Skip to content

Latest commit

 

History

History
98 lines (78 loc) · 3.98 KB

azure_key_vaults.md

File metadata and controls

98 lines (78 loc) · 3.98 KB
title platform
About the azure_key_vaults Resource
azure

azure_key_vaults

Use the azure_key_vaults InSpec audit resource to test properties related to key vaults for a resource group or the entire subscription.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, the latest version will be used. For more information, refer to azure_generic_resource.

Unless defined, azure_cloud global endpoint and default values for the HTTP client will be used. For more information, refer to the resource pack README.

Availability

Installation

This resource is available in the InSpec Azure resource pack. For an example inspec.yml file and how to set up your Azure credentials, refer to resource pack README.

Syntax

An azure_key_vaults resource block returns all Azure key vaults, either within a Resource Group (if provided), or within an entire Subscription.

describe azure_key_vaults do
  #...
end

or

describe azure_key_vaults(resource_group: 'my-rg') do
  #...
end

Parameters

  • resource_group (Optional)

Properties

Property Description Filter Criteria*
ids A list of the unique resource ids. id
names A list of all the key vault names. name
tags A list of tag:value pairs defined on the resources. tags
types A list of types of all the key vaults. type
locations A list of locations for all the key vaults. location
properties A list of properties for all the key vaults. properties

* For information on how to use filter criteria on plural resources refer to FilterTable usage.

Examples

Loop through Key Vaults by Their Ids

azure_key_vaults.ids.each do |id|
  describe azure_key_vault(resource_id: id) do
    it { should exist }
  end
end  

Test that There are Key Vaults that Includes a Certain String in their Names (Client Side Filtering)

describe azure_key_vaults.where { name.include?('deployment') } do
  it { should exist }
end

Test that There are Key Vaults that Includes a Certain String in their Names (Server Side Filtering via Generic Resource - Recommended)

describe azure_generic_resources(resource_provider: 'Microsoft.KeyVault/vaults', substring_of_name: 'deployment') do
  it { should exist }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# Should not exist if no key vaults are in the resource group
describe azure_key_vaults(resource_group: 'MyResourceGroup') do
  it { should_not exist }
end

# Should exist if the filter returns at least one key vault
describe azure_key_vaults(resource_group: 'MyResourceGroup') do
  it { should exist }
end

Azure Permissions

Your Service Principal must be setup with a contributor role on the subscription you wish to test.