Support cache for storage accounts

CHANGELOG.md

@@ -1,10 +1,15 @@
 # Changelog
-<!-- latest_release 1.84.3 -->
+<!-- latest_release 1.84.4 -->
+## [v1.84.4](https://github.com/inspec/inspec-azure/tree/v1.84.4) (2022-01-24)
+
+#### Merged Pull Requests
+- Fix yaml in resource docs [#625](https://github.com/inspec/inspec-azure/pull/625) ([IanMadd](https://github.com/IanMadd))
+<!-- latest_release -->
+
 ## [v1.84.3](https://github.com/inspec/inspec-azure/tree/v1.84.3) (2022-01-07)
 
 #### Merged Pull Requests
 - Publish latest release notes 2022-01-07 [#604](https://github.com/inspec/inspec-azure/pull/604) ([IanMadd](https://github.com/IanMadd))
-<!-- latest_release -->
 
 ## [v1.84.2](https://github.com/inspec/inspec-azure/tree/v1.84.2) (2022-01-07)
 

VERSION

@@ -1 +1 @@
-1.84.3
+1.84.4

docs/resources/azure_network_security_group.md

@@ -21,7 +21,7 @@ For more information, refer to the resource pack [README](../../README.md).
 
 ### Installation
 
-This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure). 
+This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
 For an example `inspec.yml` file and how to set up your Azure credentials, refer to resource pack [README](../../README.md#Service-Principal).
 
 ## Syntax
@@ -44,10 +44,10 @@ end
 | resource_group                 | Azure resource group that the targeted resource resides in.`MyResourceGroup`     |
 | name                           | Name of the Azure resource to test. `MyNSG`                                      |
 | resource_id                    | The unique resource ID. `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}` |
-| resource_data                  | In-Memory cached Azure Network Security Group Data. This is an optional parameter and can be provided to increase performance since it avoids multiple network calls to the same resource. When provided it binds the values directly to the resource. | 
-[Warning] when `resource_data` parameter is in use, the resource state itself could be stale and it is the user's responsibility to refresh the data.
+| resource_data                  | In-memory cached Azure Network security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the `resource_data` parameter could be stale. It is the user's responsibility to refresh the data. |
+
+Provide one of the following parameter sets for a valid query:
 
-Either one of the parameter sets can be provided for a valid query:
 - `resource_id`
 - `resource_group` and `name`
 - `resource_data`
@@ -75,13 +75,13 @@ Therefore, it is recommended to use `allow`, `allow_in` or `allow_out` propertie
 <superscript>**</superscript> These properties do not compare criteria defined by explicit ip ranges with the security rules defined by [Azure service tags](https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview) and vice versa.
 For example, providing that a network security group has a single security rule allowing all traffics from internet by using `Internet` service tag in the source will fail the `allow_in(ip_range: '64.233.160.0')` test due to incompatible source definitions.
 This is because InSpec Azure resource pack has no control over which ip ranges are defined in Azure service tags.
-Therefore, tests using these methods should be written explicitly for service tags and ip ranges. 
+Therefore, tests using these methods should be written explicitly for service tags and ip ranges.
 For more information about network security groups and security rules refer to [here](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
-`*ip_range` used in these methods support IPv4 and IPv6. The ip range criteriaom should be written in CIDR notation.   
+`*ip_range` used in these methods support IPv4 and IPv6. The ip range criteriaom should be written in CIDR notation.
 
 For properties applicable to all resources, such as `type`, `name`, `id`, `properties`, refer to [`azure_generic_resource`](azure_generic_resource.md#properties).
 
-Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/networksecuritygroups/get#networksecuritygroup) for other properties available. 
+Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/virtualnetwork/networksecuritygroups/get#networksecuritygroup) for other properties available.
 Any property in the response may be accessed with the key names separated by dots (`.`).
 
