diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
index 9ac93ee..b8c72b2 100644
--- a/.github/workflows/keyfactor-starter-workflow.yml
+++ b/.github/workflows/keyfactor-starter-workflow.yml
@@ -11,10 +11,9 @@ on:
jobs:
call-starter-workflow:
- uses: keyfactor/actions/.github/workflows/starter.yml@3.2.0
+ uses: keyfactor/actions/.github/workflows/starter.yml@v5
secrets:
- token: ${{ secrets.V2BUILDTOKEN}}
- APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
- gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
- gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
- scan_token: ${{ secrets.SAST_TOKEN }}
+ token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED
+ gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds
+ gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds
+ scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED
diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs b/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs
index 47c3351..045b9a2 100644
--- a/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs
+++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Security.Cryptography.X509Certificates;
using Azure.ResourceManager.Network.Models;
diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj b/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj
index 4fe114f..f01a97a 100644
--- a/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj
+++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj
@@ -1,35 +1,36 @@
-
-
-
- net8.0
- enable
- enable
-
- false
-
-
-
-
-
-
-
-
-
- runtime; build; native; contentfiles; analyzers; buildtransitive
- all
-
-
- runtime; build; native; contentfiles; analyzers; buildtransitive
- all
-
-
-
+
+
+
+ net8.0
+ enable
+ enable
+
+ false
+
+
+
+
+
+
+
+
+
+
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+ all
+
+
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+ all
+
+
+
-
+
-
-
+
+
diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs b/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs
index 7207547..acebc43 100644
--- a/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs
+++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Security.Cryptography.X509Certificates;
using Azure.ResourceManager.Network.Models;
diff --git a/AzureAppGatewayOrchestrator.Tests/Client.cs b/AzureAppGatewayOrchestrator.Tests/Client.cs
index d2e3452..dcd8d39 100644
--- a/AzureAppGatewayOrchestrator.Tests/Client.cs
+++ b/AzureAppGatewayOrchestrator.Tests/Client.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
diff --git a/AzureAppGatewayOrchestrator.Tests/FakeClient.cs b/AzureAppGatewayOrchestrator.Tests/FakeClient.cs
index 651fcb2..bd68e82 100644
--- a/AzureAppGatewayOrchestrator.Tests/FakeClient.cs
+++ b/AzureAppGatewayOrchestrator.Tests/FakeClient.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Security.Cryptography.X509Certificates;
using Azure.ResourceManager.Network.Models;
diff --git a/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs b/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs
index ce21f39..b1349e0 100644
--- a/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs
+++ b/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
namespace AzureAppGatewayOrchestrator.Tests;
diff --git a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs
index f953d86..ade1bb3 100644
--- a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs
+++ b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
@@ -20,7 +14,9 @@
using AzureApplicationGatewayOrchestratorExtension.Client;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
+using Moq;
using NLog.Extensions.Logging;
public class JobClientBuilder
@@ -142,6 +138,70 @@ public void AppGatewayJobClientBuilder_ValidCertificateStoreConfigClientCertific
_logger.LogInformation("AppGatewayJobClientBuilder_ValidCertificateStoreConfigClientCertificate_BuildValidClient - Success");
}
+ [Fact]
+ public void AppGatewayJobClientBuilder_WithPAMResolver_CertificateStoreDetails_ResolvesCredentials()
+ {
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve("pam-key-for-username")).Returns("resolved-azure-application-id");
+ mockResolver.Setup(r => r.Resolve("pam-key-for-password")).Returns("resolved-azure-client-secret");
+
+ AppGatewayJobClientBuilder jobClientBuilderWithFakeBuilder = new();
+ jobClientBuilderWithFakeBuilder.resolver = mockResolver.Object;
+
+ CertificateStore fakeCertificateStoreDetails = new()
+ {
+ ClientMachine = "fake-tenant-id",
+ StorePath = "fake-azure-resource-id",
+ Properties = "{\"ServerUsername\":\"pam-key-for-username\",\"ServerPassword\":\"pam-key-for-password\",\"AzureCloud\":\"fake-azure-cloud\"}"
+ };
+
+ // Act
+ jobClientBuilderWithFakeBuilder
+ .WithCertificateStoreDetails(fakeCertificateStoreDetails)
+ .Build();
+
+ // Assert
+ Assert.Equal("resolved-azure-application-id", jobClientBuilderWithFakeBuilder._builder._applicationId);
+ Assert.Equal("resolved-azure-client-secret", jobClientBuilderWithFakeBuilder._builder._clientSecret);
+ mockResolver.Verify(r => r.Resolve("pam-key-for-username"), Times.Once);
+ mockResolver.Verify(r => r.Resolve("pam-key-for-password"), Times.Once);
+
+ _logger.LogInformation("AppGatewayJobClientBuilder_WithPAMResolver_CertificateStoreDetails_ResolvesCredentials - Success");
+ }
+
+ [Fact]
+ public void AppGatewayJobClientBuilder_WithPAMResolver_DiscoveryJobConfiguration_ResolvesCredentials()
+ {
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve("pam-key-for-username")).Returns("resolved-azure-application-id");
+ mockResolver.Setup(r => r.Resolve("pam-key-for-password")).Returns("resolved-azure-client-secret");
+
+ AppGatewayJobClientBuilder jobClientBuilderWithFakeBuilder = new();
+ jobClientBuilderWithFakeBuilder.resolver = mockResolver.Object;
+
+ DiscoveryJobConfiguration config = new()
+ {
+ ClientMachine = "fake-tenant-id",
+ ServerUsername = "pam-key-for-username",
+ ServerPassword = "pam-key-for-password"
+ };
+
+ // Act
+ jobClientBuilderWithFakeBuilder
+ .WithDiscoveryJobConfiguration(config, "fake-tenant-id")
+ .Build();
+
+ // Assert
+ Assert.Equal("resolved-azure-application-id", jobClientBuilderWithFakeBuilder._builder._applicationId);
+ Assert.Equal("resolved-azure-client-secret", jobClientBuilderWithFakeBuilder._builder._clientSecret);
+ mockResolver.Verify(r => r.Resolve("pam-key-for-username"), Times.Once);
+ mockResolver.Verify(r => r.Resolve("pam-key-for-password"), Times.Once);
+
+ _logger.LogInformation("AppGatewayJobClientBuilder_WithPAMResolver_DiscoveryJobConfiguration_ResolvesCredentials - Success");
+ }
+
static void ConfigureLogging()
{
var config = new NLog.Config.LoggingConfiguration();
diff --git a/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs b/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs
new file mode 100644
index 0000000..7650fcd
--- /dev/null
+++ b/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs
@@ -0,0 +1,293 @@
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using AzureApplicationGatewayOrchestratorExtension;
+using AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
+using FluentAssertions;
+using Keyfactor.Logging;
+using Keyfactor.Orchestrators.Common.Enums;
+using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+using Microsoft.Extensions.Logging;
+using Moq;
+using NLog.Extensions.Logging;
+
+namespace AzureAppGatewayOrchestrator.Tests;
+
+public class PAMUtilitiesTests
+{
+ ILogger _logger { get; set; }
+
+ public PAMUtilitiesTests()
+ {
+ ConfigureLogging();
+ _logger = LogHandler.GetClassLogger();
+ }
+
+ // -------------------------------------------------------------------------
+ // PAMUtilities.ResolvePAMField - direct unit tests
+ // -------------------------------------------------------------------------
+
+ [Fact]
+ public void ResolvePAMField_NullResolver_ReturnsKeyDirectly()
+ {
+ // When no PAM resolver is configured, the raw value from store config
+ // should be passed through unchanged - PAMUtilities is not a middleman.
