Update to a recent version of the PowerShell Azure Module

ModuleOne/create.ps1

@@ -1,4 +1,4 @@
-# This PowerShell Script will create Module 1
+# This PowerShell Script will create Module 1
 
 param($SubTwo, $SubOne, $userNum, $domainname)
 
@@ -66,12 +66,16 @@ Write-Host "Starting Key Vault created"
 Write-Host "Creating User Key Vault"
 New-AzKeyVault -Name $UserVaultName -ResourceGroupName $RG1Name -Location $Location
 Write-Host "User Key Vault created"
+
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $group.Id -PermissionsToKeys get,list -PermissionsToSecrets get,list
 New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -ResourceName $theVault.VaultName -ResourceType Microsoft.KeyVault/vaults -ResourceGroupName $RG1Name
 
 # Fill the Vaults with secrets
 Write-Host "Adding secrets to starting Key Vault"
 Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyName -SecretValue $SecretKey1
+Remove-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser
 
 # Create the Users
 ..\Utils\create_users.ps1 $guid1 $domainname "m1" $userNum

ModuleThree/create.ps1

@@ -60,7 +60,8 @@ Update-AzFunctionApp -Name $functionApp -ResourceGroupName $RG1Name -Application
 New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -ResourceName $appInsightsName -ResourceType Microsoft.Insights/components -ResourceGroupName $RG1Name
 
 # Create function
-func new -n $function -t "Timer trigger" -l PowerShell
+func init --worker-runtime powershell
+func new -n $function -t "Timer trigger"
 
 # Switch Subscriptions
 Get-AzSubscription -SubscriptionId $SubTwo.Id -TenantId $SubTwo.TenantId | Set-AzContext
@@ -91,6 +92,7 @@ Write-Host "Key Vault created"
 Write-Host "Creating Service Principal"
 $appScope = '/subscriptions/' + $SubTwo.Id + '/resourceGroups/' + $RG2Name + '/providers/Microsoft.KeyVault/vaults/' + $VaultName
 $app = New-AzADServicePrincipal -DisplayName $appName -Scope $appScope
+New-AzRoleAssignment -ObjectId $app.Id -RoleDefinitionName Reader -Scope $appScope
 Write-Host "Service Principal created"
 
 # Set KV policy
@@ -111,7 +113,10 @@ New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -Scope $dsco
 Write-Host "John Doe created"
 
 # Add user info to KV
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
 Set-AzKeyVaultSecret -VaultName $VaultName -Name $displayname -SecretValue $sspw
+Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $currentUser
 
 # Switch Subscription
 Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-AzContext 
@@ -122,11 +127,10 @@ Copy-Item .\run.ps1 .\$function\
 Set-Location .\$function\
 $str = '$TenantId = "' + $SubTwo.TenantId + '"'
 (Get-Content .\run.ps1).replace('$TenantId = ', $str) | Set-Content .\run.ps1
-$str = '$AppObjectId = "' + $app.ApplicationId + '"'
-(Get-Content .\run.ps1).replace('$AppObjectId = ', $str) | Set-Content .\run.ps1
-$secret = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($app.Secret)
-$secret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secret)
-$str = '$Password = "' + $secret.ToString() + '"'
+$spAppId = $app.AppId.ToString()
+$str = '$AppId = "' + $spAppId + '"'
+(Get-Content .\run.ps1).replace('$AppId = ', $str) | Set-Content .\run.ps1
+$str = '$Password = "' + $app.PasswordCredentials.SecretText + '"'
 (Get-Content .\run.ps1).replace('$Password = ', $str) | Set-Content .\run.ps1
 Set-Location ..
 Write-Host "Function code modified"

ModuleThree/run.ps1

@@ -1,11 +1,11 @@
 # Input bindings are passed in via param block.
 param($Timer)
 
-Write-Host "Entering function ProcessData. TIME: $currentUTCtime"
-
 # Get the current universal time in the default string format
 $currentUTCtime = (Get-Date).ToUniversalTime()
 
+Write-Host "Entering function ProcessData. TIME: $currentUTCtime"
+
 # The 'IsPastDue' porperty is 'true' when the current function invocation is later than scheduled.
 if ($Timer.IsPastDue) {
     Write-Host "Timer is running late!"
@@ -15,10 +15,10 @@ Write-Host "Processing request..."
 