 ## Examples
@@ -97,28 +97,28 @@ end
 describe azure_network_security_group(resource_group: 'example', name: 'GroupName') do
   it { should allow_ssh_from_internet }
 end
-```    
+```
 ### Test that a Network Security Group Allows Inbound Traffics from a Certain Ip Range in Any Port and Any Protocol
 ```ruby
 describe azure_network_security_group(resource_group: 'example', name: 'GroupName') do
   it { should allow(source_ip_range: '10.0.0.0/24', direction: 'inbound') }
   it { should allow_in(ip_range: '10.0.0.0/24') }    # same test with the specific inbound rule check
 end
-```    
+```
 ### Test that a Network Security Group Allows Inbound Traffics from Internet Service Tag in Port `80` and `TCP` Protocol
 ```ruby
 describe azure_network_security_group(resource_group: 'example', name: 'GroupName') do
   it { should allow(source_service_tag: 'Internet', destination_port: '22', protocol: 'TCP', direction: 'inbound') }
   it { should allow_in(service_tag: 'Internet', port: '22', protocol: 'TCP') }    # same test with the specific inbound rule check
 end
-```        
+```
 ### Test that a Network Security Group Allows Inbound Traffics from Virtual Network Service Tag in a Range of Ports and Any Protocol
 ```ruby
 describe azure_network_security_group(resource_group: 'example', name: 'GroupName') do
   it { should allow(source_service_tag: 'VirtualNetwork', destination_port: %w{22 8080 56-78}, direction: 'inbound') }
   it { should allow_in(service_tag: 'VirtualNetwork', port: %w{22 8080 56-78}) }    # same test with the specific inbound rule check
 end
-```            
+```
 ### Test that a Network Security Group Allows Outbound Traffics to a Certain Ip Range in any Port and Any Protocol
 ```ruby
 describe azure_network_security_group(resource_group: 'example', name: 'GroupName') do
@@ -127,17 +127,20 @@ describe azure_network_security_group(resource_group: 'example', name: 'GroupNam
 end
 ```
 
-### Test that a Network Security Group does not allow inbound traffic from already cached data 
+### Loop through multiple network security groups and verify that each does not allow inbound traffic from already cached data
+
 ```ruby
 azure_network_security_groups.entries.each do |azure_network_security_group_data|
-    describe azure_network_security_group(resource_data: azure_network_security_group_data) do
-      it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
-      it { should_not allow_in(ip_range: '10.0.0.0/24') }   # same test with the specific outbound rule check
-    end
+  describe azure_network_security_group(resource_data: azure_network_security_group_data) do
+    it { should_not allow(destination_ip_range: '10.0.0.0/24', direction: 'inbound') }
+    it { should_not allow_in(ip_range: '10.0.0.0/24') }   # same test with the specific outbound rule check
+  end
 end
 ```
-Please note that `allow` requires `direction` parameter is set to either `inbound` or `outbound` and prefix the `ip_range`, `service_tag` and `port` with either `source_` or `destination_` identifiers.     
-
+
+Please note that `allow` requires the `direction` parameter be set to either `inbound` or `outbound`
+and you must prefix the `ip_range`, `service_tag`, and `port` with either `source_` or `destination_` identifiers.
+
 ## Matchers
 
 This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).

docs/resources/azure_sentinel_alert_rule_template.md

@@ -1,7 +1,7 @@
 ---
 title: About the azure_sentinel_alert_rule_template Resource
 platform: azure
-   ---
+---
 
 # azure_sentinel_alert_rule_template
 

docs/resources/azure_sentinel_alert_rule_templates.md

@@ -1,7 +1,7 @@
 ---
 title: About the azure_sentinel_alert_rule_templates Resource
 platform: azure
-   ---
+---
 
 # azure_sentinel_alert_rule_templates
 

docs/resources/azure_storage_account.md

@@ -21,7 +21,7 @@ For more information, refer to the resource pack [README](../../README.md).
 
 ### Installation
 
-This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure). 
+This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
 For an example `inspec.yml` file and how to set up your Azure credentials, refer to resource pack [README](../../README.md#Service-Principal).
 
 ## Syntax
@@ -46,10 +46,14 @@ end
 | resource_id                    | The unique resource ID. `/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}` |
 | activity_log_alert_api_version | The activity log alerts endpoint api version used in `have_recently_generated_access_key` matcher. The latest version will be used unless provided. |
 | storage_service_endpoint_api_version | The storage service endpoint api version. `2019-12-12` wil be used unless provided. |
+| resource_data                  | In-memory cached Azure Network security group data. Passing data to this parameter can increase performance since it avoids multiple network calls to the same Azure resource. When provided, it binds the values directly to the resource. Data passed to the `resource_data` parameter could be stale. It is the user's responsibility to refresh the data. |
+
+
+Pass one of the following parameter sets for a valid query:
 
-Either one of the parameter sets can be provided for a valid query:
 - `resource_id`
 - `resource_group` and `name`
+- `resource_data`
 
 ## Properties
 
@@ -68,7 +72,7 @@ The property names will be in snake case, `propety_name`. Therefore, `<Enumerati
 
 For properties applicable to all resources, such as `type`, `name`, `id`, `properties`, refer to [`azure_generic_resource`](azure_generic_resource.md#properties).
 
-Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties#storageaccount) for other properties available. 
+Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties#storageaccount) for other properties available.
 Any attribute in the response may be accessed with the key names separated by dots (`.`).
 
 ## Examples
@@ -118,6 +122,17 @@ describe azure_storage_account(resource_group: 'rg', name: 'mysa') do
   its('table_properties.logging.version') { should cmp '1.0' }
 end
 ```
+
+### Loop through all storage accounts and test a blob service endpoint exists from already cached data
+
+```ruby
+azure_storage_accounts.entries.each do |azure_storage_account_data|
+    describe azure_storage_account(resource_data: azure_storage_account_data) do
+      its('blobs.enumeration_results.service_endpoint') { should cmp 'https://mysa.blob.core.windows.net/' }
+    end
+end
+```
+
 ## Matchers
 