+
+ // Arrange
+ string key = "literal-credential-value";
+
+ // Act
+ string result = PAMUtilities.ResolvePAMField(_logger, null, "Server Username", key);
+
+ // Assert
+ result.Should().Be(key);
+
+ _logger.LogInformation("ResolvePAMField_NullResolver_ReturnsKeyDirectly - Success");
+ }
+
+ [Fact]
+ public void ResolvePAMField_WithResolver_CallsResolveAndReturnsResolvedValue()
+ {
+ // When a PAM resolver is present, Resolve() must be called with the key
+ // and its return value used instead of the raw key.
+
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve("pam-secret-key")).Returns("resolved-secret-value");
+
+ // Act
+ string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "Server Password", "pam-secret-key");
+
+ // Assert
+ result.Should().Be("resolved-secret-value");
+ mockResolver.Verify(r => r.Resolve("pam-secret-key"), Times.Once);
+
+ _logger.LogInformation("ResolvePAMField_WithResolver_CallsResolveAndReturnsResolvedValue - Success");
+ }
+
+ [Fact]
+ public void ResolvePAMField_WithResolver_ResolverCalledExactlyOnce()
+ {
+ // Resolve() should be called exactly once per field - no caching or double-calling.
+
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve(It.IsAny())).Returns("any-resolved-value");
+
+ // Act
+ PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "description", "any-key");
+
+ // Assert
+ mockResolver.Verify(r => r.Resolve(It.IsAny()), Times.Once);
+
+ _logger.LogInformation("ResolvePAMField_WithResolver_ResolverCalledExactlyOnce - Success");
+ }
+
+ [Fact]
+ public void ResolvePAMField_WithResolver_ReturnsNullWhenResolverReturnsNull()
+ {
+ // If the PAM provider returns null (e.g. secret not found), null should
+ // be surfaced as-is rather than silently falling back to the key.
+
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve(It.IsAny())).Returns((string)null);
+
+ // Act
+ string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "Server Password", "pam-key");
+
+ // Assert
+ result.Should().BeNull();
+
+ _logger.LogInformation("ResolvePAMField_WithResolver_ReturnsNullWhenResolverReturnsNull - Success");
+ }
+
+ [Theory]
+ [InlineData("pam-key-one", "resolved-value-one")]
+ [InlineData("pam-key-two", "resolved-value-two")]
+ [InlineData("pam-key-three", "resolved-value-three")]
+ public void ResolvePAMField_WithResolver_CorrectKeyForwardedToResolver(string key, string resolvedValue)
+ {
+ // The exact key string from store config must be forwarded to the resolver
+ // unchanged - PAMUtilities must not mangle or trim the key.
+
+ // Arrange
+ var mockResolver = new Mock();
+ mockResolver.Setup(r => r.Resolve(key)).Returns(resolvedValue);
+
+ // Act
+ string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "field description", key);
+
+ // Assert
+ result.Should().Be(resolvedValue);
+ mockResolver.Verify(r => r.Resolve(key), Times.Once);
+
+ _logger.LogInformation($"ResolvePAMField_WithResolver_CorrectKeyForwardedToResolver ({key}) - Success");
+ }
+
+ // -------------------------------------------------------------------------
+ // AppGatewayJobClientBuilder - PAM passthrough (no resolver configured)
+ // -------------------------------------------------------------------------
+
+ [Fact]
+ public void AppGatewayJobClientBuilder_NoPAMResolver_CertificateStoreDetails_UsesValuesDirectly()
+ {
+ // Without a resolver, the raw ServerUsername / ServerPassword values from
+ // store config should be used as-is (no PAM lookup attempted).
+
+ // Arrange
+ AppGatewayJobClientBuilder builder = new();
+ // resolver left null (default)
+
+ CertificateStore storeDetails = new()
+ {
+ ClientMachine = "fake-tenant-id",
+ StorePath = "fake-resource-id",
+ Properties = "{\"ServerUsername\":\"direct-app-id\",\"ServerPassword\":\"direct-secret\",\"AzureCloud\":\"fake-cloud\"}"
+ };
+
+ // Act
+ builder.WithCertificateStoreDetails(storeDetails).Build();
+
+ // Assert
+ builder._builder._applicationId.Should().Be("direct-app-id");
+ builder._builder._clientSecret.Should().Be("direct-secret");
+
+ _logger.LogInformation("AppGatewayJobClientBuilder_NoPAMResolver_CertificateStoreDetails_UsesValuesDirectly - Success");
+ }
+
+ [Fact]
+ public void AppGatewayJobClientBuilder_NoPAMResolver_DiscoveryJobConfiguration_UsesValuesDirectly()
+ {
+ // Same passthrough guarantee for the Discovery path.
