Support cache for storage accounts #628

Merged
merged 8 commits into from
Feb 1, 2022
23 changes: 19 additions & 4 deletions docs/resources/azure_storage_account.md
Expand Up @@ -21,7 +21,7 @@ For more information, refer to the resource pack [README](../../README.md).

### Installation

This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
For an example `inspec.yml` file and how to set up your Azure credentials, refer to resource pack [README](../../README.md#Service-Principal).

## Syntax
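Review bot: the removed and added copies of the `This resource is available in the [InSpec Azure resource pack]` line render character-for-character identical, so this is a whitespace-only change (most likely trailing whitespace). It is harmless, but it adds review noise to a PR about caching; either drop it or mention it in the commit message so reviewers do not hunt for a content difference.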
Expand All @@ -46,10 +46,14 @@ end
| resource_id | The unique resource ID. `/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}` |
| activity_log_alert_api_version | The activity log alerts endpoint api version used in `have_recently_generated_access_key` matcher. The latest version will be used unless provided. |
| storage_service_endpoint_api_version | The storage service endpoint api version. `2019-12-12` wil be used unless provided. |
| resource_data | In-memory cached Azure Network security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the `resource_data` parameter could be stale. It is the user's responsibility to refresh the data. |


Pass one of the following parameter sets for a valid query:

Either one of the parameter sets can be provided for a valid query:
- `resource_id`
- `resource_group` and `name`
- `resource_data`

## Properties

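Review bot: the description of the new `resource_data` parameter says "In-memory cached Azure Network security group data", which is a copy-paste leftover from another resource's docs; this file documents `azure_storage_account`, so it should read "In-memory cached Azure storage account data". The staleness caveat is the right thing to document, but it would be more useful if it also said where the data comes from, for example that a single entry from `azure_storage_accounts.entries` can be passed here. The hunk also leaves two consecutive blank lines before "Pass one of the following parameter sets for a valid query:"; one is enough.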
Expand All @@ -68,7 +72,7 @@ The property names will be in snake case, `propety_name`. Therefore, `<Enumerati

For properties applicable to all resources, such as `type`, `name`, `id`, `properties`, refer to [`azure_generic_resource`](azure_generic_resource.md#properties).

Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties#storageaccount) for other properties available.
Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties#storageaccount) for other properties available.
Any attribute in the response may be accessed with the key names separated by dots (`.`).

## Examples
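Review bot: this is another whitespace-only change (the removed and added `Also, refer to [Azure documentation]...` lines render identically). While this paragraph is being touched, the context line at the top of the hunk has a typo, `propety_name`, that should be `property_name`; fixing it here costs nothing.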
Expand Down Expand Up @@ -118,6 +122,17 @@ describe azure_storage_account(resource_group: 'rg', name: 'mysa') do
its('table_properties.logging.version') { should cmp '1.0' }
end
```

### Loop through all storage accounts and test a blob service endpoint exists from already cached data

```ruby
azure_storage_accounts.entries.each do |azure_storage_account_data|
describe azure_storage_account(resource_data: azure_storage_account_data) do
its('blobs.enumeration_results.service_endpoint') { should cmp 'https://mysa.blob.core.windows.net/' }
end
end
```

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
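Review bot: the new example iterates over every account in `azure_storage_accounts.entries` but asserts that each one's blob `service_endpoint` equals `https://mysa.blob.core.windows.net/`, so it fails for every account whose name is not `mysa`. A loop example should assert something that holds for all accounts, for instance that the endpoint matches `/\.blob\.core\.windows\.net\/$/` or is built from the entry's own name (along the lines of `should cmp "https://#{azure_storage_account_data.name}.blob.core.windows.net/"`, adjusted to however the entry exposes its name). The heading also promises the test runs "from already cached data", yet `blobs` looks like a storage service endpoint property (this resource has a separate `storage_service_endpoint_api_version` parameter); please state whether `blobs` is served from `resource_data` or still makes a call to the storage service, so readers know what the cache actually saves.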
Expand Down Expand Up @@ -152,4 +167,4 @@ end
```
## Azure Permissions

Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a minimum of `reader` role on the subscription you wish to test.
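Review bot: lowering the documented requirement from `contributor` to a minimum of `reader` is the right least-privilege guidance for a read-only audit, but it is unrelated to the cache feature this PR adds and should be a separate commit with its own rationale. Please also confirm that the properties documented above that read from the storage service endpoint (`blobs`, `table_properties`) and the `have_recently_generated_access_key` matcher (which queries activity log alerts) work with Reader alone before documenting it as sufficient.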
3 changes: 2 additions & 1 deletion docs/resources/azure_storage_accounts.md
Expand Up @@ -53,6 +53,7 @@ The name of the resource group.
| names | A list of names of all the resources being interrogated. | `name` |
| type | A list of types of all the resources being interrogated. | `type` |
| tags | A list of `tag:value` pairs defined on the resources being interrogated. | `tags` |
| properties | A list of all properties of all the resources. | `properties` |

<superscript>*</superscript> For information on how to use filter criteria on plural resources refer to [FilterTable usage](https://github.com/inspec/inspec/blob/master/dev-docs/filtertable-usage.md).

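Review bot: the new `properties` row describes the column as "A list of all properties of all the resources", which does not tell readers what they get back; say that it is the raw `properties` hash from the list API response for each account. Since this data is what `azure_storage_account(resource_data: ...)` consumes when iterating over `entries`, a one-line cross-reference to that parameter would tie the two docs together. The pre-existing `<superscript>` tag in the context line is not an HTML element (`<sup>` is) and is worth fixing while here.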
Expand Down Expand Up @@ -85,4 +86,4 @@ end
```
## Azure Permissions

Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a minimum of `reader` role on the subscription you wish to test.
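Review bot: the `contributor` to `reader` change in this file is correct least-privilege guidance but belongs in its own commit, separate from cache support, and should be verified against every property and matcher of the plural resource before the docs promise that Reader is enough.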
4 changes: 4 additions & 0 deletions libraries/azure_storage_account.rb
Expand Up @@ -145,6 +145,10 @@ def table_properties

private

def get_resource(opts = {})
opts[:resource_data].presence || super
end

# @see AzureKeyVault#diagnostic_settings for how to use #additional_resource_properties method.
#
def activity_log_alert_filter(filter)
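Review bot: `opts[:resource_data].presence || super` depends on ActiveSupport's `Object#presence`; if `resource_data` is a plain `Hash` and the ActiveSupport core extensions are not loaded in this library, this raises `NoMethodError`. A plain-Ruby equivalent is `data = opts[:resource_data]; return data if data && !data.empty?; super`. More importantly, when `resource_data` is given the cached value is bound directly with no shape check, so a caller who passes the wrong object (say, the whole `entries` array instead of one entry) only finds out when a property access fails deep inside the resource; validating that the value responds to the keys the resource reads (`id`, `name`, `properties`) and raising a clear `ArgumentError` would make the failure mode obvious. Finally, the bare `super` relies on implicit argument forwarding, which passes `opts` unchanged; that is intended, but `super(opts)` is easier to read.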
2 changes: 2 additions & 0 deletions libraries/azure_storage_accounts.rb
Expand Up @@ -37,6 +37,8 @@ def initialize(opts = {})

# FilterTable is populated at the very end due to being an expensive operation.
AzureGenericResources.populate_filter_table(:table, table_schema)

populate_filter_table_from_response
end

def to_s
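Review bot: `populate_filter_table_from_response` is called immediately after `AzureGenericResources.populate_filter_table(:table, table_schema)`, and the comment above that call says the table is populated "at the very end" because it is expensive; it is not clear from this hunk whether the new call fills additional columns (for example the `properties` column added to the docs, which has no matching `table_schema` entry anywhere in this diff) or rebuilds the table a second time. Please add a comment stating what it adds and where it is defined (it is not in this file), and if it does a second full pass over the response, consider folding it into the first population so the cost is paid once.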