Merge pull request #1682 from abdullahaslam306/feature/SAAS-18217-azu…
…re-acr-log-analytics-enabled Feature/saas 18217 azure acr log analytics enabled
Showing
4 changed files
with
222 additions
and
0 deletions.
@@ -0,0 +1,61 @@ | ||
const async = require('async'); | ||
const helpers = require('../../../helpers/azure'); | ||
|
||
module.exports = { | ||
title: 'ACR Log Analytics Enabled', | ||
category: 'Container Registry', | ||
domain: 'Containers', | ||
description: 'Ensure that Azure container registry logs are sent to the Log Analytics workspace.', | ||
more_info: 'Enabling Log Analytics for Azure container registry ensures that logs are shipped to a central repository that can be queried and audited.', | ||
recommended_action: 'Modify container registry and enable Send to Log Analytics from diagnostic settings.', | ||
link: 'https://learn.microsoft.com/en-us/azure/container-registry/monitor-service', | ||
apis: ['registries:list', 'diagnosticSettings:listByContainerRegistries'], | ||
|
||
run: function(cache, settings, callback) { | ||
const results = []; | ||
const source = {}; | ||
const locations = helpers.locations(settings.govcloud); | ||
|
||
async.each(locations.registries, (location, rcb) => { | ||
const registries = helpers.addSource(cache, source, | ||
['registries', 'list', location]); | ||
|
||
if (!registries) return rcb(); | ||
|
||
if (registries.err || !registries.data) { | ||
helpers.addResult(results, 3, | ||
'Unable to query for container registries: ' + helpers.addError(registries), location); | ||
return rcb(); | ||
} | ||
|
||
if (!registries.data.length) { | ||
helpers.addResult(results, 0, 'No existing container registries found', location); | ||
return rcb(); | ||
} | ||
|
||
for (let registry of registries.data) { | ||
const diagnosticSettings = helpers.addSource(cache, source, | ||
['diagnosticSettings', 'listByContainerRegistries', location, registry.id]); | ||
|
||
if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) { | ||
helpers.addResult(results, 3, | ||
'Unable to query diagnostics settings: ' + helpers.addError(diagnosticSettings), location, registry.id); | ||
} else if (!diagnosticSettings.data.length) { | ||
helpers.addResult(results, 2, 'No existing diagnostics settings', location, registry.id); | ||
} else { | ||
let found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length); | ||
|
||
if (found) { | ||
helpers.addResult(results, 0, 'Logging is enabled for container registry', location, registry.id); | ||
} else { | ||
helpers.addResult(results, 2, 'Logging is not enabled for container registry', location, registry.id); | ||
} | ||
} | ||
} | ||
|
||
rcb(); | ||
}, function() { | ||
callback(null, results, source); | ||
}); | ||
} | ||
}; |
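Review bot: The pass condition `ds.logs && ds.logs.length` does not establish what the plugin's description promises, because it never looks at `workspaceId` and never checks that any log category is actually enabled. A diagnostic setting that ships only to a storage account or event hub, or one whose categories are all `enabled: false`, is therefore reported with status 0, which is a false pass for an audit-logging control. Consider `let found = diagnosticSettings.data.find(ds => ds.workspaceId && ds.logs && ds.logs.some(log => log.enabled));`. The result messages could also name Log Analytics, so that the finding text matches what was tested.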
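--- a/plugins/azure/containerregistry/acrLogAnalyticsEnabled.spec.js
+++ b/plugins/azure/containerregistry/acrLogAnalyticsEnabled.spec.js
@@ -0,0 +1,155 @@
+var expect = require('chai').expect;
+var acrLogAnalyticsEnabled = require('./acrLogAnalyticsEnabled');
+
+const containerRegistries = [
+{
+"id": "/subscriptions/ade0e01e-f9cd-49d3-bba7-d5a5362a3414/resourceGroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/testregistry12543",
+"name": "testregistry12543",
+"type": "Microsoft.ContainerRegistry/registries",
+"location": "eastus",
+"tags": {},
+"sku": {
+"name": "Basic",
+"tier": "Basic"
+},
+"loginServer": "testregistry12543.azurecr.io",
+"creationDate": "2019-10-18T21:16:01.347Z",
+"provisioningState": "Succeeded",
+"adminUserEnabled": true,
+"publicNetworkAccess": "Enabled"
+}
+];
+
+const diagnosticSettings = [
+{
+id: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/devresourcegroup/providers/Microsoft.ContainerRegistry/registries/gio-test-events-1-nsg/providers/microsoft.insights/diagnosticSettings/gio-test-setting',
+type: 'Microsoft.Insights/diagnosticSettings',
+name: 'gio-test-setting',
+location: 'eastus',
+kind: null,
+tags: null,
+identity: null,
+storageAccountId: null,
+serviceBusRuleId: null,
+workspaceId: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-dce7d0ad-ebf6-437f-a3b0-28fc0d22117e-eus',
+eventHubAuthorizationRuleId: null,
+eventHubName: null,
+metrics: [],
+logs: [
+{
+category: 'NetworkSecurityGroupEvent',
+categoryGroup: null,
+enabled: true,
+retentionPolicy: [Object]
+},
+{
+category: 'NetworkSecurityGroupRuleCounter',
+categoryGroup: null,
+enabled: true,
+retentionPolicy: [Object]
+}
+],
+logAnalyticsDestinationType: null
+},
+{
+id: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/deleteasap/providers/microsoft.network/networksecuritygroups/gio-test-events-1-nsg/providers/microsoft.insights/diagnosticSettings/gio-test-setting',
+type: 'Microsoft.Insights/diagnosticSettings',
+name: 'gio-test-setting',
+location: 'eastus',
+kind: null,
+tags: null,
+identity: null,
+storageAccountId: null,
+serviceBusRuleId: null,
+workspaceId: '/subscriptions/dce7d0ad-ebf6-437f-a3b0-28fc0d22117e/resourcegroups/defaultresourcegroup-eus/providers/microsoft.operationalinsights/workspaces/defaultworkspace-dce7d0ad-ebf6-437f-a3b0-28fc0d22117e-eus',
+eventHubAuthorizationRuleId: null,
+eventHubName: null,
+metrics: [],
+logs: [],
+logAnalyticsDestinationType: null
+}
+];
+
+
+const createCache = (listRegistries, diagnosticSetting) => {
+let logs = {};
+if (listRegistries && listRegistries.length > 0) {
+logs[listRegistries[0].id] = {
+data: diagnosticSetting
+};
+}
+
+return {
+registries: {
+list: {
+'eastus': {
+data: listRegistries
+}
+}
+},
+diagnosticSettings: {
+listByContainerRegistries: {
+'eastus': logs
+}
+}
+};
+};
+
+describe('acrLogAnalyticsEnabled', function() {
+describe('run', function() {
+it('should give passing result if No existing container registry found', function(done) {
+const cache = createCache([], []);
+acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('No existing container registries found');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give Failing result if No existing diagnostics settings', function(done) {
+const cache = createCache([containerRegistries[0]],[]);
+acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('No existing diagnostics settings');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give unknown result if Unable to query for container registry Groups', function(done) {
+const cache = createCache(null);
+acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].message).to.include('Unable to query for container registries:');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give passing result if Log Analytics is enabled for ACR', function(done) {
+const cache = createCache([containerRegistries[0]], [diagnosticSettings[0]]);
+acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].message).to.include('Logging is enabled for container registry');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+
+it('should give failing result if Log Analytics is not enabled for ACR', function(done) {
+const cache = createCache([containerRegistries[0]], [diagnosticSettings[1]]);
+acrLogAnalyticsEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].message).to.include('Logging is not enabled for container registry');
+expect(results[0].region).to.equal('eastus');
+done();
+});
+});
+});
+});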
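Review bot: The fixtures cannot catch a false pass, because both diagnostic settings carry a `workspaceId` and the only failing case is `logs: []`. Add one case where `logs` is populated but `workspaceId` is null, and one where every entry has `enabled: false`, each expecting status 2, so the suite pins the destination and the enabled flag rather than array length. The log categories are copied from a network security group (`NetworkSecurityGroupEvent`); registry categories such as `ContainerRegistryLoginEvents` would make the fixture representative, and `retentionPolicy: [Object]` looks like pasted console output that should be a real object. There is also no test for the status 3 branch 'Unable to query diagnostics settings'.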