+
+ // Arrange
+ AppGatewayJobClientBuilder builder = new();
+
+ DiscoveryJobConfiguration config = new()
+ {
+ ClientMachine = "fake-tenant-id",
+ ServerUsername = "direct-app-id",
+ ServerPassword = "direct-secret"
+ };
+
+ // Act
+ builder.WithDiscoveryJobConfiguration(config, "fake-tenant-id").Build();
+
+ // Assert
+ builder._builder._applicationId.Should().Be("direct-app-id");
+ builder._builder._clientSecret.Should().Be("direct-secret");
+
+ _logger.LogInformation("AppGatewayJobClientBuilder_NoPAMResolver_DiscoveryJobConfiguration_UsesValuesDirectly - Success");
+ }
+
+ // -------------------------------------------------------------------------
+ // Job-level: PAM resolver accepted via constructor and threaded through
+ // -------------------------------------------------------------------------
+
+ [Fact]
+ public void AzureAppGw_Inventory_ProcessJob_WithPAMResolver_ResolvesCredentials()
+ {
+ // Inventory accepts an IPAMSecretResolver via its constructor and must
+ // thread it through to the client builder so PAM keys are resolved
+ // before the Azure client is constructed.
+ //
+ // Here we inject a pre-built FakeClient so the builder path is skipped,
+ // and verify the job completes successfully with the resolver in place.
+
+ // Arrange
+ var mockResolver = new Mock();
+
+ var inventory = new Inventory(mockResolver.Object)
+ {
+ Client = new FakeClient
+ {
+ CertificatesAvailableOnFakeAppGateway = new Dictionary
+ {
+ { "cert1", new Azure.ResourceManager.Network.Models.ApplicationGatewaySslCertificate { Name = "cert1" } }
+ }
+ }
+ };
+
+ var config = new InventoryJobConfiguration
+ {
+ CertificateStoreDetails = new CertificateStore
+ {
+ ClientMachine = "fake-tenant-id",
+ StorePath = "fake-resource-id",
+ Properties = "{\"ServerUsername\":\"pam-username-key\",\"ServerPassword\":\"pam-password-key\",\"AzureCloud\":\"\"}"
+ },
+ JobHistoryId = 1
+ };
+
+ // Act
+ JobResult result = inventory.ProcessJob(config, items =>
+ {
+ items.Should().ContainSingle();
+ return true;
+ });
+
+ // Assert
+ result.Result.Should().Be(OrchestratorJobStatusJobResult.Success);
+
+ _logger.LogInformation("AzureAppGw_Inventory_ProcessJob_WithPAMResolver_ResolvesCredentials - Success");
+ }
+
+ [Fact]
+ public void AzureAppGwBin_Discovery_ProcessJob_WithPAMResolver_ResolvesCredentials()
+ {
+ // Discovery accepts an IPAMSecretResolver via its constructor and must
+ // thread it through to the client builder.
+
+ // Arrange
+ var mockResolver = new Mock();
+
+ var discovery = new AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs.Discovery(mockResolver.Object)
+ {
+ Client = new FakeClient
+ {
+ AppGatewaysAvailableOnFakeTenant = new List { "fake-gateway" }
+ }
+ };
+
+ var config = new DiscoveryJobConfiguration
+ {
+ ClientMachine = "fake-tenant-id",
+ ServerUsername = "pam-username-key",
+ ServerPassword = "pam-password-key",
+ JobProperties = new Dictionary { { "dirs", "fake-tenant-id" } }
+ };
+
+ // Act
+ JobResult result = discovery.ProcessJob(config, discovered =>
+ {
+ discovered.Should().ContainSingle().Which.Should().Be("fake-gateway");
+ return true;
+ });
+
+ // Assert
+ result.Result.Should().Be(OrchestratorJobStatusJobResult.Success);
+
+ _logger.LogInformation("AzureAppGwBin_Discovery_ProcessJob_WithPAMResolver_ResolvesCredentials - Success");
+ }
+
+ static void ConfigureLogging()
+ {
+ var config = new NLog.Config.LoggingConfiguration();
+ var logconsole = new NLog.Targets.ConsoleTarget("logconsole");
+ logconsole.Layout = @"${date:format=HH\:mm\:ss} ${logger} [${level}] - ${message}";
+ config.AddRule(NLog.LogLevel.Trace, NLog.LogLevel.Fatal, logconsole);
+ NLog.LogManager.Configuration = config;
+
+ LogHandler.Factory = LoggerFactory.Create(builder =>
+ {
+ builder.AddNLog();
+ });
+ }
+}
diff --git a/AzureAppGatewayOrchestrator.Tests/Usings.cs b/AzureAppGatewayOrchestrator.Tests/Usings.cs
index e56a59f..41cb57d 100644
--- a/AzureAppGatewayOrchestrator.Tests/Usings.cs
+++ b/AzureAppGatewayOrchestrator.Tests/Usings.cs
@@ -1,15 +1,9 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
global using Xunit;
diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs
index a1200a5..78084c5 100644
--- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs
+++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using System.Collections.Generic;
@@ -18,6 +12,7 @@
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
@@ -31,6 +26,18 @@ public class Discovery : IDiscoveryJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+
+ public Discovery(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+
+ public Discovery()
+ {
+
+ }
+
public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback)
{
if (Client != null) _clientInitializedByInjection = true;
@@ -49,11 +56,14 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd
{
_logger.LogTrace($"Processing tenantId: {tenantId}");
- // If the client was not injected, create a new one with the tenant ID determied by
+ // If the client was not injected, create a new one with the tenant ID determined by
// the TenantIdsToSearchFromJobConfig method
if (!_clientInitializedByInjection)
{
- Client = new AppGatewayJobClientBuilder()
+ var clientBuilder = new AppGatewayJobClientBuilder();
+ clientBuilder.resolver = _resolver;
+
+ Client = clientBuilder
.WithDiscoveryJobConfiguration(config, tenantId)
.Build();
}
diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs
index 6c93f49..21a7839 100644
--- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs
+++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs
@@ -1,24 +1,20 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using System.Collections.Generic;
using System.Linq;
+using Azure.ResourceManager.Network.Models;
using AzureApplicationGatewayOrchestratorExtension.Client;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
@@ -30,13 +26,28 @@ public class Inventory : IInventoryJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+
+ public Inventory(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+
+ public Inventory()
+ {
+
+ }
+
public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate cb)
{
_logger.LogDebug($"Beginning App Gateway Inventory Job");
if (Client == null)
{
- Client = new AppGatewayJobClientBuilder()
+ var clientBuilder = new AppGatewayJobClientBuilder();
+ clientBuilder.resolver = _resolver;
