ps/Modules/Alkami.DevOps.SystemEngineering/Public/Get-ACMCertificateBindingList.ps1

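function Get-ACMCertificateBindingList {
<#
.SYNOPSIS
Retrieves the Alkami AWS ACM certificate bindings for all AWS accounts.
.DESCRIPTION
Retrieves ACM certificate bindings for all AWS accounts and includes the ELB listeners. The script will search all AWS accounts
and each region Alkami has resources in. Alternatively, the example below demonstrates how to limit the search by profile and region.

Only Get-* lookups are invoked (ACM certificate details, ELBv2 listeners and listener certificates, API Gateway v2 domain names
and API mappings); the function is intended to be read-only against AWS and is suitable for certificate-expiry and
binding inventory reporting. Per-account/region failures are logged as warnings and skipped rather than aborting the whole run.
.PARAMETER DomainName
The Alkami domain name of the AWS ACM certificates to retrieve.
.PARAMETER ProfileName
The Alkami AWS profile name to query for ACM certificates. When omitted, every profile returned by Get-AlkamiAwsProfileList is searched.
.PARAMETER Region
The supported Alkami AWS region in which to query for ACM certificates. When omitted, every region returned by Get-SupportedAwsRegions is searched.
.OUTPUTS
One PSCustomObject per certificate found with DomainName, Profile, Region, ARN, NotAfter, RenewalEligibility and an InUseBy array.
InUseBy holds ELBv2 listener ARNs and API Gateway stage ARNs that reference the certificate; an InUseBy entry that could not be
resolved further (lookup error, or not a load balancer) is recorded as the raw ARN reported by ACM.
.EXAMPLE
Get-ACMCertificateBindingList -DomainName '*.dev.alkamitech.com' -ProfileName 'temp-dev' -Region 'us-east-1'
#>
    [CmdletBinding()]
    [OutputType([PSObject[]])]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $DomainName,

        [Parameter(Mandatory = $false)]
        [ValidateScript( { $_ -in (Get-AlkamiAwsProfileList) })]
        [string] $ProfileName = $null,

        [Parameter(Mandatory = $false)]
        [ValidateScript( { $_ -in (Get-SupportedAwsRegions) })]
        [string] $Region = $null
    )

    $output = @()
    $logLead = Get-LogLeadName
    Import-AWSModule

    # The [string] defaults coerce $null to '', so $PSBoundParameters is the reliable way to tell whether the
    # caller actually narrowed the search scope.
    if ($PSBoundParameters.ContainsKey('ProfileName')) {
        $profileList = @($ProfileName)
    } else {
        Write-Host "$logLead : User did not provide a ProfileName, using all standard Alkami AWS ProfileNames"
        $profileList = Get-AlkamiAwsProfileList
    }

    if ($PSBoundParameters.ContainsKey('Region')) {
        $regionList = @($Region)
    } else {
        Write-Host "$logLead : User did not provide a Region, using all supported Alkami AWS Regions"
        $regionList = Get-SupportedAwsRegions
    }

    foreach ($curProfile in $profileList) {
        Write-Host "$logLead : Processing $curProfile"

        foreach ($curRegion in $regionList) {
            Write-Host "$logLead : Processing $curRegion"

            try {
                $certList = Get-ACMCertificateDetailsListByName -DomainName $DomainName -ProfileName $curProfile -Region $curRegion
            } catch {
                Write-Warning "$logLead : Unable to retrieve ACM certificate details by name : $($_.Exception.Message)"
                continue
            }

            if (Test-IsCollectionNullOrEmpty $certList) {
                Write-Warning "$logLead : No certificates found with a domain name of [$($DomainName)]"
                continue
            }

            # Fetched once per profile/region and filtered per certificate below. Treated best-effort like the
            # other lookups so one failing API Gateway call does not abort the remaining accounts/regions.
            $apiGatewayDomains = @()
            try {
                $apiGatewayDomains = Get-AG2DomainNameList -ProfileName $curProfile -Region $curRegion
            } catch {
                Write-Warning "$logLead : Unable to retrieve API Gateway domain names : $($_.Exception.Message)"
            }

            foreach ($curCert in $certList) {
                Write-Host "$logLead : Processing $($curCert.CertificateArn) : expires on $($curCert.NotAfter.Date)"

                $tempObject = [pscustomobject]@{
                    'DomainName'         = $curCert.DomainName
                    'Profile'            = $curProfile
                    'Region'             = $curRegion
                    'ARN'                = $curCert.CertificateArn
                    'NotAfter'           = $curCert.NotAfter.Date
                    'RenewalEligibility' = $curCert.RenewalEligibility.Value
                    'InUseBy'            = @()
                }

                foreach ($curUser in $curCert.InUseBy) {
                    Write-Host "$logLead : Cert is in use by ARN: $curUser"

                    # Anything that is not a load balancer is recorded as-is.
                    if ($curUser -notmatch 'loadbalancer') {
                        $tempObject.InUseBy += $curUser
                        continue
                    }

                    # NOTE(review): 'loadbalancer' presumably also matches classic ELB ARNs, which the ELBv2
                    # cmdlets cannot describe; those would land in the catch below and be kept as the raw ARN — confirm.
                    # Reset per load balancer so a failed lookup cannot reuse the previous iteration's listeners.
                    $elbListeners = @()
                    try {
                        $elbListeners = Get-ELB2Listener -LoadBalancerArn $curUser -ProfileName $curProfile -Region $curRegion
                    } catch {
                        Write-Warning "$logLead : Encountered an error retrieving ELB Listener details for $curUser : $($_.Exception.Message)"
                        $tempObject.InUseBy += $curUser
                        continue
                    }

                    foreach ($elbListener in $elbListeners) {
                        # Reset per listener; a stale list from the previous listener would otherwise produce a false
                        # "in use" binding when the certificate lookup fails.
                        $elbListenerCertList = @()
                        try {
                            $elbListenerCertList = (Get-ELB2ListenerCertificate -ListenerArn $elbListener.ListenerArn -ProfileName $curProfile -Region $curRegion).CertificateArn
                        } catch {
                            Write-Warning "$logLead : Error encountered while retrieving ELB Listener certificate list for $($elbListener.ListenerArn): $($_.Exception.Message)"
                            continue
                        }

                        if ($elbListenerCertList -contains $curCert.CertificateArn) {
                            Write-Verbose "$logLead : Cert is in use by ELB Listener $($elbListener.ListenerArn)"
                            $tempObject.InUseBy += $elbListener.ListenerArn
                        }
                    }
                }

                # API Gateway custom domains bound to this certificate, expanded to the stage ARNs they map to.
                $filteredAGDomains = $apiGatewayDomains | Where-Object { $_.DomainNameConfigurations.CertificateArn -eq $curCert.CertificateArn }
                foreach ($agDomain in $filteredAGDomains) {
                    $agMaps = Get-AG2ApiMappingList -DomainName $agDomain.Name -ProfileName $curProfile -Region $curRegion
                    foreach ($agMap in $agMaps) {
                        $tempObject.InUseBy += "arn:aws:apigateway:$curRegion::/restapis/$($agMap.ApiId)/stages/$($agMap.Stage)"
                    }
                }

                $output += $tempObject
            }
        }
    }

    return $output
}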