cdbe8c1016
* Rewrite of Inspec Azure Resource pack to allow the testing of _any_ value Azure reosurce. Closes #36 Closes #37 This fixes #56 so that it works with the latest version of the SDK. In fact it will only work to version >= 0.15 Signed-off-by: Russell Seymour <russell.seymour@turtlesystems.co.uk>
6.4 KiB
| title |
|---|
| About the azure_resource_group_resource_counts Resource |
azure_resource_group_resource_counts
Use the azure_resource_group_resource_counts InSpec audit resource to check the number of Azure resources in a resource group
References
Syntax
The name of the resource group is specified as a parameter on the resource:
describe azure_resource_group(name: 'MyResourceGroup') do
its('property') { should eq 'value' }
end
where
- Resource Parameters
MyResourceGroupis the name of the resource group being interrogated
propertyis one ofnamelocationidprovisioning_statesubscription_idtotalnic_countvm_countextension_countvnet_countsa_countpublic_ip_countmanaged_disk_image_countmanaged_disk_counttag_count
valueis the expected output from the matcher
The options that can be passed to the resource are as follows.
| Name | Description | Required | Example |
|---|---|---|---|
| group_name: | Azure Resource Group to be tested | yes | MyResourceGroup |
| name: | Name of the Azure resource to test | no | MyVM |
If both group_name and name is set then name will take priority
These options can also be set using the environment variables:
AZURE_RESOURCE_GROUP_NAMEAZURE_RESOURCE_NAME
When the options have been set as well as the environment variables, the environment variables take priority.
For example:
describe azure_resource_group_resource_counts(name: 'ChefAutomate') do
its('total') { should eq 7}
its('nic_count') { should eq 1 }
its('vm_count') { should eq 1 }
end
'have' Methods
This resource has a number of have_xxxx methods that provide a simple way to test of a specific Azure Resoure Type exists in the resource group.
The following table shows the methods that are currently supported and what their associated Azure Resource Type is.
| Method Name | Azure Resource Type |
|---|---|
| have_nics | Microsoft.Network/networkInterfaces |
| have_vms | Microsoft.Compute/virtualMachines |
| have_extensions | Microsoft.Compute/virtualMachines/extensions |
| have_nsgs | Microsoft.Network/networkSecurityGroups |
| have_vnets | Microsoft.Network/virtualNetworks |
| have_managed_disks | Microsoft.Compute/disks |
| have_managed_disk_images | Microsoft.Compute/images |
| have_sas | Microsoft.Storage/storageAccounts |
| have_public_ips | Microsoft.Network/publicIPAddresses |
With these methods the following tests are possible
it { should have_nics }
it { should_not have_extensions }
Properties
This InSpec audit resource has the following matchers:
name
Returns the name of the resource group.
location
Returns where in Azure the resource group is located.
id
Returns the full qualified ID of the resource group.
This is in the format /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>.
provisioning_state
The provisioning state of the resource group.
subscription_id
Returns the subscription ID which contains the resource group.
This is derived from the id.
total
The total number of resources in the resource group
nic_count
The number of network interface cards in the resource group
vm_count
The number of virtual machines in the resource group
vnet_count
The number of virtual networks in the resource group
sa_count
The number of storage accounts in the resource group
public_ip_count
The number of Public IP Addresses in the resource group
managed_disk_image_count
The number of managed disk images that are in the resource group.
These are the items from which managed disks are created which are attached to machines. Generally the images are created from a base image or a custom image (e.g. Packer)
managed_disk_count
The number of managed disks in the resource group.
If a resource group contains one virtual machine with an OS disk and 2 data disks that are all Managed Disks, then the count would be 3.
Tags
It is possible to test the tags that have been assigned to the resource. There are a number of properties that can be called to check that it has tags, that it has the correct number and that the correct ones are assigned.
have_tags
This is a simple test to see if the machine has tags assigned to it or not.
it { should have_tags }
tag_count
Returns the number of tags that are assigned to the resource
its ('tag_count') { should eq 2 }
tags
It is possible to check if a specific tag has been set on the resource.
its('tags') { should include 'Owner' }
xxx_tag
To get the value of the tag, a number of preoprties have been created from the tags that are set.
For example, if the following tag is set on a resource:
| Tag Name | Value |
|---|---|
| Owner | Russell Seymour |
Then a property is available called Owner_tag.
its('Owner_tag') { should cmp 'Russell Seymour' }
Note: The tag name is case sensitive which makes the test case sensitive. E.g. owner_tag does not equal Owner_tag.
Examples
The following examples show how to use this InSpec audit resource
Please refer the integration tests for more in depth examples:
Test Resource Group has the correct number of resources
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
its('total') { should eq 7}
Ensure that the Resource Group contains the correct resources
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
its('total') { should eq 7 }
its('vm_count') { should eq 2 }
its('nic_count') { should eq 2 }
its('public_ip_count') { should eq 1 }
its('sa_count') { should eq 1 }
its('vnet_count') { should eq 1 }
end