From 7b9dca7650a5674bc605f375f04037c941d46e34 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Wed, 22 Nov 2023 16:10:21 +0500
Subject: [PATCH 1/5] privateAccessEnabled
---
 exports.js | 1 +
 .../postgresqlserver/privateAccessEnabled.js | 50 +++++++
 .../privateAccessEnabled.spec.js | 136 ++++++++++++++++++
 3 files changed, 187 insertions(+)
 create mode 100644 plugins/azure/postgresqlserver/privateAccessEnabled.js
 create mode 100644 plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
diff --git a/exports.js b/exports.js
index 53c1523d03..6dcc08a55b 100644
--- a/exports.js
+++ b/exports.js
@@ -815,6 +815,7 @@ module.exports = {
 'geoRedundantBackupEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/geoRedundantBackupEnabled.js'),
 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'),
 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'),
+ 'privateAccessEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/privateAccessEnabled.js'),
 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'),

 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'),
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.js b/plugins/azure/postgresqlserver/privateAccessEnabled.js
new file mode 100644
index 0000000000..2df3ed15f8
--- /dev/null
+++ b/plugins/azure/postgresqlserver/privateAccessEnabled.js
@@ -0,0 +1,50 @@
+var async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'PostgreSQL Server Private Endpoints Configured',
+ category: 'PostgreSQL Server',
+ domain: 'Databases',
+ description: 'Ensures that PostgreSQL Servers are accessible only through private endpoints',
+ more_info: 'Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service such as Azure SQL Server into your VNet.',
+ recommended_action: 'Ensure that Private Endpoints are configured properly and Public Network Access is disabled for PostgreSQL Server',
+ link: 'https://learn.microsoft.com/en-us/azure/private-link/private-link-overview',
+ apis: ['servers:listPostgres'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.servers, function(location, rcb) {
+
+ var servers = helpers.addSource(cache, source,
+ ['servers', 'listPostgres', location]);
+
+ if (!servers) return rcb();
+
+ if (servers.err || !servers.data) {
+ helpers.addResult(results, 3,
+ 'Unable to query for PostgreSQL servers: ' + helpers.addError(servers), location);
+ return rcb();
+ }
+
+ if (!servers.data.length) {
+ helpers.addResult(results, 0, 'No PostgreSQL servers found', location);
+ return rcb();
+ }
+
+ for (const server of servers.data) {
+ if (server.privateEndpointConnections && server.privateEndpointConnections.length) {
+ helpers.addResult(results, 0, 'Private Endpoints are configured for the PostgreSQL Server', location, server.id);
+ } else {
+ helpers.addResult(results, 2, 'Private Endpoints are not configured for the PostgreSQL Server', location, server.id);
+ }
+ }
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
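Review bot: The pass/fail decision in the `for (const server of servers.data)` loop looks only at `server.privateEndpointConnections.length`, so a server that has a private endpoint but still has `publicNetworkAccess` set to `'Enabled'` is reported as passing — the second fixture in the accompanying spec is exactly that case and is expected to pass. That contradicts the plugin's own `description` ("accessible only through private endpoints") and `recommended_action` ("Public Network Access is disabled"). Either extend the pass condition, e.g. `if (server.privateEndpointConnections && server.privateEndpointConnections.length && server.publicNetworkAccess !== 'Enabled') {` with result messages that name both conditions, or narrow `description` and `recommended_action` to what is actually checked. Separately, connections are counted without regard to their state (the spec fixture carries a `provisioningState`), so a connection that is not yet approved may still count as configured — worth confirming against the API semantics before relying on the count. The `more_info` text also refers to "Azure SQL Server" rather than PostgreSQL.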
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
new file mode 100644
index 0000000000..e980f0bb78
--- /dev/null
+++ b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
@@ -0,0 +1,136 @@
+var expect = require('chai').expect;
+var privateAccessEnabled = require('./privateAccessEnabled');
+
+const listPostgres = [
+ {
+ 'sku': {
+ 'name': 'B_Gen5_1',
+ 'tier': 'Basic',
+ 'family': 'Gen5',
+ 'capacity': 1
+ },
+ 'location': 'eastus',
+ 'tags': { "key": "value" },
+ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+ 'name': 'server1',
+ 'type': 'Microsoft.DBforPostgreSQL/servers',
+ 'administratorLogin': 'Aquaadmin',
+ 'storageProfile': {
+ 'storageMB': 5120,
+ 'backupRetentionDays': 7,
+ 'geoRedundantBackup': 'Disabled',
+ 'storageAutogrow': 'Enabled'
+ },
+ 'version': '11',
+ 'sslEnforcement': 'Enabled',
+ 'minimalTlsVersion': 'TLS1_0',
+ 'userVisibleState': 'Ready',
+ 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+ 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+ 'replicationRole': '',
+ 'masterServerId': '',
+ 'byokEnforcement': 'Disabled',
+ 'privateEndpointConnections': [],
+ 'infrastructureEncryption': 'Disabled',
+ 'publicNetworkAccess': 'Enabled'
+ },
+ {
+ 'sku': {
+ 'name': 'B_Gen5_1',
+ 'tier': 'Basic',
+ 'family': 'Gen5',
+ 'capacity': 1
+ },
+ 'location': 'eastus',
+ 'tags': { "key": "value" },
+ 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
+ 'name': 'server1',
+ 'type': 'Microsoft.DBforPostgreSQL/servers',
+ 'administratorLogin': 'Aquaadmin',
+ 'storageProfile': {
+ 'storageMB': 5120,
+ 'backupRetentionDays': 7,
+ 'geoRedundantBackup': 'Disabled',
+ 'storageAutogrow': 'Enabled'
+ },
+ 'version': '11',
+ 'sslEnforcement': 'Enabled',
+ 'minimalTlsVersion': 'TLS1_2',
+ 'userVisibleState': 'Ready',
+ 'fullyQualifiedDomainName': 'server1.postgres.database.azure.com',
+ 'earliestRestoreDate': '2021-03-10T12:45:13.233+00:00',
+ 'replicationRole': '',
+ 'masterServerId': '',
+ 'byokEnforcement': 'Disabled',
+ 'privateEndpointConnections': [
+ {
+ 'id': 
'/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Sql/servers/test-server/privateEndpointConnections/test-endpoint',
+ 'provisioningState': 'Ready'
+ }
+ ],
+ 'infrastructureEncryption': 'Disabled',
+ 'publicNetworkAccess': 'Enabled'
+ }
+
+];
+
+const createCache = (listPostgres) => {
+ return {
+ servers: {
+ listPostgres: {
+ 'eastus': {
+ data: listPostgres
+ }
+ }
+ }
+ };
+};
+
+describe('privateAccessEnabled', function() {
+ describe('run', function() {
+ it('should give passing result if no servers', function(done) {
+ const cache = createCache({});
+ privateAccessEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No PostgreSQL servers found');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give failing result if private endpoints are not configured', function(done) {
+ const cache = createCache([listPostgres[0]]);
+ privateAccessEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('Private Endpoints are not configured for the PostgreSQL Server');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give should give passing result if private endpoints are configured', function(done) {
+ const cache = createCache([listPostgres[1]]);
+ privateAccessEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('Private Endpoints are configured for the PostgreSQL Server');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ it('should give UnKnown result if unable to query postgreSQL Server', function(done) {
+ const cache = createCache(null);
+ privateAccessEnabled.run(cache, {}, (err, results) => {
+ 
expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for PostgreSQL servers: ');
+ expect(results[0].region).to.equal('eastus');
+ done();
+ });
+ });
+
+ })
+})
\ No newline at end of file
From 459dd6331fcc8a78648d5a9561e6084e5d3c5dd8 Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Thu, 23 Nov 2023 11:35:04 +0500
Subject: [PATCH 2/5] privateEndpointcongif
---
 exports.js | 2 +-
 ...ccessEnabled.js => postgresqlPrivateEndpoints.js} | 0
 .../postgresqlserver/privateAccessEnabled.spec.js | 12 ++++++------
 3 files changed, 7 insertions(+), 7 deletions(-)
 rename plugins/azure/postgresqlserver/{privateAccessEnabled.js => postgresqlPrivateEndpoints.js} (100%)
diff --git a/exports.js b/exports.js
index 6dcc08a55b..037b77f0ea 100644
--- a/exports.js
+++ b/exports.js
@@ -815,7 +815,7 @@ module.exports = {
 'geoRedundantBackupEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/geoRedundantBackupEnabled.js'),
 'postgresqlServerHasTags' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlServerHasTags.js'),
 'postgresqlInfraDoubleEncryption': require(__dirname + '/plugins/azure/postgresqlserver/postgresqlInfraDoubleEncryption.js'),
- 'privateAccessEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/privateAccessEnabled.js'),
+ 'postgresqlPrivateEndpoints' : require(__dirname + '/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js'),
 'azureServicesAccessDisabled' : require(__dirname + '/plugins/azure/postgresqlserver/azureServicesAccessDisabled.js'),

 'openOracleAutoDataWarehouse' : require(__dirname + '/plugins/azure/networksecuritygroups/openOracleAutoDataWarehouse.js'),
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js
similarity index 100%
rename from plugins/azure/postgresqlserver/privateAccessEnabled.js
rename to plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.js
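Review bot: The "no servers" case calls `createCache({})`, which makes `servers.data` a plain object rather than the empty array the plugin branches on; it only reaches the "No PostgreSQL servers found" result because `{}.length` is `undefined`, so `const cache = createCache([]);` would exercise the intended `!servers.data.length` path with the same shape as `listPostgres`. The passing fixture (`listPostgres[1]`) carries `'publicNetworkAccess': 'Enabled'` alongside its private endpoint connection, so the suite pins the behaviour that public network access is never consulted; if the check is tightened to match its description, this fixture needs a disabled-public-access variant and the current one becomes a failing case. Both fixtures also reuse the same `id` and `name` (`server1`), which makes result attribution indistinguishable in a multi-server test, and the third `it` title repeats "should give should give".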
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
index e980f0bb78..acd140fd9f 100644
--- a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
+++ b/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
@@ -1,5 +1,5 @@
 var expect = require('chai').expect;
-var privateAccessEnabled = require('./privateAccessEnabled');
+var privateEndpoints = require('./postgresqlPrivateEndpoints');

 const listPostgres = [
 {
@@ -86,11 +86,11 @@ const createCache = (listPostgres) => {
 };
 };

-describe('privateAccessEnabled', function() {
+describe('privateEndpoints', function() {
 describe('run', function() {
 it('should give passing result if no servers', function(done) {
 const cache = createCache({});
- privateAccessEnabled.run(cache, {}, (err, results) => {
+ privateEndpoints.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].message).to.include('No PostgreSQL servers found');
@@ -101,7 +101,7 @@ describe('privateAccessEnabled', function() {

 it('should give failing result if private endpoints are not configured', function(done) {
 const cache = createCache([listPostgres[0]]);
- privateAccessEnabled.run(cache, {}, (err, results) => {
+ privateEndpoints.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(2);
 expect(results[0].message).to.include('Private Endpoints are not configured for the PostgreSQL Server');
@@ -112,7 +112,7 @@ describe('privateAccessEnabled', function() {

 it('should give should give passing result if private endpoints are configured', function(done) {
 const cache = createCache([listPostgres[1]]);
- privateAccessEnabled.run(cache, {}, (err, results) => {
+ privateEndpoints.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(0);
 expect(results[0].message).to.include('Private Endpoints are configured for the PostgreSQL Server');
@@ -123,7 +123,7 @@ describe('privateAccessEnabled', function() {

 it('should give UnKnown result if unable to query postgreSQL Server', function(done) {
 const cache = createCache(null);
- privateAccessEnabled.run(cache, {}, (err, results) => {
+ privateEndpoints.run(cache, {}, (err, results) => {
 expect(results.length).to.equal(1);
 expect(results[0].status).to.equal(3);
 expect(results[0].message).to.include('Unable to query for PostgreSQL servers: ');
From e9c80f8b951edc2d681d254e5adb1cfe4d70a32c Mon Sep 17 00:00:00 2001
From: fatima99s
Date: Thu, 23 Nov 2023 11:36:41 +0500
Subject: [PATCH 3/5] privateEndpointcongif
---
 ...teAccessEnabled.spec.js => postgresqlPrivateEndpoints.spec.js} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename plugins/azure/postgresqlserver/{privateAccessEnabled.spec.js => postgresqlPrivateEndpoints.spec.js} (100%)
diff --git a/plugins/azure/postgresqlserver/privateAccessEnabled.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
similarity index 100%
rename from plugins/azure/postgresqlserver/privateAccessEnabled.spec.js
rename to plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
From 1ad0ab8f2858ce2d3cf13a93e205f1221d8e1e42 Mon Sep 17 00:00:00 2001
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com>
Date: Fri, 1 Dec 2023 03:32:03 +0500
Subject: [PATCH 4/5] Update plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
---
 .../azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
index acd140fd9f..a9fc448e6f 100644
--- a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
+++ b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
@@ -14,7 +14,7 @@ const listPostgres = [
 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
 'name': 'server1',
 'type': 'Microsoft.DBforPostgreSQL/servers',
- 'administratorLogin': 'Aquaadmin',
+ 'administratorLogin': 'test',
 'storageProfile': {
 'storageMB': 5120,
 'backupRetentionDays': 7,
From b71f99ba53d487362fb5b92d88f66d11957638e2 Mon Sep 17 00:00:00 2001
From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com>
Date: Fri, 1 Dec 2023 03:32:56 +0500
Subject: [PATCH 5/5] Update plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
---
 .../azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
index a9fc448e6f..5eb3b7c0ae 100644
--- a/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
+++ b/plugins/azure/postgresqlserver/postgresqlPrivateEndpoints.spec.js
@@ -46,7 +46,7 @@ const listPostgres = [
 'id': '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.DBforPostgreSQL/servers/server1',
 'name': 'server1',
 'type': 'Microsoft.DBforPostgreSQL/servers',
- 'administratorLogin': 'Aquaadmin',
+ 'administratorLogin': 'test',
 'storageProfile': {
 'storageMB': 5120,
 'backupRetentionDays': 7,