+
+ Client = clientBuilder
.WithCertificateStoreDetails(config.CertificateStoreDetails)
.Build();
}
diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs
index e8414eb..7d3ba37 100644
--- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs
+++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs
@@ -1,22 +1,17 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using AzureApplicationGatewayOrchestratorExtension.Client;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
@@ -28,13 +23,27 @@ public class Management : IManagementJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+
+ public Management(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+
+ public Management()
+ {
+ }
+
public JobResult ProcessJob(ManagementJobConfiguration config)
{
_logger.LogDebug("Beginning App Gateway Management Job");
if (Client == null)
{
- Client = new AppGatewayJobClientBuilder()
+ var clientBuilder = new AppGatewayJobClientBuilder();
+ clientBuilder.resolver = _resolver;
+
+ Client = clientBuilder
.WithCertificateStoreDetails(config.CertificateStoreDetails)
.Build();
}
diff --git a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs
index dfc7a34..86ca5ea 100644
--- a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs
+++ b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs
@@ -1,24 +1,20 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
+using AzureAppGatewayOrchestrator;
using AzureApplicationGatewayOrchestratorExtension.Client;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
@@ -28,6 +24,7 @@ namespace AzureApplicationGatewayOrchestratorExtension;
{
public TBuilder _builder = new TBuilder();
private ILogger _logger = LogHandler.GetClassLogger>();
+ public IPAMSecretResolver resolver;
public class CertificateStoreProperties
{
@@ -39,33 +36,36 @@ public class CertificateStoreProperties
public AppGatewayJobClientBuilder WithCertificateStoreDetails(CertificateStore details)
{
- _logger.LogDebug($"Builder - Setting values from Certificate Store Details: {JsonConvert.SerializeObject(details)}");
+ _logger.LogDebug($"Builder - Configuring client from Certificate Store: ClientMachine={details.ClientMachine}, StorePath={details.StorePath}");
CertificateStoreProperties properties = JsonConvert.DeserializeObject(details.Properties);
+ string serverUserName = PAMUtilities.ResolvePAMField(_logger, resolver, "Server UserName", properties.ServerUsername);
+ string serverPassword = PAMUtilities.ResolvePAMField(_logger, resolver, "Server Password", properties.ServerPassword);
+
_logger.LogTrace($"Builder - ClientMachine => TenantId: {details.ClientMachine}");
_logger.LogTrace($"Builder - StorePath => ResourceId: {details.StorePath}");
- _logger.LogTrace($"Builder - ServerUsername => ApplicationId: {properties.ServerUsername}");
- _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {properties.ServerPassword}");
+ _logger.LogTrace($"Builder - ServerUsername => ApplicationId: {serverUserName}");
+ _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}");
_logger.LogTrace($"Builder - AzureCloud => AzureCloud: {properties.AzureCloud}");
_builder
.WithTenantId(details.ClientMachine)
- .WithApplicationId(properties.ServerUsername)
+ .WithApplicationId(serverUserName)
.WithResourceId(details.StorePath)
.WithAzureCloud(properties.AzureCloud);
if (string.IsNullOrWhiteSpace(properties.ClientCertificate))
{
- _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {properties.ServerPassword}");
+ _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}");
_logger.LogDebug("Client certificate not present - Using Client Secret authentication");
- _builder.WithClientSecret(properties.ServerPassword);
+ _builder.WithClientSecret(serverPassword);
}
else
{
- _logger.LogTrace($"Builder - ServerPassword => ClientCertificateKeyPassword: {properties.ServerPassword}");
+ _logger.LogTrace($"Builder - ServerPassword => ClientCertificateKeyPassword: {"********"}");
_logger.LogDebug("Client certificate present - Using Client Certificate authentication");
- X509Certificate2 clientCert = SerializeClientCertificate(properties.ClientCertificate, properties.ServerPassword);
+ X509Certificate2 clientCert = SerializeClientCertificate(properties.ClientCertificate, serverPassword);
_builder.WithClientCertificate(clientCert);
}
@@ -76,12 +76,15 @@ public AppGatewayJobClientBuilder WithDiscoveryJobConfiguration(Discov
{
_logger.LogTrace($"Builder - tenantId => TenantId: {tenantId}");
_logger.LogTrace($"Builder - ServerUsername => ApplicationId: {config.ServerUsername}");
- _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {config.ServerPassword}");
+ _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}");
+
+ string serverUserName = PAMUtilities.ResolvePAMField(_logger, resolver, "Server UserName", config.ServerUsername);
+ string serverPassword = PAMUtilities.ResolvePAMField(_logger, resolver, "Server Password", config.ServerPassword);
_builder
.WithTenantId(tenantId)
- .WithApplicationId(config.ServerUsername)
- .WithClientSecret(config.ServerPassword);
+ .WithApplicationId(serverUserName)
+ .WithClientSecret(serverPassword);
return this;
}
diff --git a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj
index 45cee8c..0b3b8da 100644
--- a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj
+++ b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj
@@ -1,19 +1,22 @@
-
+
+true
- net6.0;net8.0
+ net6.0;net8.0;net10.0truedisable
-
-
-
+
+
+
-
+
+
+
diff --git a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs
index c810faf..c186c5b 100644
--- a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs
+++ b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using System.Collections.Generic;
@@ -110,9 +104,6 @@ public IAzureAppGatewayClientBuilder WithAzureCloud(string azureCloud)
case "china":
_azureCloudEndpoint = AzureAuthorityHosts.AzureChina;
break;
- case "germany":
- _azureCloudEndpoint = AzureAuthorityHosts.AzureGermany;
- break;
case "government":
_azureCloudEndpoint = AzureAuthorityHosts.AzureGovernment;
break;
diff --git a/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs b/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs
index f1d8bbd..96f8443 100644
--- a/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs
+++ b/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs
index 3a8d5e0..6ca56ce 100644
--- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs
+++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs
@@ -1,20 +1,15 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using AzureApplicationGatewayOrchestratorExtension.Client;
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs;
@@ -26,13 +21,25 @@ public class Discovery : IDiscoveryJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+ public Discovery(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+
+ public Discovery()
+ {
+
+ }
+
public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback)
{
_logger.LogDebug("Beginning App Gateway Listener Binding Discovery Job - using AppGatewayCertificateJobs.Discovery.ProcessJob()");
AppGatewayCertificateJobs.Discovery discovery = new AppGatewayCertificateJobs.Discovery
{
- Client = Client
+ Client = Client,
+ _resolver = this._resolver
};
return discovery.ProcessJob(config, callback);
diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs
index 9ac349e..dc3ded0 100644
--- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs
+++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using System.Collections.Generic;
@@ -19,6 +13,7 @@
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs;
@@ -30,13 +25,28 @@ public class Inventory : IInventoryJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+
+ public Inventory(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+
+ public Inventory()
+ {
+
+ }
+
public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate cb)
{
_logger.LogDebug($"Beginning App Gateway Inventory Job");
if (Client == null)
{
- Client = new AppGatewayJobClientBuilder()
+ var clientBuilder = new AppGatewayJobClientBuilder();
+ clientBuilder.resolver = _resolver;
+
+ Client = clientBuilder
.WithCertificateStoreDetails(config.CertificateStoreDetails)
.Build();
}
diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs
index 4206c46..82ce262 100644
--- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs
+++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs
@@ -1,16 +1,10 @@
-// Copyright 2024 Keyfactor
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
using System;
using Azure.ResourceManager.Network.Models;
@@ -18,6 +12,7 @@
using Keyfactor.Logging;
using Keyfactor.Orchestrators.Common.Enums;
using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
using Microsoft.Extensions.Logging;
namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs;
@@ -29,13 +24,26 @@ public class Management : IManagementJobExtension
ILogger _logger = LogHandler.GetClassLogger();
+ public IPAMSecretResolver _resolver;
+ public Management(IPAMSecretResolver resolver)
+ {
+ _resolver = resolver;
+ }
+ public Management()
+ {
+
+ }
+
public JobResult ProcessJob(ManagementJobConfiguration config)
{
_logger.LogDebug("Beginning App Gateway Binding Management Job");
if (Client == null)
{
- Client = new AppGatewayJobClientBuilder()
+ var clientBuilder = new AppGatewayJobClientBuilder();
+ clientBuilder.resolver = _resolver;
+
+ Client = clientBuilder
.WithCertificateStoreDetails(config.CertificateStoreDetails)
.Build();
}
diff --git a/AzureAppGatewayOrchestrator/PAMUtilities.cs b/AzureAppGatewayOrchestrator/PAMUtilities.cs
new file mode 100644
index 0000000..1ae35ab
--- /dev/null
+++ b/AzureAppGatewayOrchestrator/PAMUtilities.cs
@@ -0,0 +1,38 @@
+
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using System.Runtime.CompilerServices;
+using Keyfactor.Logging;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+using Microsoft.Extensions.Logging;
+
+[assembly: InternalsVisibleTo("AzureAppGatewayOrchestrator.Tests")]
+
+namespace AzureAppGatewayOrchestrator
+{
+ internal class PAMUtilities
+ {
+ internal static string ResolvePAMField(ILogger logger, IPAMSecretResolver resolver, string description, string key)
+ {
+ logger.MethodEntry();
+
+ if (resolver == null)
+ {
+ logger.LogTrace($"No PAM Resolver configured - using {description} value directly from store configuration.");
+ logger.MethodExit();
+ return key;
+ }
+
+ logger.LogDebug($"Fetching {description} value from PAM");
+ var value = resolver.Resolve(key);
+ logger.LogDebug($"Successfully fetched {description} value from PAM");
+ logger.MethodExit();
+ return value;
+ }
+ }
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e8d05ed..ae5b52b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+# 3.5.0
+
+- feat: Added PAM Support
+- chore(client): Removed Azure support for Germany datacenter - been depreicated by Microsoft.
+
# 3.4.0
- Renamed the extension's dll in the manifest.json so the UO would recognize and register the extension.
diff --git a/README.md b/README.md
index ff47098..6249b4d 100644
--- a/README.md
+++ b/README.md
@@ -38,17 +38,15 @@ The Azure Application Gateway Orchestrator extension remotely manages certificat
> If the certificate management capabilities of Azure Key Vault are desired over direct management of certificates in Application Gateways, the Azure Key Vault orchestrator can be used in conjunction with this extension for accurate certificate location reporting via the inventory job type. This management strategy requires manual binding of certificates imported to an Application Gateway from AKV and can result in broken state in the Azure Application Gateway in the case that the secret is deleted in AKV.
The Azure Application Gateway Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types. Descriptions of each are provided below.
-
- [Azure Application Gateway Certificate](#AzureAppGw)
-
- [Azure Application Gateway Certificate Binding](#AppGwBin)
-
## Compatibility
This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.
## Support
+
The Azure Application Gateway Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
> If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab.
@@ -57,7 +55,6 @@ The Azure Application Gateway Universal Orchestrator extension is supported by K
Before installing the Azure Application Gateway Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
-
### Azure Service Principal (Azure Resource Manager Authentication)
The Azure Application Gateway Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal.
@@ -137,7 +134,6 @@ authenticate to the Microsoft Graph API.
You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in
the [Certificate Store Configuration](#certificate-store-configuration) section.
