We've been on a mission lately at work to find expiring credentials and certificates in our Azure environments. One of the resources we had on our radar is Azure Application Gateway. Here's what I did to solve this problem and to enable us to be more proactive.
- PowerShell Az module
- Az.ResourceGraph module v 0.7.6+
It is always stressful to have people landing at your desk, panic in their eyes because some HTTPS certificate just expired in a critical environment. Some resources in Azure are more easily detected than others. Expiring certificates in App Services can be easily detected using only Azure Resource Graph, here's the recipe if you want it. Others, like Application Gateway cannot be checked only using Resource Graph (at the moment of writing this).
My first reflex was to use PowerShell to call Azure Resource Graph to automate this. Basically, I want to extract all certificate information from Azure, decode it from Base64, create the certificate (X509Certificate2) in memory and check the
NotAfter property against the date I wanted. Well, in the case of Application Gateway, it turned out to be a bit more complicated than I thought.
I tried, and tried for an hour to decode the certificate
publicCertData property without success. I turned to the internet and found the following PowerShell module: AzureRMAppGWCert. A big thank you by the way to Victor Santana for this gem. When I examined the code, I understood why it didn't work like I was always doing elsewhere. In the case of Application Gateway, we need to remove some of the data after the base64 conversion.
After the tricky truncate part. I created a PowerShell script with Azure Resource Graph to scan all subscriptions you have access to. Here is how to use it:
# Default is in the next 90 days .\Get-AzureAppGatewayExpiringCertificates.ps1 # To look further, i.e. 180 days .\Get-AzureAppGatewayExpiringCertificates.ps1 -ExpiresInDay 180
If you have any expired or soon expiring certificates, you'll have one or more of the following output:
Name Value ---- ----- SubscriptionId 00000000-0000-0000-0000-000000000000 Thumbprint 4956BCC058BCA4BCB1349357AB474CCDBB37C28AB ResourceGroup poc-prod-common SubscriptionName my-company-subscription NotAfter 3/4/2019 4:51:03 PM Cert [Subject]... Name poc-prod-common-ag
Again, the truncate thing was a nice pitfall, but very glad I finally worked it out with the help of Azure Resource Graph. In my case I scan 30+ subscriptions and check all of them in under 3 seconds which is blazing fast!
You can download the script (it's free) from ScriptCenter here. Enjoy!
Hope it help!