Merge pull request #416 from inspec/f/azure_dns
F/azure dns
sa-progress authored Aug 13, 2021
2 parents ebe2497 + b776af8 commit e457985
Showing 11 changed files with 450 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -128,6 +128,8 @@ The following is a list of static resources.
- [azure_cosmosdb_database_account](docs/resources/azure_cosmosdb_database_account.md)
- [azure_db_migration_service](docs/resources/azure_db_migration_service.md)
- [azure_db_migration_services](docs/resources/azure_db_migration_services.md)
- [azure_dns_zones_resource](docs/resources/azure_dns_zones_resource.md)
- [azure_dns_zones_resources](docs/resources/azure_dns_zones_resources.md)
- [azure_event_hub_authorization_rule](docs/resources/azure_event_hub_authorization_rule.md)
- [azure_event_hub_event_hub](docs/resources/azure_event_hub_event_hub.md)
- [azure_event_hub_namespace](docs/resources/azure_event_hub_namespace.md)
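Review bot: the two new entries break the naming convention visible in the neighbouring lines, where the singular resource is named after the thing under test (`azure_db_migration_service`) and the plural form only adds an `s` (`azure_db_migration_services`); `azure_dns_zone` / `azure_dns_zones` would match that pattern, and the `_resource` / `_resources` suffix is redundant because every entry in this list is a resource. Alphabetical placement between `azure_db_migration_services` and `azure_event_hub_authorization_rule` is correct.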
108 changes: 108 additions & 0 deletions docs/resources/azure_dns_zones_resource.md
@@ -0,0 +1,108 @@
---
title: About the azure_dns_zones_resource Resource
platform: azure
---

# azure_dns_zones_resource

Use the `azure_dns_zones_resource` InSpec audit resource to test properties of an Azure DNS zone.

## Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with api versions supported by the resource provider.
The `api_version` can be defined as a resource parameter.
If not provided, the latest version will be used.
For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).

Unless defined, `azure_cloud` global endpoint, and default values for the HTTP client will be used.
For more information, refer to the resource pack [README](../../README.md).

## Availability

### Installation

This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
For an example `inspec.yml` file and how to set up your Azure credentials,
refer to resource pack [README](../../README.md#Service-Principal).

## Syntax

This resource requires either the `resource_group` and DNS zone resource `name`, or the `resource_id`.

```ruby
describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do
it { should exist }
end
```

or

```ruby
describe azure_dns_zones_resource(resource_id: 'DNS_ZONE_RESOURCE_ID') do
it { should exist }
end
```

## Parameters

| Name | Description |
|--------------------------------|----------------------------------------------------------------------------------|
| resource_group | Azure resource group that the targeted resource resides in. |
| name | Name of the DNS zone to test. |
Both resource_group and name is mandatory parameters.
## Properties

| Name | Description |
|--------------------------------|----------------------------------------------------------------------------------|
| name | Name of the Azure resource to test. |
| type | The type of DNS zone. |
| max_number_of_recordsets | The maximum number of record sets that can be created in this DNS zone. |
| number_of_record_sets | The current number of record sets in this DNS zone. |
| name_servers | The name servers for this DNS zone. |
| properties | The properties of the Azure DNS zone resource. |
| location | The DNS zone resource location. |


Also, refer to the [Azure documentation](https://docs.microsoft.com/en-us/rest/api/dns/zones/get)
for other available properties.
Any attribute in the response may be accessed with the key names separated by dots (`.`).


## Examples

### Test that the Azure DNS zone resource has the correct resource type

```ruby
describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do
its('type') { should eq 'Microsoft.Network/dnszones' }
end
```

### Test that the location of the Azure DNS zone resource is `global`

```ruby
describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do
its('location') { should eq 'global' }
end
```
## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).

### exists

```ruby
# If a DNS Zone resource is found it will exist
describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do
it { should exist }
end
# DNS Zone resources that aren't found will not exist
describe azure_dns_zones_resource(resource_group: 'RESOURCE_GROUP_NAME', name: 'DNS_ZONE_NAME') do
it { should_not exist }
end
```

## Azure Permissions

Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
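Review bot: the Parameters section contradicts the Syntax section. Syntax says the resource takes either `resource_group` plus `name` or `resource_id`, but the table lists only `resource_group` and `name` and is followed by `Both resource_group and name is mandatory parameters.`; add a `resource_id` row and reword to `Either `resource_group` and `name`, or `resource_id`, must be provided.` (that sentence also needs a blank line before `## Properties`, otherwise the heading does not render). The example `its('type') { should eq 'Microsoft.Network/dnszones' }` uses the lowercase provider type while `libraries/azure_dns_zones_resource.rb` in this commit constrains on `Microsoft.Network/dnsZones`; pick one spelling for docs and code. In the Permissions section, `setup` should be `set up`, and since the resource only issues a `GET` (per the endpoint comment in the library), a read-only role such as `Reader` is the least-privilege requirement to document rather than `contributor`.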
108 changes: 108 additions & 0 deletions docs/resources/azure_dns_zones_resources.md
@@ -0,0 +1,108 @@
---
title: About the azure_dns_zones_resources Resource
platform: azure
---

# azure_dns_zones_resources

Use the `azure_dns_zones_resources` InSpec audit resource to test properties related to all Azure DNS zones for a resource group or an entire subscription.

## Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider.
The `api_version` can be defined as a resource parameter.
If not provided, the latest version will be used.
For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).

Unless defined, the `azure_cloud` global endpoint, and default values for the HTTP client will be used.
For more information, refer to the resource pack [README](../../README.md).

## Availability

### Installation

This resource is available in the [InSpec Azure resource pack](https://github.com/inspec/inspec-azure).
For an example `inspec.yml` file and how to set up your Azure credentials, refer to resource pack [README](../../README.md#Service-Principal).


Also, refer to [Azure documentation](https://docs.microsoft.com/en-us/rest/api/dns/zones/list) for properties available.
Any attribute in the response may be accessed with the key names separated by dots (`.`).

## Syntax

An `azure_dns_zones_resources` resource block returns all Azure DNS Zones within within a resource group.

```ruby
describe azure_dns_zones_resources do
#...
end
```

## Parameters

This resource does not accept any parameters.

## Properties

|Property | Description | Filter Criteria<superscript>*</superscript> |
|---------------|-------------------------------------------------------------------------------------|-------------------|
| name | A list of the unique resource names. | `name` |
| ids | A list of DNS zone IDs. | `id` |
| tags | A list of `tag:value` pairs defined on the resources. | `tags` |
| types | A list of the types of all DNS zones. | `type` |
| properties | A list of the properties of the Azure DNS zone resources. | `properties` |
| max_number_of_recordsets | A list of the maximum number of records per record set that can be created in the DNS zones. | `max_number_of_recordsets` |
| number_of_record_sets | A list of the current number of record sets in the DNS zones. | `number_of_record_sets` |
| name_servers | A list of the name servers for the DNS zones. | `name_servers` |

<superscript>*</superscript> For information on how to use filter criteria on plural resources refer to [FilterTable usage](https://github.com/inspec/inspec/blob/master/dev-docs/filtertable-usage.md).

## Examples

### Test that a DNS zone has has the correct type

```ruby
describe azure_dns_zones_resources do
its('type') { should include 'Microsoft.Network/dnszones' }
end
```
### Test that a DNS zone resource has a `Succeeded` provisioning state

```ruby
describe azure_dns_zones_resources do
its('provisioning_states') { should include 'Succeeded' }
end
```

### Test that a DNS zone has the `global` location

```ruby
describe azure_dns_zones_resources do
its('location') { should include 'global' }
end
```
### Test if any Azure DNS zone exists in the resource group

```ruby
describe azure_dns_zones_resources do
it { should exist }
end
```

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).

### exists

Test that there aren't any Azure DNS zones in the resource group.

```ruby
describe azure_dns_zones_resources do
it { should_not exist }
end
```

## Azure Permissions

Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.
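Review bot: the three property examples reference columns that `libraries/azure_dns_zones_resources.rb` in this commit does not define, so they fail as written: `its('type')` and `its('location')` must be `its('types')` and `its('locations')` (the FilterTable columns are `:types` and `:locations`), and `its('provisioning_states')` has no matching column at all, so that example should be dropped unless a column is added. The Properties table has the same mismatch: the first row says `name` but the column is `names`; `locations` is defined in the library but missing from the table; and `max_number_of_recordsets` is described as `maximum number of records per record set` whereas the singular doc page and the API field `maxNumberOfRecordSets` refer to the maximum number of record sets in the zone. The scope statements also disagree with each other: the intro says `for a resource group or an entire subscription`, Syntax says `within within a resource group` (duplicated word), and Parameters says none are accepted even though `initialize` passes `opts` straight to the superclass; document `resource_group` as optional if it is honoured. Typo `has has` in the first example heading, and the Matchers link uses a full URL here but a site-relative `/inspec/matchers/` path on the singular page.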
65 changes: 65 additions & 0 deletions libraries/azure_dns_zones_resource.rb
@@ -0,0 +1,65 @@
require 'azure_generic_resource'

class AzureDNSZonesResource < AzureGenericResource
name 'azure_dns_zones_resource'
desc 'Verifies settings for an Azure DNS Zones'
example <<-EXAMPLE
describe azure_dns_zones_resource(resource_group: 'example', name: 'dns-zones-name') do
it { should exist }
end
EXAMPLE

def initialize(opts = {})
# Options should be Hash type. Otherwise Ruby will raise an error when we try to access the keys.
raise ArgumentError, 'Parameters must be provided in an Hash object.' unless opts.is_a?(Hash)

# Azure REST API endpoint URL format for the resource:
# GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
# /providers/Microsoft.Network/dnsZones/{zoneName}?api-version=2018-05-01
#
# The dynamic part that has to be created in this resource:
# Microsoft.Network/dnsZones/{zoneName}?api-version=2018-05-01
#
# Parameters acquired from environment variables:
# - {subscriptionId} => Required parameter. It will be acquired by the backend from environment variables.
#
# User supplied parameters:
# - resource_group => Required parameter unless `resource_id` is provided. {resourceGroupName}
# - name => Required parameter unless `resource_id` is provided. DNS Zones name. {vmName}
# - resource_id => Optional parameter. If exists, `resource_group` and `name` must not be provided.
# In the following format:
# /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/
# Microsoft.Network/dnsZones/{zoneName}
# - api_version => Optional parameter. The latest version will be used unless provided. api-version
#
# **`resource_group` and (resource) `name` or `resource_id` will be validated in the backend appropriately.
# We don't have to do anything here.
#
# Following resource parameters have to be defined here.
# - resource_provider => Microsoft.Network/dnsZones
# The `specific_resource_constraint` method will validate the user input
# not to accept a different `resource_provider`.
#
opts[:resource_provider] = specific_resource_constraint('Microsoft.Network/dnsZones', opts)
opts[:required_parameters] = %i(name)

# static_resource parameter must be true for setting the resource_provider in the backend.
super(opts, true)
end

def to_s
super(AzureDNSZonesResource)
end

def max_number_of_recordsets
properties.maxNumberOfRecordSets if exists?
end

def number_of_record_sets
properties.numberOfRecordSets if exists?
end

def name_servers
properties.nameServers if exists?
end
end
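Review bot: the parameter comment `- name => Required parameter unless `resource_id` is provided. DNS Zones name. {vmName}` is left over from the virtual-machine template the file was copied from; the placeholder should be `{zoneName}` to match the endpoint comment above it. `'Microsoft.Network/dnsZones'` here also differs in case from `'Microsoft.Network/dnszones'` in the plural resource and in the doc example; use one spelling so `specific_resource_constraint` accepts or rejects the same user-supplied `resource_provider` in both resources. Minor: `desc` reads `Verifies settings for an Azure DNS Zones` (singular/plural mismatch).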
75 changes: 75 additions & 0 deletions libraries/azure_dns_zones_resources.rb
@@ -0,0 +1,75 @@
require 'azure_generic_resources'

class AzureDNSZonesResources < AzureGenericResources
name 'azure_dns_zones_resources'
desc 'Verifies settings for Azure DNS ZONES'
example <<-EXAMPLE
describe azure_dns_zones_resources do
it{ should exist }
end
EXAMPLE

attr_reader :table

def initialize(opts = {})
# Options should be Hash type. Otherwise Ruby will raise an error when we try to access the keys.
raise ArgumentError, 'Parameters must be provided in an Hash object.' unless opts.is_a?(Hash)

opts[:resource_provider] = specific_resource_constraint('Microsoft.Network/dnszones', opts)
# static_resource parameter must be true for setting the resource_provider in the backend.
super(opts, false)

# Check if the resource is failed.
# It is recommended to check that after every usage of superclass methods or API calls.
return if failed_resource?

# Define the column and field names for FilterTable.
# - column: It is defined as an instance method, callable on the resource, and present `field` values in a list.
# - field: It has to be identical with the `key` names in @table items that will be presented in the FilterTable.
# @see https://github.com/inspec/inspec/blob/master/docs/dev/filtertable-usage.md
table_schema = [
{ column: :names, field: :name },
{ column: :types, field: :type },
{ column: :ids, field: :id },
{ column: :locations, field: :location },
{ column: :tags, field: :tags },
{ column: :max_number_of_recordsets, field: :max_number_of_recordsets },
{ column: :number_of_record_sets, field: :number_of_record_sets },
{ column: :name_servers, field: :name_servers },
{ column: :properties, field: :properties },
]

# FilterTable is populated at the very end due to being an expensive operation.
AzureGenericResources.populate_filter_table(:table, table_schema)
end

def to_s
super(AzureDNSZonesResources)
end

private

# Populate the @table with the resource attributes.
# @table has been declared in the super class as an empty array.
# Each item in the @table
# - should be a Hash object
# - should have the exact key names defined in the @table_schema as `field`.
def populate_table
# If @resources empty than @table should stay as an empty array as declared in superclass.
# This will ensure constructing resource and passing `should_not exist` test.
return [] if @resources.empty?
@resources.each do |resource|
@table << {
id: resource[:id],
name: resource[:name],
location: resource[:location],
type: resource[:type],
tags: resource[:tags],
max_number_of_recordsets: resource[:properties][:maxNumberOfRecordSets],
number_of_record_sets: resource[:properties][:numberOfRecordSets],
name_servers: resource[:properties][:nameServers],
properties: resource[:properties],
}
end
end
end
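Review bot: the comment before `super(opts, false)` says `static_resource parameter must be true for setting the resource_provider in the backend.`, yet the call passes `false`, while the singular resource in this same commit passes `true` under the identical comment; either the argument or the comment is wrong, so align them (if `false` is intended because the provider is already fixed by `specific_resource_constraint`, say so in the comment). Smaller points: the `populate_table` comment reads `If @resources empty than` (should be `then`); the filter-table link `docs/dev/filtertable-usage.md` does not match the `dev-docs/filtertable-usage.md` path used in the plural doc page; and `it{ should exist }` in the example wants a space before the brace.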
10 changes: 10 additions & 0 deletions terraform/azure.tf
Expand Up @@ -1341,6 +1341,16 @@ resource "azurerm_bastion_host" "abh" {
public_ip_address_id = azurerm_public_ip.public_ip_address.id
}

resource "azurerm_dns_zone" "example-public" {
name = "mydomain_example.com"
resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone" "example-private" {
name = "mydomain_example.com"
resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_data_factory" "adf" {
name = "adf-eaxmple"
location = azurerm_resource_group.rg.location
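Review bot: the `azurerm_private_dns_zone` fixture will not be exercised by the resources added in this commit, which constrain on `Microsoft.Network/dnsZones`; private zones are a different provider type (`Microsoft.Network/privateDnsZones`), so either drop `example-private` or add a resource that targets it, otherwise it is a fixture with no test behind it. Both zones also share the name `mydomain_example.com`; the underscore is not valid in a hostname label (RFC 1123 allows only letters, digits and hyphens), and giving the two zones distinct names keeps any `names` / `name_servers` assertion unambiguous. Consider exposing the zone name as a Terraform output so integration tests reference it instead of hard-coding the string that the doc examples show as `DNS_ZONE_NAME`.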