 $Resource = "https://vault.azure.net"
 $TenantId = 
-$AppObjectId = 
+$AppId = 
 $Password = 
 
-$body = @{Resource = $Resource; client_id = $AppObjectId; grant_type = "client_credentials"; client_secret = $Password} 
+$body = @{Resource = $Resource; client_id = $AppId; grant_type = "client_credentials"; client_secret = $Password} 
 
 $url = "https://login.microsoftonline.com/$TenantId/oauth2/token" 
 

ModuleThree/teardown.ps1

@@ -19,7 +19,7 @@ Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-A
 ..\Utils\delete_users.ps1 "m3"
 
 # Delete dummy value 
-Remove-AzADUser -DisplayName "JohnDoe" -Force
+Remove-AzADUser -DisplayName "JohnDoe"
 
 # ------Sub One------ #
 
@@ -38,7 +38,7 @@ Remove-AzResourceGroup -Name $RG2.ResourceGroupName -Force
 
 # Remove created directory and files
 $dir = Get-ChildItem . -Directory
-if ($dir) {Remove-Item .\$dir -Recurse}
+if ($dir) {Remove-Item $dir -Recurse}
 Remove-Item "host.json"
 Remove-Item "local.settings.json"
 

ModuleTwo/create.ps1

@@ -70,6 +70,9 @@ $sp1 = New-AzADServicePrincipal -DisplayName $sp1Name -Role Reader -Scope $sp1Sc
 $sp2Name = "m2webapp-admin"
 $sp2Scope = '/subscriptions/' + $SubTwo.Id + '/resourceGroups/' + $RG2Name
 $sp2 = New-AzADServicePrincipal -DisplayName $sp2Name -Scope $sp2Scope
+New-AzRoleAssignment -ObjectId $sp2.Id -RoleDefinitionName "Reader" -Scope $sp2Scope
+$sa2Scope = $sp2Scope + '/providers/Microsoft.Storage/storageAccounts/' + $SA2Name
+New-AzRoleAssignment -ObjectId $sp2.Id -RoleDefinitionName "Classic Storage Account Key Operator Service Role" -Scope $sa2Scope
 Write-Host "Service Principals created"
 
 # Add the flag to the SA
@@ -78,10 +81,17 @@ New-AzStorageContainer -Name $BlobName -Context $ctx -Permission Blob
 Set-AzStorageBlobContent -File "..\Utils\flag.txt" -Container $BlobName -Blob flag.txt -Context $ctx
 
 # Add in the appKey to the prived app
-Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appKey" -SecretValue $sp2.Secret
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
+$sp2AppId = $sp2.AppId.ToString()
+$ssid = ConvertTo-SecureString -String $sp2AppId -AsPlainText -Force
+Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appId" -SecretValue $ssid
+$sspw = ConvertTo-SecureString -String $sp2.PasswordCredentials.SecretText -AsPlainText -Force
+Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appKey" -SecretValue $sspw
 
 # Set Key Vault permissions
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $sp1.Id -PermissionsToKeys get,list -PermissionsToSecrets get,list
+Remove-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser
 
 # ------In Sub One------ #
 Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-AzContext 
@@ -94,11 +104,9 @@ $settings = @{}
 foreach ($kvp in $appSettings) {
     $settings[$kvp.Name] = $kvp.Value
 }
-$spAppId = $sp1.ApplicationId.ToString()
+$spAppId = $sp1.AppId.ToString()
 $settings['application_id'] = $spAppId
-$secret = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp1.Secret)
-$secret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secret)
-$settings['application_key'] = $secret.ToString()
+$settings['application_key'] = $sp1.PasswordCredentials.SecretText
 Set-AzWebApp -ResourceGroupName $RG1Name -Name $webServiceName -AppSettings $settings
 Write-Host "Web App Application settings updated"
 

Utils/create_users.ps1

@@ -26,8 +26,11 @@ for ($cur = 1; $cur -le $n; $cur++) {
     $thisuser = New-AzADUser -DisplayName $displayname -UserPrincipalName $upn -Password $sspw -MailNickname $displayname
     Add-AzADGroupMember -MemberObjectId $thisuser.Id -TargetGroupObjectId $toAdd.Id
 
-    # Store username and password in keyvault 
+    # Store username and password in keyvault
+    $currentUser = az ad signed-in-user show --query objectId -o tsv
+    Set-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
     Set-AzKeyVaultSecret -VaultName $UserKV.Name -Name $displayname -SecretValue $sspw
+    Remove-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser
 }
 
 Write-Host "Finished creating $module users"

Utils/delete_users.ps1

@@ -10,7 +10,7 @@ $toDel = $groups | Where-Object DisplayName -Clike $groupname
 
 # Remove all the users
 $usrList = Get-AzADGroupMember -GroupObjectId $toDel.Id
-foreach ($usr in $usrList) {Remove-AzADUser -DisplayName $usr.DisplayName -Force}
+foreach ($usr in $usrList) {Remove-AzADUser -DisplayName $usr.DisplayName}
 
 # Remove the group from AAD
-Remove-AzADGroup -ObjectId $toDel.id -Force
+Remove-AzADGroup -ObjectId $toDel.id

convex.ps1

@@ -107,7 +107,7 @@ foreach ($mod in $dirs.Name) {
     if ($decision -eq "create") {
         .\create.ps1 $SubOne $SubTwo $users $domainname
     } else {
-        .\teardown $SubOne $SubTwo
+        .\teardown.ps1 $SubOne $SubTwo
     }
     Set-Location ..
 }