<#
.SYNOPSIS
Inventories App Service (web app) certificates in one Azure subscription and reports which web app or
deployment slot has an active SSL binding for each of them.

.DESCRIPTION
Read-only report. The script signs in with Connect-AzAccount only when the current Az context is not already
on the requested subscription; after that it only calls Get-AzResourceGroup, Get-AzWebAppCertificate,
Get-AzWebApp and Get-AzWebAppSlot. The output contains certificate metadata (names, thumbprint, issuer,
dates, host names, Key Vault and secret names) and never secret values or key material.

.PARAMETER Subscription
Name of the Azure subscription to inspect.

.PARAMETER ResourceGroups
Resource group names to scan. When omitted, every resource group of the subscription is scanned.

.PARAMETER ExpiresBefore
Report only certificates whose ExpirationDate is on or before this date (expiry / renewal tracking).

.PARAMETER Thumbprints
Report only certificates whose thumbprint is in this list.

.OUTPUTS
One PSObject per certificate with Name, SubjectName, Thumbprint, Issuer, IssueDate, ExpirationDate,
KeyVaultSecretName, HostNamesFlat, KeyVaultName, ResourceGroupName, AseName, WebAppName and WebAppSlot.
WebAppName / WebAppSlot are "" when no active binding in the same resource group uses the certificate.

.EXAMPLE
.\Get-AppSvcCertificates.ps1 -Subscription 'My Sub' -ExpiresBefore (Get-Date).AddDays(30)
Lists certificates that expire within the next 30 days.
#>
[CmdletBinding()]
param (
    # Subscription to inspect (name).
    [Parameter(Mandatory = $true)] [System.String]   $Subscription,
    # Optional subset of resource groups; $null means all.
    [Parameter(Mandatory = $false)] [System.String[]] $ResourceGroups,
    # Optional expiry cut-off, inclusive.
    [Parameter(Mandatory = $false)] [System.DateTime] $ExpiresBefore,
    # Optional thumbprint allow-list.
    [Parameter(Mandatory = $false)] [System.String[]] $Thumbprints
)
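function SearchAndLinkSllBindingsForWebAppOrSlot {
    <#
    .SYNOPSIS
    Records, on each certificate aggregate, the web app or deployment slot whose active SSL binding uses it.

    .DESCRIPTION
    Walks the HostNameSslStates of one web app (or of one deployment slot when -WebAppSlotName is given),
    keeps the states whose SslState is not "Disabled" and which carry a thumbprint, and for every aggregate in
    -CertsAggregates with the same thumbprint sets its WebAppName and WebAppSlot members. The aggregates are
    mutated in place; nothing is returned.

    An aggregate that already has an owner is a terminating error: the report assumes one binding site per
    certificate, so a second one means the same certificate (and its private key) is deployed in more places
    than expected, or that overlapping aggregates were passed in. Either way it should be looked at rather than
    silently overwritten.

    .PARAMETER CertsAggregates
    Objects with Name, Thumbprint, WebAppName and WebAppSlot members; WebAppName/WebAppSlot are "" until linked.
    .PARAMETER HostNameSslStates
    The HostNameSslStates collection of the web app or slot.
    .PARAMETER WebAppName
    Name of the web app the states belong to.
    .PARAMETER WebAppSlotName
    Deployment slot name; omit (or pass "") when the states belong to the production site.
    #>
    param (
        [Parameter(Mandatory = $true)]
        [PSObject[]]
        $CertsAggregates,
        [Parameter(Mandatory = $true)]
        [Microsoft.Azure.Management.WebSites.Models.HostNameSslState[]]
        $HostNameSslStates,
        [Parameter(Mandatory = $true)]
        [System.String]
        $WebAppName,
        [Parameter(Mandatory = $false)]
        [System.String]
        $WebAppSlotName
    )

    # Disabled bindings and bindings without a thumbprint carry no certificate and are ignored.
    # IsNullOrEmpty also drops a $null thumbprint, which the previous "-ne ''" test let through.
    $activeHostNameSslStates = $HostNameSslStates |
        Where-Object { ($_.SslState -ne "Disabled") -and (-not [string]::IsNullOrEmpty($_.Thumbprint)) }

    # Normalise the slot name so the aggregate always holds "" (not $null) for the production site.
    $slotName = if ([string]::IsNullOrEmpty($WebAppSlotName)) { "" } else { $WebAppSlotName }

    foreach ($hostNameSslState in $activeHostNameSslStates) {
        # String -eq is case-insensitive, so the letter case of the hex thumbprint does not matter.
        $certsAggregateMatches = $CertsAggregates | Where-Object { $_.Thumbprint -eq $hostNameSslState.Thumbprint }
        foreach ($certsAggregateMatch in $certsAggregateMatches) {
            if ($certsAggregateMatch.WebAppName -ne "") {
                # Previously the messages read "$(certsAggregateMatch.Name)" (missing '$'), so PowerShell tried to
                # run a command of that name and the intended message was never produced; the web-app wording was
                # also used even when this function was called for a slot.
                if ($slotName -eq "") {
                    throw "Error: web app $WebAppName has an SSL binding for cert $($certsAggregateMatch.Name) but web app $($certsAggregateMatch.WebAppName) slot $($certsAggregateMatch.WebAppSlot) also has."
                }
                throw "Error: web app $WebAppName slot $slotName has an SSL binding for cert $($certsAggregateMatch.Name) but web app $($certsAggregateMatch.WebAppName) slot $($certsAggregateMatch.WebAppSlot) also has."
            }
            $certsAggregateMatch.WebAppName = $WebAppName
            $certsAggregateMatch.WebAppSlot = $slotName
        }
    }
}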
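#region Azure context
# Read-only inventory: apart from the login below, only Get-* cmdlets are used; nothing in Azure is modified.

# Returns $true when $Context already targets -Subscription, matched by subscription name or id.
function Test-ContextIsSubscription {
    param ([Parameter(Mandatory = $false)] $Context)
    if (($null -eq $Context) -or ($null -eq $Context.Subscription)) {
        return $false
    }
    return (($Context.Subscription.Name -eq $Subscription) -or ($Context.Subscription.Id -eq $Subscription))
}

$context = Get-AzContext
if (-not (Test-ContextIsSubscription $context)) {
    Write-Host "Connect account and set context to subscription $Subscription"
    # Interactive login; no credentials are taken from the command line or the script.
    $null = Connect-AzAccount -Subscription "$Subscription"
    # The previous check compared $connectResult.SubjectName with the subscription name; the profile object
    # Connect-AzAccount returns does not appear to carry such a member, so the comparison was effectively
    # "$null -ne <name>" and threw after every successful login. Re-reading the context is the reliable test.
    $context = Get-AzContext
    if (-not (Test-ContextIsSubscription $context)) {
        throw "Could not connect to Azure subscription $Subscription"
    }
}
#endregion

#region Resource groups to scan
$resourceGroupNames = $ResourceGroups
if ($null -eq $resourceGroupNames) {
    Write-Host "Searching all resource groups in subscription $Subscription"
    $resourceGroupNames = Get-AzResourceGroup | Select-Object -ExpandProperty ResourceGroupName
}
#endregion

#region Certificates
# Was "$null -ne $ExpiresBefore". An unbound [DateTime] parameter is initialised to the type's default
# (0001-01-01) rather than $null, so that test was always true and every certificate was skipped as
# "expiring after 0001-01-01" whenever -ExpiresBefore was omitted. $PSBoundParameters tells whether the
# caller actually supplied it.
$filterByExpiry = $PSBoundParameters.ContainsKey('ExpiresBefore')
$filterByThumbprint = ($null -ne $Thumbprints)

$certsAggregates = @()
Write-Host "Searching web app certificates in resource groups of subscription $Subscription"
foreach ($resourceGroupName in $resourceGroupNames) {
    Write-Host "Searching web app certificates in RG $resourceGroupName"
    $certs = Get-AzWebAppCertificate -ResourceGroupName "$resourceGroupName"
    foreach ($cert in $certs) {
        # Keep only certificates expiring on or before the cut-off (same comparison as DateTime::Compare < 0).
        if ($filterByExpiry -and ($cert.ExpirationDate -gt $ExpiresBefore)) {
            continue
        }
        # -notcontains is case-insensitive, so upper- and lower-case hex thumbprints both match
        # (the previous .Contains() call was an ordinal, case-sensitive match).
        if ($filterByThumbprint -and ($Thumbprints -notcontains $cert.Thumbprint)) {
            continue
        }
        # Metadata only: Key Vault and secret *names* are recorded, never secret contents or key material.
        $certsAggregates += [PSCustomObject]@{
            Name               = $cert.Name
            SubjectName        = $cert.SubjectName
            Thumbprint         = $cert.Thumbprint
            Issuer             = $cert.Issuer
            IssueDate          = $cert.IssueDate
            ExpirationDate     = $cert.ExpirationDate
            KeyVaultSecretName = $cert.KeyVaultSecretName
            HostNamesFlat      = [System.String]::Join(", ", $cert.HostNames)
            KeyVaultName       = ($cert.KeyVaultId -split '/')[-1]   # last segment of the Key Vault resource id
            ResourceGroupName  = $resourceGroupName
            AseName            = $cert.HostingEnvironmentProfile.Name
            WebAppName         = ""   # filled in below once an active binding is found
            WebAppSlot         = ""
        }
    }
}
#endregion

#region SSL bindings
Write-Host "Searching web apps and SSL bindings in resource groups of subscription $Subscription"
foreach ($resourceGroupName in $resourceGroupNames) {
    # Only web apps and slots in the same RG are linked to a certificate.
    $certAggregatesOfCurrentResourceGroup = @($certsAggregates | Where-Object { $_.ResourceGroupName -eq $resourceGroupName })
    if ($certAggregatesOfCurrentResourceGroup.Count -eq 0) {
        Write-Host "No web app certificates found in RG $resourceGroupName"
        continue
    }
    Write-Host "Searching web apps in RG $resourceGroupName"
    $webApps = Get-AzWebApp -ResourceGroupName "$resourceGroupName"
    foreach ($webApp in $webApps) {
        $webAppName = $webApp.Name
        # -HostNameSslStates is mandatory in the helper; passing $null would prompt interactively
        # (or fail in a non-interactive host), so say so and carry on with the slots instead.
        if ($null -ne $webApp.HostNameSslStates) {
            SearchAndLinkSllBindingsForWebAppOrSlot $certAggregatesOfCurrentResourceGroup $webApp.HostNameSslStates $webAppName
        }
        else {
            Write-Host "Web app $webAppName reports no host name SSL states; skipping its bindings"
        }
        Write-Host "Searching deployment slots of web app $webAppName"
        $webAppSlots = Get-AzWebAppSlot -WebApp $webApp
        foreach ($webAppSlot in $webAppSlots) {
            # Slot names come back as "<app>/<slot>"; keep the slot part only.
            $webAppSlotName = ($webAppSlot.Name -split '/')[-1]
            if ($null -ne $webAppSlot.HostNameSslStates) {
                SearchAndLinkSllBindingsForWebAppOrSlot $certAggregatesOfCurrentResourceGroup $webAppSlot.HostNameSslStates $webAppName $webAppSlotName
            }
            else {
                Write-Host "Slot $webAppSlotName of web app $webAppName reports no host name SSL states; skipping its bindings"
            }
        }
    }
}
#endregion

Write-Output $certsAggregates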