-
Notifications
You must be signed in to change notification settings - Fork 2
/
pim
214 lines (187 loc) · 6.93 KB
/
pim
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
#!/bin/bash
# This script is used to make PIM assignments
print_help() {
cat <<EOF
Usage: $(basename "$0") [OPTIONS]
Required parameters:
--subscription, -s Subscription ID or name (fuzzy search enabled)
--resource-group, -g Resource group name (fuzzy search enabled)
Optional parameters:
--message, -m Justification message
--role, -r Role name (will be prompted if not provided)
--time, -t Duration (will be prompted if not provided)
--help Show this help message
EOF
exit 1
}
check_dependencies() {
for cmd in curl az jq fzf; do
if ! command -v $cmd &>/dev/null; then
echo "$cmd is required but not installed. Exiting."
exit 1
fi
done
}
validate_time() {
if [[ ! $time =~ ^[0-9]+[HM]$ ]]; then
echo "Invalid time format. Use nH (hours, max 8) or nM (minutes, min 5, max 60)"
exit 1
fi
if [[ $time == *H ]]; then
local hours=${time%H}
if ((hours < 1 || hours > 8)); then
echo "Invalid hour format. Use 1-8H."
exit 1
fi
elif [[ $time == *M ]]; then
local minutes=${time%M}
if ((minutes < 5 || minutes > 60)); then
echo "Invalid minute format. Use 5-60M."
exit 1
fi
fi
}
parse_arguments() {
while [[ "$#" -gt 0 ]]; do
case $1 in
-s | --subscription)
subscription="$2"
shift
;;
-g | --resource-group)
resource_group="$2"
shift
;;
-m | --message)
message="$2"
shift
;;
-r | --role)
role="$2"
shift
;;
-t | --time)
time="$2"
shift
;;
--help)
print_help
;;
*)
echo "Unknown parameter passed: $1"
print_help
;;
esac
shift
done
}
fuzzy_select_subscription() {
subscription=$(az account list --query "[].{name:name, id:id}" -o tsv | fzf --prompt="Select Subscription: " | awk '{$NF=""; print $0}' | sed 's/ $//')
if [[ -z "$subscription" ]]; then
echo "No subscription selected. Exiting."
exit 1
fi
}
fuzzy_select_resource_group() {
resource_group=$(az group list --subscription "$subscription" --query "[].name" -o tsv | fzf --prompt="Select Resource Group: ")
if [[ -z "$resource_group" ]]; then
echo "No resource group selected. Exiting."
exit 1
fi
}
fuzzy_select_role() {
roles=$(curl -s -H "Authorization: Bearer $token" -X GET \
"https://management.azure.com/subscriptions/${subscription_id}/resourceGroups/${resource_group}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&\$filter=asTarget()" |
jq -r '.value[].properties.expandedProperties.roleDefinition.displayName' | sort -u)
role=$(echo "$roles" | fzf --prompt="Select Role: ")
if [[ -z "$role" ]]; then
echo "No role selected. Exiting."
exit 1
fi
}
main() {
check_dependencies
parse_arguments "$@"
if [[ -z "$subscription" ]]; then
fuzzy_select_subscription
fi
if [[ -z "$resource_group" ]]; then
fuzzy_select_resource_group
fi
user_object_id=$(az ad user list --filter "mail eq '$(az account show --query user.name -o tsv)'" --query "[0].id" -o tsv)
guid=$(uuidgen | tr '[:upper:]' '[:lower:]')
token=$(az account get-access-token --query accessToken -o tsv)
subscription_id=$(az account list --query "[?id=='$subscription' || name=='$subscription'].id" -o tsv)
if [[ -z "$role" ]]; then
fuzzy_select_role
fi
role_definition_id=$(curl -s -H "Authorization: Bearer $token" -X GET \
"https://management.azure.com/subscriptions/${subscription_id}/resourceGroups/${resource_group}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01&\$filter=asTarget()" |
jq -r --arg resource_group "$resource_group" --arg role "$role" \
'.value[] | select(.properties.scope | endswith($resource_group)) | select(.properties.expandedProperties.roleDefinition.displayName == $role) | .properties.expandedProperties.roleDefinition.id' | awk -F'/' '{print $NF}')
if [[ -z "$time" ]]; then
read -p "Please provide duration time (default: 1H, if empty). Format: 8H (hours) or 5M (minutes): " time
time=${time:-"1H"}
fi
validate_time
if [[ -z "$message" ]]; then
read -p "Please provide a justification message: " message
if [[ -z "$message" ]]; then
echo "Justification message cannot be empty"
exit 1
fi
fi
justification="${message// /_}"
data=$(
cat <<EOF
{
"Properties": {
"RoleDefinitionId": "/subscriptions/${subscription_id}/providers/Microsoft.Authorization/roleDefinitions/${role_definition_id}",
"PrincipalId": "${user_object_id}",
"RequestType": "SelfActivate",
"Justification": "${justification}",
"ScheduleInfo": {
"StartDateTime": null,
"Expiration": {
"Type": "AfterDuration",
"EndDateTime": null,
"Duration": "PT${time}"
}
}
}
}
EOF
)
response=$(curl -s -H "Authorization: Bearer $token" -X PUT -H "Content-Type: application/json" -d "$data" \
"https://management.azure.com/subscriptions/${subscription_id}/resourceGroups/${resource_group}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${guid}?api-version=2020-10-01")
if [[ $(echo "$response" | jq -r '.error') != "null" ]]; then
echo "Error: $(echo "$response" | jq -r '.error.message')"
exit 1
fi
if [[ $(echo "$response" | jq -r '.properties.status') == "Provisioned" ]]; then
duration=$(echo "$response" | jq -r '.properties.scheduleInfo.expiration.duration')
if [[ $duration == *"H" ]]; then
# Extract hours and convert to minutes for the date command
hours=$(echo "$duration" | grep -o '[0-9]\+')
# fixes issue #5
if [[ "$OSTYPE" == "darwin"* ]]; then
expiration_time=$(date -v +${hours}H +"%Y-%m-%d %H:%M:%S")
else
expiration_time=$(date -d "+${hours} hours" +"%Y-%m-%d %H:%M:%S")
fi
elif [[ $duration == *"M" ]]; then
# Extract minutes directly for the date command
minutes=$(echo "$duration" | grep -o '[0-9]\+')
# fixes issue #5
if [[ "$OSTYPE" == "darwin"* ]]; then
expiration_time=$(date -v +${minutes}M +"%Y-%m-%d %H:%M:%S")
else
expiration_time=$(date -d "+${minutes} minutes" +"%Y-%m-%d %H:%M:%S")
fi
fi
echo "PIM assignment active. Expires: $expiration_time"
else
echo "An unknown error occurred."
fi
}
main "$@"