation for each individual policy 
+function Enumerate-PolicySet { + param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [object] $policyAssignmentObject + ) + + # Extract policy assignment information + $policyAssignmentObject + $polassignId = $policyAssignmentObject.id + $name = $policyAssignmentObject.name + $policySetId = $policyAssignmentObject.properties.policyDefinitionId + $policySetId + $psetUri = "https://$($azureEnvironmentURI)$($policySetId)?api-version=2021-06-01" + $policySet = (Invoke-AzRestMethod -Uri $psetUri -Method GET).Content | ConvertFrom-Json -Depth 100 + $policySet + $policies = $policySet.properties.policyDefinitions + + # Iterate through the policies in the policy set + If ($policyAssignmentObject.properties.policyDefinitionId -match "/providers/Microsoft.Authorization/policySetDefinitions/Alerting-ServiceHealth") { + $policyDefinitionReferenceId = "Deploy_ServiceHealth_ActionGroups" + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId + Write-Host " Waiting for 5 minutes while remediating the 'Deploy Service Health Action Group' policy before continuing." 
-ForegroundColor Cyan + Start-Sleep -Seconds 360 + } + Foreach ($policy in $policies) { + $policyDefinitionId = $policy.policyDefinitionId + $policyDefinitionReferenceId = $policy.policyDefinitionReferenceId + + # Trigger remediation for the individual policy + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId + } +} + +#Function to get specific information about a policy assignment for a single policy and trigger remediation +function Enumerate-Policy { + param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, + [Parameter(Mandatory = $true)] [string] $managementGroupName, + [Parameter(Mandatory = $true)] [object] $policyAssignmentObject + ) + + # Extract policy assignment information + $polassignId = $policyAssignmentObject.id + $name = $policyAssignmentObject.name + $policyDefinitionId = $policyAssignmentObject.properties.policyDefinitionId + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId +} + +#endregion + +#Main script +switch ($azureEnvironment) { + "AzureCloud" { + $azureEnvironmentURI = "management.azure.com" + } + + "AzureUSGovernment" { + $azureEnvironmentURI = "management.usgovcloudapi.net" # See API Endpoints for Azure US Government at https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers + } + + "AzureChinaCloud" { + $azureEnvironmentURI = "management.chinacloudapi.cn" # See API Endpoints for Azure China at https://learn.microsoft.com/en-us/azure/reliability/sovereign-cloud-china#azure-in-china-rest-endpoints + } + + Default {azureEnvironmentURI = "management.azure.com"} +} +Get-PolicyType -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyName 
$policyName
From 2eda74293a6f38ca666b0ea96d30536987fa96cc Mon Sep 17 00:00:00 2001
From: Brunoga-MS
Date: Tue, 15 Oct 2024 18:10:31 +0200
Subject: [PATCH 2/4] Updating original script
---
 .../scripts/Start-AMBA-ALZ-Remediation.ps1 | 228 ------------------
 .../alz/scripts/Start-AMBARemediation.ps1 | 122 +++++++---
 2 files changed, 84 insertions(+), 266 deletions(-)
 delete mode 100644 patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
diff --git a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
deleted file mode 100644
index 87db9feb2..000000000
--- a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1
+++ /dev/null
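Review bot: The `Default` arm of the environment switch at the end of the hunk, `Default {azureEnvironmentURI = "management.azure.com"}`, is missing the `$` sigil, so if it were ever reached PowerShell would try to invoke a command named `azureEnvironmentURI` instead of assigning the variable; it is also unreachable because `[ValidateSet]` on `$azureEnvironment` rejects any other value, and a silent fall-through to the public-cloud endpoint is the wrong fallback for a script written for sovereign clouds, so I would fail closed with `Default { throw "Unsupported Azure environment: $azureEnvironment" }`. In Get-PolicyType the `-match` checks interpolate `$policyName` into a regex unescaped and unanchored, so a name containing regex metacharacters, or one that is a prefix of another policy's name, can select and remediate the wrong assignment; `-match "/providers/Microsoft.Authorization/policyDefinitions/$([regex]::Escape($policyName))$"` (and the same form for the two policySetDefinitions checks) pins the comparison to the exact name. The `Invoke-AzRestMethod ... -Method PUT` result in Start-PolicyRemediation is never inspected, so a 403 for a principal without remediation rights is indistinguishable from success; checking `StatusCode` on the returned object and throwing on a non-2xx value would surface it. Two smaller points: Start-PolicyRemediation builds the remediation name from the script-scope `$policyName` via dynamic scoping while its own `$policyAssignmentName` parameter is unused, and Enumerate-PolicySet prints "Waiting for 5 minutes" while `Start-Sleep -Seconds 360` waits six. The same content (blob 87db9feb2) lands in patterns/alz/scripts/Start-AMBARemediation.ps1 in PATCH 2/4, so these apply there as well.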
@@ -1,228 +0,0 @@ -# The below copyright notice and this permission notice shall be included in all -# copies or substantial portions of the Software. - -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -# SOFTWARE. - -<# - .DESCRIPTION - This script is used to trigger remediation on a specific policy or policy set at management group scope. - It first calls the Azure REST API to get the policy assignments in the management group scope, then it iterates through the policy assignments, checking by name whether it's a policy set or an individual policy. - Depending on the result the script will either enumerate the policy set and trigger remediation for each individual policy in the set or trigger remediation for the individual policy. - - .LINK - https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/deploy/Remediate-Policies/ - - .PARAMETER -azureEnvironment - The Azure environment the customer is using. This parameter only allows for hard-coded values corresponding to the ppublic and sovereign clouds available today. - - .PARAMETER managementGroupName - The management group name where the policy assignments are located. - - .PARAMETER policyName - The name of the policy or policy set to remediate. 
- - .EXAMPLE - Modify the following variables to match your environment: - - $pseudoRootManagementGroup = "The pseudo root management group id parenting the Platform and Landing Zones management groups" - $identityManagementGroup = "The management group id for Identity" - $managementManagementGroup = "The management group id for Management" - $connectivityManagementGroup = "The management group id for Connectivity" - $LZManagementGroup = "The management group id for Landing Zones" - - Run the following commands to initiate remediation: - - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM - 
.\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web - -#> - -# The following SuppressMessageAttribute entries are used to surpress PSScriptAnalyzer tests against known exceptions as per: -# https://github.com/powershell/psscriptanalyzer#suppressing-rules -[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', '', Justification = 'False positive')] -[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification = 'False positive')] -[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '', Justification = 'Approved verbs are not available for this scenario')] - -Param( - [Parameter(Mandatory = $true)] [ValidateSet("AzureCloud", "AzureUSGovernment", "AzureChinaCloud", IgnoreCase = $true)] [string] $azureEnvironment, - [Parameter(Mandatory = $true)] [string] $managementGroupName, - [Parameter(Mandatory = $true)] [string] $policyName -) - -#region general functions - -# Function to trigger remediation for a single policy -Function Start-PolicyRemediation { - Param( - [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, - [Parameter(Mandatory = $true)] [string] $managementGroupName, - [Parameter(Mandatory = $true)] [string] $policyAssignmentName, - [Parameter(Mandatory = $true)] [string] $polassignId, - [Parameter(Mandatory = $false)] [string] $policyDefinitionReferenceId - ) - $guid = New-Guid - - # Create remediation for the individual policy - $uri = 
"https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.PolicyInsights/remediations/$($policyName)-$($guid)?api-version=2021-10-01" - $body = @{ - properties = @{ - policyAssignmentId = "$polassignId" - } - } - if ($policyDefinitionReferenceId) { - $body.properties.policyDefinitionReferenceId = $policyDefinitionReferenceId - } - $body = $body | ConvertTo-Json -Depth 10 - Invoke-AzRestMethod -Uri $uri -Method PUT -Payload $body -} - -#Function to get the policy assignments in the management group scope -function Get-PolicyType { - Param ( - [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, - [Parameter(Mandatory = $true)] [string] $managementGroupName, - [Parameter(Mandatory = $true)] [string] $policyName - ) - - # Validate that the management group exists through the Azure REST API - $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)?api-version=2021-04-01" - $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 - if ($result.error) { - throw "Management group $managementGroupName does not exist, please specify a valid management group name" - } - - # Getting custom policySetDefinitions - $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policySetDefinitions?&api-version=2023-04-01" - $initiatives = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 - - # Get policy assignments at management group scope - $assignmentFound = $false - $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policyAssignments?`$filter=atScope()&api-version=2022-06-01" - $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 - - # Iterate through the policy 
assignments - $result.value | ForEach-Object { - - #check if the policy assignment is for the specified policy set definition - If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$policyName") { - - # Go to enumerating policy set - $assignmentFound = $true - Enumerate-PolicySet -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem - } - Elseif ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policyDefinitions/$policyName") { - - # Go to handling individual policy - $assignmentFound = $true - Enumerate-Policy -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem - } - Else { - - # Getting parent initiative for unassigned individual policies - If ($initiatives) { - $parentInitiative = $initiatives.value | Where-Object { ($_.properties.policyType -eq 'Custom') -and ($_.properties.metadata -like '*_deployed_by_amba*') } | Where-Object { $_.properties.policyDefinitions.policyDefinitionReferenceId -eq $policyname } - - # Getting the assignment of the parent initiative - If ($parentInitiative) { - If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$($parentInitiative.name)") { - - # Invoking policy remediation - $assignmentFound = $true - Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $PSItem.name -polassignId $PSItem.id -policyDefinitionReferenceId $policyName - } - } - } - } - } - - # If no policy assignments were found for the specified policy name, throw an error - If (!$assignmentFound) { - throw "No policy assignments found for policy $policyName at management group scope $managementGroupName" - } -} - -# Function to enumerate the policies in the policy set and trigger remediation for each individual policy 
-function Enumerate-PolicySet { - param ( - [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, - [Parameter(Mandatory = $true)] [string] $managementGroupName, - [Parameter(Mandatory = $true)] [object] $policyAssignmentObject - ) - - # Extract policy assignment information - $policyAssignmentObject - $polassignId = $policyAssignmentObject.id - $name = $policyAssignmentObject.name - $policySetId = $policyAssignmentObject.properties.policyDefinitionId - $policySetId - $psetUri = "https://$($azureEnvironmentURI)$($policySetId)?api-version=2021-06-01" - $policySet = (Invoke-AzRestMethod -Uri $psetUri -Method GET).Content | ConvertFrom-Json -Depth 100 - $policySet - $policies = $policySet.properties.policyDefinitions - - # Iterate through the policies in the policy set - If ($policyAssignmentObject.properties.policyDefinitionId -match "/providers/Microsoft.Authorization/policySetDefinitions/Alerting-ServiceHealth") { - $policyDefinitionReferenceId = "Deploy_ServiceHealth_ActionGroups" - Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId - Write-Host " Waiting for 5 minutes while remediating the 'Deploy Service Health Action Group' policy before continuing." 
-ForegroundColor Cyan - Start-Sleep -Seconds 360 - } - Foreach ($policy in $policies) { - $policyDefinitionId = $policy.policyDefinitionId - $policyDefinitionReferenceId = $policy.policyDefinitionReferenceId - - # Trigger remediation for the individual policy - Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId - } -} - -#Function to get specific information about a policy assignment for a single policy and trigger remediation -function Enumerate-Policy { - param ( - [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, - [Parameter(Mandatory = $true)] [string] $managementGroupName, - [Parameter(Mandatory = $true)] [object] $policyAssignmentObject - ) - - # Extract policy assignment information - $polassignId = $policyAssignmentObject.id - $name = $policyAssignmentObject.name - $policyDefinitionId = $policyAssignmentObject.properties.policyDefinitionId - Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -} - -#endregion - -#Main script -switch ($azureEnvironment) { - "AzureCloud" { - $azureEnvironmentURI = "management.azure.com" - } - - "AzureUSGovernment" { - $azureEnvironmentURI = "management.usgovcloudapi.net" # See API Endpoints for Azure US Government at https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers - } - - "AzureChinaCloud" { - $azureEnvironmentURI = "management.chinacloudapi.cn" # See API Endpoints for Azure China at https://learn.microsoft.com/en-us/azure/reliability/sovereign-cloud-china#azure-in-china-rest-endpoints - } - - Default {azureEnvironmentURI = "management.azure.com"} -} -Get-PolicyType -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyName 
$policyName
diff --git a/patterns/alz/scripts/Start-AMBARemediation.ps1 b/patterns/alz/scripts/Start-AMBARemediation.ps1
index 7226acd92..87db9feb2 100644
--- a/patterns/alz/scripts/Start-AMBARemediation.ps1
+++ b/patterns/alz/scripts/Start-AMBARemediation.ps1
@@ -1,12 +1,26 @@
-<# - .SYNOPSIS - Remediates Azure Policy Assignments +# The below copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. +<# .DESCRIPTION This script is used to trigger remediation on a specific policy or policy set at management group scope. It first calls the Azure REST API to get the policy assignments in the management group scope, then it iterates through the policy assignments, checking by name whether it's a policy set or an individual policy. Depending on the result the script will either enumerate the policy set and trigger remediation for each individual policy in the set or trigger remediation for the individual policy. + .LINK + https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/deploy/Remediate-Policies/ + + .PARAMETER -azureEnvironment + The Azure environment the customer is using. This parameter only allows for hard-coded values corresponding to the ppublic and sovereign clouds available today. + .PARAMETER managementGroupName The management group name where the policy assignments are located.
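Review bot: The new help entry `.PARAMETER -azureEnvironment` carries a leading dash, which comment-based help does not strip, so Get-Help will not tie this paragraph to the `$azureEnvironment` parameter; it should read `.PARAMETER azureEnvironment` (the same line also has the typo `ppublic`). The hunk also removes `.SYNOPSIS` and its one-line text without re-adding them under the new `<#` opener, so the script's help now has no synopsis; I would restore `.SYNOPSIS` followed by the previous `Remediates Azure Policy Assignments` line directly after the new `<#`. The same dash-prefixed entry appears in the new file of PATCH 1/4.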
@@ -24,21 +38,19 @@ Run the following commands to initiate remediation: - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $identityManagementGroup -policyName Alerting-Identity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Storage - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-VM - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Web + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" 
-managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM + .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web - .LINK - https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/deploy/Remediate-Policies/ #> # The following SuppressMessageAttribute entries are used to surpress PSScriptAnalyzer tests against known exceptions as per: 
@@ -48,21 +60,26 @@ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '', Justification = 'Approved verbs are not available for this scenario')] Param( + [Parameter(Mandatory = $true)] [ValidateSet("AzureCloud", "AzureUSGovernment", "AzureChinaCloud", IgnoreCase = $true)] [string] $azureEnvironment, [Parameter(Mandatory = $true)] [string] $managementGroupName, [Parameter(Mandatory = $true)] [string] $policyName ) +#region general functions + # Function to trigger remediation for a single policy Function Start-PolicyRemediation { Param( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, [Parameter(Mandatory = $true)] [string] $managementGroupName, [Parameter(Mandatory = $true)] [string] $policyAssignmentName, [Parameter(Mandatory = $true)] [string] $polassignId, [Parameter(Mandatory = $false)] [string] $policyDefinitionReferenceId ) $guid = New-Guid - #create remediation for the individual policy - $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.PolicyInsights/remediations/$($policyName)-$($guid)?api-version=2021-10-01" + + # Create remediation for the individual policy + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.PolicyInsights/remediations/$($policyName)-$($guid)?api-version=2021-10-01" $body = @{ properties = @{ policyAssignmentId = "$polassignId" 
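Review bot: The new `$uri` line in Start-PolicyRemediation still names the remediation `$($policyName)-$($guid)`, but `$policyName` is not among the function's parameters (those are `$azureEnvironmentURI`, `$managementGroupName`, `$policyAssignmentName`, `$polassignId`, `$policyDefinitionReferenceId`), so it resolves through dynamic scoping to the script-level parameter and the function silently depends on its caller's scope. Building the name from the function's own inputs, e.g. `.../remediations/$($policyAssignmentName)-$($guid)?api-version=2021-10-01`, keeps the function self-contained and also makes the remediation name reflect the assignment actually being remediated. A short comment on the `$azureEnvironmentURI` parameter stating that it is a bare management-endpoint host name without scheme or trailing slash would document the contract the main script's switch relies on. Start-PolicyRemediation's body continues past the end of this hunk.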
@@ -78,40 +95,45 @@ Function Start-PolicyRemediation { #Function to get the policy assignments in the management group scope function Get-PolicyType { Param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, [Parameter(Mandatory = $true)] [string] $managementGroupName, [Parameter(Mandatory = $true)] [string] $policyName ) - #Validate that the management group exists through the Azure REST API - $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)?api-version=2021-04-01" + # Validate that the management group exists through the Azure REST API + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)?api-version=2021-04-01" $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 if ($result.error) { throw "Management group $managementGroupName does not exist, please specify a valid management group name" } # Getting custom policySetDefinitions - $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policySetDefinitions?&api-version=2023-04-01" + $uri = "https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policySetDefinitions?&api-version=2023-04-01" $initiatives = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 - #Get policy assignments at management group scope + # Get policy assignments at management group scope $assignmentFound = $false - $uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policyAssignments?`$filter=atScope()&api-version=2022-06-01" + $uri = 
"https://$($azureEnvironmentURI)/providers/Microsoft.Management/managementGroups/$($managementGroupName)/providers/Microsoft.Authorization/policyAssignments?`$filter=atScope()&api-version=2022-06-01" $result = (Invoke-AzRestMethod -Uri $uri -Method GET).Content | ConvertFrom-Json -Depth 100 - #iterate through the policy assignments + # Iterate through the policy assignments $result.value | ForEach-Object { + #check if the policy assignment is for the specified policy set definition If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$policyName") { + # Go to enumerating policy set $assignmentFound = $true - Enumerate-PolicySet -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + Enumerate-PolicySet -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem } Elseif ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policyDefinitions/$policyName") { + # Go to handling individual policy $assignmentFound = $true - Enumerate-Policy -managementGroupName $managementGroupName -policyAssignmentObject $PSItem + Enumerate-Policy -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentObject $PSItem } Else { + # Getting parent initiative for unassigned individual policies If ($initiatives) { $parentInitiative = $initiatives.value | Where-Object { ($_.properties.policyType -eq 'Custom') -and ($_.properties.metadata -like '*_deployed_by_amba*') } | Where-Object { $_.properties.policyDefinitions.policyDefinitionReferenceId -eq $policyname } 
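Review bot: The two new `$uri` lines for policySetDefinitions and policyAssignments feed the `Invoke-AzRestMethod` result straight into `ConvertFrom-Json` with no status check, unlike the management-group call above them that at least inspects `$result.error`; a 403 or throttled response would likely leave `$initiatives` and `$result.value` empty and the function then ends with the misleading "No policy assignments found" error. A guard such as `$response = Invoke-AzRestMethod -Uri $uri -Method GET; if ($response.StatusCode -ge 400) { throw "GET $uri failed with status $($response.StatusCode)" }` before each `ConvertFrom-Json` makes the real failure visible. The policySetDefinitions URI also carries a stray `?&api-version=`, which should be `?api-version=`. Separately, the user-supplied `$policyName` is interpolated unescaped into the `-match` patterns, so a name containing regex metacharacters such as `.` or `+` matches more than intended; `[regex]::Escape($policyName)` fixes that here and for the `$parentInitiative.name` match in the next hunk.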
@@ -119,16 +141,17 @@ function Get-PolicyType { # Getting the assignment of the parent initiative If ($parentInitiative) { If ($($PSItem.properties.policyDefinitionId) -match "/providers/Microsoft.Authorization/policySetDefinitions/$($parentInitiative.name)") { + # Invoking policy remediation $assignmentFound = $true - Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $PSItem.name -polassignId $PSItem.id -policyDefinitionReferenceId $policyName + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $PSItem.name -polassignId $PSItem.id -policyDefinitionReferenceId $policyName } } } } } - #if no policy assignments were found for the specified policy name, throw an error + # If no policy assignments were found for the specified policy name, throw an error If (!$assignmentFound) { throw "No policy assignments found for policy $policyName at management group scope $managementGroupName" } 
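Review bot: The new Start-PolicyRemediation call in the `$parentInitiative` branch assumes `$parentInitiative` is a single object, but the `Where-Object` pipeline that produces it (in the previous hunk) can return more than one custom initiative whose `policyDefinitionReferenceId` equals the policy name; in that case `$($parentInitiative.name)` interpolates all names joined by spaces, the `-match` never succeeds and the assignment is reported as not found. Iterating explicitly, `ForEach ($initiative in @($parentInitiative)) { ... }`, or selecting with `Select-Object -First 1` and emitting a warning, would make the behaviour deterministic. Get-PolicyType's opening and closing lines are outside this hunk.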
@@ -137,46 +160,69 @@ function Get-PolicyType { # Function to enumerate the policies in the policy set and trigger remediation for each individual policy function Enumerate-PolicySet { param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, [Parameter(Mandatory = $true)] [string] $managementGroupName, [Parameter(Mandatory = $true)] [object] $policyAssignmentObject ) - #extract policy assignment information + + # Extract policy assignment information $policyAssignmentObject $polassignId = $policyAssignmentObject.id $name = $policyAssignmentObject.name $policySetId = $policyAssignmentObject.properties.policyDefinitionId $policySetId - $psetUri = "https://management.azure.com$($policySetId)?api-version=2021-06-01" + $psetUri = "https://$($azureEnvironmentURI)$($policySetId)?api-version=2021-06-01" $policySet = (Invoke-AzRestMethod -Uri $psetUri -Method GET).Content | ConvertFrom-Json -Depth 100 $policySet $policies = $policySet.properties.policyDefinitions - #iterate through the policies in the policy set + + # Iterate through the policies in the policy set If ($policyAssignmentObject.properties.policyDefinitionId -match "/providers/Microsoft.Authorization/policySetDefinitions/Alerting-ServiceHealth") { $policyDefinitionReferenceId = "Deploy_ServiceHealth_ActionGroups" - Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId Write-Host " Waiting for 5 minutes while remediating the 'Deploy Service Health Action Group' policy before continuing." 
-ForegroundColor Cyan Start-Sleep -Seconds 360 } Foreach ($policy in $policies) { $policyDefinitionId = $policy.policyDefinitionId $policyDefinitionReferenceId = $policy.policyDefinitionReferenceId - #trigger remediation for the individual policy - Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId + + # Trigger remediation for the individual policy + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId -policyDefinitionReferenceId $policyDefinitionReferenceId } } #Function to get specific information about a policy assignment for a single policy and trigger remediation function Enumerate-Policy { param ( + [Parameter(Mandatory = $true)] [string] $azureEnvironmentURI, [Parameter(Mandatory = $true)] [string] $managementGroupName, [Parameter(Mandatory = $true)] [object] $policyAssignmentObject ) - #extract policy assignment information + + # Extract policy assignment information $polassignId = $policyAssignmentObject.id $name = $policyAssignmentObject.name $policyDefinitionId = $policyAssignmentObject.properties.policyDefinitionId - Start-PolicyRemediation -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId + Start-PolicyRemediation -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyAssignmentName $name -polassignId $polassignId } +#endregion + #Main script -Get-PolicyType -managementGroupName $managementGroupName -policyName $policyName +switch ($azureEnvironment) { + "AzureCloud" { + $azureEnvironmentURI = "management.azure.com" + } + + "AzureUSGovernment" { + $azureEnvironmentURI = "management.usgovcloudapi.net" # See API Endpoints for Azure US Government at 
https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure#guidance-for-developers + } + + "AzureChinaCloud" { + $azureEnvironmentURI = "management.chinacloudapi.cn" # See API Endpoints for Azure China at https://learn.microsoft.com/en-us/azure/reliability/sovereign-cloud-china#azure-in-china-rest-endpoints + } + + Default {azureEnvironmentURI = "management.azure.com"} +} +Get-PolicyType -azureEnvironmentURI $azureEnvironmentURI -managementGroupName $managementGroupName -policyName $policyName From ac3169359198ceecc707c507ffdbad7af83f152b Mon Sep 17 00:00:00 2001 From: Brunoga-MS Date: Tue, 15 Oct 2024 18:13:34 +0200 Subject: [PATCH 3/4] Renaming original script --- ...ion.ps1 => Start-AMBA-ALZ-Remediation.ps1} | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) rename patterns/alz/scripts/{Start-AMBARemediation.ps1 => Start-AMBA-ALZ-Remediation.ps1} (85%) diff --git a/patterns/alz/scripts/Start-AMBARemediation.ps1 b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 similarity index 85% rename from patterns/alz/scripts/Start-AMBARemediation.ps1 rename to patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 index 87db9feb2..a8605b1dc 100644 --- a/patterns/alz/scripts/Start-AMBARemediation.ps1 +++ b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 
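Review bot: The `Default` arm of the new `switch ($azureEnvironment)` reads `Default {azureEnvironmentURI = "management.azure.com"}` — without the `$` sigil PowerShell parses this as a call to a command named `azureEnvironmentURI`, so if the arm ever ran it would fail with a command-not-found error and `$azureEnvironmentURI` would remain unset. The `ValidateSet` on the parameter makes the arm unreachable today, and a silent fallback to the public-cloud endpoint is the wrong default for a script whose purpose is sovereign-cloud support, so failing loudly is safer: `Default { throw "Unsupported Azure environment '$azureEnvironment'" }`. In Enumerate-PolicySet the `Write-Host` says "Waiting for 5 minutes" while the next line sleeps `-Seconds 360`; one of the two should change. The bare `$policyAssignmentObject`, `$policySetId` and `$policySet` expressions in that function also write their values to the pipeline, which looks like leftover debugging output. The switch is the end of the script; Enumerate-PolicySet and Enumerate-Policy are fully inside this hunk.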
@@ -38,18 +38,18 @@ Run the following commands to initiate remediation: - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web + 
.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web #> 
From e641d0630b8456532501f45dfeb68c458caeee46 Mon Sep 17 00:00:00 2001 From: Brunoga-MS Date: Tue, 15 Oct 2024 18:50:59 +0200 Subject: [PATCH 4/4] Updating script and documentation --- .../Bring-your-own-Notifications.md | 8 +++- .../patterns/alz/deploy/Remediate-Policies.md | 40 ++++++++++++------- .../scripts/Start-AMBA-ALZ-Remediation.ps1 | 10 +++++ 3 files changed, 42 insertions(+), 16 deletions(-) diff --git a/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md b/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md index 426dc5b78..be9cef918 100644 --- a/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md +++ b/docs/content/patterns/alz/Available_features/Bring-your-own-Notifications.md 
@@ -60,6 +60,12 @@ Should customers decide to switch, it will be enough to: - change the values in the parameter file to match one of the three cases previously discussed - redeploy the ALZ pattern - run the remediation for both [Notification Assets](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-Notification-Assets.json) and [Alerting-ServiceHealth](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-ServiceHealth-Alerts.json) policy initiatives -- remove notification assets deployed by ALZ patterns using the [**Remove-AMBANotificationAssets.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1) script (_*** only if moving from ALZ notification assets to BYON_) +- remove notification assets deployed by ALZ patterns using the [**Start-AMBA-ALZ-Maintenance.ps1**](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/refs/heads/main/patterns/alz/scripts/Start-AMBA-ALZ-Maintenance.ps1) script (_*** only if moving from ALZ notification assets to BYON_). To Remove the notification assets, run the command passing the _**NotificationAssets**_ value to the _**-cleanItems**_ parameter: + + ```powershell + ./Start-AMBA-ALZ-Maintenance.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -cleanItems NotificationAssets + ``` + + Documentation about the ***Start-AMBA-ALZ-Maintenance.ps1*** script can be found at [Cleaning up a Deployment](../../Cleaning-up-a-Deployment) The code will reconfigure the Service Health alerts to use either the customer's action groups to the ALZ pattern notification assets according to the selected case. diff --git a/docs/content/patterns/alz/deploy/Remediate-Policies.md b/docs/content/patterns/alz/deploy/Remediate-Policies.md index 62f0bbd92..ee9f3a4dc 100644 
--- a/docs/content/patterns/alz/deploy/Remediate-Policies.md +++ b/docs/content/patterns/alz/deploy/Remediate-Policies.md @@ -14,6 +14,16 @@ This script requires PowerShell 7.0 or higher and the following PowerShell modul {{< /hint >}} +{{< hint type=Important >}} +The Azure Landing Zones pattern is _**not**_ officially supported on sovereign clouds like "Azure US Government" or "Azure China". However, this script has been update to work with these 2 environments. You need to specify the Azure environment you use as a parameter for the script. +Allowed parameter values are: + +- AzureCloud +- AzureUSGovernment +- AzureChinaCloud + +{{< /hint >}} + To use the script, do the following: - Sign in Azure PowerShell with an account with at least Resource Policy Contributor permissions at the pseudo-root management group level @@ -32,7 +42,7 @@ To use the script, do the following: ```powershell #Run the following commands to initiate remediation - .\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management ``` - The script will return the output from the REST API calls, which should be a status code 201. If the script fails, check the error message and ensure that the management group name and policy name are correct. 
@@ -51,24 +61,24 @@ $LZManagementGroup="The management group id for Landing Zones" ```powershell #Run the following commands to initiate remediation -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $identityManagementGroup -policyName Alerting-Identity -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $managementManagementGroup -policyName Alerting-Management -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Storage -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-VM -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $LZManagementGroup -policyName Alerting-Web +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Notification-Assets +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 
-azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName Alerting-ServiceHealth +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $connectivityManagementGroup -policyName Alerting-Connectivity +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $identityManagementGroup -policyName Alerting-Identity +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $managementManagementGroup -policyName Alerting-Management +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Web ``` Should you need to remediate just one policy definition and not the entire policy initiative, you can run the remediation 
script targeted at the policy reference id that can be found under [Policy Initiatives](../../Policy-Initiatives). For example, to remediate the **_Deploy AMBA Notification Assets_** policy, run the following command: ```powershell #Run the following command to initiate remediation of a single policy definition -.\patterns\alz\scripts\Start-AMBARemediation.ps1 -managementGroupName $pseudoRootManagementGroup -policyName ALZ_AlertProcessing_Rule +.\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $pseudoRootManagementGroup -policyName ALZ_AlertProcessing_Rule ``` diff --git a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 index a8605b1dc..3385c2968 100644 --- a/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 +++ b/patterns/alz/scripts/Start-AMBA-ALZ-Remediation.ps1 
@@ -46,6 +46,7 @@ .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-KeyManagement .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-LoadBalancing .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-NetworkChanges + .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-RecoveryServices .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-HybridVM .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-Storage .\patterns\alz\scripts\Start-AMBA-ALZ-Remediation.ps1 -azureEnvironment "AzureCloud" -managementGroupName $LZManagementGroup -policyName Alerting-VM @@ -210,6 +211,15 @@ function Enumerate-Policy { #endregion #Main script + +# Checking for required module presence +If (-NOT(Get-Module -ListAvailable Az.Resources)) { + Write-Warning "This script requires the Az.Resources module." + + $response = Read-Host "Would you like to install the 'Az.Resources' module now? (y/n)" + If ($response -match '[yY]') { Install-Module Az.Resources -Scope CurrentUser } +} + switch ($azureEnvironment) { "AzureCloud" { $azureEnvironmentURI = "management.azure.com"