Merge pull request #143 from JulianHayward/networkFeatures

Network features

.azuredevops/pipelines/AzGovViz.pipeline.yml

@@ -1,7 +1,7 @@
-# AzGovViz v6_major_20220917_1
+# AzGovViz v6_major_20221023_1
 # First things first:
-# 1. Mandatory: Set needed variables 'ServiceConnection' and 'ManagementGroupId' in the AzGovViz.variables.yml file.
-# 2. Mandatory: Check line 20  
+# 1. Mandatory: In the AzGovViz.variables.yml file set needed variables 'ServiceConnection' and 'ManagementGroupId
+# 2. Mandatory: Check line 20
 # Documentation: https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting
 
 trigger: none
@@ -145,7 +145,7 @@ jobs:
                 else {
                     Compress-Archive -Path "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)/$($env:OUTPUTPATH)/AzGovViz_$($env:MANAGEMENTGROUPID).html", "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)/$($env:OUTPUTPATH)/AzGovViz_$($env:MANAGEMENTGROUPID)_DefinitionInsights.html" -DestinationPath "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)/$($env:OUTPUTPATH)/AzGovViz_$($env:MANAGEMENTGROUPID).zip"
                 }
-                
+
                 $null = Select-AzSubscription -SubscriptionId $($env:WEBAPPSUBSCRIPTIONID)
                 if (Publish-AzWebApp -ResourceGroupName $($env:WEBAPPRESOURCEGROUP) -Name $($env:WEBAPPNAME) -ArchivePath "$($env:SYSTEM_DEFAULTWORKINGDIRECTORY)/$($env:OUTPUTPATH)/AzGovViz_$($env:MANAGEMENTGROUPID).zip" -Force) {
                     if ($($env:NODEFINITIONINSIGHTSDEDICATEDHTML)) {
@@ -169,4 +169,4 @@ jobs:
             exit 1
         }
       azurePowerShellVersion: latestVersion
-    displayName: 'Publish HTML to WebApp'  
+    displayName: 'Publish HTML to WebApp'

.azuredevops/pipelines/AzGovViz.variables.yml

@@ -1,4 +1,4 @@
-# AzGovViz v6_major_20220930_1
+# AzGovViz v6_major_20221023_1
 # First things first:
 # 1. Replace <YourServiceConnection> with the name of your service connection
 # 2. Replace <YourManagementGroupId> with the your ManagementGroupId
@@ -293,7 +293,7 @@ variables:
   - name: PIMEligibilityIgnoreScope
     # Switch | example: value: true
     value:
-  
+
 # Prevent integration of PIM eligible assignments with RoleAssignmentsAll (HTML, CSV)
   - name: NoPIMEligibilityIntegrationRoleAssignmentsAll
     # Switch | example: value: true
@@ -304,7 +304,7 @@ variables:
     # Switch | example: value: true
     value:
 
-# Create a dedicated DefinitionInsights HTML file 
+# Create a dedicated DefinitionInsights HTML file
   - name: NoDefinitionInsightsDedicatedHTML
     # Switch | example: value: true
     value:
@@ -314,6 +314,11 @@ variables:
     # Switch | example: value: true
     value:
 
+# Do not execute Network analysis / Virtual Network and Virtual Network Peerings
+  - name: NoNetwork
+    # Switch | example: value: true
+    value:
+
 # Dynamic Variables - Do Not Modify Anything Below this line!
   - name: ExcludedResourceTypesDiagnosticsCapable
     value: ${{ join(',',parameters.ExcludedResourceTypesDiagnosticsCapableParameters) }}

.devcontainer/devcontainer.json

@@ -12,4 +12,4 @@
         "yzhang.markdown-all-in-one"
     ],
     "forwardPorts": []
-}
+}

.github/workflows/AzGovViz.yml

@@ -27,17 +27,17 @@ on:
 jobs:
   AzGovViz:
     runs-on: ubuntu-latest
-    
+
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout
         uses: actions/checkout@v2
-      
+
       - name: Connect Azure
         uses: azure/login@v1
         with:
           creds: ${{secrets.CREDS}}
-          enable-AzPSSession: true 
+          enable-AzPSSession: true
           # Create secret CREDS (GitHub/Setting/Secrets)
           # CREDS looks like this:
           # {
@@ -60,9 +60,9 @@ jobs:
           inlineScript: |
             . .\$($env:ScriptDir)\$($env:ScriptFile) -ManagementGroupId ${env:ManagementGroupId} -ScriptPath ${env:ScriptDir} -OutputPath ${env:OutputPath}
           azPSVersion: "latest"
-      
+
       - name: Push AzGovViz output to repository
-        run: |        
+        run: |
           git config --global user.email "[email protected]"
           git config --global user.name "$GITHUB_ACTOR"
           git config pull.rebase false

