JulianHayward / Azure-MG-Sub-Governance-Reporting

Azure Governance Visualizer aka AzGovViz is a PowerShell script that captures Azure Governance related information such as Azure Policy, RBAC (a lot more) by polling Azure ARM, Storage and Microsoft Graph APIs.
MIT License

Manual private link service connections - unexpected value in property 'privateLinkServiceId' #150

Closed jsandquist closed 1 year ago

jsandquist commented 1 year ago

Hi, I've stumbled upon some more variations around manual private link service connections, after support was initially added a few days back in

Changes (2022-Nov-28 / Major)

  • Network analysis - fix Private Endpoints feature
    • Handle manual manualPrivateLinkServiceConnections

Added some debug output and found an unexpected value in the privateLinkServiceId property as it does not contain the expected '/' used for splitting it up - thus causing an exception at L59

Debug output as follows:

Processing Private Endpoints enrichment (7 Private Endpoints)

==> subscriptionId: (4d7d8a5c-xxxx-xxxx-xxxx-xxxxxxxxxxxx) ==> resourceGroup: (rg-xxxxxxxxxxx) ==> peConnectionType: (manual) ==> peConnectionState: (Approved) ==> resourceSplit: (s-nzgk0-privatelink-1.006c0d80-xxxx-xxxx-xxxx-xxxxxxxxxxxx.(region).azure.privatelinkservice)

I suspect it to be a cross-tenant or cross-subscription Private Endpoint but still looking into it. With a little luck I hope to submit a PR after some more testing. We could split on '.' instead of '/' but the second part 006c0d80-xxxx-xxxx-xxxx-xxxxxxxxxxxx does not identify a subscription in the tenant I'm testing with so not sure what we want to include in the output.

Any thoughts or feedback is most welcome.

JulianHayward commented 1 year ago

All right, so let's add some more properties to $script:arrayPrivateEndpointsEnriched

In case you cannot find the subscriptionId -> lookup: $htSubscriptionsMgPath.($remotesubscriptionId). Then let's get the remote TenantId (in the case of Lighthouse it could be multiple):

```powershell
# Resolve the owning tenant of a subscription that is not found in $htSubscriptionsMgPath
$uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($remotesubscriptionId)?api-version=2020-01-01"
$remoteTenantId = AzAPICall -AzAPICallConfiguration $azApiCallConf -uri $uri -listenOn 'content' -currentTask "getTenantId for subscriptionId '$($remotesubscriptionId)'"
```

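As an added illustration of the two comments above (example code, not AzGovViz's own), this helper classifies a privateLinkServiceId before splitting it: an ARM resource ID is split on '/', while a Private Link service alias like the one in the debug output (no '/' at all) is recognised by its shape instead of throwing. The `$KnownSubscriptions` hashtable is an assumed stand-in for the script's `$htSubscriptionsMgPath` lookup, and the GUIDs and region in the sample values are constructed placeholders.

```powershell
function Resolve-PrivateLinkServiceId {
    param(
        [Parameter(Mandatory)][string] $PrivateLinkServiceId,
        [hashtable] $KnownSubscriptions = @{}   # assumed stand-in for $htSubscriptionsMgPath
    )
    $result = [ordered]@{
        Input                   = $PrivateLinkServiceId
        IdKind                  = 'unknown'
        SubscriptionId          = $null
        ResourceGroup           = $null
        ResourceName            = $null
        Region                  = $null
        NeedsRemoteTenantLookup = $false
    }
    if ($PrivateLinkServiceId -like '/subscriptions/*') {
        # ARM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
        $parts = $PrivateLinkServiceId.Split('/', [StringSplitOptions]::RemoveEmptyEntries)
        if ($parts.Count -lt 8) { $result.IdKind = 'malformedResourceId'; return [pscustomobject]$result }
        $result.IdKind         = 'resourceId'
        $result.SubscriptionId = $parts[1]
        $result.ResourceGroup  = $parts[3]
        $result.ResourceName   = $parts[-1]
    }
    elseif ($PrivateLinkServiceId -match '^(?<name>[^.]+)\.(?<guid>[0-9a-fA-F-]{36})\.(?<region>[^.]+)\.azure\.privatelinkservice$') {
        # Private Link service alias as seen in the debug output: nothing to split on '/'.
        # The GUID segment is not a subscriptionId in the reporting tenant (per the report), so it is not used as one.
        $result.IdKind       = 'alias'
        $result.ResourceName = $Matches.name
        $result.Region       = $Matches.region
    }
    if ($result.SubscriptionId) {
        # Subscription not in the local lookup -> candidate for the remote tenantId query shown above
        $result.NeedsRemoteTenantLookup = -not $KnownSubscriptions.ContainsKey($result.SubscriptionId)
    }
    return [pscustomobject]$result
}

# Constructed sample values; GUIDs and region are placeholders, not real identifiers.
$known = @{ '11111111-1111-1111-1111-111111111111' = 'mg-path-placeholder' }
$samples = @(
    '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-a/providers/Microsoft.Network/privateLinkServices/pls-a',
    '/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-b/providers/Microsoft.Storage/storageAccounts/stb',
    's-nzgk0-privatelink-1.33333333-3333-3333-3333-333333333333.westeurope.azure.privatelinkservice'
)
$samples | ForEach-Object { Resolve-PrivateLinkServiceId -PrivateLinkServiceId $_ -KnownSubscriptions $known } |
    Format-Table IdKind, SubscriptionId, ResourceGroup, ResourceName, Region, NeedsRemoteTenantLookup
```

The second sample ends up flagged with NeedsRemoteTenantLookup, the case where the ARM query for the remote tenantId applies, while the alias sample is reported as its own kind instead of raising an exception.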
jsandquist commented 1 year ago

Closing this as fixed in the recent release from 2022-Dec-04. Great work on this great tool - thanks!