|
| 1 | +Resources |
| 2 | +| where type == "microsoft.web/sites" |
| 3 | + |
| 4 | +// 1) Expand out every hostname binding up front |
| 5 | +| mv-expand hostSsl = properties.hostNameSslStates |
| 6 | + |
| 7 | +// 2) Pull in site-level lockdown flags + hostname/thumbprint |
| 8 | +| extend |
| 9 | + publicNetworkAccess = tostring(properties.publicNetworkAccess), |
| 10 | + clientCertRequired = tostring(properties.clientCertEnabled), |
| 11 | + privateEndpoints = array_length(properties.privateEndpointConnections), |
| 12 | + ipRestrictions = array_length(properties.siteConfig.ipSecurityRestrictions), |
| 13 | + hostName = tostring(hostSsl.name), |
| 14 | + thumbprint = tostring(hostSsl.thumbprint) |
| 15 | + |
| 16 | +// 3) Compute booleans for locking and custom domain |
| 17 | +| extend |
| 18 | + isLockedDown = ( |
| 19 | + publicNetworkAccess == "Disabled" or |
| 20 | + clientCertRequired == "Required" or |
| 21 | + privateEndpoints > 0 or |
| 22 | + ipRestrictions > 0 |
| 23 | + ), |
| 24 | + isCustom = not(tolower(hostName) endswith ".azurewebsites.net") |
| 25 | + |
| 26 | +// 4) Bring in ASMC certs (they all have a non-empty canonicalName) |
| 27 | +| join kind=leftouter ( |
| 28 | + Resources |
| 29 | + | where type == "microsoft.web/certificates" |
| 30 | + | extend |
| 31 | + certThumb = tostring(properties.thumbprint), |
| 32 | + canonical = tostring(properties.canonicalName) |
| 33 | + | where canonical != "" |
| 34 | + | project certThumb, certName = name, certExpiry = properties.expirationDate, canonical |
| 35 | +) on $left.thumbprint == $right.certThumb |
| 36 | + |
| 37 | +// 5) Keep rows that are either locked-down sites or custom hostnames WITH a managed cert |
| 38 | +| where |
| 39 | + isLockedDown |
| 40 | + or (isCustom and isnotempty(certThumb)) |
| 41 | + |
| 42 | +// 6) Final shape |
| 43 | +| project |
| 44 | + siteName = name, |
| 45 | + resourceGroup, |
| 46 | + publicNetworkAccess, |
| 47 | + clientCertRequired, |
| 48 | + privateEndpoints, |
| 49 | + ipRestrictions, |
| 50 | + hostName, |
| 51 | + thumbprint, |
| 52 | + isManagedCert = iff(isnotempty(certThumb), "Yes", "No"), |
| 53 | + certName, |
| 54 | + canonical, |
| 55 | + certExpiry |
| 56 | +| order by resourceGroup asc, siteName asc |
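Review bot: The `clientCertRequired == "Required"` clause in step 3 can probably never match, because step 2 fills that column from `properties.clientCertEnabled`, a boolean flag that stringifies to true/false; the Required/Optional setting is in `properties.clientCertMode`. Sites that enforce client certificates are therefore not counted as locked down through this clause, and the report can under-list them. Keeping the column name, step 2 could read `clientCertRequired = iff(tobool(properties.clientCertEnabled), tostring(properties.clientCertMode), "Disabled"),` so the step 3 comparison works unchanged. Separately, `ipRestrictions > 0` counts any rule, including an allow-all entry, so it may flag sites that are still publicly reachable; it is worth confirming what Resource Graph actually returns for `siteConfig.ipSecurityRestrictions`. The join in step 4 compares thumbprints with a case-sensitive equality, so normalising both sides with `toupper()` would avoid silently missing a managed certificate if the two resource types ever report different casing.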