
PowerShell Azure Runbook を簡素化して (繰り返しコードを減らして)、サブスクリプション内のすべての Key Vault (KV) から期限切れのシークレットと証明書を素早く収集し、書式設定されたテーブルを電子メールで送信できますか?

現在の Runbook は、サブスクリプションの Automation アカウントに構成された関連モジュールで正常に動作しますが、これを実行し、書式設定された電子メールを定期的に関係者に送信するためのよりクリーンな方法があると確信しています。

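<#
.SYNOPSIS
    Reports Key Vault secrets and certificates that are expired or about to expire.
.PARAMETER SubscriptionID
    Subscription selected (via Select-AzureRmSubscription) before the vaults are enumerated.
.PARAMETER DaysNearExpiration
    Items whose expiry falls within this many days from today are reported as "near expiration".
.PARAMETER VaultName
    Restrict the report to this one vault; when omitted every vault in the subscription is scanned.
#>
Param(
        [string]$SubscriptionID = "",
        # plain integer literal; the original "30" relied on string-to-[int] coercion
        [int]$DaysNearExpiration = 30,
        [string]$VaultName
)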
 
# Select the target subscription for the AzureRm cmdlets that follow and echo it into the job output.
$TargetSubscription = Get-AzureRmSubscription -SubscriptionId $SubscriptionID
$TargetSubscription | Select-AzureRmSubscription | Format-Table -Autosize
 
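#######################################
# Classify the secrets or certificates of every given key vault by expiry.
# Arguments:
#   -KeyVaults       vault objects as returned by Get-AzureRmKeyVault; only .VaultName is read
#   -ListItems       scriptblock invoked with one vault name; must return objects exposing .Name and .Expires
#   -ItemKind        'Secret' or 'Certificate'; only used to build the Category label
#   -ExpirationDate  notification threshold as a yyyyMMdd string
#   -CurrentDate     today as a yyyyMMdd string
# Outputs: one PSObject (Name, Category, KeyVaultName, ExpirationDate) per item whose
#   expiry is before ExpirationDate. Category is "<ItemKind>NearExpiration" when the item
#   still expires after CurrentDate and "<ItemKind>Expired" otherwise (the original
#   script labelled both buckets "...NearExpiration", which made the report ambiguous).
#   Items with no expiration date set are skipped.
#######################################
function Get-KeyVaultExpirationItems {
    Param(
        [Parameter(Mandatory = $true)] $KeyVaults,
        [Parameter(Mandatory = $true)] [scriptblock]$ListItems,
        [Parameter(Mandatory = $true)] [string]$ItemKind,
        [Parameter(Mandatory = $true)] [string]$ExpirationDate,
        [Parameter(Mandatory = $true)] [string]$CurrentDate
    )

    foreach ($KeyVault in $KeyVaults) {
        # The list form of the Get-AzureKeyVault* cmdlets (no -Name) returns identifiers and
        # attributes only, so no secret material ends up in the runbook output - confirm for
        # the module version configured on the Automation account.
        $Items = & $ListItems $KeyVault.VaultName
        foreach ($Item in $Items) {
            # skip items with no expiration date set
            if (-not $Item.Expires) { continue }

            # Compare at day granularity: yyyyMMdd strings sort lexically in date order.
            # NOTE(review): Get-Date formats Expires as-is; if it is UTC and the sandbox runs
            # in another time zone the day boundary can shift by one - confirm.
            $ItemExpiration = Get-Date $Item.Expires -Format yyyyMMdd
            if (-not ($ExpirationDate -gt $ItemExpiration)) { continue }

            # still expires after today -> near expiration, otherwise already expired
            if ($CurrentDate -lt $ItemExpiration) {
                $Category = "${ItemKind}NearExpiration"
            }
            else {
                $Category = "${ItemKind}Expired"
            }

            New-Object PSObject -Property @{
                Name           = $Item.Name
                Category       = $Category
                KeyVaultName   = $KeyVault.VaultName
                ExpirationDate = $Item.Expires
            }
        }
    }
}

# gather all key vaults from subscription (once; both passes below reuse the list)
if ($VaultName) {
    $KeyVaults = Get-AzureRmKeyVault -VaultName $VaultName
}
else {
    $KeyVaults = Get-AzureRmKeyVault
}
# dates, as yyyyMMdd strings, that bound the "near expiration" window
$ExpirationDate = (Get-Date (Get-Date).AddDays($DaysNearExpiration) -Format yyyyMMdd)
$CurrentDate = (Get-Date -Format yyyyMMdd)

# arguments shared by the secret and the certificate pass
$ReportArgs = @{
    KeyVaults      = $KeyVaults
    ExpirationDate = $ExpirationDate
    CurrentDate    = $CurrentDate
}

# --- secrets ---
$SecretItems = @(Get-KeyVaultExpirationItems @ReportArgs -ItemKind 'Secret' `
    -ListItems { param($Vault) Get-AzureKeyVaultSecret -VaultName $Vault })
# @(...) keeps .Count valid for zero or one result
$ExpiredSecrets = @($SecretItems | Where-Object { $_.Category -eq 'SecretExpired' })
$NearExpirationSecrets = @($SecretItems | Where-Object { $_.Category -eq 'SecretNearExpiration' })

Write-Output "Total number of expired secrets: $($ExpiredSecrets.Count)"
$ExpiredSecrets

Write-Output "Total number of secrets near expiration: $($NearExpirationSecrets.Count)"
$NearExpirationSecrets

# --- certificates ---
$CertificateItems = @(Get-KeyVaultExpirationItems @ReportArgs -ItemKind 'Certificate' `
    -ListItems { param($Vault) Get-AzureKeyVaultCertificate -VaultName $Vault })
$ExpiredCertificates = @($CertificateItems | Where-Object { $_.Category -eq 'CertificateExpired' })
$NearExpirationCertificates = @($CertificateItems | Where-Object { $_.Category -eq 'CertificateNearExpiration' })

Write-Output "Total number of expired certificates: $($ExpiredCertificates.Count)"
$ExpiredCertificates

Write-Output "Total number of certificates near expiration: $($NearExpirationCertificates.Count)"
$NearExpirationCertificates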



考えられるリファクタリングは次のとおりです (テストされていません)。

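<#
.SYNOPSIS
    Reports Key Vault secrets and certificates that are expired or about to expire.
.PARAMETER SubscriptionID
    Subscription selected (via Select-AzureRmSubscription) before the vaults are enumerated.
.PARAMETER DaysNearExpiration
    Items whose expiry falls within this many days from today are reported as "near expiration".
.PARAMETER VaultName
    Restrict the report to this one vault; when omitted every vault in the subscription is scanned.
#>
Param(
        [string]$SubscriptionID = "",
        # plain integer literal; the original "30" relied on string-to-[int] coercion
        [int]$DaysNearExpiration = 30,
        [string]$VaultName
)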
 
# Select the target subscription for the AzureRm cmdlets that follow and echo it into the job output.
$TargetSubscription = Get-AzureRmSubscription -SubscriptionId $SubscriptionID
$TargetSubscription | Select-AzureRmSubscription | Format-Table -Autosize

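# Generic lists grow geometrically; += on a plain array reallocates on every append.
$ExpiredSecrets = [System.Collections.Generic.List[PSCustomObject]] @()
$NearExpirationSecrets = [System.Collections.Generic.List[PSCustomObject]] @()

#gather all key vaults from subscription
$KeyVaultArgs = if( $VaultName ) { @{ VaultName = $VaultName } } else { @{} } 
# In PS 7+ you could write:
# $KeyVaultArgs = $VaultName ? @{ VaultName = $VaultName } : @{} 
$KeyVaults = Get-AzureRmKeyVault @KeyVaultArgs

# dates, as yyyyMMdd strings, that bound the "near expiration" window
$ExpirationDate = (Get-Date (Get-Date).AddDays($DaysNearExpiration) -Format yyyyMMdd)
$CurrentDate = (Get-Date -Format yyyyMMdd)
 
# iterate across all key vaults in subscription
foreach ($KeyVault in $KeyVaults) {
    # gather all secrets in each key vault that have an expiration date set.
    # The list form (no -Name) returns identifiers and attributes only, so no secret
    # material reaches the report - confirm for the module version in use.
    $SecretsArray = Get-AzureKeyVaultSecret -VaultName $KeyVault.VaultName | Where-Object Expires

    foreach ($secret in $SecretsArray) {
        # Compare at day granularity: yyyyMMdd strings sort lexically in date order.
        # NOTE(review): Get-Date formats Expires as-is; a UTC value formatted in another
        # time zone can shift the day boundary by one - confirm.
        $secretExpiration = Get-date $secret.Expires -Format yyyyMMdd
        # report only secrets that expire before the notification date
        if ($ExpirationDate -gt $secretExpiration) {
            # still expires after today -> near expiration, otherwise already expired.
            # The two buckets get distinct Category labels (the original labelled both
            # 'SecretNearExpiration', so the e-mail could not tell them apart).
            $isNearExpiration = $CurrentDate -lt $secretExpiration
            if ($isNearExpiration) {
                $category = 'SecretNearExpiration'
            }
            else {
                $category = 'SecretExpired'
            }

            # build the report row in its own variable instead of overwriting the loop variable $secret
            $row = [PSCustomObject]@{
                Name           = $secret.Name
                Category       = $category
                KeyVaultName   = $KeyVault.VaultName
                ExpirationDate = $secret.Expires
            }

            if ($isNearExpiration) {
                $NearExpirationSecrets.Add( $row )
            }
            else {
                $ExpiredSecrets.Add( $row )
            }
        }
    }       
}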

# omitted unmodified code ...

変更点:

  • プレーン配列の代わりに `[System.Collections.Generic.List[PSCustomObject]]` を使用します。配列が大きくなる可能性がある場合、これははるかに効率的です。PowerShell は、演算子 `+=` が使用されるたびにプレーン配列をサイズ +1 で再作成しますが、`List` の内部配列は 2 の倍数でのみサイズ変更されます。
  • `$KeyVaultArgs = if ...` は、条件付き代入を使用してパラメーターをハッシュテーブルとして作成し、スプラッティングで `Get-AzureRmKeyVault` に渡します。
  • `$SecretsArray = Get-AzureKeyVaultSecret -VaultName $KeyVault.VaultName | Where-Object Expires` は、`foreach` 内の `if ($secret.Expires)` を取り除き、ネストのレベルを減らします。
  • `$secret = [PSCustomObject]@{` は、以下の `if/else` 構成から重複したコードを削除します。また、`New-Object PSObject` よりわずかにきれいな構文です。
  • `$NearExpirationSecrets.Add( $secret )` と `$ExpiredSecrets.Add( $secret )` は必須です。`List` は演算子 `+=` をサポートしていないためです。
2021-02-05T00:53:38.063 に回答