.github/workflows/AzGovViz_OIDC.yml

@@ -33,19 +33,19 @@ permissions:
 jobs:
   AzGovViz:
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-       
+
       - name: Connect Azure OIDC
         uses: azure/login@v1
         with:
           client-id: ${{secrets.CLIENT_ID}} #create this secret
           tenant-id: ${{secrets.TENANT_ID}} #create this secret
           subscription-id: ${{secrets.SUBSCRIPTION_ID}} #create this secret
           enable-AzPSSession: true
-      
+
       - name: Check prerequisites
         uses: azure/powershell@v1
         with:
@@ -59,9 +59,9 @@ jobs:
           inlineScript: |
             . .\$($env:ScriptDir)\$($env:ScriptFile) -ManagementGroupId ${env:ManagementGroupId} -SubscriptionId4AzContext ${{secrets.SUBSCRIPTION_ID}} -ScriptPath ${env:ScriptDir} -OutputPath ${env:OutputPath} -GitHubActionsOIDC
           azPSVersion: "latest"
-      
+
       - name: Push AzGovViz output to repository
-        run: |        
+        run: |
           git config --global user.email "[email protected]"
           git config --global user.name "azgvz"
           git config pull.rebase false

.vscode/settings.json

@@ -0,0 +1,23 @@
+{
+    "editor.formatOnSave": true,
+    "files.trimTrailingWhitespace": true,
+    "[markdown]": {
+        "files.trimTrailingWhitespace": false
+    },
+    "powershell.codeFormatting.addWhitespaceAroundPipe": true,
+    "powershell.codeFormatting.alignPropertyValuePairs": true,
+    "powershell.codeFormatting.autoCorrectAliases": true,
+    "powershell.codeFormatting.ignoreOneLineBlock": true,
+    "powershell.codeFormatting.newLineAfterCloseBrace": true,
+    "powershell.codeFormatting.newLineAfterOpenBrace": true,
+    "powershell.codeFormatting.openBraceOnSameLine": true,
+    "powershell.codeFormatting.pipelineIndentationStyle": "IncreaseIndentationForFirstPipeline",
+    "powershell.codeFormatting.trimWhitespaceAroundPipe": true,
+    "powershell.codeFormatting.useConstantStrings": true,
+    "powershell.codeFormatting.useCorrectCasing": true,
+    "powershell.codeFormatting.whitespaceAfterSeparator": true,
+    "powershell.codeFormatting.whitespaceAroundOperator": true,
+    "powershell.codeFormatting.whitespaceBeforeOpenBrace": true,
+    "powershell.codeFormatting.whitespaceBeforeOpenParen": true,
+    "powershell.codeFormatting.whitespaceBetweenParameters": true
+}

README.md

@@ -59,10 +59,19 @@ Listed as [security monitoring tool](https://docs.microsoft.com/en-us/azure/arch
 
 ## Release history
 
-__Changes__ (2022-Oct-19 / Major)
-
-* Fix error for feature 'Storage Account Access Analysis' in sovereign clouds
-* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.43
+__Changes__ (2022-Oct-31 / Major)
+
+* New feature - Network analysis (__TenantSummary__ and CSV export)
+  * Virtual Networks
+  * Virtual Network Peerings
+* New parameter `-NoResourceProvidersAtAll` - processing Resource Providers in large tenants can consume a lot of memory / increase processing time significantly
+* Fix issue #139
+* Update `*_DailySummary.csv` with orphaned resources costs (disks, public IP addresses) - thanks @kaiaschulz
+* Slight adjustment on `*_RoleAssignments.csv` output - rename column tenOrMgOrSubOrRGOrRes to scopeTenOrMgOrSubOrRGOrRes
+* Publish .vscode
+* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.45
+* Minor optimizations
+* Add reference to [Media](#media): Microsoft Tech Talks - Bevan Sinclair (Cloud Solution Architect Microsoft) [Automated Governance Reporting in Azure (MTT0AEDT)](https://mtt.eventbuilder.com/event/66431) (register to view)
 
 Passed tests: Powershell Core 7.2.6 on Windows  
 Passed tests: Powershell Core 7.2.6 Azure DevOps hosted agent ubuntu-20.04  
@@ -82,6 +91,7 @@ More [demo output](https://github.com/JulianHayward/AzGovViz)
 
 ### Media
 
+* Microsoft Tech Talks - Bevan Sinclair (Cloud Solution Architect Microsoft) [Automated Governance Reporting in Azure (MTT0AEDT)](https://mtt.eventbuilder.com/event/66431) (register to view)
 * Microsoft Dev Radio (YouTube) [Get visibility into your environment with AzGovViz](https://www.youtube.com/watch?v=hZXvF5oypLE)  
 * Jack Tracey (Cloud Solution Architect Microsoft) [AzGovViz With Azure DevOps](https://jacktracey.co.uk/azgovviz-with-azure-devops/)
 
