added plugin for vm cmk auto key rotation, updated collector file to handle nested properties for api calls

muzzamilinovaqo · muzzamilinovaqo · commit bb589255969a · 2024-01-25T13:39:06.000+05:00
diff --git a/collectors/azure/collector.js b/collectors/azure/collector.js
@@ -210,6 +210,9 @@ let collect = function(AzureConfig, settings, callback) {
                                     // Check and replace properties
                                     if (subCallObj.properties && subCallObj.properties.length) {
                                         subCallObj.properties.forEach(function(propToReplace) {
+                                            if (propToReplace.includes('.')) {
+                                                regionData[propToReplace] = parseCollection(propToReplace, regionData);
+                                            }
                                             if (regionData[propToReplace]) {
                                                 var re = new RegExp(`{${propToReplace}}`, 'g');
                                                 localReq.url = subCallObj.url.replace(re, regionData[propToReplace]);
diff --git a/exports.js b/exports.js
@@ -753,6 +753,7 @@ module.exports = {
         'vmSecureBootEnabled'           : require(__dirname + '/plugins/azure/virtualmachines/vmSecureBootEnabled.js'),
         'vmDiskDeleteConfig'            : require(__dirname + '/plugins/azure/virtualmachines/vmDiskDeleteConfig.js'),
         'vmEncryptionAtHost'            : require(__dirname + '/plugins/azure/virtualmachines/vmEncryptionAtHost.js'),
+        'vmDiskCMKRotation'             : require(__dirname + '/plugins/azure/virtualmachines/vmDiskCMKRotation.js'),
 
         'bastionHostExists'              : require(__dirname + '/plugins/azure/bastion/bastionHostExists.js'),
 
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
@@ -228,7 +228,7 @@ var calls = {
     },
     disks: {
         list: {
-            url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/disks?api-version=2019-07-01'
+            url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/disks?api-version=2023-04-02'
         }
     },
     networkSecurityGroups: {
@@ -977,7 +977,14 @@ var postcalls = {
             url: 'https://management.azure.com/subscriptions/{id}/securityPolicies?api-version=2023-05-01'
 
         }
-    }
+    },
+    diskEncryptionSet: {
+        get: {
+            reliesOnPath: 'disks.list',
+            properties: ['encryption.diskEncryptionSetId'],
+            url: 'https://management.azure.com/{encryption.diskEncryptionSetId}?api-version=2023-04-02',
+        }
+    },
     
 };
 
