require 'azure_generic_resource'
# InSpec resource for auditing a single Azure Key Vault. Resource lookup is
# handled by AzureGenericResource; this class fixes the resource provider and
# adds helpers for reading the vault's diagnostic (logging) settings.
class AzureKeyVault < AzureGenericResource
  name 'azure_key_vault'
  desc 'Verifies settings and configuration for an Azure Key Vault'
  example <<~EXAMPLE
    describe azure_key_vault(resource_group: 'rg-1', vault_name: 'vault-1') do
    it { should exist }
    its('name') { should eq('vault-1') }
    end
  EXAMPLE

  # Prepares the options for the generic backend and hands them to the parent.
  #
  # REST endpoint wrapped by this resource:
  #   GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/
  #       Microsoft.KeyVault/vaults/{vaultName}?api-version=2019-09-01
  # Only `Microsoft.KeyVault/vaults/{vaultName}?api-version=...` is built from
  # this resource. {subscriptionId} is required and is read from environment
  # variables by the backend. Parameters common to all resources are described
  # in the project's README.
  #
  # @param opts [Hash] user supplied parameters:
  #   - resource_group: required unless `resource_id` is given ({resourceGroupName}).
  #   - name (or vault_name): required unless `resource_id` is given.
  #   - resource_id: optional; when present, the other resource-related parameters
  #     must not be provided. Format:
  #     /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/
  #     Microsoft.KeyVault/vaults/{vaultName}
  #   - api_version: optional; the latest version is used unless provided.
  #   - diagnostic_settings_api_version: optional; see the default set below.
  # @raise [ArgumentError] when `opts` is not a Hash.
  #
  # `resource_group`, `name` and `resource_id` are not validated here; per the
  # original notes that happens in the backend.
  # NOTE: `opts` is modified in place, so the caller's hash gains the keys set below.
  def initialize(opts = {})
    # Reject non-Hash input up front; the key accesses below would fail otherwise.
    unless opts.is_a?(Hash)
      raise ArgumentError, 'Parameters must be provided in an Hash object.'
    end

    # The provider is fixed for this resource. `specific_resource_constraint` is
    # expected to refuse a different user-supplied `resource_provider`
    # (defined outside this file - confirm there).
    provider = specific_resource_constraint('Microsoft.KeyVault/vaults', opts)
    opts[:resource_provider] = provider

    # `vault_name` is accepted as an alias for the default `name` keyword.
    opts[:resource_identifiers] = [:vault_name]
    opts[:allowed_parameters] = [:diagnostic_settings_api_version]

    # The second argument (static_resource) must be true so that the backend
    # applies the resource_provider set above.
    super(opts, true)

    # Pinned for backward compatibility unless the caller chose a version.
    # Note that the default is a preview API version.
    @opts[:diagnostic_settings_api_version] ||= '2017-05-01-preview'
  end

  def to_s
    super(AzureKeyVault)
  end

  # The helpers below mirror what the earlier resource pack offered.
  # @see https://github.com/inspec/inspec-azure
  #
  # Diagnostic settings are listed with:
  #   GET https://management.azure.com/{resourceUri}/
  #       providers/microsoft.insights/diagnosticSettings?api-version=2017-05-01-preview
  # where {resourceUri} is the `id` of the key vault.
  # @see https://docs.microsoft.com/en-us/rest/api/monitor/diagnosticsettings/list
  #
  # Fetches the diagnostic settings attached to this vault.
  #
  # `additional_resource_properties` receives:
  #   property_name     - name of the property to expose, `diagnostic_settings`
  #   property_endpoint - id + '/providers/microsoft.insights/diagnosticSettings'
  #   api_version       - version for microsoft.insights/diagnosticSettings; the
  #                       original notes recommend `latest` when none is pinned
  # According to the original notes it defines a singleton method named after
  # `property_name` that exposes the API response.
  #
  # @return [nil] when the vault does not exist; otherwise whatever
  #   `additional_resource_properties` returns.
  def diagnostic_settings
    # Guard: without an existing vault there is no `id` to build the endpoint from.
    return nil unless exists?

    request = {
      property_name: 'diagnostic_settings',
      property_endpoint: "#{id}/providers/microsoft.insights/diagnosticSettings",
      api_version: @opts[:diagnostic_settings_api_version],
    }
    additional_resource_properties(request)
  end

  # Gathers the `enabled` flag of every diagnostic log entry that has a `category`.
  #
  # Results a control needs to tell apart:
  #   nil  - there are no diagnostic settings (or the vault does not exist)
  #   []   - settings exist, but none contributes a log entry with a category
  #   [..] - the `enabled` values, collected across all diagnostic settings
  #
  # Audit caveat: an expectation that only rules out `false` is also satisfied
  # by an empty array, so a logging control should additionally require a
  # non-empty result (for example that it includes `true`).
  # NOTE(review): entries without a `category`, and entries whose `enabled` is
  # nil, are left out of the result - confirm this matches the API response shape.
  #
  # @return [Array, nil]
  def diagnostic_settings_logs
    return nil if diagnostic_settings.nil? || diagnostic_settings.empty?

    enabled_flags = []
    diagnostic_settings.each do |entry|
      log_entries = entry.properties&.logs
      next unless log_entries

      flags = log_entries.map { |item| item.category ? item.enabled : nil }
      enabled_flags.concat(flags.compact)
    end
    enabled_flags
  end
end
# Backward-compatibility alias: exposes AzureKeyVault under the old resource
# name `azurerm_key_vault` and logs a deprecation warning on every use.
class AzurermKeyVault < AzureKeyVault
  name 'azurerm_key_vault'
  desc 'Verifies settings and configuration for an Azure Key Vault'
  example <<~EXAMPLE
    describe azurerm_key_vault(resource_group: 'rg-1', vault_name: 'vault-1') do
    it { should exist }
    its('name') { should eq('vault-1') }
    end
  EXAMPLE

  # @param opts [Hash] same parameters as AzureKeyVault#initialize.
  # @raise [ArgumentError] when `opts` is not a Hash.
  #
  # The deprecation warning is emitted before the argument check, so it is
  # logged even when the call is then rejected.
  def initialize(opts = {})
    deprecation_note = Helpers.resource_deprecation_message(@__resource_name__, AzureKeyVault.name)
    Inspec::Log.warn deprecation_note

    # Reject non-Hash input up front; the key access below would fail otherwise.
    unless opts.is_a?(Hash)
      raise ArgumentError, 'Parameters must be provided in an Hash object.'
    end

    # Older API version kept for backward compatibility unless the caller sets one.
    # NOTE(review): vault properties introduced in later API versions may be
    # missing from responses under this pin, so controls that test them could
    # see nil - confirm before relying on this resource for newer settings.
    opts[:api_version] = '2016-10-01' unless opts[:api_version]

    super(opts)
  end
end