<#
.SYNOPSIS
Lists the policy assignments made at the selected management groups together with
their non-compliant resources.

.PARAMETER ManagementGroupName
Display names of the management groups to inspect. Matching is done against
DisplayName, not against the management group ID.

.PARAMETER OutputMarkdown
Emit the report as Markdown table lines instead of objects.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $false)]
    [string[]]
    $ManagementGroupName = @("mg-prd-core", "mg-prd-lz"),

    [Parameter(Mandatory = $false)]
    [switch]
    $OutputMarkdown
)
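function GetNonCompliantResource {
    <#
    .SYNOPSIS
    Returns the IDs of the resources that are non-compliant for one policy assignment,
    joined into a single ", "-separated string.

    .PARAMETER ManagementGroupName
    Value passed to Get-AzPolicyState -ManagementGroupName.

    .PARAMETER PolicyAssignmentName
    Assignment name compared with PolicyAssignmentName in the policy state filter.

    .OUTPUTS
    System.String. Empty when the query returns no records.
    #>
    param (
        [string]$ManagementGroupName,
        [string]$PolicyAssignmentName
    )

    # The name ends up inside an OData string literal. A single quote in it has to be
    # doubled; left as-is it would close the literal early and the remainder of the
    # name would be parsed as filter syntax, changing which records are returned.
    $escapedName = $PolicyAssignmentName.Replace("'", "''")
    $filterStr = "PolicyAssignmentName eq '$escapedName' and ComplianceState eq 'NonCompliant'"

    $complianceReportArr = Get-AzPolicyState -ManagementGroupName $ManagementGroupName -Filter $filterStr

    # NOTE(review): the IDs are joined as returned; if the service reports one record per
    # policy definition, the same resource may be listed several times. Confirm before
    # comparing this list with NonCompliantResourceCount.
    return ($complianceReportArr.ResourceId) -join ", "
}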
# Markdown Function based on https://gist.github.com/mac2000/86150ab43cfffc5d0eef
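Function ConvertTo-Markdown {
    <#
    .SYNOPSIS
    Renders objects as a pipe-delimited Markdown table, emitting one string per table line
    (header, separator, then one line per input object).

    .PARAMETER collection
    Objects to render; accepted from the pipeline. Every property seen on any object
    becomes a column, in the order the properties are first encountered.

    .NOTES
    Cell text is kept on one line and literal "|" characters are escaped so that a value
    cannot add or shift table columns. Other Markdown or HTML inside a value is passed
    through unchanged; if the values come from names or descriptions that other people
    can edit, the renderer that displays the table still has to sanitise it.
    #>
    [CmdletBinding()]
    [OutputType([string])]
    Param (
        [Parameter(
            Mandatory = $true,
            Position = 0,
            ValueFromPipeline = $true
        )]
        [PSObject[]]$collection
    )

    Begin {
        # Rows are buffered: column widths are only known once the last object has arrived.
        $items = [System.Collections.ArrayList]@()

        # Ordered, so the table columns follow property order instead of hashtable order.
        $columns = [ordered]@{}

        # Turns any value into the exact text that is written into a cell. The same text is
        # used for measuring and for printing, so widths and content cannot disagree.
        $formatCell = {
            param ($Value)

            if ($null -eq $Value) {
                return ''
            }

            $text = if ($Value -is [System.Collections.IEnumerable] -and $Value -isnot [string]) {
                @($Value) -join ', '
            }
            else {
                $Value.ToString()
            }

            # A line break would end the table row and a bare pipe would start a new cell.
            return ($text -replace '\r\n|\r|\n', ' ').Replace('|', '\|')
        }
    }

    Process {
        ForEach ($item in $collection) {
            $null = $items.Add($item)

            ForEach ($property in $item.PSObject.Properties) {
                # Null values count as width 0 so a column that is empty on every row
                # is still part of the table.
                $width = (& $formatCell $property.Value).Length
                if (-not $columns.Contains($property.Name) -or $columns[$property.Name] -lt $width) {
                    $columns[$property.Name] = $width
                }
            }
        }
    }

    End {
        # Copy the keys first: the widths are updated while walking over them.
        $names = @($columns.Keys)
        $headerText = @{}

        ForEach ($name in $names) {
            $headerText[$name] = & $formatCell $name
            $columns[$name] = [Math]::Max($columns[$name], $headerText[$name].Length)
        }

        $header = @()
        ForEach ($name in $names) {
            $header += $headerText[$name].PadRight($columns[$name])
        }
        $header -join ' | '

        $separator = @()
        ForEach ($name in $names) {
            $separator += '-' * $columns[$name]
        }
        $separator -join ' | '

        ForEach ($item in $items) {
            $values = @()
            ForEach ($name in $names) {
                $values += (& $formatCell $item.($name)).PadRight($columns[$name])
            }
            $values -join ' | '
        }
    }
}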
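#region CollectAllAssignmentsInScope
# Management groups are selected by display name. Display names are labels rather than
# identifiers, so confirm that each requested name resolves to the group you expect.
$mgProd = @(Get-AzManagementGroup | Where-Object { $ManagementGroupName -contains $_.DisplayName })

# A requested group that cannot be resolved (typo, or not visible to the signed-in identity)
# would otherwise just be absent, and a short or empty report can be misread as "compliant".
foreach ($requestedName in $ManagementGroupName) {
    if ($mgProd.DisplayName -notcontains $requestedName) {
        Write-Warning "Management group '$requestedName' was not found or is not readable; it is not covered by this report."
    }
}

$policyAssignmentArr = [System.Collections.ArrayList]@()

foreach ($mg in $mgProd) {
    Write-Verbose "Current Management Group: $($mg.DisplayName)"

    # One summary call per management group; the per-assignment figures are looked up below.
    $policyAssignmentComplianceArr = (Get-AzPolicyStateSummary -ManagementGroupName $mg.Name).PolicyAssignments

    # Only assignments whose own scope is this management group are kept, so assignments
    # returned for other scopes are not reported here.
    $directAssignments = Get-AzPolicyAssignment -Scope $mg.Id | Where-Object { $_.Properties.Scope -eq $mg.Id }

    $directAssignments | ForEach-Object {
        $tmpObj = $_

        # The summary identifies an assignment by full ID; its last path segment is the name.
        $complianceSummary = $policyAssignmentComplianceArr | Where-Object { ($_.PolicyAssignmentId -split "/")[-1] -eq $tmpObj.Name }

        $extraProperties = @(
            @{Name = 'NonCompliantResourceCount'; Expression = { $complianceSummary.results.NonCompliantresources } },
            @{Name = 'NonCompliantResourceList'; Expression = { (GetNonCompliantResource -ManagementGroupName $mg.Name -PolicyAssignmentName $_.Name) } }
        )
        $tmpObj = $tmpObj | Select-Object -Property (@('*') + $extraProperties)

        $null = $policyAssignmentArr.Add($tmpObj)
    }
}
#endregion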
#region ReturnOutput
# Both output modes expose the same columns; only the final rendering step differs.
# The report carries resource IDs, so handle the output as internal inventory data.
$reportColumns = @(
    @{Name = 'DisplayName'; Expression = { $_.Properties.DisplayName } },
    @{Name = 'Scope'; Expression = { $_.Properties.Scope } },
    'Name',
    'ResourceId',
    'NonCompliantResourceCount',
    'NonCompliantResourceList'
)

if ($OutputMarkdown) {
    return $policyAssignmentArr | Select-Object -Property $reportColumns | ConvertTo-Markdown
}

return $policyAssignmentArr | Select-Object -Property $reportColumns
#endregion