# Script parameters bound by the function host (an Event Grid trigger, judging by the
# names). $eventGridEvent is the inbound event: its .subject and .data.VaultName are read
# at the bottom of this script. $TriggerMetadata is bound but not referenced anywhere here.
param($eventGridEvent, $TriggerMetadata)
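function RegenerateKey($keyId, $providerAddress){
    <#
    .SYNOPSIS
    Regenerates one access key of a storage account and returns the new key value.
    .PARAMETER keyId
    Name of the key to regenerate (the rest of this script only ever passes key1 or key2).
    .PARAMETER providerAddress
    ARM resource id of the storage account. The segment indexes used below (4 = resource
    group, 8 = account name) assume the usual
    /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
    layout.
    .OUTPUTS
    The object emitted by New-AzStorageAccountKey followed by the new key value (string).
    Callers must take the LAST output item (as RoatateSecret does); the output shape is
    kept on purpose so existing callers keep working.
    .NOTES
    Throws when the resource id does not have enough segments or the regenerated key
    cannot be read back. The key value itself is never written to the log.
    #>
    Write-Host "Regenerating key. Id: $keyId Resource Id: $providerAddress"
    $segments = $providerAddress -split '/'
    if ($segments.Count -lt 9) {
        throw "Unexpected provider address format (expected an ARM storage account resource id): $providerAddress"
    }
    $resourceGroupName = $segments[4]
    $storageAccountName = $segments[8]
    # Regenerate key. The cmdlet's result object is deliberately left on the output
    # stream (see .OUTPUTS); -ErrorAction Stop makes a failed regeneration abort instead
    # of falling through to the read-back below.
    New-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyName $keyId -ErrorAction Stop
    $newKeyValue = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -AccountName $storageAccountName -ErrorAction Stop |
        Where-Object KeyName -eq $keyId).Value
    # Without this check a missing key would be returned as $null and stored as an empty secret.
    if ([string]::IsNullOrEmpty($newKeyValue)) {
        throw "Key '$keyId' was not found on storage account '$storageAccountName' after regeneration"
    }
    return $newKeyValue
}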
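function AddSecretToKeyVault(
    $keyVaultName,
    $secretName,
    $newAccessKeyValue,
    [Alias('exprityDate')] $expiryDate,
    $tags
){
    <#
    .SYNOPSIS
    Stores a new version of a Key Vault secret holding an access key.
    .PARAMETER keyVaultName
    Name of the target Key Vault.
    .PARAMETER secretName
    Name of the secret to write a new version of.
    .PARAMETER newAccessKeyValue
    Plaintext key value to store. Must be non-empty.
    .PARAMETER expiryDate
    Expiry stamped on the new secret version. The parameter used to be spelled
    'exprityDate' while the body read '$expiryDate' (which only worked through dynamic
    scoping from the caller); the old spelling is kept as an alias for named callers.
    .PARAMETER tags
    Hashtable of tags to attach to the new version.
    .OUTPUTS
    Whatever Set-AzKeyVaultSecret emits (the new secret object), as before.
    .NOTES
    Throws on an empty key value so a failed regeneration can never overwrite a working
    secret with an empty one. $newAccessKeyValue is never logged.
    #>
    if ([string]::IsNullOrEmpty($newAccessKeyValue)) {
        throw "Refusing to store an empty value for secret '$secretName'"
    }
    # The value has to exist briefly as a plain string to build the SecureString.
    $secretValue = ConvertTo-SecureString "$newAccessKeyValue" -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secretValue -Tag $tags -Expires $expiryDate -ErrorAction Stop
}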
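function GetAlternateCredentialId($keyId){
    <#
    .SYNOPSIS
    Returns the credential id that is NOT currently in use (key1 <-> key2).
    .PARAMETER keyId
    Credential id currently referenced by the secret. Must be exactly key1 or key2
    (compared case-insensitively, like the original -NotMatch / -eq).
    .OUTPUTS
    String: 'key2' for key1, 'key1' otherwise.
    .NOTES
    Throws when $keyId is not one of the two valid ids.
    #>
    # Anchored: the previous pattern 'key[1-2]' was a substring match, so ids such as
    # 'key12' or 'mykey1' passed validation and were silently mapped to key1.
    $validCredentialIdsRegEx = '^key[12]$'
    if ($keyId -notmatch $validCredentialIdsRegEx) {
        throw "Invalid credential id: $keyId. Credential id must follow this pattern:$validCredentialIdsRegEx"
    }
    if ($keyId -eq 'key1') {
        return 'key2'
    }
    return 'key1'
}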
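function RoatateSecret($keyVaultName,$secretName){
    <#
    .SYNOPSIS
    Rotates the storage-account access key referenced by a Key Vault secret.
    .DESCRIPTION
    Reads the secret's tags (ValidityPeriodDays, CredentialId, ProviderAddress),
    regenerates the alternate storage key, and stores it as a new secret version with
    CredentialId flipped and an expiry of now + ValidityPeriodDays (UTC).
    .PARAMETER keyVaultName
    Name of the Key Vault holding the secret.
    .PARAMETER secretName
    Name of the secret to rotate.
    .OUTPUTS
    Whatever AddSecretToKeyVault emits, unchanged from the original flow.
    .NOTES
    Throws when the secret is missing, any of the three tags is missing, or
    ValidityPeriodDays is not a positive integer. The new key value is never logged.
    #>
    #Retrieve Secret
    $secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -ErrorAction Stop
    if ($null -eq $secret) {
        throw "Secret '$secretName' was not found in Key Vault '$keyVaultName'"
    }
    Write-Host "Secret Retrieved"
    #Retrieve Secret Info - all three tags drive the rotation, so fail early if any is absent
    foreach ($requiredTag in @('ValidityPeriodDays', 'CredentialId', 'ProviderAddress')) {
        if ([string]::IsNullOrEmpty($secret.Tags[$requiredTag])) {
            throw "Secret '$secretName' is missing required tag '$requiredTag'"
        }
    }
    $validityPeriodDays = $secret.Tags["ValidityPeriodDays"]
    $credentialId = $secret.Tags["CredentialId"]
    $providerAddress = $secret.Tags["ProviderAddress"]
    Write-Host "Secret Info Retrieved"
    Write-Host "Validity Period: $validityPeriodDays"
    Write-Host "Credential Id: $credentialId"
    Write-Host "Provider Address: $providerAddress"
    # A zero or negative validity would store an already-expired secret version.
    $validityDays = [int]$validityPeriodDays
    if ($validityDays -le 0) {
        throw "Tag ValidityPeriodDays on secret '$secretName' must be a positive number of days, got '$validityPeriodDays'"
    }
    #Get Credential Id to rotate - alternate credential
    $alternateCredentialId = GetAlternateCredentialId $credentialId
    Write-Host "Alternate credential id: $alternateCredentialId"
    #Regenerate alternate access key in provider.
    # RegenerateKey also emits the New-AzStorageAccountKey result object, so the key
    # value is the last output item. @() forces an array so that a lone string output
    # is not indexed character-wise by [-1].
    $regenerateOutput = @(RegenerateKey $alternateCredentialId $providerAddress)
    $newAccessKeyValue = $regenerateOutput[-1]
    Write-Host "Access key regenerated. Access Key Id: $alternateCredentialId Resource Id: $providerAddress"
    #Add new access key to Key Vault, carrying the tags forward with the credential id flipped
    $newSecretVersionTags = @{
        ValidityPeriodDays = $validityPeriodDays
        CredentialId       = $alternateCredentialId
        ProviderAddress    = $providerAddress
    }
    $expiryDate = (Get-Date).AddDays($validityDays).ToUniversalTime()
    AddSecretToKeyVault $keyVaultName $secretName $newAccessKeyValue $expiryDate $newSecretVersionTags
    Write-Host "New access key added to Key Vault. Secret Name: $secretName"
}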
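# Log the inbound event as JSON for diagnostics. Only event metadata is expected here;
# the secret value is not part of the event (confirm against the event schema in use).
$eventGridEvent | ConvertTo-Json | Write-Host
$secretName = $eventGridEvent.subject
$keyVaultName = $eventGridEvent.data.VaultName
# Fail fast on a malformed event instead of calling Key Vault with empty names.
if ([string]::IsNullOrEmpty($keyVaultName) -or [string]::IsNullOrEmpty($secretName)) {
    throw "Event is missing data.VaultName or subject; cannot determine which secret to rotate"
}
Write-Host "Key Vault Name: $keyVaultName"
Write-Host "Secret Name: $secretName"
#Rotate secret
Write-Host "Rotation started."
RoatateSecret $keyVaultName $secretName
Write-Host "Secret Rotated Successfully"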