Chef InSpec and Azure
Chef InSpec has resources for auditing Azure.
Initialize an InSpec profile for auditing Azure
With Chef InSpec 4 or greater, you can create a profile for testing Azure resources with inspec init profile:
$ inspec init profile --platform azure <PROFILE_NAME>
Create new profile at /Users/me/<PROFILE_NAME>
* Creating directory libraries
* Creating file README.md
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
Assuming the inputs.yml file contains your Azure subscription ID, you can execute this sample profile using the following command:
inspec exec <PROFILE_NAME> --input-file=<PROFILE_NAME>/inputs.yml -t azure://
Set Azure credentials
To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription. This can be done on the command line or from the Azure Portal. An auditing SPN only needs read access to the subscription (the built-in Reader role); do not grant it Contributor or Owner, since the client secret you store for it is a long-lived credential.
The information from the SPN can be specified either in the file ~/.azure/credentials, as environment variables, or by using Chef InSpec target URIs.
Set the Azure credentials file
By default, Chef InSpec is configured to look at ~/.azure/credentials, and it should contain:
[<SUBSCRIPTION_ID>]
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"
tenant_id = "<TENANT_ID>"
Note
In the Azure web portal, these values are labeled differently:
- The client_id is referred to as the ‘Application (client) ID’ (‘Application ID’ in the older portal)
- The client_secret is the secret value created under ‘Certificates & secrets’ (‘Key (Password Type)’ in the older portal); it is shown once, at creation time
- The tenant_id is referred to as the ‘Directory (tenant) ID’ (‘Directory ID’ in the older portal)
With the credentials in place, you can now execute Chef InSpec.
inspec exec <PROFILE_NAME> -t azure://
Provide credentials using environment variables
You may also set the Azure credentials via environment variables:
AZURE_SUBSCRIPTION_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
For example:
AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
A secret passed inline like this is written to the shell history and is visible to other local users in the process list while inspec runs. In practice, export the variables from a file with restrictive permissions (or inject them from a secrets store in CI) rather than typing the secret on the command line.
Provide credentials using Chef InSpec target option
If you have created a ~/.azure/credentials file as above, you may also use the Chef InSpec command line --target / -t option to select a subscription ID. For example:
inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
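As an added example (not code from the InSpec project), the following Ruby script resolves credentials from the sources described above: the four AZURE_* environment variables, or a section of ~/.azure/credentials selected by the subscription ID in an azure://<SUBSCRIPTION_ID> target, with a bare azure:// taking the first section. It then checks that the IDs are GUIDs, that the secret is non-empty, that the credentials file is not readable by other local users, and builds the inspec exec command line. The env-vars-first precedence, the function names, and the sample file contents are assumptions of this example, not a description of InSpec's own credential loader.

```ruby
# Added example, not part of the InSpec project. Resolves Azure SPN credentials
# as laid out on this page (AZURE_* env vars, or a section of ~/.azure/credentials
# selected by the subscription in the azure:// target) and sanity-checks them.
# Precedence (env vars win when all four are set) is an assumption of this example.

ENV_KEYS = {
  'AZURE_SUBSCRIPTION_ID' => 'subscription_id',
  'AZURE_CLIENT_ID'       => 'client_id',
  'AZURE_CLIENT_SECRET'   => 'client_secret',
  'AZURE_TENANT_ID'       => 'tenant_id'
}.freeze
GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Parse the INI-style credentials file into { subscription_id => { key => value } }.
# Section headers are subscription IDs; values may be quoted or bare.
def parse_azure_credentials(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = m[1].strip
      sections[current] = {}
    elsif current && (m = line.match(/\A(\w+)\s*=\s*"?([^"]*)"?\s*\z/))
      sections[current][m[1]] = m[2]
    else
      raise ArgumentError, "unparseable credentials line: #{line.inspect}"
    end
  end
  sections
end

# "azure://<SUBSCRIPTION_ID>" selects a subscription; a bare "azure://" selects none.
def subscription_from_target(target)
  m = target.match(%r{\Aazure://([^/]*)\z}) or
    raise ArgumentError, "not an azure:// target: #{target.inspect}"
  m[1].empty? ? nil : m[1]
end

# Returns a hash with subscription_id, client_id, client_secret and tenant_id.
def resolve_azure_credentials(env:, credentials_text:, target: 'azure://')
  from_env = ENV_KEYS.each_with_object({}) do |(var, key), h|
    h[key] = env[var] if env[var] && !env[var].empty?
  end
  creds =
    if from_env.size == ENV_KEYS.size
      from_env
    else
      sections = parse_azure_credentials(credentials_text)
      wanted = subscription_from_target(target) || sections.keys.first
      unless wanted && sections[wanted]
        raise ArgumentError, "no credentials for subscription #{wanted.inspect}"
      end
      sections[wanted].merge('subscription_id' => wanted)
    end
  validate_azure_credentials!(creds)
end

def validate_azure_credentials!(creds)
  %w[subscription_id client_id tenant_id].each do |k|
    raise ArgumentError, "#{k} is not a GUID: #{creds[k].inspect}" unless creds[k].to_s.match?(GUID)
  end
  raise ArgumentError, 'client_secret is empty' if creds['client_secret'].to_s.empty?
  creds
end

# The client_secret in the file is a long-lived password for the SPN: refuse a
# credentials file that group or world can read (i.e. require mode 0600-style bits).
def credentials_file_private?(path)
  (File.stat(path).mode & 0o077).zero?
end

# The inspec command line to run, as argv, once the credentials are resolved.
def inspec_exec_argv(profile, creds)
  ['inspec', 'exec', profile, '-t', "azure://#{creds['subscription_id']}"]
end

# Constructed sample credentials file with two subscriptions (placeholder IDs).
SAMPLE_CREDENTIALS = <<~INI
  [2fbdbb02-df2e-11e6-bf01-fe55135034f3]
  client_id = "58dc4f6c-df2e-11e6-bf01-fe55135034f3"
  client_secret = "Jibr4iwwaaZwBb6W"
  tenant_id = "6ad89b58-df2e-11e6-bf01-fe55135034f3"

  [11111111-2222-3333-4444-555555555555]
  client_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  client_secret = "second-sub-secret"
  tenant_id = "6ad89b58-df2e-11e6-bf01-fe55135034f3"
INI

if $PROGRAM_NAME == __FILE__
  creds = resolve_azure_credentials(env: {}, credentials_text: SAMPLE_CREDENTIALS,
                                    target: 'azure://11111111-2222-3333-4444-555555555555')
  puts inspec_exec_argv('my-profile', creds).join(' ')
end
```

Run it with a real ~/.azure/credentials by replacing SAMPLE_CREDENTIALS with File.read and calling credentials_file_private? on the path first; a target naming a subscription that has no section fails fast instead of letting inspec fail later with an authentication error.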
Azure resources
Resources prefixed azurerm_ are the legacy names kept for existing profiles; new controls should use the azure_ resources.
- azure_active_directory_domain_service Resource
- azure_active_directory_domain_services Resource
- azure_active_directory_object Resource
- azure_active_directory_objects Resource
- azure_aks_cluster Resource
- azure_aks_clusters Resource
- azure_api_management Resource
- azure_api_managements Resource
- azure_application_gateway Resource
- azure_application_gateways Resource
- azure_bastion_hosts_resource Resource
- azure_bastion_hosts_resources Resource
- azure_container_group Resource
- azure_container_groups Resource
- azure_container_registries Resource
- azure_container_registry Resource
- azure_cosmosdb_database_account Resource
- azure_data_factories Resource
- azure_data_factory Resource
- azure_data_factory_dataset Resource
- azure_data_factory_datasets Resource
- azure_data_factory_linked_service Resource
- azure_data_factory_linked_services Resource
- azure_data_factory_pipeline Resource
- azure_data_factory_pipeline_run_resource Resource
- azure_data_factory_pipeline_run_resources Resource
- azure_data_factory_pipelines Resource
- azure_data_lake_storage_gen2_filesystem Resource
- azure_data_lake_storage_gen2_filesystems Resource
- azure_data_lake_storage_gen2_path Resource
- azure_data_lake_storage_gen2_paths Resource
- azure_db_migration_service Resource
- azure_db_migration_services Resource
- azure_ddos_protection_resource Resource
- azure_ddos_protection_resources Resource
- azure_dns_zones_resource Resource
- azure_dns_zones_resources Resource
- azure_event_hub_authorization_rule Resource
- azure_event_hub_event_hub Resource
- azure_event_hub_namespace Resource
- azure_express_route_circuit Resource
- azure_express_route_circuits Resource
- azure_express_route_providers Resource
- azure_generic_resource Resource
- azure_generic_resources Resource
- azure_graph_generic_resource Resource
- azure_graph_generic_resources Resource
- azure_graph_user Resource
- azure_graph_users Resource
- azure_hdinsight_cluster Resource
- azure_iothub Resource
- azure_iothub_event_hub_consumer_group Resource
- azure_iothub_event_hub_consumer_groups Resource
- azure_key_vault Resource
- azure_key_vault_key Resource
- azure_key_vault_keys Resource
- azure_key_vault_secret Resource
- azure_key_vault_secrets Resource
- azure_key_vaults Resource
- azure_load_balancer Resource
- azure_load_balancers Resource
- azure_lock Resource
- azure_locks Resource
- azure_management_group Resource
- azure_management_groups Resource
- azure_mariadb_server Resource
- azure_mariadb_servers Resource
- azure_migrate_assessment Resource
- azure_migrate_assessment_group Resource
- azure_migrate_assessment_groups Resource
- azure_migrate_assessment_machine Resource
- azure_migrate_assessment_machines Resource
- azure_migrate_assessment_project Resource
- azure_migrate_assessment_projects Resource
- azure_migrate_assessments Resource
- azure_migrate_project Resource
- azure_migrate_project_database Resource
- azure_migrate_project_database_instance Resource
- azure_migrate_project_database_instances Resource
- azure_migrate_project_databases Resource
- azure_migrate_project_event Resource
- azure_migrate_project_events Resource
- azure_migrate_project_machine Resource
- azure_migrate_project_machines Resource
- azure_migrate_project_solution Resource
- azure_migrate_project_solutions Resource
- azure_monitor_activity_log_alert Resource
- azure_monitor_activity_log_alerts Resource
- azure_monitor_log_profile Resource
- azure_monitor_log_profiles Resource
- azure_mysql_database Resource
- azure_mysql_databases Resource
- azure_mysql_server Resource
- azure_mysql_servers Resource
- azure_network_interface Resource
- azure_network_interfaces Resource
- azure_network_security_group Resource
- azure_network_security_groups Resource
- azure_network_watcher Resource
- azure_network_watchers Resource
- azure_policy_assignments Resource
- azure_policy_definition Resource
- azure_policy_definitions Resource
- azure_policy_exemption Resource
- azure_policy_exemptions Resource
- azure_policy_insights_query_result Resource
- azure_policy_insights_query_results Resource
- azure_postgresql_database Resource
- azure_postgresql_databases Resource
- azure_postgresql_server Resource
- azure_postgresql_servers Resource
- azure_power_bi_app Resource
- azure_power_bi_app_capacities Resource
- azure_power_bi_app_dashboard_tile Resource
- azure_power_bi_app_dashboard_tiles Resource
- azure_power_bi_apps Resource
- azure_power_bi_capacity_refreshable Resource
- azure_power_bi_capacity_refreshables Resource
- azure_power_bi_dashboard Resource
- azure_power_bi_dashboard_tile Resource
- azure_power_bi_dashboard_tiles Resource
- azure_power_bi_dashboards Resource
- azure_power_bi_dataflow Resource
- azure_power_bi_dataflows Resource
- azure_power_bi_dataset Resource
- azure_power_bi_dataset_datasources Resource
- azure_power_bi_datasets Resource
- azure_power_bi_gateway Resource
- azure_power_bi_gateways Resource
- azure_public_ip Resource
- azure_redis_cache Resource
- azure_redis_caches Resource
- azure_resource_group Resource
- azure_resource_groups Resource
- azure_resource_health_availability_status Resource
- azure_resource_health_availability_statuses Resource
- azure_resource_health_emerging_issue Resource
- azure_resource_health_emerging_issues Resource
- azure_resource_health_events Resource
- azure_role_definition Resource
- azure_role_definitions Resource
- azure_security_center_policies Resource
- azure_security_center_policy Resource
- azure_sentinel_alert_rule_template Resource
- azure_sentinel_alert_rule_templates Resource
- azure_sentinel_incidents_resource Resource
- azure_sentinel_incidents_resources Resource
- azure_sql_database Resource
- azure_sql_databases Resource
- azure_sql_managed_instance Resource
- azure_sql_managed_instances Resource
- azure_sql_server Resource
- azure_sql_servers Resource
- azure_sql_virtual_machine Resource
- azure_sql_virtual_machine_group Resource
- azure_sql_virtual_machine_group_availability_listener Resource
- azure_sql_virtual_machine_group_availability_listeners Resource
- azure_sql_virtual_machine_groups Resource
- azure_sql_virtual_machines Resource
- azure_storage_account Resource
- azure_storage_account_blob_container Resource
- azure_storage_account_blob_containers Resource
- azure_storage_accounts Resource
- azure_streaming_analytics_function Resource
- azure_streaming_analytics_functions Resource
- azure_subnet Resource
- azure_subnets Resource
- azure_subscription Resource
- azure_subscriptions Resource
- azure_synapse_notebook Resource
- azure_synapse_notebooks Resource
- azure_virtual_machine Resource
- azure_virtual_machine_disk Resource
- azure_virtual_machine_disks Resource
- azure_virtual_machines Resource
- azure_virtual_network Resource
- azure_virtual_network_gateway Resource
- azure_virtual_network_gateway_connection Resource
- azure_virtual_network_gateway_connections Resource
- azure_virtual_network_gateways Resource
- azure_virtual_network_peering Resource
- azure_virtual_network_peerings Resource
- azure_virtual_networks Resource
- azure_virtual_wan Resource
- azure_virtual_wans Resource
- azure_web_app_function Resource
- azure_web_app_functions Resource
- azure_webapp Resource
- azure_webapps Resource
- azurerm_ad_user resource
- azurerm_ad_users resource
- azurerm_aks_cluster resource
- azurerm_aks_clusters resource
- azurerm_cosmosdb_database_account resource
- azurerm_event_hub_authorization_rule resource
- azurerm_event_hub_event_hub resource
- azurerm_event_hub_namespace resource
- azurerm_iothub resource
- azurerm_iothub_event_hub_consumer_group resource
- azurerm_iothub_event_hub_consumer_groups resource
- azurerm_key_vault resource
- azurerm_key_vault_key resource
- azurerm_key_vault_keys resource
- azurerm_key_vault_secret resource
- azurerm_key_vault_secrets resource
- azurerm_key_vaults resource
- azurerm_load_balancer resource
- azurerm_load_balancers resource
- azurerm_locks resource
- azurerm_management_group resource
- azurerm_management_groups resource
- azurerm_monitor_activity_log_alert resource
- azurerm_monitor_activity_log_alerts resource
- azurerm_monitor_log_profile resource
- azurerm_monitor_log_profiles resource
- azurerm_mysql_database resource
- azurerm_mysql_databases resource
- azurerm_mysql_server resource
- azurerm_mysql_servers resource
- azurerm_network_interface resource
- azurerm_network_interfaces resource
- azurerm_network_security_group resource
- azurerm_network_security_groups resource
- azurerm_network_watcher resource
- azurerm_network_watchers resource
- azurerm_postgresql_database resource
- azurerm_postgresql_databases resource
- azurerm_postgresql_server resource
- azurerm_postgresql_servers resource
- azurerm_resource_groups resource
- azurerm_role_definition resource
- azurerm_role_definitions resource
- azurerm_security_center_policies resource
- azurerm_security_center_policy resource
- azurerm_sql_database resource
- azurerm_sql_databases resource
- azurerm_sql_server resource
- azurerm_sql_servers resource
- azurerm_storage_account_blob_container resource
- azurerm_storage_account_blob_containers resource
- azurerm_subnet resource
- azurerm_subnets resource
- azurerm_subscription resource
- azurerm_virtual_machine resource
- azurerm_virtual_machine_disk resource
- azurerm_virtual_machine_disks resource
- azurerm_virtual_machines resource
- azurerm_virtual_network resource
- azurerm_virtual_networks resource
- azurerm_webapp resource
- azurerm_webapps resource