---
title: About the azure_network_watcher Resource
platform: azure
---

azure_network_watcher

Use the azure_network_watcher InSpec audit resource to test properties of an Azure network watcher.

Azure REST API version, endpoint and HTTP client parameters

This resource interacts with the API versions supported by the resource provider. The api_version can be defined as a resource parameter; if it is not provided, the latest version is used. For more information, refer to azure_generic_resource.

Unless defined, the azure_cloud global endpoint and the default values for the HTTP client are used. For more information, refer to the resource pack README.

Availability

Installation

This resource is available in the InSpec Azure resource pack. For an example inspec.yml file and instructions on setting up your Azure credentials, refer to the resource pack README.

Syntax

An azure_network_watcher resource block identifies a network watcher either by name and resource_group, or by its resource_id.

describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName') do
  it { should exist }
end
describe azure_network_watcher(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}') do
  it { should exist }
end

Parameters

| Name | Description | Example |
|------|-------------|---------|
| resource_group | Azure resource group that the network watcher resides in. | resourceGroupName |
| name | Name of the network watcher to test. | networkWatcherName |
| resource_id | The unique resource ID. | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName} |
| flow_logs_api_version | The API version of the flow log status endpoint used to build the flow_logs property. The latest version is used unless one is provided. A network security group within the same region can be targeted to get the flow log statuses. For more, see here. | |
| nsg_resource_id | The unique resource ID of the network security group being targeted to get the flow log statuses. | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName} |
| nsg_resource_group | The resource group of the network security group being targeted to get the flow log statuses. This requires nsg_name to be provided. | |
| nsg_name | The name of the network security group being targeted to get the flow log statuses. This requires nsg_resource_group to be provided. | |

Either of the following parameter sets makes a valid query (the nsg_* parameters are optional and are only needed to populate the flow_logs property):

  • resource_id
  • resource_group and name

Properties

| Property | Description |
|----------|-------------|
| provisioning_state | The provisioning state of the network watcher resource. For the valid values, see here. |
| flow_logs | Information on the configuration of flow logs and, optionally, traffic analytics, in this format. All properties can be accessed via dot notation, e.g. flow_logs.properties.enabled. The target network security group must be specified through the nsg_* parameters when the resource is declared; it cannot be changed afterwards. |

For properties applicable to all resources, such as type, name, id, properties, refer to azure_generic_resource.

Also, refer to Azure documentation for other properties available. Any attribute in the response may be accessed with the key names separated by dots (.).

Examples

Test the Location of a Network Watcher

describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName') do
  its('location') { should cmp 'eastus' }
end

Test the Flow Log Status of a Network Security Group

describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName', nsg_resource_group: 'nsg_rg', nsg_name: 'nsg_eastus') do
  its('flow_logs.properties.enabled') { should be true }
  its('flow_logs.properties.retentionPolicy.days') { should be >= 90 }
end

Loop through Network Security Groups with the Resource ID

azure_network_security_groups.where(location: 'eastus').ids.each do |nsg_id|
  describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName', nsg_resource_id: nsg_id) do
    its('flow_logs.properties.enabled') { should be true }
    its('flow_logs.properties.retentionPolicy.days') { should be >= 90 }
  end
end
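As an added illustration that is not part of the resource pack's own code, the plain Ruby below models what the two flow log checks above evaluate, against a constructed flow log status, and shows the one caveat a bare `>= 90` retention test misses: Azure records "retain forever" as retentionPolicy.days == 0. The response shape and the IDs are assumptions, not captured from a real subscription.

```ruby
require 'json'

# Constructed sample of the flow log status that the flow_logs property exposes.
# Assumption: it mirrors the shape of Azure's flow log status response; the IDs
# are placeholders and days == 0 / enabled == false is the "retain forever" setting.
FLOW_LOG_STATUS = JSON.parse(<<~JSON)
  {
    "targetResourceId": "/subscriptions/{subscriptionId}/resourceGroups/nsg_rg/providers/Microsoft.Network/networkSecurityGroups/nsg_eastus",
    "properties": {
      "storageId": "/subscriptions/{subscriptionId}/resourceGroups/nsg_rg/providers/Microsoft.Storage/storageAccounts/{storageAccountName}",
      "enabled": true,
      "retentionPolicy": { "days": 0, "enabled": false }
    }
  }
JSON

# Resolve a dotted path such as 'properties.retentionPolicy.days', the way the
# resource's dot notation does. Returns nil when any segment is missing instead
# of raising, so an NSG with no flow log configured is reported, not crashed on.
def dig_path(hash, path)
  path.split('.').reduce(hash) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Evaluate one flow log status against a minimum retention period and return
# the list of findings (empty when compliant). Azure stores "retain forever" as
# retentionPolicy.days == 0, so a plain `should be >= 90` would fail the most
# conservative setting; 0 is treated here as unlimited retention.
def flow_log_findings(status, min_days:)
  findings = []
  findings << 'flow logging disabled' unless dig_path(status, 'properties.enabled') == true
  days = dig_path(status, 'properties.retentionPolicy.days')
  if days.nil?
    findings << 'no retention policy configured'
  elsif days != 0 && days < min_days
    findings << "retention #{days} days is below the #{min_days}-day minimum"
  end
  findings
end

# Findings for a set of flow log statuses, keyed by the NSG resource ID, the
# same shape the loop over azure_network_security_groups above walks through.
def report(statuses, min_days: 90)
  statuses.to_h { |nsg_id, status| [nsg_id, flow_log_findings(status, min_days: min_days)] }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(report({ FLOW_LOG_STATUS['targetResourceId'] => FLOW_LOG_STATUS }))
end
```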

See integration tests for more examples.

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# If we expect 'networkWatcherName' to always exist
describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName') do
  it { should exist }
end

# If we expect 'networkWatcherName' to never exist
describe azure_network_watcher(resource_group: 'resourceGroupName', name: 'networkWatcherName') do
  it { should_not exist }
end

Azure Permissions

Your Service Principal must be set up with the Contributor role on the subscription you wish to test.