diff --git a/README.md b/README.md index dc161af..e1bd6f0 100644 --- a/README.md +++ b/README.md @@ -78,17 +78,9 @@ The [Azure Governance Visualizer Accelerator](https://github.com/Azure/Azure-Gov ## Release history -__Changes__ (2023-Dec-16 / 6.3.6 Minor) +__Changes__ (2024-Jan-08 / 6.3.7 Minor) -* fix: processing of Service Principal names that contain special characters -* fix: RBAC reporting correct RBAC Role assignment related Policy assignment Policy definition displayName -* update ARM API-version for CostManagement. Using `2023-03-01` instead of `2019-11-01` - -__Changes__ (2023-Dec-15 / 6.3.5 Minor) - -* Checking if the response of the storage account properties request is a byte array (type 'byte[]') and decode it to a string -* Different handling of BOM (Byte order mark) for XML returns on storage account properties request (since Powershell version 7.4.0) -* use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.85 +* fix: Ignore `ARMLocation` in case not Public Cloud (AzureCloud) [Full release history](history.md) diff --git a/history.md b/history.md index e945cbd..332c3ef 100644 --- a/history.md +++ b/history.md @@ -4,7 +4,11 @@ ### Azure Governance Visualizer version 6 -__Changes__ (2023-Dec-16 / 6.3.6 Minor) +__Changes__ (2024-Jan-08 / 6.3.7 Minor) + +* fix: Ignore `ARMLocation` in case not Public Cloud (AzureCloud) + +__Changes__ (2023-Dec-17 / 6.3.6 Minor) * fix: processing of Service Principal names that contain special characters * fix: RBAC reporting correct RBAC Role assignment related Policy assignment Policy definition displayName diff --git a/pwsh/AzGovVizParallel.ps1 b/pwsh/AzGovVizParallel.ps1 index 2f18c17..1fd2f75 100644 --- a/pwsh/AzGovVizParallel.ps1 +++ b/pwsh/AzGovVizParallel.ps1 @@ -365,7 +365,7 @@ Param $Product = 'AzGovViz', [string] - $ProductVersion = '6.3.6', + $ProductVersion = '6.3.7', [string] $GithubRepository = 'aka.ms/AzGovViz', 
@@ -33865,25 +33865,31 @@ Write-Host " Initialize 'AzAPICall' succeeded" -ForegroundColor Green Write-Host " Setting `$ignoreARMLocation to `$false" -ForegroundColor Yellow $ignoreARMLocation = $false -if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) { - Write-Host '' - Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid" - if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) { - Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed - Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow - throw 'ARMLocation validation failed!' +if ($azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud') { + Write-Host " Non Public Cloud ($($azApiCallConf['htParameters'].azureCloudEnvironment)) -> Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow + $ignoreARMLocation = $true +} + +if (-not $ignoreARMLocation) { + if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) { + Write-Host '' + Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid" + if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) { + Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed + Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow + throw 'ARMLocation validation failed!' + } + else { + Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green + } } else { - Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green + Write-Host '' + Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. 
(-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')" + Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow + $ignoreARMLocation = $true } } -else { - Write-Host '' - Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')" - Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow - $ignoreARMLocation = $true -} - #EndRegion initAZAPICall #region required AzAPICall version diff --git a/pwsh/dev/devAzGovVizParallel.ps1 b/pwsh/dev/devAzGovVizParallel.ps1 index 992c316..a176cbe 100644 --- a/pwsh/dev/devAzGovVizParallel.ps1 +++ b/pwsh/dev/devAzGovVizParallel.ps1 @@ -365,7 +365,7 @@ Param $Product = 'AzGovViz', [string] - $ProductVersion = '6.3.6', + $ProductVersion = '6.3.7', [string] $GithubRepository = 'aka.ms/AzGovViz', @@ -12462,7 +12462,7 @@ function processStorageAccountAnalysis { else { try { # ? https://github.com/Azure/Azure-Governance-Visualizer/issues/218#issuecomment-1854516882 - if($saProperties.gettype().Name -eq 'Byte[]') { + if ($saProperties.gettype().Name -eq 'Byte[]') { $byteArray = [byte[]]$saProperties $saProperties = [System.Text.Encoding]::UTF8.GetString($byteArray) } @@ -12504,7 +12504,7 @@ function processStorageAccountAnalysis { if ($listContainersSuccess -eq $true) { # ? https://github.com/Azure/Azure-Governance-Visualizer/issues/218#issuecomment-1854516882 - if($listContainers.gettype().Name -eq 'Byte[]') { + if ($listContainers.gettype().Name -eq 'Byte[]') { $byteArray = [byte[]]$listContainers $listContainers = [System.Text.Encoding]::UTF8.GetString($byteArray) } 
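Review bot: The new cloud check `if ($azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud')` is also true when `azureCloudEnvironment` is `$null` or empty, so validation of the user-supplied `-ARMLocation` is then skipped as if a non-public cloud had been detected. The trailing context shows `#region required AzAPICall version` only after this block, so the hunk does not confirm that the key is always populated at this point. Consider failing closed ahead of the comparison, e.g. `if ([string]::IsNullOrWhiteSpace($azApiCallConf['htParameters'].azureCloudEnvironment)) { throw 'azureCloudEnvironment is not set' }`. A comment such as `# ARMLocation is only validated for AzureCloud; other clouds skip the check` would also help. The identical hunk in pwsh/dev/devAzGovVizParallel.ps1 (@@ -33863) has the same issue.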
@@ -29076,10 +29076,10 @@ function validateLeastPrivilegeForUser { $uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/providers/Microsoft.Management/managementGroups/$($ManagementGroupId)/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&`$filter=principalId eq '$($azapicallConf['htParameters'].userObjectId)'" $method = 'GET' $getRoleAssignmentsForExecutingUserAtManagementGroupId = AzAPICall -AzAPICallConfiguration $azapicallConf -uri $uri - $nonReaderRolesAssigned = ($getRoleAssignmentsForExecutingUserAtManagementGroupId.properties.RoleDefinitionId | Sort-object -Unique).where({$_ -notlike '*acdd72a7-3385-48ef-bd42-f606fba81ae7'}) + $nonReaderRolesAssigned = ($getRoleAssignmentsForExecutingUserAtManagementGroupId.properties.RoleDefinitionId | Sort-Object -Unique).where({ $_ -notlike '*acdd72a7-3385-48ef-bd42-f606fba81ae7' }) if ($nonReaderRolesAssigned.Count -gt 0) { - Write-Host "* * * LEAST PRIVILEGE ADVICE" -ForegroundColor DarkRed - Write-Host "The Azure Governance Visualizer script is executed with more permissions than required." + Write-Host '* * * LEAST PRIVILEGE ADVICE' -ForegroundColor DarkRed + Write-Host 'The Azure Governance Visualizer script is executed with more permissions than required.' Write-Host "The executing identity '$($azapicallConf['checkContext'].Account.Id)' ($($azapicallConf['checkContext'].Account.Type)) Id: '$($azapicallConf['htparameters'].userObjectId)' has the following RBAC Role(s) assigned at Management Group scope '$ManagementGroupId':" foreach ($nonReaderRoleAssigned in $nonReaderRolesAssigned) { $currentTask = "Get RBAC Role definition '$nonReaderRoleAssigned'" 
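Review bot: The role-assignment query on the `$uri` line at the top of this hunk filters with `principalId eq '<userObjectId>'`, which as far as I know returns only assignments made directly to that object id. Owner or Contributor inherited through group membership would then be missing from `$nonReaderRolesAssigned`, and the least-privilege check would report success. The ARM roleAssignments API also accepts an `assignedTo('<id>')` filter that includes group-derived assignments; switching to it would close the gap, once its behaviour at management-group scope is confirmed. Otherwise add a comment above the `$uri` line such as `# direct assignments only; roles inherited via group membership are not evaluated`. The commit only normalizes casing and quoting here, and validateLeastPrivilegeForUser begins and ends outside the hunk.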
@@ -29090,14 +29090,14 @@ function validateLeastPrivilegeForUser { if ($getRole.properties.roleName -eq 'owner' -or $getRole.properties.roleName -eq 'contributor') { Write-Host " - $($getRole.properties.roleName) ($($getRole.properties.type)) !!!" } - else{ + else { Write-Host " - $($getRole.properties.roleName) ($($getRole.properties.type))" } } Write-Host "The required Azure RBAC role at Management Group scope '$ManagementGroupId' is 'Reader' (acdd72a7-3385-48ef-bd42-f606fba81ae7)." Write-Host "Recommendation: consider executing the script in context of a Service Principal with least privilege. Review the Azure Governance Visualizer Setup Guide at 'https://github.com/Azure/Azure-Governance-Visualizer/blob/master/setup.md'" Write-Host ' * * * * * * * * * * * * * * * * * * * * * *' -ForegroundColor DarkRed - pause + Pause } else { Write-Host "Azure Governance Visualizer Least Privilege check (Azure Resource side) for executing identity '$($azapicallConf['checkContext'].Account.Id)' ($($azapicallConf['checkContext'].Account.Type)) Id: '$($azapicallConf['htparameters'].userObjectId)' succeeded" -ForegroundColor Green 
@@ -33863,25 +33863,31 @@ Write-Host " Initialize 'AzAPICall' succeeded" -ForegroundColor Green Write-Host " Setting `$ignoreARMLocation to `$false" -ForegroundColor Yellow $ignoreARMLocation = $false -if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) { - Write-Host '' - Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid" - if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) { - Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed - Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow - throw 'ARMLocation validation failed!' +if ($azApiCallConf['htParameters'].azureCloudEnvironment -ne 'AzureCloud') { + Write-Host " Non Public Cloud ($($azApiCallConf['htParameters'].azureCloudEnvironment)) -> Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow + $ignoreARMLocation = $true +} + +if (-not $ignoreARMLocation) { + if ($azApiCallConf['htParameters'].ARMLocations.count -gt 0) { + Write-Host '' + Write-Host "Check if provided parameter value for -ARMLocation '$($ARMLocation)' is valid" + if ($azApiCallConf['htParameters'].ARMLocations -notcontains $ARMLocation) { + Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is not valid - please provide a valid ARMLocation" -ForegroundColor DarkRed + Write-Host " Valid ARMLocations: '$($azApiCallConf['htParameters'].ARMLocations -join ', ')'" -ForegroundColor Yellow + throw 'ARMLocation validation failed!' + } + else { + Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green + } } else { - Write-Host " Parameter value for -ARMLocation '$($ARMLocation)' is valid" -ForegroundColor Green + Write-Host '' + Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. 
(-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')" + Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow + $ignoreARMLocation = $true } } -else { - Write-Host '' - Write-Host "Skipping ARMLocation validation - no locations found in '`$azApiCallConf['htParameters'].ARMLocations'. (-SkipAzContextSubscriptionValidation = '$skipAzContextSubscriptionValidation')" - Write-Host " Setting `$ignoreARMLocation to `$true" -ForegroundColor Yellow - $ignoreARMLocation = $true -} - #EndRegion initAZAPICall #region required AzAPICall version diff --git a/version.json b/version.json index 43c2d44..441a8e5 100644 --- a/version.json +++ b/version.json @@ -1,3 +1,3 @@ { - "ProductVersion": "6.3.6" + "ProductVersion": "6.3.7" } \ No newline at end of file