Improved

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
mondoohq · Sep 9, 2024 · 984efa4 · 984efa4
1 parent afe47d4
commit 984efa4
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 14 deletions.
diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
@@ -1514,6 +1514,16 @@ private azure.subscription.keyVaultService.vault @defaults("vaultName type vault
  secrets() []azure.subscription.keyVaultService.secret
  // Vault diagnostic settings
  diagnosticSettings() []azure.subscription.monitorService.diagnosticsetting
+ // Auto-rotation enabled status for all keys
+ autorotation() []azure.subscription.keyVaultService.key.autorotation
+}
+
+// Azure Key Vault key auto-rotation
+private azure.subscription.keyVaultService.key.autorotation @defaults("enabled") {
+ // Key ID (Key Identifier)
+ kid string
+ // Auto-rotation enabled status
+ enabled bool
 }
 
 // Azure Key Vault key
@@ -1542,8 +1552,6 @@ private azure.subscription.keyVaultService.key @defaults("kid keyName") {
  version() string
  // List of key versions
  versions() []azure.subscription.keyVaultService.key
- // Auto-rotation enabled status
- autoRotationEnabled bool
 }
 
 // Azure Key Vault certificate

diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml
@@ -765,6 +765,15 @@ resources:
  refs:
  - title: Azure Key Vault
  url: https://learn.microsoft.com/en-us/azure/key-vault/
+ azure.subscription.keyVaultService.key.autorotation:
+ fields:
+ enabled: {}
+ kid: {}
+ is_private: true
+ min_mondoo_version: 9.0.0
+ platform:
+ name:
+ - azure
  azure.subscription.keyVaultService.secret:
  fields:
  contentType: {}
@@ -789,6 +798,8 @@ resources:
  url: https://learn.microsoft.com/en-us/azure/key-vault/
  azure.subscription.keyVaultService.vault:
  fields:
+ autorotation:
+ min_mondoo_version: 9.0.0
  certificates: {}
  diagnosticSettings: {}
  id: {}

diff --git a/providers/azure/resources/keyvault.go b/providers/azure/resources/keyvault.go
@@ -182,6 +182,60 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
  }
  pager := client.NewListKeyPropertiesPager(&azkeys.ListKeyPropertiesOptions{})
  res := []interface{}{}
+ for pager.More() {
+ page, err := pager.NextPage(ctx)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, entry := range page.Value {
+ mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key",
+ map[string]*llx.RawData{
+ "kid": llx.StringDataPtr((*string)(entry.KID)),
+ "managed": llx.BoolDataPtr(entry.Managed),
+ "tags": llx.MapData(convert.PtrMapStrToInterface(entry.Tags), types.String),
+ "enabled": llx.BoolDataPtr(entry.Attributes.Enabled),
+ "created": llx.TimeDataPtr(entry.Attributes.Created),
+ "updated": llx.TimeDataPtr(entry.Attributes.Updated),
+ "expires": llx.TimeDataPtr(entry.Attributes.Expires),
+ "notBefore": llx.TimeDataPtr(entry.Attributes.NotBefore),
+ "recoveryLevel": llx.StringDataPtr((*string)(entry.Attributes.RecoveryLevel)),
+ })
+ if err != nil {
+ return nil, err
+ }
+ res = append(res, mqlAzure)
+ }
+ }
+
+ return res, nil
+}
+
+func (a *mqlAzureSubscriptionKeyVaultServiceKeyAutorotation) keyName() (string, error) {
+ id := a.Kid.Data
+ kvid, err := parseKeyVaultId(id)
+ if err != nil {
+ return "", err
+ }
+
+ return kvid.Name, nil
+}
+
+func (a *mqlAzureSubscriptionKeyVaultServiceVault) autorotation() ([]interface{}, error) {
+ conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
+ ctx := context.Background()
+ token := conn.Token()
+ vaultUri := a.GetVaultUri()
+ client, err := azkeys.NewClient(vaultUri.Data, token, &azkeys.ClientOptions{
+ ClientOptions: conn.ClientOptions(),
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ pager := client.NewListKeyPropertiesPager(&azkeys.ListKeyPropertiesOptions{})
+ res := []interface{}{}
+
  for pager.More() {
  page, err := pager.NextPage(ctx)
  if err != nil {
@@ -190,7 +244,7 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
 
  for _, entry := range page.Value {
  autoRotationEnabled := false
- // Fetch the rotation policy for each key
+
  if entry.KID != nil {
  keyID := string(*entry.KID)
  kvid, err := parseKeyVaultId(keyID)
@@ -207,18 +261,10 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
  }
  }
 
- mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key",
+ mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key.autorotation",
  map[string]*llx.RawData{
- "kid": llx.StringDataPtr((*string)(entry.KID)),
- "managed": llx.BoolDataPtr(entry.Managed),
- "tags": llx.MapData(convert.PtrMapStrToInterface(entry.Tags), types.String),
- "enabled": llx.BoolDataPtr(entry.Attributes.Enabled),
- "created": llx.TimeDataPtr(entry.Attributes.Created),
- "updated": llx.TimeDataPtr(entry.Attributes.Updated),
- "expires": llx.TimeDataPtr(entry.Attributes.Expires),
- "notBefore": llx.TimeDataPtr(entry.Attributes.NotBefore),
- "recoveryLevel": llx.StringDataPtr((*string)(entry.Attributes.RecoveryLevel)),
- "autoRotationEnabled": llx.BoolData(autoRotationEnabled),
+ "kid": llx.StringDataPtr((*string)(entry.KID)),
+ "enabled": llx.BoolData(autoRotationEnabled),
  })
  if err != nil {
  return nil, err