 This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://docs.chef.io/inspec/matchers/).
@@ -152,4 +167,4 @@ end
 ```
 ## Azure Permissions
 
-Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
+Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a minimum of `reader` role on the subscription you wish to test.

docs/resources/azure_storage_accounts.md

@@ -53,6 +53,7 @@ The name of the resource group.
 | names         | A list of names of all the resources being interrogated.                             | `name`          |
 | type          | A list of types of all the resources being interrogated.                             | `type`          |
 | tags          | A list of `tag:value` pairs defined on the resources being interrogated.             | `tags`          |
+| properties    | A list of all properties of all the resources.                                       | `properties`    | 
 
 <superscript>*</superscript> For information on how to use filter criteria on plural resources refer to [FilterTable usage](https://github.com/inspec/inspec/blob/master/dev-docs/filtertable-usage.md).
 
@@ -85,4 +86,4 @@ end
 ```
 ## Azure Permissions
 
-Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
+Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a minimum of `reader` role on the subscription you wish to test.

inspec.yml

@@ -5,7 +5,7 @@ copyright: Chef Software, Inc.
 copyright_email: [email protected]
 license: Apache-2.0
 summary: This resource pack provides compliance resources for Azure.
-version: 1.84.3
+version: 1.84.4
 inspec_version: '>= 4.18.39'
 supports:
   - platform: azure

libraries/azure_storage_account.rb

@@ -145,6 +145,10 @@ def table_properties
 
   private
 
+  def get_resource(opts = {})
+    opts[:resource_data].presence || super
+  end
+
   # @see AzureKeyVault#diagnostic_settings for how to use #additional_resource_properties method.
   #
   def activity_log_alert_filter(filter)

libraries/azure_storage_accounts.rb

@@ -37,6 +37,8 @@ def initialize(opts = {})
 
     # FilterTable is populated at the very end due to being an expensive operation.
     AzureGenericResources.populate_filter_table(:table, table_schema)
+
+    populate_filter_table_from_response
   end
 
   def to_s