Skip to content

Commit

Permalink
postgresqlServerCMKencrypted
Browse files Browse the repository at this point in the history
  • Loading branch information
fatima99s committed Nov 23, 2023
1 parent e107f72 commit 6e16236
Show file tree
Hide file tree
Showing 3 changed files with 181 additions and 0 deletions.
1 change: 1 addition & 0 deletions exports.js
Original file line number Diff line number Diff line change
Expand Up @@ -806,6 +806,7 @@ module.exports = {
'logRetentionDays' : require(__dirname + '/plugins/azure/postgresqlserver/logRetentionDays.js'),
'connectionThrottlingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/connectionThrottlingEnabled.js'),
'logDurationEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDurationEnabled.js'),
'postgresqlCMKEncrypted' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlEncryptionAtRestWithCMK.js'),
'logDisconnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logDisconnectionsEnabled.js'),
'logConnectionsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logConnectionsEnabled.js'),
'logCheckpointsEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/logCheckpointsEnabled.js'),
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
const async = require('async');
const helpers = require('../../../helpers/azure');

module.exports = {
title: 'PostgreSQL Encryption At Rest with BYOK',
category: 'PostgreSQL Server',
domain: 'Databases',
description: 'Ensure that Azure PostgreSQL Database Servers data is encrypted with CMK.',
more_info: 'Data at rest encryption with BYOK ensures that your PostgreSQL server data is protected using a key that you manage. Enabling BYOK adds an extra layer of security by allowing you to control access to the encryption keys.',
recommended_action: 'Enable CMK encryotion for PostgreSQL database servers.',
link: 'https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-data-encryption-postgresql',
apis: ['servers:listPostgres'],

run: function(cache, settings, callback) {
const results = [];
const source = {};
const locations = helpers.locations(settings.govcloud);

async.each(locations.servers, (location, rcb) => {
const servers = helpers.addSource(cache, source,
['servers', 'listPostgres', location]);

if (!servers) return rcb();

if (servers.err || !servers.data) {
helpers.addResult(results, 3,
'Unable to query for PostgreSQL Servers:' + helpers.addError(servers), location);
return rcb();
}

if (!servers.data.length) {
helpers.addResult(results, 0, 'No existing PostgreSQL Servers found', location);
return rcb();
}

for (let server of servers.data) {
if (!server.id) continue;
if (server.byokEnforcement && server.byokEnforcement == 'Enabled') {
helpers.addResult(results, 0, 'PostgreSQL server is encrypted using CMK', location, server.id);
} else {
helpers.addResult(results, 2, 'PostgreSQL server is not encrypted using CMK', location, server.id);
}
}

rcb();
}, function() {
// Global checking goes here
callback(null, results, source);
});
}
};
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
var expect = require('chai').expect;
var postgresqlEncryptionAtRestWithCMK = require('./postgresqlEncryptionAtRestWithCMK');

const listPostgres = [
{
'sku': {
'name': 'B_Gen5_1',
'tier': 'Basic',
'family': 'Gen5',
'capacity': 1
},
'location': 'eastus',
'tags': { "key": "value" },
'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
'name': 'server1',
'type': 'Microsoft.DBforPostgreSQL/servers',
'administratorLogin': 'Aquaadmin',
'storageProfile': {
'storageMB': 5120,
'backupRetentionDays': 7,
'geoRedundantBackup': 'Disabled',
'storageAutogrow': 'Enabled'
},
'version': '11',
'sslEnforcement': 'Enabled',
'minimalTlsVersion': 'TLSEnforcementDisabled',
'userVisibleState': 'Ready',
'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
'replicationRole': '',
'masterServerId': '',
'byokEnforcement': 'Disabled',
'privateEndpointConnections': [],
'infrastructureEncryption': 'Disabled',
'publicNetworkAccess': 'Enabled'
},
{
'sku': {
'name': 'B_Gen5_1',
'tier': 'Basic',
'family': 'Gen5',
'capacity': 1
},
'location': 'eastus',
'tags': {},
'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
'name': 'server1',
'type': 'Microsoft.DBforPostgreSQL/servers',
'administratorLogin': 'Aquaadmin',
'storageProfile': {
'storageMB': 5120,
'backupRetentionDays': 7,
'geoRedundantBackup': 'Disabled',
'storageAutogrow': 'Disabled'
},
'version': '11',
'sslEnforcement': 'Enabled',
'minimalTlsVersion': 'TLSEnforcementDisabled',
'userVisibleState': 'Ready',
'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
'replicationRole': '',
'masterServerId': '',
'byokEnforcement': 'Enabled',
'privateEndpointConnections': [],
'infrastructureEncryption': 'Enabled',
'publicNetworkAccess': 'Enabled'
}
];

const createCache = (listPostgres) => {
return {
servers: {
listPostgres: {
'eastus': {
data: listPostgres
}
}
}
};
};

describe('postgresqlEncryptionAtRestWithCMK', function() {
describe('run', function() {
it('should give passing result if no servers', function(done) {
const cache = createCache({});
postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('No existing PostgreSQL Servers found');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give failing result if PostgreSQL Server is not encrypted using CMK', function(done) {
const cache = createCache([listPostgres[0]]);
postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(2);
expect(results[0].message).to.include('PostgreSQL server is not encrypted using CMK');
expect(results[0].region).to.equal('eastus');
done();
});
});

it('should give passing result if PostgreSQL Server is encrypted using CMK', function(done) {
const cache = createCache([listPostgres[1]]);
postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('PostgreSQL server is encrypted using CMK');
expect(results[0].region).to.equal('eastus');
done();
});
});
it('should give UnKnown result if unable to query postgreSQL Server', function(done) {
const cache = createCache(null);
postgresqlEncryptionAtRestWithCMK.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(3);
expect(results[0].message).to.include('Unable to query for PostgreSQL Servers:');
expect(results[0].region).to.equal('eastus');
done();
});
});

});
});

0 comments on commit 6e16236

Please sign in to comment.