Add 'diagnostic_settings' column to azure_key_vault table. Closes tur…

…bot#95 (turbot#96)
ahirreddy · Apr 22, 2021 · 791d4b8 · 791d4b8
1 parent 8e6eebd
commit 791d4b8
Show file tree

Hide file tree

Showing 5 changed files with 122 additions and 1 deletion.
diff --git a/azure-test/tests/azure_key_vault/test-logging-expected.json b/azure-test/tests/azure_key_vault/test-logging-expected.json
@@ -0,0 +1,8 @@
+[
+	{
+		"category": "AuditEvent",
+		"log_retention_days": 30,
+		"name": "{{ resourceName }}",
+		"storage_account_id": "{{ output.storage_account_id.value }}"
+	}
+]
diff --git a/azure-test/tests/azure_key_vault/test-logging-query.sql b/azure-test/tests/azure_key_vault/test-logging-query.sql
@@ -0,0 +1,15 @@
+select
+  name,
+  setting -> 'properties' ->> 'storageAccountId' storage_account_id,
+  log ->> 'category' category,
+  (log -> 'retentionPolicy' ->> 'days')::integer log_retention_days
+from
+  azure_key_vault,
+  jsonb_array_elements(diagnostic_settings) setting,
+  jsonb_array_elements(setting -> 'properties' -> 'logs') log
+where
+  diagnostic_settings is not null
+  and setting -> 'properties' ->> 'storageAccountId' <> ''
+  and (log ->> 'enabled')::boolean
+  and log ->> 'category' = 'AuditEvent'
+  and (log -> 'retentionPolicy' ->> 'days')::integer > 0;
diff --git a/azure-test/tests/azure_key_vault/variables.tf b/azure-test/tests/azure_key_vault/variables.tf
@@ -13,7 +13,7 @@ variable "azure_environment" {
 
 variable "azure_subscription" {
   type        = string
-  default     = "3510ae4d-530b-497d-8f30-53b9616fc6c1"
+  default     = "3510ae4d-530b-497d-8f30-53c0616fc6c1"
   description = "Azure subscription used for the test."
 }
 
@@ -61,6 +61,30 @@ resource "azurerm_key_vault_access_policy" "named_test_resource" {
   ]
 }
 
+resource "azurerm_storage_account" "named_test_resource" {
+  name                     = var.resource_name
+  location                 = azurerm_resource_group.named_test_resource.location
+  resource_group_name      = azurerm_resource_group.named_test_resource.name
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "named_test_resource" {
+  name               = var.resource_name
+  target_resource_id = azurerm_key_vault.named_test_resource.id
+  storage_account_id = azurerm_storage_account.named_test_resource.id
+
+  log {
+    category = "AuditEvent"
+    enabled  = true
+
+    retention_policy {
+      enabled = true
+      days    = 30
+    }
+  }
+}
+
 output "resource_aka" {
   value = "azure://${azurerm_key_vault.named_test_resource.id}"
 }
@@ -88,3 +112,7 @@ output "tenant_id" {
 output "object_id" {
   value = data.azurerm_client_config.current.object_id
 }
+
+output "storage_account_id" {
+  value = azurerm_storage_account.named_test_resource.id
+}
diff --git a/azure/table_azure_key_vault.go b/azure/table_azure_key_vault.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/profiles/2020-09-01/monitor/mgmt/insights"
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	"github.com/turbot/steampipe-plugin-sdk/grpc/proto"
 	"github.com/turbot/steampipe-plugin-sdk/plugin/transform"
@@ -131,6 +132,13 @@ func tableAzureKeyVault(_ context.Context) *plugin.Table {
 				Hydrate:     getKeyVault,
 				Transform:   transform.FromField("Properties.AccessPolicies"),
 			},
+			{
+				Name:        "diagnostic_settings",
+				Description: "A list of active diagnostic settings for the vault.",
+				Type:        proto.ColumnType_JSON,
+				Hydrate:     listKmsKeyVaultDiagnosticSettings,
+				Transform:   transform.FromValue(),
+			},
 
 			// Steampipe standard columns
 			{
@@ -238,3 +246,44 @@ func getKeyVault(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData
 
 	return nil, nil
 }
+
+func listKmsKeyVaultDiagnosticSettings(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
+	plugin.Logger(ctx).Trace("listKmsKeyVaultDiagnosticSettings")
+	data := h.Item.(keyvault.Vault)
+
+	// Create session
+	session, err := GetNewSession(ctx, d, "MANAGEMENT")
+	if err != nil {
+		return nil, err
+	}
+	subscriptionID := session.SubscriptionID
+
+	client := insights.NewDiagnosticSettingsClient(subscriptionID)
+	client.Authorizer = session.Authorizer
+
+	op, err := client.List(ctx, *data.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	// If we return the API response directly, the output only gives
+	// the contents of DiagnosticSettings
+	var diagnosticSettings []map[string]interface{}
+	for _, i := range *op.Value {
+		objectMap := make(map[string]interface{})
+		if i.ID != nil {
+			objectMap["id"] = i.ID
+		}
+		if i.Name != nil {
+			objectMap["name"] = i.Name
+		}
+		if i.Type != nil {
+			objectMap["type"] = i.Type
+		}
+		if i.DiagnosticSettings != nil {
+			objectMap["properties"] = i.DiagnosticSettings
+		}
+		diagnosticSettings = append(diagnosticSettings, objectMap)
+	}
+	return diagnosticSettings, nil
+}
diff --git a/docs/tables/azure_key_vault.md b/docs/tables/azure_key_vault.md
@@ -75,3 +75,24 @@ from
   azure_key_vault,
   jsonb_array_elements(access_policies) as policy;
 ```
+
+
+### List vaults with logging enabled
+
+```sql
+select
+  name,
+  setting -> 'properties' ->> 'storageAccountId' storage_account_id,
+  log ->> 'category' category,
+  log -> 'retentionPolicy' ->> 'days' log_retention_days
+from
+  azure_key_vault,
+  jsonb_array_elements(diagnostic_settings) setting,
+  jsonb_array_elements(setting -> 'properties' -> 'logs') log
+where
+  diagnostic_settings is not null
+  and setting -> 'properties' ->> 'storageAccountId' <> ''
+  and (log ->> 'enabled')::boolean
+  and log ->> 'category' = 'AuditEvent'
+  and (log -> 'retentionPolicy' ->> 'days')::integer > 0;
+```