Merge pull request #1816 from alphadev4/Azure/Aks-Diagnostic-Logs

alphadev4 · web-flow · commit 819f2e8145fa · 2024-01-02T13:58:51.000+05:00
Azure/Aks-Diagnostic-Logs
diff --git a/exports.js b/exports.js
@@ -939,6 +939,7 @@ module.exports = {
         'aksClusterHasTags'             : require(__dirname + '/plugins/azure/kubernetesservice/aksClusterHasTags.js'),
         'aksEncryptionAtRestWithCMK'    : require(__dirname + '/plugins/azure/kubernetesservice/aksEncryptionAtRestWithCMK'),
         'aksPrivateCluster'             : require(__dirname + '/plugins/azure/kubernetesservice/aksPrivateCluster.js'),
+        'aksDiagnosticLogsEnabled'      : require(__dirname + '/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js'),
 
         'acrAdminUser'                  : require(__dirname + '/plugins/azure/containerregistry/acrAdminUser.js'),
         'acrHasTags'                    : require(__dirname + '/plugins/azure/containerregistry/acrHasTags.js'),
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
@@ -1055,6 +1055,11 @@ var tertiarycalls = {
             properties: ['id'],
             url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
         },
+        listByAksClusters: {
+            reliesOnPath: 'managedClusters.list',
+            properties: ['id'],
+            url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
+        },
         listByAppConfigurations: {
             reliesOnPath: 'appConfigurations.list',
             properties: ['id'],
diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.js
@@ -0,0 +1,64 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'AKS Cluster Diagnostic Logs',
+    category: 'Kubernetes Service',
+    domain: 'Containers',
+    description: 'Ensures that Azure Kubernetes clusters have diagnostic logs enabled.',
+    more_info: 'Enabling diagnostic logging for AKS clusters helps with performance monitoring, troubleshooting, and security optimization.',
+    recommended_action: 'Enable diagnostic logging for all AKS clusters.',
+    link: 'https://learn.microsoft.com/en-us/azure/aks/monitor-aks#logs',
+    apis: ['managedClusters:list','diagnosticSettings:listByAksClusters'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.managedClusters, function(location, rcb) {
+            var managedClusters = helpers.addSource(cache, source,
+                ['managedClusters', 'list', location]);
+
+            if (!managedClusters) return rcb();
+
+            if (managedClusters.err || !managedClusters.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for Kubernetes clusters: ' + helpers.addError(managedClusters), location);
+                return rcb();
+            }
+
+            if (!managedClusters.data.length) {
+                helpers.addResult(results, 0, 'No existing Kubernetes clusters found', location);
+                return rcb();
+            }
+
+            for (let cluster of managedClusters.data) {
+                if (!cluster.id) continue;
+
+                var diagnosticSettings = helpers.addSource(cache, source, 
+                    ['diagnosticSettings', 'listByAksClusters', location, cluster.id]);
+ 
+                if (!diagnosticSettings || diagnosticSettings.err || !diagnosticSettings.data) {
+                    helpers.addResult(results, 3, `Unable to query for Kubernetes cluster diagnostic settings: ${helpers.addError(diagnosticSettings)}`,
+                        location, cluster.id);
+                    continue;
+                }
+
+                var found = diagnosticSettings.data.find(ds => ds.logs && ds.logs.length);
+
+                if (found) {
+                    helpers.addResult(results, 0, 'AKS cluster has diagnostic logs enabled', location, cluster.id);
+                } else {
+                    helpers.addResult(results, 2, 'AKS cluster does not have diagnostic logs enabled', location, cluster.id);
+                }
+              
+            }
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js b/plugins/azure/kubernetesservice/aksDiagnosticLogsEnabled.spec.js
@@ -0,0 +1,135 @@
+var expect = require('chai').expect;
+var aksDiagnosticLogsEnabled = require('./aksDiagnosticLogsEnabled');
+
+const clusters = [
+    {
+        "id": "/subscriptions/123-test/resourcegroups/ABSBAKS2/providers/Microsoft.ContainerService/managedClusters/absbaks2",
+    },
+];
+   
+    
+const diagnosticSettings = [
+    {
+        id: '/subscriptions/234/myrg/providers/Microsoft.ContainerService/managedClusters/absbaks2/providers/microsoft.insights/diagnosticSettings/test-setting',
+        type: 'Microsoft.Insights/diagnosticSettings',
+        name: 'server-setting',
+        location: 'eastus',
+        kind: null,
+        tags: null,
+        eventHubName: null,
+        metrics: [],
+        logs: [
+            {
+              "category": null,
+              "categoryGroup": "allLogs",
+              "enabled": true,
+              "retentionPolicy": {
+                "enabled": false,
+                "days": 0
+              }
+            },
+            {
+              "category": null,
+              "categoryGroup": "audit",
+              "enabled": false,
+              "retentionPolicy": {
+                "enabled": false,
+                "days": 0
+              }
+            }
+          ],
+        logAnalyticsDestinationType: null
+    }
+];
+
+const createCache = (clusters, ds) => {
+    const id = clusters && clusters.length ? clusters[0].id : null;
+    return {
+        managedClusters: {
+            list: {
+                'eastus': {
+                    data: clusters
+                }
+            }
+        },
+        diagnosticSettings: {
+            listByAksClusters: {
+                'eastus': { 
+                    [id]: { 
+                        data: ds 
+                    }
+                }
+            }
+
+        },
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        managedClusters: {
+            list: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('aksDiagnosticLogsEnabled', function() {
+    describe('run', function() {
+        it('should give passing result if no clusters', function(done) {
+            const cache = createCache([]);
+            aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Kubernetes clusters');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for kubernetes clusters', function(done) {
+            const cache = createErrorCache();
+            aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Kubernetes clusters: ');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for diagnostic settings', function(done) {
+            const cache = createCache([clusters[0]], null);
+            aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Kubernetes cluster diagnostic settings');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if diagnostic logs enabled', function(done) {
+            const cache = createCache([clusters[0]], [diagnosticSettings[0]]);
+            aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('AKS cluster has diagnostic logs enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if diagnostic logs not enabled', function(done) {
+            const cache = createCache([clusters[0]], [[]]);
+            aksDiagnosticLogsEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('AKS cluster does not have diagnostic logs enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});
