From 52d69ab5733ac499e55e66ff303c33f4d5ae2b20 Mon Sep 17 00:00:00 2001
From: Hossein Rouhani
Date: Wed, 4 Sep 2024 14:28:03 +0200
Subject: [PATCH] Improved
Signed-off-by: Hossein Rouhani
---
 providers/azure/resources/azure.lr | 12 +++-
 .../azure/resources/azure.lr.manifest.yaml | 11 +++
 providers/azure/resources/keyvault.go | 70 +++++++++++++++----
 3 files changed, 79 insertions(+), 14 deletions(-)
diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
index 5422d4362c..20aba46b00 100644
--- a/providers/azure/resources/azure.lr
+++ b/providers/azure/resources/azure.lr
@@ -1510,6 +1510,16 @@ private azure.subscription.keyVaultService.vault @defaults("vaultName type vault
 secrets() []azure.subscription.keyVaultService.secret
 // Vault diagnostic settings
 diagnosticSettings() []azure.subscription.monitorService.diagnosticsetting
+ // Auto-rotation enabled status for all keys
+ autorotation() []azure.subscription.keyVaultService.key.autorotation
+}
+
+// Azure Key Vault key auto-rotation
+private azure.subscription.keyVaultService.key.autorotation @defaults("enabled") {
+ // Key ID (Key Identifier)
+ kid string
+ // Auto-rotation enabled status
+ enabled bool
 }
 
 // Azure Key Vault key
@@ -1538,8 +1548,6 @@ private azure.subscription.keyVaultService.key @defaults("kid keyName") {
 version() string
 // List of key versions
 versions() []azure.subscription.keyVaultService.key
- // Auto-rotation enabled status
- autoRotationEnabled bool
 }
 
 // Azure Key Vault certificate
diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml
index e6b25f3974..81cbb7c73a 100644
--- a/providers/azure/resources/azure.lr.manifest.yaml
+++ b/providers/azure/resources/azure.lr.manifest.yaml
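Review bot: Removing `autoRotationEnabled bool` from `azure.subscription.keyVaultService.key` in the second hunk is a breaking schema change for any policy or query that already reads `keys.autoRotationEnabled`, and nothing in the commit (title "Improved", no description) calls it out; the manifest only adds a `min_mondoo_version` for the new resource, not a deprecation for the removed field. If the field has already shipped in a release, consider keeping it with a `// Deprecated: use vault.autorotation instead` comment alongside the new `autorotation()` list, otherwise state the removal in the commit message. The comment on the new resource's `kid` field, `// Key ID (Key Identifier)`, restates the name; `// Key ID of the key this rotation status describes` would tell a reader how the two resources relate.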
@@ -754,6 +754,15 @@ resources:
 refs:
 - title: Azure Key Vault
 url: https://learn.microsoft.com/en-us/azure/key-vault/
+ azure.subscription.keyVaultService.key.autorotation:
+ fields:
+ enabled: {}
+ kid: {}
+ is_private: true
+ min_mondoo_version: 9.0.0
+ platform:
+ name:
+ - azure
 azure.subscription.keyVaultService.secret:
 fields:
 contentType: {}
@@ -778,6 +787,8 @@ resources:
 url: https://learn.microsoft.com/en-us/azure/key-vault/
 azure.subscription.keyVaultService.vault:
 fields:
+ autorotation:
+ min_mondoo_version: 9.0.0
 certificates: {}
 diagnosticSettings: {}
 id: {}
diff --git a/providers/azure/resources/keyvault.go b/providers/azure/resources/keyvault.go
index bc53afe43b..3fa52db22f 100644
--- a/providers/azure/resources/keyvault.go
+++ b/providers/azure/resources/keyvault.go
@@ -182,6 +182,60 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
 }
 pager := client.NewListKeyPropertiesPager(&azkeys.ListKeyPropertiesOptions{})
 res := []interface{}{}
+ for pager.More() {
+ page, err := pager.NextPage(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, entry := range page.Value {
+ mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key",
+ map[string]*llx.RawData{
+ "kid": llx.StringDataPtr((*string)(entry.KID)),
+ "managed": llx.BoolDataPtr(entry.Managed),
+ "tags": llx.MapData(convert.PtrMapStrToInterface(entry.Tags), types.String),
+ "enabled": llx.BoolDataPtr(entry.Attributes.Enabled),
+ "created": llx.TimeDataPtr(entry.Attributes.Created),
+ "updated": llx.TimeDataPtr(entry.Attributes.Updated),
+ "expires": llx.TimeDataPtr(entry.Attributes.Expires),
+ "notBefore": llx.TimeDataPtr(entry.Attributes.NotBefore),
+ "recoveryLevel": llx.StringDataPtr((*string)(entry.Attributes.RecoveryLevel)),
+ })
+ if err != nil {
+ return nil, err
+ }
+ res = append(res, mqlAzure)
+ }
+ }
+
+ return res, nil
+}
+
+func (a *mqlAzureSubscriptionKeyVaultServiceKeyAutorotation) keyName() (string, error) {
+ id := a.Kid.Data
+ kvid, err := parseKeyVaultId(id)
+ if err != nil {
+ return "", err
+ }
+
+ return kvid.Name, nil
+}
+
+func (a *mqlAzureSubscriptionKeyVaultServiceVault) autorotation() ([]interface{}, error) {
+ conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
+ ctx := context.Background()
+ token := conn.Token()
+ vaultUri := a.GetVaultUri()
+ client, err := azkeys.NewClient(vaultUri.Data, token, &azkeys.ClientOptions{
+ ClientOptions: conn.ClientOptions(),
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ pager := client.NewListKeyPropertiesPager(&azkeys.ListKeyPropertiesOptions{})
+ res := []interface{}{}
+
 for pager.More() {
 page, err := pager.NextPage(ctx)
 if err != nil {
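Review bot: `keyName()` on `mqlAzureSubscriptionKeyVaultServiceKeyAutorotation` has no counterpart in the `azure.subscription.keyVaultService.key.autorotation` schema added in azure.lr, which declares only `kid` and `enabled`, so the method cannot be reached from MQL and reads as dead code; either add `keyName() string` to the resource definition (with a `// Name of the key, derived from kid` comment) or drop the method. The first half of `autorotation()` (connection cast, token, `azkeys.NewClient` with `conn.ClientOptions()`, pager setup) is a line-for-line copy of the same setup in `keys()` just above it; a small shared constructor, sketched below, would keep the two in step when client options or credential handling change. Both functions use `context.Background()`, so a slow list or policy call against the vault endpoint has no upper bound; if the runtime exposes a cancellable context, threading it through is preferable to an unbounded wait per vault. The hunk opens inside `keys()` (its signature is above the hunk) and `autorotation()` continues past the hunk end.
```go
// newKeysClient builds the azkeys client for this vault; shared by keys() and autorotation().
func (a *mqlAzureSubscriptionKeyVaultServiceVault) newKeysClient() (*azkeys.Client, error) {
	conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
	return azkeys.NewClient(a.GetVaultUri().Data, conn.Token(), &azkeys.ClientOptions{
		ClientOptions: conn.ClientOptions(),
	})
}

func (a *mqlAzureSubscriptionKeyVaultServiceVault) autorotation() ([]interface{}, error) {
	client, err := a.newKeysClient()
	if err != nil {
		return nil, err
	}
	ctx := context.Background()
	// … unchanged: pager loop building key.autorotation resources …
```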
@@ -190,7 +244,7 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
 
 for _, entry := range page.Value {
 autoRotationEnabled := false
- // Fetch the rotation policy for each key
+
 if entry.KID != nil {
 keyID := string(*entry.KID)
 kvid, err := parseKeyVaultId(keyID)
@@ -207,18 +261,10 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
 }
 }
 
- mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key",
+ mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key.autorotation",
 map[string]*llx.RawData{
- "kid": llx.StringDataPtr((*string)(entry.KID)),
- "managed": llx.BoolDataPtr(entry.Managed),
- "tags": llx.MapData(convert.PtrMapStrToInterface(entry.Tags), types.String),
- "enabled": llx.BoolDataPtr(entry.Attributes.Enabled),
- "created": llx.TimeDataPtr(entry.Attributes.Created),
- "updated": llx.TimeDataPtr(entry.Attributes.Updated),
- "expires": llx.TimeDataPtr(entry.Attributes.Expires),
- "notBefore": llx.TimeDataPtr(entry.Attributes.NotBefore),
- "recoveryLevel": llx.StringDataPtr((*string)(entry.Attributes.RecoveryLevel)),
- "autoRotationEnabled": llx.BoolData(autoRotationEnabled),
+ "kid": llx.StringDataPtr((*string)(entry.KID)),
+ "enabled": llx.BoolData(autoRotationEnabled),
 })
 if err != nil {
 return nil, err
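Review bot: `autoRotationEnabled := false` is what the new `key.autorotation` resource reports whenever the per-key rotation-policy lookup does not positively set it, so — depending on how the lines between these two hunks handle errors, which are outside this view — a permissions failure or a transient error on that call would be indistinguishable from a key whose rotation is genuinely disabled. Since the resource only carries `kid` and `enabled`, consider returning the lookup error instead of falling through, or adding a field that lets a consumer tell "unknown" from "off" before a compliance check is built on it. In the first hunk the removed comment is replaced by an empty added line rather than deleted, leaving a stray blank between `autoRotationEnabled := false` and `if entry.KID != nil {`; the comment `// Fetch the rotation policy for each key` was accurate and could simply stay. Both hunks sit inside the pager loop of `autorotation()`, whose start and end are outside the hunks.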