-
## Certificate Store Types
To use the Azure Application Gateway Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
@@ -148,7 +144,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
Click to expand details
-
The Azure Application Gateway Certificate store type, `AzureAppGw`, manages `ApplicationGatewaySslCertificate` objects
owned by Azure Application Gateways. This store type collects inventory and manages all ApplicationGatewaySslCertificate
objects associated with an Application Gateway. The store type is implemented primarily for Inventory and Management
@@ -201,24 +196,22 @@ have appropriate permissions to read secrets from the AKV that the App Gateway i
in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in
AKV.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | ✅ Checked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | ✅ Checked |
+| Discovery | ✅ Checked |
| Reenrollment | 🔲 Unchecked |
-| Create | 🔲 Unchecked |
+| Create | 🔲 Unchecked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand AzureAppGw kfutil details
##### Using online definition from GitHub:
@@ -237,10 +230,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the AzureAppGw store type manually in
the Keyfactor Command Portal
+
Click to expand manual AzureAppGw details
Create a store type called `AzureAppGw` with the attributes in the tables below:
@@ -251,11 +244,11 @@ the Keyfactor Command Portal
| Name | Azure Application Gateway Certificate | Display name for the store type (may be customized) |
| Short Name | AzureAppGw | Short display name for the store type |
| Capability | AzureAppGw | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -264,18 +257,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -287,13 +280,12 @@ the Keyfactor Command Portal
| ServerUsername | Server Username | Application ID of the service principal, representing the identity used for managing the Application Gateway. | Secret | | 🔲 Unchecked |
| ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | Secret | | 🔲 Unchecked |
| ClientCertificate | Client Certificate | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | Secret | | 🔲 Unchecked |
- | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |
+ | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,government | 🔲 Unchecked |
| ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
Application ID of the service principal, representing the identity used for managing the Application Gateway.
@@ -303,8 +295,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate
@@ -313,32 +303,25 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Client Certificate
The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.
- 
- 
-
+ 
+ 
###### Azure Global Cloud Authority Host
Specifies the Azure Cloud instance used by the organization.
- 
- 
-
+ 
+ 
###### Use SSL
Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.
- 
- 
-
-
-
+ 
+ 
@@ -348,7 +331,6 @@ the Keyfactor Command Portal
Click to expand details
-
The Azure Application Gateway Certificate Binding store type, `AzureAppGwBin`, represents certificates bound to TLS
Listeners on Azure App Gateways. The only supported operations on this store type are Management Add and Inventory. The
Management Add operation for this store type creates and binds an ApplicationGatewaySslCertificate to a pre-existing TLS
@@ -411,24 +393,22 @@ have appropriate permissions to read secrets from the AKV that the App Gateway i
in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in
AKV.
-
-
-
#### Supported Operations
-| Operation | Is Supported |
-|--------------|------------------------------------------------------------------------------------------------------------------------|
-| Add | ✅ Checked |
-| Remove | 🔲 Unchecked |
-| Discovery | ✅ Checked |
+| Operation | Is Supported |
+|--------------|--------------|
+| Add | ✅ Checked |
+| Remove | 🔲 Unchecked |
+| Discovery | ✅ Checked |
| Reenrollment | 🔲 Unchecked |
-| Create | 🔲 Unchecked |
+| Create | 🔲 Unchecked |
#### Store Type Creation
##### Using kfutil:
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
+
Click to expand AppGwBin kfutil details
##### Using online definition from GitHub:
@@ -447,10 +427,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out
```
-
#### Manual Creation
Below are instructions on how to create the AppGwBin store type manually in
the Keyfactor Command Portal
+
Click to expand manual AppGwBin details
Create a store type called `AppGwBin` with the attributes in the tables below:
@@ -461,11 +441,11 @@ the Keyfactor Command Portal
| Name | Azure Application Gateway Certificate Binding | Display name for the store type (may be customized) |
| Short Name | AppGwBin | Short display name for the store type |
| Capability | AzureAppGwBin | Store type name orchestrator will register with. Check the box to allow entry of value |
- | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add |
- | Supports Remove | 🔲 Unchecked | Indicates that the Store Type supports Management Remove |
- | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery |
- | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
- | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
+ | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add |
+ | Supports Remove | 🔲 Unchecked | Indicates that the Store Type supports Management Remove |
+ | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery |
+ | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment |
+ | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | ✅ Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell |
@@ -474,18 +454,18 @@ the Keyfactor Command Portal
The Basic tab should look like this:
- 
+ 
##### Advanced Tab
| Attribute | Value | Description |
| --------- | ----- | ----- |
| Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
- | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
+ | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
- 
+ 
> For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
@@ -497,13 +477,12 @@ the Keyfactor Command Portal
| ServerUsername | Server Username | Application ID of the service principal, representing the identity used for managing the Application Gateway. | Secret | | 🔲 Unchecked |
| ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | Secret | | 🔲 Unchecked |
| ClientCertificate | Client Certificate | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | Secret | | 🔲 Unchecked |
- | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked |
+ | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,government | 🔲 Unchecked |
| ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked |
The Custom Fields tab should look like this:
- 
-
+ 
###### Server Username
Application ID of the service principal, representing the identity used for managing the Application Gateway.
@@ -513,8 +492,6 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Server Password
A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate
@@ -523,32 +500,25 @@ the Keyfactor Command Portal
> This field is created by the `Needs Server` on the Basic tab, do not create this field manually.
-
-
###### Client Certificate
The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.
- 
- 
-
+ 
+ 
###### Azure Global Cloud Authority Host
Specifies the Azure Cloud instance used by the organization.
- 
- 
-
+ 
+ 
###### Use SSL
Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.
- 
- 
-
-
-
+ 
+ 
@@ -559,14 +529,15 @@ the Keyfactor Command Portal
1. **Download the latest Azure Application Gateway Universal Orchestrator extension from GitHub.**
- Navigate to the [Azure Application Gateway Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/azure-appgateway-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive.
+ Navigate to the [Azure Application Gateway Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/azure-appgateway-orchestrator/releases/latest). Refer to the compatibility matrix below to determine which asset should be downloaded. Then, click the corresponding asset to download the zip archive.
| Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `azure-appgateway-orchestrator` .NET version to download |
| --------- | ----------- | ----------- | ----------- |
| Older than `11.0.0` | | | `net6.0` |
| Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` |
- | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` || Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |
- | `11.6` _and_ newer | `net8.0` | | `net8.0` |
+ | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` |
+ | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` |
+ | `11.6` _and_ newer | `net8.0` | | `net8.0` |
Unzip the archive containing extension assemblies to a known location.
@@ -588,25 +559,20 @@ the Keyfactor Command Portal
Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm).
