Created
December 22, 2020 18:58
-
-
Save brentmcconnell/b14035fd71516354f15490c343431b01 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -o errexit # exit if any statement returns a non-true return value | |
| shopt -s expand_aliases | |
| # 3 digit random number | |
| RND=$(echo $RANDOM | grep -o ....$) | |
| echo "Check program requirements..." | |
| ( | |
| set +e | |
| programs=(az) | |
| missing=0 | |
| for i in ${programs[@]}; do | |
| command -v $i 2&> /dev/null | |
| if [ $? -eq 0 ]; then | |
| echo " * Found $i" | |
| else | |
| echo " * ERROR: missing $i" | |
| missing=1 | |
| fi | |
| done | |
| if [[ "$missing" -ne 0 ]]; then | |
| echo "Missing required commands" | |
| exit 1 | |
| fi | |
| ) | |
| usage() { | |
| echo "`basename $0`" | |
| echo " Usage: " | |
| echo " [-g <resource group>] vm resource group to use." | |
| echo " [-n <vm-name>] vm name to active JIT access to." | |
| exit 1 | |
| } | |
| # Catch any help requests | |
| for arg in "$@"; do | |
| case "$arg" in | |
| --help| -h) | |
| usage | |
| ;; | |
| esac | |
| done | |
| while getopts g:n: option | |
| do | |
| case "${option}" | |
| in | |
| g) RG=${OPTARG};; | |
| n) VM_NAME=${OPTARG};; | |
| *) usage;; | |
| : ) usage;; | |
| esac | |
| done | |
| shift "$(($OPTIND -1))" | |
| if [[ -z "$RG" || -z "$VM_NAME" ]]; then | |
| echo "ERROR: Set RG and VM_NAME must be set to continue." | |
| usage | |
| exit 1 | |
| fi | |
| echo "RG: $RG" | |
| echo "VM_NAME: $VM_NAME" | |
| # Catch --ignore-prompt request | |
| for arg in "$@"; do | |
| case "$arg" in | |
| --ignore-prompt | -i) | |
| NO_PROMPT=true | |
| ;; | |
| esac | |
| done | |
| if [ -z $NO_PROMPT ]; then | |
| read -p "Are you sure you want to Proceed and enable JIT Access [y/N]?" | |
| if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then | |
| exit 1 | |
| fi | |
| fi | |
| VMID=$(az vm show -g $RG -n $VM_NAME -o tsv --query "id") | |
| LOCATION=$(az vm show -g $RG -n $VM_NAME -o tsv --query "location") | |
| SUB=$(echo $VMID | cut -d \/ -f 3) | |
| ENDPOINT="https://management.azure.com/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default?api-version=2020-01-01" | |
| POLICY_ID="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default" | |
| JSON=$(cat <<-EOF | |
| { | |
| "kind": "Basic", | |
| "properties": { | |
| "virtualMachines": [ | |
| { | |
| "id": "$VMID", | |
| "ports": [ | |
| { | |
| "number": "22", | |
| "protocol": "*", | |
| "allowedSourceAddressPrefix": "*", | |
| "maxRequestAccessDuration": "PT3H" | |
| }, | |
| { | |
| "number": "3389", | |
| "protocol": "*", | |
| "allowedSourceAddressPrefix": "*", | |
| "maxRequestAccessDuration": "PT3H" | |
| } | |
| ] | |
| } | |
| ] | |
| }, | |
| "id": "$POLICY_ID", | |
| "name": "default", | |
| "type": "Microsoft.Security/locations/jitNetworkAccessPolicies", | |
| "location": "eastus" | |
| } | |
| EOF | |
| ) | |
| COMPRESSED_JSON=$(echo $JSON | jq -c) | |
| az rest --verbose --method put --uri "$ENDPOINT" --body "$COMPRESSED_JSON" -o json 2> nul |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment