🧹 Improving the keyVault resources to cover automatic key rotation policy #4624
HRouhani commented Sep 2, 2024
- Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
providers/azure/resources/azure.lr
@@ -1538,6 +1538,8 @@ private azure.subscription.keyVaultService.key @defaults("kid keyName") { | |||
version() string | |||
// List of key versions | |||
versions() []azure.subscription.keyVaultService.key | |||
// Auto-rotation enabled status |
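Review bot: the doc comment added at the end of this hunk, `// Auto-rotation enabled status`, reads as if the field held a status value rather than a yes/no answer; if the field is a bool, reword it to `// Whether auto-rotation is enabled` so it matches the phrasing of the neighbouring comments (`// Key name`, `// List of key versions`).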
could we make this an optional field and only call the api if needed? (add the parens here and move the call to a function)
If you do keep it like it is, please change the description to:
// Auto-rotation enabled status | |
// Whether auto-rotation is enabled |
Thanks!
@vjeffrey I did as you requested, however I still could not solve the uniqueness of the keys:
oh, is there maybe an id function missing? I haven't re-checked the code, I'll look when I get online in a while, but usually that's an id thing
Thanks VJ, I already added the id function, as here:
```go
// keyName returns the key name parsed from the full key id (kid) of the
// autorotation resource.
func (a *mqlAzureSubscriptionKeyVaultServiceKeyAutorotation) keyName() (string, error) {
	id := a.Kid.Data
	kvid, err := parseKeyVaultId(id)
	if err != nil {
		return "", err
	}
	return kvid.Name, nil
}
```
the function should be named id() for this to work. alternatively you can just pass in the id directly in the args as __id
@preslavgerchev awesome, thanks. It works now. Appreciate your help.
53e91ea to 52d69ab
return "", err | ||
} | ||
|
||
return kvid.Name, nil |
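Review bot: `return kvid.Name, nil` makes the bare key name the resource id, which is only safe if no two keys in the scanned scope share a name; the name is unique inside one vault, but two vaults in the same subscription can each hold a key with the same name and those resources would collide. Returning the full id that `parseKeyVaultId` was given (`a.Kid.Data`, shown earlier in the thread) is unique without that assumption and needs no parsing step that can fail.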
is the name guaranteed unique? if not, could just use the id itself here
yes, it is always unique!
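The two points argued in this thread, that a resource needs a unique id and that the check should report whether a key's rotation policy actually rotates it, as an added Go example. This is not code from this PR or from the cnquery Azure provider: parseKeyVaultID, countIDs, autorotationEnabled, evaluate and the sampleKeys input are constructed for illustration, and the policy documents follow the lifetimeActions/trigger/action shape of a Key Vault rotation policy, which is assumed here rather than taken from the page. Key names are unique within a vault; the sample deliberately puts the same name in two vaults to show why keying by the full kid is the safer choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parseKeyVaultID splits a key id such as
// https://vault-a.vault.azure.net/keys/app-signing/0123456789abcdef into
// the vault host and the key name. It is a hypothetical stand-in for the
// provider's parseKeyVaultId, not that function.
func parseKeyVaultID(kid string) (vault, name string, err error) {
	u, err := url.Parse(kid)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", "", errors.New("key id must be an https vault URL")
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || parts[0] != "keys" || parts[1] == "" {
		return "", "", fmt.Errorf("unexpected key id path %q", u.Path)
	}
	return u.Host, parts[1], nil
}

// countIDs counts how many keys land on each resource id, using either the
// bare key name (what returning kvid.Name as the id gives) or the full kid.
// A count above 1 means two resources would collide.
func countIDs(kids []string, byName bool) (map[string]int, error) {
	counts := map[string]int{}
	for _, kid := range kids {
		id := kid
		if byName {
			_, name, err := parseKeyVaultID(kid)
			if err != nil {
				return nil, err
			}
			id = name
		}
		counts[id]++
	}
	return counts, nil
}

// rotationPolicy holds the parts of a rotation policy document the check
// needs: lifetime actions, each with a trigger (timeAfterCreate or
// timeBeforeExpiry) and an action type (Rotate or Notify). Assumed shape.
type rotationPolicy struct {
	LifetimeActions []struct {
		Trigger map[string]string     `json:"trigger"`
		Action  struct{ Type string } `json:"action"`
	} `json:"lifetimeActions"`
}

// autorotationEnabled is true only when a Rotate action has a trigger; an
// empty policy or a Notify-only policy still means manual rotation.
func autorotationEnabled(policyJSON string) (bool, error) {
	if strings.TrimSpace(policyJSON) == "" {
		return false, nil
	}
	var p rotationPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, err
	}
	for _, a := range p.LifetimeActions {
		if strings.EqualFold(a.Action.Type, "Rotate") && len(a.Trigger) > 0 {
			return true, nil
		}
	}
	return false, nil
}

// sampleKeys is constructed input mapping key ids to their rotation policy
// documents; two vaults both hold a key named app-signing.
var sampleKeys = map[string]string{
	"https://vault-a.vault.azure.net/keys/app-signing/0123456789abcdef": `{"lifetimeActions":[{"trigger":{"timeAfterCreate":"P90D"},"action":{"type":"Rotate"}}]}`,
	"https://vault-b.vault.azure.net/keys/app-signing/fedcba9876543210": `{"lifetimeActions":[{"trigger":{"timeBeforeExpiry":"P30D"},"action":{"type":"Notify"}}]}`,
	"https://vault-b.vault.azure.net/keys/db-tde":                       "",
}

// evaluate returns, keyed by the full kid so entries never collide, whether
// each key has automatic rotation enabled.
func evaluate(keys map[string]string) (map[string]bool, error) {
	out := map[string]bool{}
	for kid, policy := range keys {
		if _, _, err := parseKeyVaultID(kid); err != nil {
			return nil, err
		}
		on, err := autorotationEnabled(policy)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", kid, err)
		}
		out[kid] = on
	}
	return out, nil
}
```

Calling countIDs over the three sample ids with byName set reports two keys landing on the single id app-signing, while the full kids give three distinct ids; evaluate flags only the vault-a key, because a Notify-only policy and a missing policy both leave rotation to a human.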
@@ -1510,6 +1510,16 @@ private azure.subscription.keyVaultService.vault @defaults("vaultName type vault | |||
secrets() []azure.subscription.keyVaultService.secret | |||
// Vault diagnostic settings | |||
diagnosticSettings() []azure.subscription.monitorService.diagnosticsetting | |||
// Auto-rotation enabled status for all keys | |||
autorotation() []azure.subscription.keyVaultService.key.autorotation |
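Review bot: the doc comment `// Auto-rotation enabled status for all keys` on the new `autorotation()` field does not say what the list holds; since each element is a `key.autorotation` record, something like `// Auto-rotation settings of each key in this vault` describes it better. If the field does stay on the vault resource rather than on the key, each element should carry the key id so a result can be joined back to the key it belongs to.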
shouldn't this be under the key resource and not the vault resource?
I am happy you raised that; it was our plan, but in this way we get the following error:
```
# go.mondoo.com/cnquery/v11/providers/azure/resources
resources/azure.lr.go:14246:12: c.autorotation undefined (type *mqlAzureSubscriptionKeyVaultServiceKey has no field or method autorotation, but does have field Autorotation)
make[1]: *** [Makefile:339: providers/build/azure] Error 1
```
if we do:
```
// Azure Key Vault key
private azure.subscription.keyVaultService.key @defaults("kid keyName") {
  // Key ID
  kid string
  // Key tags
  tags map[string]string
  // Whether the key is managed
  managed bool
  // Whether the key is enabled
  enabled bool
  // Date the key begins to be usable
  notBefore time
  // Date the key expires
  expires time
  // Key creation time
  created time
  // Key last update time
  updated time
  // Key recovery level
  recoveryLevel string
  // Key name
  keyName() string
  // Key version
  version() string
  // List of key versions
  versions() []azure.subscription.keyVaultService.key
  // Auto-rotation enabled status for all keys
  autorotation() []azure.subscription.keyVaultService.key.autorotation
}
```
…licy Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
52d69ab to 1ae7e0d
Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>