-
6. **(optional) PAM Integration**
The Azure Application Gateway Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.
To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).
-
> The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions).
-
-
## Defining Certificate Stores
The Azure Application Gateway Universal Orchestrator extension implements 2 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
Azure Application Gateway Certificate (AzureAppGw)
-
### Store Creation
#### Manually with the Command UI
@@ -621,8 +587,8 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "Azure Application Gateway Certificate" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |
@@ -636,8 +602,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
-
-
#### Using kfutil CLI
Click to expand details
@@ -672,7 +636,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -689,15 +652,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
Azure Application Gateway Certificate Binding (AppGwBin)
-
### Store Creation
#### Manually with the Command UI
@@ -712,8 +672,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form.
- | Attribute | Description |
- | --------- |---------------------------------------------------------|
+ | Attribute | Description |
+ | --------- | ----------- |
| Category | Select "Azure Application Gateway Certificate Binding" or the customized certificate store name from the previous step. |
| Container | Optional container to associate certificate store with. |
| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. |
@@ -727,8 +687,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
-
#### Using kfutil CLI
Click to expand details
@@ -763,7 +721,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
#### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
@@ -780,14 +737,11 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
-
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
-
-
## Discovery Job
The Discovery operation discovers all Azure Application Gateways in each resource group that the service principal has access to. The discovered Application Gateways are reported back to Command and can be easily added as certificate stores from the Locations tab.
@@ -798,11 +752,10 @@ The Discovery operation uses the "Directories to search" field, and accepts inpu
> The Discovery Job only supports Client Secret authentication.
-
## License
Apache License 2.0, see [LICENSE](LICENSE).
## Related Integrations
-See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).
\ No newline at end of file
+See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).
diff --git a/docsource/images/AppGwBin-advanced-store-type-dialog.svg b/docsource/images/AppGwBin-advanced-store-type-dialog.svg
new file mode 100644
index 0000000..123a979
--- /dev/null
+++ b/docsource/images/AppGwBin-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-basic-store-type-dialog.svg b/docsource/images/AppGwBin-basic-store-type-dialog.svg
new file mode 100644
index 0000000..0314686
--- /dev/null
+++ b/docsource/images/AppGwBin-basic-store-type-dialog.svg
@@ -0,0 +1,83 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg b/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg
new file mode 100644
index 0000000..74dd25b
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg
new file mode 100644
index 0000000..22f8bbd
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg b/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg
new file mode 100644
index 0000000..22f8bbd
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg b/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg
new file mode 100644
index 0000000..08ec420
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg
new file mode 100644
index 0000000..7993c23
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg b/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg
new file mode 100644
index 0000000..9cbdec9
--- /dev/null
+++ b/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg
@@ -0,0 +1,88 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-advanced-store-type-dialog.svg b/docsource/images/AzureAppGw-advanced-store-type-dialog.svg
new file mode 100644
index 0000000..123a979
--- /dev/null
+++ b/docsource/images/AzureAppGw-advanced-store-type-dialog.svg
@@ -0,0 +1,67 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-basic-store-type-dialog.svg b/docsource/images/AzureAppGw-basic-store-type-dialog.svg
new file mode 100644
index 0000000..5cdbc82
--- /dev/null
+++ b/docsource/images/AzureAppGw-basic-store-type-dialog.svg
@@ -0,0 +1,84 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg b/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg
new file mode 100644
index 0000000..74dd25b
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg
new file mode 100644
index 0000000..22f8bbd
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg b/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg
new file mode 100644
index 0000000..4b82ca9
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg
@@ -0,0 +1,49 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg
new file mode 100644
index 0000000..22f8bbd
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg
new file mode 100644
index 0000000..08ec420
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg
@@ -0,0 +1,54 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg
new file mode 100644
index 0000000..7993c23
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg
@@ -0,0 +1,39 @@
+
+
\ No newline at end of file
diff --git a/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg b/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg
new file mode 100644
index 0000000..9cbdec9
--- /dev/null
+++ b/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg
@@ -0,0 +1,88 @@
+
+
\ No newline at end of file
diff --git a/integration-manifest.json b/integration-manifest.json
index c4e728d..110b2b6 100644
--- a/integration-manifest.json
+++ b/integration-manifest.json
@@ -12,7 +12,8 @@
"about": {
"orchestrator": {
"UOFramework": "10.4",
- "pam_support": false,
+ "pam_support": true,
+ "keyfactor_platform_version": "9.10",
"store_types": [
{
"Name": "Azure Application Gateway Certificate",
@@ -54,7 +55,7 @@
"Name": "AzureCloud",
"DisplayName": "Azure Global Cloud Authority Host",
"Type": "MultipleChoice",
- "DefaultValue": "public,china,germany,government",
+ "DefaultValue": "public,china,government",
"Description": "Specifies the Azure Cloud instance used by the organization.",
"Required": false
},
@@ -118,7 +119,7 @@
"Name": "AzureCloud",
"DisplayName": "Azure Global Cloud Authority Host",
"Type": "MultipleChoice",
- "DefaultValue": "public,china,germany,government",
+ "DefaultValue": "public,china,government",
"Description": "Specifies the Azure Cloud instance used by the organization.",
"Required": false
},
diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh
new file mode 100755
index 0000000..b367afa
--- /dev/null
+++ b/scripts/store_types/bash/curl_create_store_types.sh
@@ -0,0 +1,147 @@
+#!/bin/bash
