🧹 Improving the keyVault resources to cover automatic key rotation policy #4624
Conversation
HRouhani
commented
Sep 2, 2024
HRouhani
commented
- Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
providers/azure/resources/azure.lr
Outdated
| @@ -1538,6 +1538,8 @@ private azure.subscription.keyVaultService.key @defaults("kid keyName") { | |||
| version() string | |||
| // List of key versions | |||
| versions() []azure.subscription.keyVaultService.key | |||
| // Auto-rotation enabled status | |||
There was a problem hiding this comment.
could we make this an optional field and only call the api if needed? (add the parens here and move the call to a function)
There was a problem hiding this comment.
If you do keep it like it is, please change the description to:
| // Auto-rotation enabled status | |
| // Whether auto-rotation is enabled |
Thanks!
There was a problem hiding this comment.
@vjeffrey I did as you requested, however I still could not solve the uniqueness of the keys:
There was a problem hiding this comment.
oh, is there maybe an id function missing? i haven't re-checked the code, i'll look when i get online in a while, but usually that's an id thing
There was a problem hiding this comment.
Thanks VJ, I already added id function as here:
func (a *mqlAzureSubscriptionKeyVaultServiceKeyAutorotation) keyName() (string, error) {
id := a.Kid.Data
kvid, err := parseKeyVaultId(id)
if err != nil {
return "", err
}
return kvid.Name, nil
}
There was a problem hiding this comment.
the function should be named id() for this to work. alternatively you can just pass in the id directly in the args as __id
There was a problem hiding this comment.
@preslavgerchev awesome, Thanks. It works now. Appreciate you help.
HRouhani
force-pushed
the
hossein/azure-keyvault-keyrotation
branch
from
53e91ea
to
52d69ab
Compare
| return "", err | ||
| } | ||
|
|
||
| return kvid.Name, nil |
There was a problem hiding this comment.
is the name guaranteed unique? if not, could just use the id itself here
There was a problem hiding this comment.
yes, it is always unique!
| @@ -1510,6 +1510,16 @@ private azure.subscription.keyVaultService.vault @defaults("vaultName type vault | |||
| secrets() []azure.subscription.keyVaultService.secret | |||
| // Vault diagnostic settings | |||
| diagnosticSettings() []azure.subscription.monitorService.diagnosticsetting | |||
| // Auto-rotation enabled status for all keys | |||
| autorotation() []azure.subscription.keyVaultService.key.autorotation | |||
There was a problem hiding this comment.
shouldn't this be under the key resource and not the vault resource?
There was a problem hiding this comment.
I am happy you raised that, it was our plan, but in this way we get following error:
# go.mondoo.com/cnquery/v11/providers/azure/resources
resources/azure.lr.go:14246:12: c.autorotation undefined (type *mqlAzureSubscriptionKeyVaultServiceKey has no field or method autorotation, but does have field Autorotation)
make[1]: *** [Makefile:339: providers/build/azure] Error 1
if we do:
// Azure Key Vault key
private azure.subscription.keyVaultService.key @defaults("kid keyName") {
// Key ID
kid string
// Key tags
tags map[string]string
// Whether the key is managed
managed bool
// Whether the key is enabled
enabled bool
// Date the key begins to be usable
notBefore time
// Date the key expires
expires time
// Key creation time
created time
// Key last update time
updated time
// Key recovery level
recoveryLevel string
// Key name
keyName() string
// Key version
version() string
// List of key versions
versions() []azure.subscription.keyVaultService.key
// Auto-rotation enabled status for all keys
autorotation() []azure.subscription.keyVaultService.key.autorotation
}
``
…licy Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
HRouhani
force-pushed
the
hossein/azure-keyvault-keyrotation
branch
from
52d69ab
to
1ae7e0d
Compare
Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>
