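# Deploy.ps1 - stands up the lab environment used by this repository:
#   * four Entra ID (Azure AD) users sharing one seeded password
#   * a storage account (HTTP allowed) with an anonymously readable 'files'
#     container holding a CSV of the nfp credentials
#   * a dynamic group assigned Automation Contributor, a service principal,
#     and an Automation account with an imported runbook
#   * a VM reachable on every TCP port, with a user-assigned identity that
#     can read a Key Vault secret holding the shared password
#   * AppOwner as owner of the 'HackingApp' app/service principal, and
#     privadmin as Privileged Role Administrator with a CLOUDSHELL resource group
# Requires the AzureAD/AzureADPreview and Az modules and the az CLI. The
# script is interactive: two Write-Host/ReadKey pauses expect manual portal work.
# Re-running it is not idempotent (every New-* call below fails on an existing
# name, and Export-Csv -Append adds a second row to test.csv).

# Two separate sessions are opened: the AzureAD module and the az CLI. The
# Az.* cmdlets used below need an Az session as well; presumably Connect-AzAccount
# is run beforehand (e.g. Cloud Shell) - TODO confirm.
Connect-AzureAD
az login

# Every resource group below is created in the same region.
$location = 'northeurope'

## Users. ##
# One password profile is reused for all four users. The password is a literal
# in source control; it is also exported to test.csv (uploaded to the public
# container below) and stored as the AppOwner Key Vault secret further down.
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "%cP&KCuC48YEYs3l3t9o!fIJU"
# Users keep the seeded password; no rotation is forced at first sign-in.
$PasswordProfile.ForceChangePasswordNextLogin = $false
New-AzureADUser -DisplayName "nfp" -PasswordProfile $PasswordProfile `
-UserPrincipalName "nfp@adsikkerhed.dk" -AccountEnabled $true `
-MailNickName "nfp"
New-AzureADUser -DisplayName "AppOwner" -PasswordProfile $PasswordProfile `
-UserPrincipalName "AppOwner@adsikkerhed.dk" -AccountEnabled $true `
-MailNickName "AppOwner"
New-AzureADUser -DisplayName "privadmin" -PasswordProfile $PasswordProfile `
-UserPrincipalName "privadmin@adsikkerhed.dk" -AccountEnabled $true `
-MailNickName "privadmin"
# Display name matches the dynamic membership rule of the AutomationAdmins group.
New-AzureADUser -DisplayName "AutomationAdmin" -PasswordProfile $PasswordProfile `
-UserPrincipalName "AutomationAdmin@adsikkerhed.dk" -AccountEnabled $true `
-MailNickName "AutomationAdmin"
# nfp's sign-in details are written to test.csv. The password is taken from the
# profile rather than repeated as a second literal, so the CSV cannot drift from
# the password actually set on the account. -Append keeps rows from earlier runs.
[pscustomobject]@{ username = 'nfp@adsikkerhed.dk'; password = $PasswordProfile.Password; } | `
Export-Csv -Path .\test.csv -Append -NoTypeInformation -delimiter ";" -Encoding UTF8

## Storage: resource group, account and a public container for test.csv. ##
$resourceGroup = "STORAGE"
New-AzResourceGroup -Name $resourceGroup -Location $location
$StorageAccountProv = @{
ResourceGroupName = $resourceGroup
Name = 'adsikkerhed'
SkuName = 'Standard_LRS'
Location = $location
EnableHttpsTrafficOnly = $false   # plain HTTP is accepted by this account
}
$StorageAccount = New-AzStorageAccount @StorageAccountProv
$Context = $StorageAccount.Context
$ContainerName = 'files'
# -Permission Container: anonymous read access to the container and its blobs,
# so test.csv (credentials above) is readable without authentication.
New-AzStorageContainer -Name $ContainerName -Context `
$Context -Permission Container
$TestCSV = @{
File = '.\test.csv'
Container = $ContainerName
Blob = "test.csv"
Context = $Context
StandardBlobTier = 'Hot'
}
Set-AzStorageBlobContent @TestCSV

## Dynamic group, role assignment and service principal. ##
# The dynamic-membership parameters are presumably why AzureADPreview is loaded
# here rather than at the top - confirm against the module version in use.
Import-Module AzureADPreview -Force
# Any user whose display name contains 'automationadmin' joins automatically;
# the AutomationAdmin user created above is the intended member.
New-AzureADMSGroup -DisplayName "AutomationAdmins" -Description `
"This dynamic group will add any AAD user with 'automationadmin' in Display Name" `
-MailEnabled $False -MailNickName "AutomationAdmins" -SecurityEnabled $True `
-GroupTypes "DynamicMembership" -MembershipRule `
'(user.displayName -contains "automationadmin")' `
-MembershipRuleProcessingState "On"
# NOTE(review): the group is read back immediately after creation; if the Az
# lookup runs before the directory has replicated it, $AutomationAdminsID is
# empty and the role assignment below fails - confirm, or retry the lookup.
$AutomationAdminsID = (Get-AzADGroup -DisplayName AutomationAdmins).id
# No -Scope is given, so this presumably lands at the default (subscription)
# scope rather than a single Automation account - confirm.
New-AzRoleAssignment -ObjectId $AutomationAdminsID `
-RoleDefinitionName "Automation Contributor"
# Creates an app registration + service principal with a client secret; az
# prints the new credential to the console. NOTE(review): newer az releases
# require --scopes alongside --role - verify against the CLI version in use.
az ad sp create-for-rbac --name VMContributor --role "Virtual Machine Contributor"

## Automation account and runbook. ##
$resourceGroup = "AUTOMATION"
New-AzResourceGroup -Name $resourceGroup -Location $location
New-AzAutomationAccount -Name "AutomationAccount" -Location $location -ResourceGroupName $resourceGroup
# Imports .\VMContribScript.ps1 (relative to the working directory) as a
# PowerShell runbook; the file is expected next to this script.
$params = @{
AutomationAccountName = 'AutomationAccount'
Name = 'RunBookPowerShell'
ResourceGroupName = $resourceGroup
Type = 'PowerShell'
Path = '.\VMContribScript.ps1'
}
Import-AzAutomationRunbook @params

## VM resource group. ##
$rgName = 'VMRG'
New-AzResourceGroup -Name $rgName -Location $location
## Create IP. ##
$ip = @{
Name = 'AZVMPUBLICIP'
ResourceGroupName = $rgName
Location = $location
Sku = 'Standard'
AllocationMethod = 'Static'
IpAddressVersion = 'IPv4'
Zone = 1,2,3
}
New-AzPublicIpAddress @ip
# Create a Virtual Machine
$vmName = 'AZHACK'
$userName = 'rootnation'
# Local admin password is a source literal (same concern as $PasswordProfile).
$plainTextPassword = '6#d_PL)tC@%2D[N'
$securePassword = $plainTextPassword | ConvertTo-SecureString -AsPlainText -Force
$credential = [pscredential]::new($userName, $securePassword)
# Uses the public IP created above; other networking comes from New-AzVM defaults.
$vm = New-AzVM -ResourceGroupName $rgName -Name $vmName `
-Location $location -Credential $credential -PublicIpAddressName 'AZVMPUBLICIP'
#Allow all inbound to VM
# One rule at priority 100: any source/port -> any destination/port over TCP.
# Assumes New-AzVM's defaults created an NSG named after the VM ($vmName) - TODO confirm.
Get-AzNetworkSecurityGroup -Name $vmName -ResourceGroupName $rgName `
| Add-AzNetworkSecurityRuleConfig -Name "ALL" -Description "Allow all ports" `
-Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 100 `
-SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" `
-DestinationPortRange "*" | Set-AzNetworkSecurityGroup

## Managed identity and Key Vault. ##
# Installed on demand for the current user; -Force suppresses prompts.
Install-Module -Name Az.ManagedServiceIdentity -Scope CurrentUser -Force
$identityName = 'AZHACKManagedIdentity'
$identity = New-AzUserAssignedIdentity -Name $identityName `
-ResourceGroupName $rgName -Location $location
$keyVaultName = 'ADSIKKERHED'
$keyVault = New-AzKeyVault -ResourceGroupName $rgName `
-Name $keyVaultName -Location $location
# The shared user password from above is stored as the 'AppOwner' secret.
$secretValue = ConvertTo-SecureString -String $PasswordProfile.Password -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $keyVaultName `
-Name AppOwner -SecretValue $secretValue
# Grant the identity Reader on the vault resource (management plane) and
# get/list on its secrets (data plane, access policy keyed on the client id).
New-AzRoleAssignment -RoleDefinitionName Reader `
-Scope $keyVault.ResourceId -ObjectId $identity.PrincipalId
Set-AzKeyVaultAccessPolicy -ResourceGroupName $rgName -VaultName $keyVaultName `
-ServicePrincipalName $identity.ClientId -PermissionsToSecrets get,list
# Attach the identity to the VM so code running on it can use the grants above.
Update-AzVM -ResourceGroupName $rgName -VM $vm `
-IdentityType UserAssigned -IdentityID $identity.Id

## App registration ownership (manual step first). ##
# Create the 'HackingApp' app registration in the portal, then press a key.
# The lookups below rely on that exact display name.
Write-Host "Continue App Registration in GUI"
$Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
# Make AppOwner an owner of both the application object and its service principal.
$ObjectID = Get-AzureADApplication -Filter "DisplayName eq 'HackingApp'" `
| Select-Object ObjectID
$RefObjectId = Get-AzureADUser -Filter `
"userPrincipalName eq 'AppOwner@adsikkerhed.dk'" | Select-Object ObjectID
Add-AzureADApplicationOwner -ObjectId $ObjectID.ObjectId -RefObjectId $RefObjectId.ObjectId
# NOTE(review): -SearchString is a search rather than an exact match and may
# return several principals, in which case $ObjectID.ObjectId is an array - confirm.
$ObjectID = Get-AzureADServicePrincipal -SearchString HackingApp | Select-Object ObjectID
Add-AzureADServicePrincipalOwner -ObjectId $ObjectID.ObjectId -RefObjectId $RefObjectId.ObjectId

## privadmin: directory role and Cloud Shell resource group. ##
# Privileged Role Administrator over the whole directory (scope '/').
$user = Get-AzureADUser -Filter "userPrincipalName eq 'privadmin@adsikkerhed.dk'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Privileged Role Administrator'"
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId '/' `
-RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
$resourceGroup = "CLOUDSHELL"
New-AzResourceGroup -Name $resourceGroup -Location $location
New-AzRoleAssignment -ObjectId $user.ObjectId `
-RoleDefinitionName "Contributor" `
-ResourceGroupName $resourceGroup
# Contributor already includes read access; the Reader assignment is redundant
# but kept as originally deployed.
New-AzRoleAssignment -ObjectId $user.ObjectId `
-RoleDefinitionName "Reader" `
-ResourceGroupName $resourceGroup
# Cloud Shell storage for privadmin is set up manually after this point.
Write-Host "Finish Cloud Shell for privadmin in GUI"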