+# Store Type creation script using curl
+# Generated by Doctool
+
+set -e
+
+# Configuration - set these variables before running
+KEYFACTOR_HOSTNAME="${KEYFACTOR_HOSTNAME}"
+KEYFACTOR_API_PATH="${KEYFACTOR_API_PATH:-KeyfactorAPI}"
+KEYFACTOR_AUTH_TOKEN="${KEYFACTOR_AUTH_TOKEN}"
+
+echo "Creating store type: AzureAppGw"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "Azure Application Gateway Certificate",
+ "ShortName": "AzureAppGw",
+ "Capability": "AzureAppGw",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Remove": true,
+ "Enrollment": false,
+ "Discovery": true,
+ "Inventory": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.",
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate",
+ "Required": false
+ },
+ {
+ "Name": "ClientCertificate",
+ "DisplayName": "Client Certificate",
+ "Type": "Secret",
+ "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.",
+ "Required": false
+ },
+ {
+ "Name": "AzureCloud",
+ "DisplayName": "Azure Global Cloud Authority Host",
+ "Type": "MultipleChoice",
+ "DefaultValue": "public,china,government",
+ "Description": "Specifies the Azure Cloud instance used by the organization.",
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DefaultValue": "true",
+ "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
+ "Required": true
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+}'
+
+echo "Creating store type: AppGwBin"
+curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \
+ -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -H "x-keyfactor-requested-with: APIClient" \
+ -d '{
+ "Name": "Azure Application Gateway Certificate Binding",
+ "ShortName": "AppGwBin",
+ "Capability": "AzureAppGwBin",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Remove": false,
+ "Enrollment": false,
+ "Discovery": true,
+ "Inventory": false
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.",
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate",
+ "Required": false
+ },
+ {
+ "Name": "ClientCertificate",
+ "DisplayName": "Client Certificate",
+ "Type": "Secret",
+ "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.",
+ "Required": false
+ },
+ {
+ "Name": "AzureCloud",
+ "DisplayName": "Azure Global Cloud Authority Host",
+ "Type": "MultipleChoice",
+ "DefaultValue": "public,china,government",
+ "Description": "Specifies the Azure Cloud instance used by the organization.",
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DefaultValue": "true",
+ "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
+ "Required": true
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+}'
+
diff --git a/scripts/store_types/bash/kfutil_create_store_types.sh b/scripts/store_types/bash/kfutil_create_store_types.sh
new file mode 100755
index 0000000..48b71d9
--- /dev/null
+++ b/scripts/store_types/bash/kfutil_create_store_types.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# Store Type creation script using kfutil
+# Generated by Doctool
+
+set -e
+
+echo "Creating store type: AzureAppGw"
+kfutil store-types create AzureAppGw
+
+echo "Creating store type: AppGwBin"
+kfutil store-types create AppGwBin
+
diff --git a/scripts/store_types/powershell/kfutil_create_store_types.ps1 b/scripts/store_types/powershell/kfutil_create_store_types.ps1
new file mode 100644
index 0000000..50ea6f3
--- /dev/null
+++ b/scripts/store_types/powershell/kfutil_create_store_types.ps1
@@ -0,0 +1,9 @@
+# Store Type creation script using kfutil
+# Generated by Doctool
+
+Write-Host "Creating store type: AzureAppGw"
+kfutil store-types create AzureAppGw
+
+Write-Host "Creating store type: AppGwBin"
+kfutil store-types create AppGwBin
+
diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1
new file mode 100644
index 0000000..b8f8a49
--- /dev/null
+++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1
@@ -0,0 +1,150 @@
+# Store Type creation script using Invoke-RestMethod
+# Generated by Doctool
+
+# Configuration - set these variables before running
+$KeyfactorHostname = $env:KEYFACTOR_HOSTNAME
+$KeyfactorApiPath = if ($env:KEYFACTOR_API_PATH) { $env:KEYFACTOR_API_PATH } else { "KeyfactorAPI" }
+$KeyfactorAuthToken = $env:KEYFACTOR_AUTH_TOKEN
+
+$Headers = @{
+ "Authorization" = "Bearer $KeyfactorAuthToken"
+ "Content-Type" = "application/json"
+ "x-keyfactor-requested-with" = "APIClient"
+}
+
+Write-Host "Creating store type: AzureAppGw"
+$Body = @'
+{
+ "Name": "Azure Application Gateway Certificate",
+ "ShortName": "AzureAppGw",
+ "Capability": "AzureAppGw",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Remove": true,
+ "Enrollment": false,
+ "Discovery": true,
+ "Inventory": true
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.",
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate",
+ "Required": false
+ },
+ {
+ "Name": "ClientCertificate",
+ "DisplayName": "Client Certificate",
+ "Type": "Secret",
+ "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.",
+ "Required": false
+ },
+ {
+ "Name": "AzureCloud",
+ "DisplayName": "Azure Global Cloud Authority Host",
+ "Type": "MultipleChoice",
+ "DefaultValue": "public,china,government",
+ "Description": "Specifies the Azure Cloud instance used by the organization.",
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DefaultValue": "true",
+ "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
+ "Required": true
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+
+Write-Host "Creating store type: AppGwBin"
+$Body = @'
+{
+ "Name": "Azure Application Gateway Certificate Binding",
+ "ShortName": "AppGwBin",
+ "Capability": "AzureAppGwBin",
+ "LocalStore": false,
+ "SupportedOperations": {
+ "Add": true,
+ "Remove": false,
+ "Enrollment": false,
+ "Discovery": true,
+ "Inventory": false
+ },
+ "Properties": [
+ {
+ "Name": "ServerUsername",
+ "DisplayName": "Server Username",
+ "Type": "Secret",
+ "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.",
+ "Required": false
+ },
+ {
+ "Name": "ServerPassword",
+ "DisplayName": "Server Password",
+ "Type": "Secret",
+ "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate",
+ "Required": false
+ },
+ {
+ "Name": "ClientCertificate",
+ "DisplayName": "Client Certificate",
+ "Type": "Secret",
+ "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.",
+ "Required": false
+ },
+ {
+ "Name": "AzureCloud",
+ "DisplayName": "Azure Global Cloud Authority Host",
+ "Type": "MultipleChoice",
+ "DefaultValue": "public,china,government",
+ "Description": "Specifies the Azure Cloud instance used by the organization.",
+ "Required": false
+ },
+ {
+ "Name": "ServerUseSsl",
+ "DisplayName": "Use SSL",
+ "Type": "Bool",
+ "DefaultValue": "true",
+ "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.",
+ "Required": true
+ }
+ ],
+ "PasswordOptions": {
+ "EntrySupported": false,
+ "StoreRequired": false,
+ "Style": "Default"
+ },
+ "PrivateKeyAllowed": "Required",
+ "ServerRequired": true,
+ "PowerShell": false,
+ "BlueprintAllowed": false,
+ "CustomAliasAllowed": "Required"
+}
+'@
+
+Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body
+