CorgiDev/Key-Vault-Expiration-Notification
Key Vault Expiration Notification

This PowerShell script can be adjusted to check a Key Vault for expiring objects, send email notifications, and create User Stories in Azure DevOps.

About the Script

A Tale of 2 folders

You will notice that there are 2 main folders:

  1. AzureRunbook: Versions of the script meant to be used in Azure Runbooks.
    1. Requires the following Azure modules to run:
      1. Az
      2. Azure.DevOps
      3. Az.KeyVault
      4. Az.Profile
    2. Notes on modules:
      • There may be others that were just already installed in the environment I was testing with.
      • It may also work with the AzureRM variants of these, but some commands would need to be changed to their AzureRM equivalents.
      • You are better off sticking with Az, because it is meant to replace AzureRM.
  2. LocalRun: Versions of the script meant to be used locally, or possibly outside Azure.
    1. Important: These are not set up yet.

What does it do?

There are 2 main versions of the script in each of the folders listed above. Each version is described below.

  1. Notification Only
    1. Checks for expiring assets in a KeyVault based on a number of days you set.
    2. If any assets expire within that number of days from the current date, it sends an email to a designated recipient address using a service account whose credentials you provide. The email has a clear subject and a body with some details on where to find documentation; both can be customized to your needs.
  2. Notification & ADO Work Item Creation
    1. Checks for expiring assets in a KeyVault based on a number of days you set.
    2. If anything is expiring, it then checks whether a work item already exists for it, matching on the notification subject, which includes the secret label and expiration date.
      1. If the work item exists, it still sends the notification, but lists the matching work item(s).
      2. If the work item does not exist, it creates the work item.
      3. It then sends the notification and lets you know it created a work item.
    3. If nothing is expiring, it still sends a notification so you know the script is running, but tells you nothing was found to be expiring.
      1. This also serves as a warning if you were expecting something to be expiring but the notification says nothing is.
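The "Notification Only" flow above, written out as an added example; this is not the repository's own script. It assumes the Az.KeyVault module and an existing Az context (Connect-AzAccount locally, or the Automation Account's identity inside a Runbook), and that the SMTP service account is stored as an Automation credential asset. The vault name, SMTP host, addresses and credential asset name are placeholders. Objects with no expiry set are skipped, and objects that have already expired are reported rather than dropped.

```powershell
# Added example (not the repository's own script): check one Key Vault for secrets,
# keys and certificates expiring within $DaysAhead days and email either one notice
# per expiring object or a single "nothing expiring" heartbeat.
# Assumes Az.KeyVault is installed and an Az context exists. All names are placeholders.
param(
    [string]$VaultName      = 'PLACEHOLDER-vault',
    [int]$DaysAhead         = 30,
    [string]$SmtpServer     = 'smtp.example.invalid',
    [string]$From           = 'keyvault-monitor@example.invalid',
    [string]$To             = 'platform-team@example.invalid',
    [string]$CredentialName = 'PLACEHOLDER-smtp-credential'   # Automation credential asset name
)

function Get-ExpiringKeyVaultObjects {
    param([string]$VaultName, [int]$DaysAhead)
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays($DaysAhead)

    # The three list cmdlets each return items carrying an Expires property (null when no expiry is set).
    $items = @()
    $items += Get-AzKeyVaultSecret      -VaultName $VaultName | ForEach-Object { [pscustomobject]@{ Type = 'Secret';      Name = $_.Name; Expires = $_.Expires } }
    $items += Get-AzKeyVaultKey         -VaultName $VaultName | ForEach-Object { [pscustomobject]@{ Type = 'Key';         Name = $_.Name; Expires = $_.Expires } }
    $items += Get-AzKeyVaultCertificate -VaultName $VaultName | ForEach-Object { [pscustomobject]@{ Type = 'Certificate'; Name = $_.Name; Expires = $_.Expires } }

    $items |
        Where-Object { $_.Expires -and $_.Expires -le $cutoff } |   # no expiry set => nothing to warn about
        ForEach-Object {
            # Negative DaysLeft means the object has already expired; it is reported, not skipped.
            $_ | Add-Member -NotePropertyName DaysLeft -NotePropertyValue ([math]::Ceiling(($_.Expires - $now).TotalDays)) -PassThru
        } |
        Sort-Object Expires
}

function New-ExpirationSubject {
    param([string]$VaultName, $Item)
    # Object name and expiry date are part of the subject; the ADO variant matches work items on this exact string.
    '[KeyVault {0}] {1} "{2}" expires {3:yyyy-MM-dd}' -f $VaultName, $Item.Type, $Item.Name, $Item.Expires
}

function New-ExpirationBody {
    param([string]$VaultName, $Item)
    $state = if ($Item.DaysLeft -lt 0) { 'ALREADY EXPIRED' } else { "$($Item.DaysLeft) day(s) left" }
    @(
        "Key Vault:   $VaultName",
        "Object:      $($Item.Type) '$($Item.Name)'",
        "Expires:     $($Item.Expires.ToString('u'))  ($state)",
        '',
        'Rotation documentation: <PLACEHOLDER link to your runbook or wiki>'
    ) -join "`n"
}

function Get-SmtpCredential {
    param([string]$CredentialName)
    # Inside a Runbook the credential asset is decrypted by Get-AutomationPSCredential; locally, prompt instead.
    if (Get-Command Get-AutomationPSCredential -ErrorAction SilentlyContinue) { Get-AutomationPSCredential -Name $CredentialName }
    else { Get-Credential -Message 'SMTP service account' }
}

$cred     = Get-SmtpCredential -CredentialName $CredentialName
$mailArgs = @{ SmtpServer = $SmtpServer; UseSsl = $true; Port = 587; Credential = $cred; From = $From; To = $To }
$expiring = @(Get-ExpiringKeyVaultObjects -VaultName $VaultName -DaysAhead $DaysAhead)

if ($expiring.Count -eq 0) {
    # Heartbeat: an explicit "nothing found" message distinguishes a healthy run from a silently broken one.
    Send-MailMessage @mailArgs -Subject "[KeyVault $VaultName] nothing expires within $DaysAhead days" `
        -Body "Check ran at $((Get-Date).ToUniversalTime().ToString('u')); no secrets, keys or certificates expire within $DaysAhead days."
} else {
    foreach ($item in $expiring) {
        Send-MailMessage @mailArgs -Subject (New-ExpirationSubject -VaultName $VaultName -Item $item) -Body (New-ExpirationBody -VaultName $VaultName -Item $item)
    }
}
```

Send-MailMessage still ships with PowerShell but is marked obsolete; in a Runbook that needs modern SMTP authentication, swap the last step for your mail provider's API while keeping the same subject and body builders.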

Additional Notes

  • Uses a WIQL query for the Work Item search and a different API call for the work item creation.
  • In my experience the Azure Runbook must be in an Automation Account on the same subscription as the KeyVault being checked.
  • The Runbook variant requires an Azure DevOps Personal Access Token to access the ADO portions. This is meant to be stored in an encrypted variable within the Automation Account itself, though you could alter it to pull from a Key Vault instead.
    • Looking into ways to use something not linked to a specific user account in the future.
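The work-item half of the "Notification & ADO Work Item Creation" flow and the notes above (WIQL search, a separate creation call, PAT read from an encrypted Automation variable), as an added example that is not the repository's own code. It assumes a PAT with work-item read/write scope stored in an encrypted Automation variable (falling back to an `ADO_PAT` environment variable when run locally), and uses the Azure DevOps REST API at api-version 7.0 rather than a PowerShell module. Organization, project and variable names are placeholders; the sample subject at the bottom is constructed.

```powershell
# Added example (not the repository's own script): find an open Azure DevOps work item whose
# title equals the notification subject, or create one if none exists.
# Assumes a PAT with work-item read/write scope in an encrypted Automation variable.
param(
    [string]$Organization = 'PLACEHOLDER-org',
    [string]$Project      = 'PLACEHOLDER-project',
    [string]$PatVariable  = 'PLACEHOLDER-ado-pat',   # encrypted Automation Account variable name
    [string]$WorkItemType = 'User Story'
)

function Get-AdoAuthHeader {
    param([string]$PatVariable)
    # Get-AutomationVariable decrypts the encrypted asset inside a Runbook; locally, read an env var instead.
    $pat = if (Get-Command Get-AutomationVariable -ErrorAction SilentlyContinue) { Get-AutomationVariable -Name $PatVariable } else { $env:ADO_PAT }
    if (-not $pat) { throw 'No Azure DevOps PAT available.' }
    # PAT authentication is HTTP Basic with an empty user name.
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
    @{ Authorization = "Basic $token" }
}

function Find-AdoWorkItemByTitle {
    param([string]$Organization, [string]$Project, [hashtable]$Headers, [string]$Title)
    # WIQL string literals are single-quoted; double any embedded single quote so the title cannot alter the query.
    $safeTitle = $Title -replace "'", "''"
    $wiql = @{ query = "SELECT [System.Id] FROM WorkItems WHERE [System.TeamProject] = @project AND [System.Title] = '$safeTitle' AND [System.State] <> 'Closed'" }
    $uri  = "https://dev.azure.com/$Organization/$Project/_apis/wit/wiql?api-version=7.0"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers -ContentType 'application/json' -Body ($wiql | ConvertTo-Json)
    @($resp.workItems | ForEach-Object { $_.id })   # empty array when nothing matches
}

function New-AdoWorkItem {
    param([string]$Organization, [string]$Project, [hashtable]$Headers, [string]$Type, [string]$Title, [string]$Description)
    # Creation is a separate endpoint taking a JSON Patch document; the type sits in the URL prefixed with '$'.
    $patch = @(
        @{ op = 'add'; path = '/fields/System.Title';       value = $Title },
        @{ op = 'add'; path = '/fields/System.Description'; value = $Description },
        @{ op = 'add'; path = '/fields/System.Tags';        value = 'KeyVault; Expiration' }
    )
    $typePath = '$' + [uri]::EscapeDataString($Type)
    $uri  = "https://dev.azure.com/$Organization/$Project/_apis/wit/workitems/${typePath}?api-version=7.0"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers -ContentType 'application/json-patch+json' -Body (ConvertTo-Json -InputObject $patch -Depth 3)
    $resp.id
}

function Sync-ExpirationWorkItem {
    param([string]$Organization, [string]$Project, [string]$PatVariable, [string]$WorkItemType, [string]$Subject, [string]$Body)
    $headers  = Get-AdoAuthHeader -PatVariable $PatVariable
    $existing = Find-AdoWorkItemByTitle -Organization $Organization -Project $Project -Headers $headers -Title $Subject
    if ($existing.Count -gt 0) {
        # Already tracked: the notification still goes out, but lists the matching item(s) instead of creating another.
        return [pscustomobject]@{ Created = $false; Ids = $existing; Note = "Matching work item(s): $($existing -join ', ')" }
    }
    $id = New-AdoWorkItem -Organization $Organization -Project $Project -Headers $headers -Type $WorkItemType -Title $Subject -Description $Body
    [pscustomobject]@{ Created = $true; Ids = @($id); Note = "Created work item #$id" }
}

# Constructed sample subject in the same shape the notification builds (object label plus expiry date).
$subject = '[KeyVault PLACEHOLDER-vault] Secret "db-connection-string" expires 2024-12-31'
$result  = Sync-ExpirationWorkItem -Organization $Organization -Project $Project -PatVariable $PatVariable -WorkItemType $WorkItemType -Subject $subject -Body 'See the rotation documentation.'
Write-Output $result.Note   # appended to the notification email body
```

Matching on the exact subject is what keeps the Runbook idempotent across daily runs: as long as the subject embeds the object name and expiry date, the same expiring secret produces one work item, and a rotated secret (new expiry date) produces a new one. The query excludes Closed items so a closed ticket for an earlier expiry does not suppress a fresh one.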

External Documentation Referenced

Additional Thanks

I want to thank some of my wonderful friends, coworkers, and my boyfriend who helped me troubleshoot this script and get it working. It started as a fun personal project I was playing with outside work, which then turned into something helpful at work and in my personal play areas. While functional, I am going to be looking at ways to refactor it soon to clean it up and improve its quality. However, I hope that it can serve as a helpful tool to people in the meantime.
