SubscriptionPolicy/task_keyvaults.py at main · grecoe/SubscriptionPolicy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
"""
Tasks to perform enabling soft delete on AKV.

EnableSoftDelete (Force soft delete on all key vaults)

    "keyvault" : {
        "taskOutputDirectory" : "./logs/kevault_status",
        "availableTasks" : {
            "EnableSoftDelete" : {
                "Descripton" :"Scans subscriptions and forces soft delete on for key vaults",
                "Parameters" : null
            }
        },
        "active_tasks" : {
            "EnableSoftDelete" : null
        }
    },
"""
import os
import json
from microsoft.submaintenance.utils import(
    Configuration,
    AzLoginUtils,
    PathUtils,
    AzKeyVaultUtils
)

CREDENTIALS_FILE = "./credentials.json"
CONFIGURATION_FILE = "./configuration.json"

# Ensure a login and switch to SP if requested
try:
    AzLoginUtils.validate_login(CREDENTIALS_FILE)
except Exception as ex:
    print(str(ex))
    quit()

# Load configuration and create instance of identities
configuration = Configuration(CONFIGURATION_FILE)

allowed_tasks = [
    "enablesoftdelete"
    ]

# Validate the minimum on the configuration
if not hasattr(configuration, "subscriptions") or len(configuration.subscriptions) == 0:
    raise Exception("Update configuration.json with sub ids")
if not hasattr(configuration, "keyvault"):
    raise Exception("Update configuration.json keyvault section")
if not configuration.compute["taskOutputDirectory"]:
    raise Exception("Update configuration.json compute.taskOutputDirectory section")

# Create output path for all tasks
task_output_path = PathUtils.ensure_path(configuration.keyvault["taskOutputDirectory"])

for task_name in configuration.keyvault["active_tasks"]:
    if task_name.lower() not in allowed_tasks:
        print("Unknown task {} skipping...".format(task_name))

    task_settings = configuration.keyvault["active_tasks"][task_name]

    if task_name.lower() == allowed_tasks[0]:
        print("Performing Key Vault Soft Delete task")
        stats = AzKeyVaultUtils.check_soft_delete_status(configuration.subscriptions)

        file_name = os.path.join(task_output_path, "vault_scan.json")
        with open(file_name, "w") as output:
            data = {
                "total_subs" : len(configuration.subscriptions),
                "total_vaults" : stats["total"],
                "unlocked_vaults" : stats["unlocked"]
            }
            output.writelines(json.dumps(data, indent=4))