Export/Private/Get-ApplicationGatewaySslSetupAndIdentity.ps1

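function Global:Get-ApplicationGatewaySslSetupAndIdentity {
    <#
    .SYNOPSIS
    Prepares the SSL certificate reference and the user-assigned identity an Application
    Gateway needs in order to serve TLS from a certificate stored in Key Vault.

    .DESCRIPTION
    Looks up the certificate named by -CertificateName in the given Key Vault. If it is not
    found, a hashtable with HandleSSL = $false and $null Certificate/Identity is returned so
    the caller can build the gateway without TLS. Otherwise the function:
      - builds an Application Gateway SSL certificate object that points at the versionless
        Key Vault secret id (so a rotated certificate is picked up without a gateway change),
      - gets, or creates, the user-assigned identity "<ApplicationGatewayName>-Identity01",
      - waits for a newly created identity to become visible (Wait-ForNewlyCreatedIdentity),
      - grants that identity "get" on the vault's keys, secrets and certificates through an
        access policy.

    .PARAMETER ResourceGroupName
    Resource group used to look up/create the identity and to set the Key Vault access policy.

    .PARAMETER ResourceLocation
    Azure location used only when a new user-assigned identity has to be created.

    .PARAMETER ApplicationGatewayName
    Name of the Application Gateway; used as the prefix of the certificate and identity names.

    .PARAMETER KeyVaultName
    Name of the Key Vault that holds the certificate.

    .PARAMETER CertificateName
    Name of the certificate (and its backing secret) in the Key Vault. Defaults to
    "ApplicationGateway".

    .OUTPUTS
    System.Collections.Hashtable with the keys HandleSSL ([bool]), Certificate and Identity.

    .EXAMPLE
    $ssl = Get-ApplicationGatewaySslSetupAndIdentity -ResourceGroupName 'rg' -ResourceLocation 'westeurope' -ApplicationGatewayName 'appgw' -KeyVaultName 'kv' -Verbose
    #>

    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [string]
        $ResourceGroupName,
        [Parameter(Mandatory = $true)]
        [string]
        $ResourceLocation,
        [Parameter(Mandatory = $true)]
        [string]
        $ApplicationGatewayName,
        [Parameter(Mandatory = $true)]
        [string]
        $KeyVaultName,
        [Parameter(Mandatory = $false)]
        [string]
        $CertificateName = "ApplicationGateway"
    )
    process {
        $SslSetup = @{
            HandleSSL   = $false
            Certificate = $null
            Identity    = $null
        }

        # The certificate being present in the vault is what decides whether TLS is set up at all.
        # $KeyVaultName is mandatory, so it never needs a separate "is set" check.
        $certificate = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName -ErrorAction SilentlyContinue
        if (-not $certificate) {
            $SslSetup
            return
        }
        $SslSetup.HandleSSL = $true

        Write-Verbose "Preparing SSL Setup..."
        Write-Verbose "Retrieving certificate from KeyVault"
        # The gateway references the *secret* behind the certificate; a missing secret must fail loudly
        # here rather than as a null-reference on the next line.
        $secret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $CertificateName -ErrorAction Stop
        if (-not $secret) {
            throw "Secret '$CertificateName' was not found in Key Vault '$KeyVaultName'."
        }
        # Strip the version so the gateway follows the latest version of the secret,
        # giving https://<keyvaultname>.vault.azure.net/secrets/<name>/ .
        # String.Replace throws on an empty search string, so only strip when a version is present.
        $secretId = $secret.Id
        if (-not [string]::IsNullOrEmpty($secret.Version)) {
            $secretId = $secret.Id.Replace($secret.Version, "")
        }
        $sslCertificate = New-AzApplicationGatewaySslCertificate -Name "$ApplicationGatewayName-certificate01" -KeyVaultSecretId $secretId

        # Identity is needed, to be able to read from KeyVault
        Write-Verbose "Generating identity for Application Gateway, to be able to read from KeyVault"
        $identityName = "$ApplicationGatewayName-Identity01"
        $Identity = Get-AzUserAssignedIdentity -Name $identityName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
        if (-not $Identity) {
            $Identity = New-AzUserAssignedIdentity -Name $identityName -ResourceGroupName $ResourceGroupName -Location $ResourceLocation
        }
        # $Verbose is not a variable inside an advanced function; the caller's -Verbose shows up as
        # $VerbosePreference = 'Continue', so derive the switch value from that.
        $isVerbose = $VerbosePreference -eq 'Continue'
        Wait-ForNewlyCreatedIdentity -ResourceGroupName $ResourceGroupName -ObjectId $Identity.PrincipalId -Verbose:$isVerbose

        $AppgwIdentity = New-AzApplicationGatewayIdentity -UserAssignedIdentity $Identity.Id
        Write-Verbose "Updating KeyVault-access policy for new identity"
        # NOTE(review): reading a certificate's secret only requires "get" on secrets; the key and
        # certificate permissions are kept for compatibility with existing deployments — confirm they
        # are needed before tightening. This cmdlet only applies to vaults using access policies, not
        # RBAC authorization — verify against the vault's configuration.
        Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -ObjectId $Identity.PrincipalId -PermissionsToKeys get -PermissionsToSecrets get -PermissionsToCertificates get | Out-Null

        $SslSetup.Certificate = $sslCertificate
        $SslSetup.Identity = $AppgwIdentity
        $SslSetup
    }
}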