Azure/Automation-Account-Public-Access

alphadev4 · alphadev4 · commit 283017873b66 · 2024-01-22T19:39:41.000+05:00
diff --git a/exports.js b/exports.js
@@ -1071,6 +1071,7 @@ module.exports = {
 
         'automationAcctDiagnosticLogs'  : require(__dirname + '/plugins/azure/automationAccounts/automationAcctDiagnosticLogs.js'),
         'automationAcctManagedIdentity' : require(__dirname + '/plugins/azure/automationAccounts/automationAcctManagedIdentity.js'),
+        'automationAcctPublicAccess'    : require(__dirname + '/plugins/azure/automationAccounts/automationAcctPublicAccess.js'),
 
     },
     github: {
diff --git a/package.json b/package.json
@@ -60,7 +60,7 @@
     "tty-table": "^4.1.3"
   },
   "devDependencies": {
-    "chai": "^4.2.0",
+    "chai": "4.2.0",
     "eslint": "^6.8.0",
     "mocha": "^6.1.4",
     "nodemon": "^1.19.4",
diff --git a/plugins/azure/automationAccounts/automationAcctPublicAccess.js b/plugins/azure/automationAccounts/automationAcctPublicAccess.js
@@ -0,0 +1,52 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Automation Account Public Access Disabled',
+    category: 'Automation',
+    domain: 'Management and Governance',
+    description: 'Ensure that Azure Automation accounts have have public access disabled.',
+    more_info: 'Disabling public network access ensures that network traffic between the machines on the VNet and the Automation account traverses over the a private link, eliminating exposure from the public internet.',
+    recommended_action: 'Modify automation account and disable public access.',
+    link: 'https://learn.microsoft.com/en-us/azure/automation/how-to/private-link-security',
+    apis: ['automationAccounts:list'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.automationAccounts, (location, rcb) => {
+            const automationAccounts = helpers.addSource(cache, source,
+                ['automationAccounts', 'list', location]);
+
+            if (!automationAccounts) return rcb();
+
+            if (automationAccounts.err || !automationAccounts.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query Automation accounts: ' + helpers.addError(automationAccounts), location);
+                return rcb();
+            }
+
+            if (!automationAccounts.data.length) {
+                helpers.addResult(results, 0, 'No existing Automation accounts found', location);
+                return rcb();
+            }
+
+            for (var account of automationAccounts.data) {
+                if (!account.id) continue;
+
+                if (!account.publicNetworkAccess) {
+                    helpers.addResult(results, 0, 'Automation account has public network access disabled', location, account.id);
+                } else {
+                    helpers.addResult(results, 2, 'Automation account does not have public network access disabled', location, account.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
+
diff --git a/plugins/azure/automationAccounts/automationAcctPublicAccess.spec.js b/plugins/azure/automationAccounts/automationAcctPublicAccess.spec.js
@@ -0,0 +1,97 @@
+var expect = require('chai').expect;
+var automationAcctPublicAccess = require('./automationAcctPublicAccess.js');
+
+const automationAccounts = [
+    {
+        "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-EUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-EUS2",
+        "location": "EastUS2",
+        "name": "Automate-12345-EUS2",
+        "type": "Microsoft.Automation/AutomationAccounts",
+        "tags": {},
+        "creationTime": "2023-10-27T07:27:02.76+00:00",
+        "lastModifiedTime": "2023-10-27T07:27:02.76+00:00",
+        "identity": {
+            "type": "systemassigned,userassigned",
+            "principalId": "dc03d47d-e6df-491f-aebe-50a93412a890",
+            "tenantId": "d207c7bd-fcb1-4dd3-855a-cfd2f9b651e8",
+            "userAssignedIdentities": {
+              "/subscriptions/12345/resourcegroups/meerab-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmeerab": {
+                "PrincipalId": "123455",
+                "ClientId": "1234554"
+              }
+            }
+        },
+        "publicNetworkAccess": false,
+
+    },
+    {
+        "id": "/subscriptions/12345/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Automation/automationAccounts/Automate-12345-CUS",
+        "location": "centralus",
+        "name": "Automate-12345-CUS",
+        "type": "Microsoft.Automation/AutomationAccounts",
+        "tags": {},
+        "publicNetworkAccess": true,
+    }
+];
+
+const createCache = (automationAccounts,err) => {
+    return {
+        automationAccounts: {
+            list: {
+                'eastus': {
+                    data: automationAccounts,
+                    err: err
+                }
+            }
+        }
+    }
+};
+
+describe('automationAcctPublicAccess', function () {
+    describe('run', function () {
+
+        it('should give pass result if No existing automation accounts found', function (done) {
+            const cache = createCache([]);
+            automationAcctPublicAccess.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Automation accounts found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query automation accounts:', function (done) {
+            const cache = createCache(null, 'Error');
+            automationAcctPublicAccess.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query Automation accounts:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if automation account has public network access disabled', function (done) {
+            const cache = createCache([automationAccounts[0]]);
+            automationAcctPublicAccess.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Automation account has public network access disabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if automation account does not have public network access disabled', function (done) {
+            const cache = createCache([automationAccounts[1]]);
+            automationAcctPublicAccess.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Automation account does not have public network access disabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});