@@ -213,6 +223,9 @@ Short presentation on AzGovViz [[download](slides/AzGovViz_intro.pdf)]
     * Well-Architected Framework aligned best practice analysis for resources, including guidance for remediation
   * Storage Account Access Analysis
     * Provides insights on Storage Accounts with focus on anonymous access (containers/blobs and 'Static website' feature)
+* __Network__
+  * Virtual Networks
+  * Virtual Network Peerings
 * __Diagnostics__
   * Management Groups Diagnostic settings report
     * Management Group, Diagnostic setting name, target type (LA, SA, EH), target Id, Log Category status
@@ -442,6 +455,7 @@ AzAPICall resources:
   * ~~`-HierarchyTreeOnly`~~ `-HierarchyMapOnly` - Output only the __HierarchyMap__ for Management Groups including linked Subscriptions
   * `-SubscriptionQuotaIdWhitelist` - Process only Subscriptions with defined QuotaId(s). Example: .\AzGovVizParallel.ps1 `-SubscriptionQuotaIdWhitelist MSDN_,Enterprise_`
   * `-NoResourceProvidersDetailed` - Disables output for ResourceProvider states for all Subscriptions in the __TenantSummary__ section, in large Tenants this can become time consuming
+  * `-NoResourceProvidersAtAll` - Resource Providers will not be collected
   * `-NoMDfCSecureScore` - Disables Microsoft Defender for Cloud Secure Score request for Subscriptions and Management Groups.
   * ~~`-DisablePolicyComplianceStates`~~ `-NoPolicyComplianceStates` - Will not query policy compliance states. You may want to use this parameter to accellerate script execution or when receiving error 'ResponseTooLarge'. 
   * `-NoResourceDiagnosticsPolicyLifecycle` - Disables Resource Diagnostics Policy Lifecycle recommendations
@@ -487,6 +501,10 @@ AzAPICall resources:
     * `-NoPIMEligibilityIntegrationRoleAssignmentsAll` - Prevent integration of PIM eligible assignments with RoleAssignmentsAll (HTML, CSV)
   * ~~`-DefinitionInsightsDedicatedHTML`~~ `-NoDefinitionInsightsDedicatedHTML` - __DefinitionInsights__ will be written to a separate HTML file `*_DefinitionInsights.html`. If you want to keep __DefinitionInsights__ in the main html file then use this parameter
   * ~~`-NoALZEvergreen`~~ `-NoALZPolicyVersionChecker` - Do not execute the ~~'ALZ EverGreen'~~ 'Azure Landing Zones (ALZ) Policy Version Checker' feature
+  * `-NoStorageAccountAccessAnalysis` - Do not execute Storage Account Access Analysis (focus on anonymous access)
+  * `-StorageAccountAccessAnalysisSubscriptionTags` - Define Subscription tag names that should be added to the CSV output per Storage Account
+  * `-StorageAccountAccessAnalysisStorageAccountTags` - Define Storage Account tag names that should be added to the CSV output per Storage Account
+  * `-NoNetwork` - Do not execute Network analysis / Virtual Network and Virtual Network Peerings
 
 ### API reference
 

contributionGuide.md

@@ -5,8 +5,6 @@
     * In the folder `.\pwsh\dev` find the function you intend to work on, apply your changes
     * Edit the file `.\pwsh\dev\devAzGovVizParallel.ps1`
         * In the param block update the parameter variable `$ProductVersion` accordingly
-    * Edit the file `.\version.txt`
-        * Update with the new ProductVersion (same version as from the previous step)
     * Execute `.\pwsh\dev\buildAzGovVizParallel.ps1` - This step will rebuilt the main `.\pwsh\AzGovVizParallel.ps1` file (incorporating all changes you did in the `.\pwsh\dev` directory)
     * Edit the file `.\README.md`
         * Update the region `Release history`, replace the changes from the previous release with your changes

history.md

@@ -4,6 +4,20 @@
 
 ### AzGovViz version 6
 
+__Changes__ (2022-Oct-31 / Major)
+
+* New feature - Network analysis (__TenantSummary__ and CSV export)
+  * Virtual Networks
+  * Virtual Network Peerings
+* New parameter `-NoResourceProvidersAtAll` - processing Resource Providers in large tenants can consume a lot of memory / increase processing time significantly
+* Fix issue #139
+* Update `*_DailySummary.csv` with orphaned resources costs (disks, public IP addresses) - thanks @kaiaschulz
+* Slight adjustment on `*_RoleAssignments.csv` output - rename column tenOrMgOrSubOrRGOrRes to scopeTenOrMgOrSubOrRGOrRes
+* Publish .vscode
+* Use [AzAPICall](https://aka.ms/AzAPICall) PowerShell module version 1.1.45
+* Minor optimizations
+* Add reference to [Media](#media): Microsoft Tech Talks - Bevan Sinclair (Cloud Solution Architect Microsoft) [Automated Governance Reporting in Azure (MTT0AEDT)](https://mtt.eventbuilder.com/event/66431) (register to view)
+
 __Changes__ (2022-Oct-19 / Major)
 
 * Fix error for feature 'Storage Account Access Analysis' in sovereign clouds