diff --git a/plugins/azure/virtualmachines/vmDiskCMKRotation.js b/plugins/azure/virtualmachines/vmDiskCMKRotation.js
@@ -0,0 +1,64 @@
+var async = require('async');
+
+var helpers = require('../../../helpers/azure/');
+
+module.exports = {
+    title: 'VM Disk Auto key Rotation CMK',
+    category: 'Virtual Machines',
+    domain: 'Compute',
+    description: 'Ensures that auto key rotation for CMK is enabled for disk encryption.',
+    more_info: 'Automatic key rotation helps ensure your keys are secure. A disk references a key via its disk encryption set. When you enable automatic rotation for a disk encryption set, the system will automatically update all managed disks, snapshots, and images referencing the disk encryption set to use the new version of the key within one hour.',
+    recommended_action: 'Enable auto key rotation for CMK for all disks encryption.',
+    link: 'https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#automatic-key-rotation-of-customer-managed-keys',
+    apis: ['disks:list','diskEncryptionSet:get'],
+    realtime_triggers: ['microsoftcompute:disks:write','microsoftcompute:disks:delete','microsoftcompute:diskencryptionsets:write'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.disks, function(location, rcb) {
+
+            var disks = helpers.addSource(cache, source, ['disks', 'list', location]);
+
+            if (!disks) return rcb();
+
+            if (disks.err || !disks.data) {
+                helpers.addResult(results, 3, 'Unable to query for virtual machine disk volumes: ' + helpers.addError(disks), location);
+                return rcb();
+            }
+            if (!disks.data.length) {
+                helpers.addResult(results, 0, 'No existing disk volumes found', location);
+                return rcb();
+            }
+          
+
+            disks.data.forEach((disk) => {
+                if (disk.encryption && disk.encryption.type &&
+                    disk.encryption.type.toLowerCase() === 'encryptionatrestwithplatformkey') {
+                    helpers.addResult(results, 0, 'Disk is using platform managed key for encryption', location, disk.id);
+                   
+                } else {
+                    if (disk.encryption && disk.encryption.diskEncryptionSetId) {
+
+                        var diskEncryptionSet = helpers.addSource(cache, source, ['diskEncryptionSet', 'get', location, disk.id]);
+                        
+                        if (diskEncryptionSet && diskEncryptionSet.data && diskEncryptionSet.data.rotationToLatestKeyVersionEnabled) {
+                            helpers.addResult(results, 0, 'Disk auto key rotation for customer managed key is enabled', location, disk.id);
+                        
+                        } else {
+                            helpers.addResult(results, 2, 'Disk auto key rotation for customer managed key is disabled', location, disk.id);
+                        }
+                    }
+                    
+                        
+                }
+            });
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/virtualmachines/vmDiskCMKRotation.spec.js b/plugins/azure/virtualmachines/vmDiskCMKRotation.spec.js
@@ -0,0 +1,109 @@
+var expect = require('chai').expect;
+var vmDiskAutoKeyRotationCMK = require('./vmDiskCMKRotation');
+
+const disks = [
+    {
+        "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Compute/disks/test-disk",
+        "name": "test-disk",
+        "location": "eastus",
+        "encryption": {
+            "type": "EncryptionAtRestWithPlatformKey"
+        }
+    },
+    {
+        "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Compute/disks/test-disk-cmk",
+        "name": "test-disk-cmk",
+        "location": "eastus",
+        "encryption": {
+            "diskEncryptionSetId": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Compute/diskEncryptionSets/test-disk-es"
+        }
+    }
+];
+
+const diskEncryptionSet = {
+    "id": "/subscriptions/123/resourceGroups/test-rg/providers/Microsoft.Compute/diskEncryptionSets/test-disk-es",
+    "name": "test-disk-es",
+    "location": "eastus",
+    "rotationToLatestKeyVersionEnabled": true
+};
+
+const createCache = (disks, diskEncryptionSet) => {
+    const diskId = (disks && disks.length) ? disks[0].id : null;
+    return {
+        disks: {
+            list: {
+                'eastus': {
+                    data: disks
+                }
+            }
+        },
+        diskEncryptionSet: {
+            get: {
+                'eastus': { 
+                    [diskId]: { 
+                        data: diskEncryptionSet
+                    }
+                }
+            }
+        }
+    };
+};
+
+describe('vmDiskAutoKeyRotationCMK', function() {
+    describe('run', function() {
+        it('should give passing result if no disk volumes found', function(done) {
+            const cache = createCache([], null);
+            vmDiskAutoKeyRotationCMK.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing disk volumes found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for disk volumes', function(done) {
+            const cache = createCache(null, null);
+            vmDiskAutoKeyRotationCMK.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for virtual machine disk volumes:');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if disk is using platform managed key', function(done) {
+            const cache = createCache([disks[0]], null);
+            vmDiskAutoKeyRotationCMK.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Disk is using platform managed key for encryption');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if disk auto key rotation for customer managed key is enabled', function(done) {
+            const cache = createCache([disks[1]], diskEncryptionSet);
+            vmDiskAutoKeyRotationCMK.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Disk auto key rotation for customer managed key is enabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if disk auto key rotation for customer managed key is disabled', function(done) {
+            const cache = createCache([disks[1]], { rotationToLatestKeyVersionEnabled: false });
+            vmDiskAutoKeyRotationCMK.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Disk auto key rotation for customer managed key is disabled');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+    });
+});
