
Merge pull request #88 from vanesasejdiu/azure-keyvault
Azure Key Vault: add a check that soft-delete retention days fall within the permitted range
liamg authored Jan 19, 2022
2 parents b6eb390 + 046dab9 commit 7273bad
Showing 3 changed files with 19 additions and 12 deletions.
9 changes: 5 additions & 4 deletions provider/azure/keyvault/keyvault.go
Expand Up @@ -9,10 +9,11 @@ type KeyVault struct {
}

type Vault struct {
Secrets []Secret
Keys []Key
EnablePurgeProtection types.BoolValue
NetworkACLs NetworkACLs
Secrets []Secret
Keys []Key
EnablePurgeProtection types.BoolValue
SoftDeleteRetentionDays types.IntValue
NetworkACLs NetworkACLs
}

type NetworkACLs struct {
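Review bot: The exported field `SoftDeleteRetentionDays` is added to `Vault` without a doc comment, so a reader of the state model cannot tell what unit or range it carries or that an absent setting may be represented differently from an explicit one. Since the accompanying rule treats values outside 7–90 as a finding, documenting that here keeps the model and the rule in sync: `// SoftDeleteRetentionDays mirrors the vault's soft_delete_retention_days setting (Azure permits 7–90); how an unset value is represented depends on the adapter.` The adapter that populates this field is not part of this diff, so the unset-value wording should be confirmed against it.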
20 changes: 13 additions & 7 deletions rules/azure/keyvault/no_purge.go
Expand Up @@ -22,13 +22,13 @@ Purge protection can only be enabled once soft-delete is enabled. It can be turn
Links: []string{
"https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection",
},
Terraform: &rules.EngineMetadata{
GoodExamples: terraformNoPurgeGoodExamples,
BadExamples: terraformNoPurgeBadExamples,
Links: terraformNoPurgeLinks,
RemediationMarkdown: terraformNoPurgeRemediationMarkdown,
},
Severity: severity.Medium,
Terraform: &rules.EngineMetadata{
GoodExamples: terraformNoPurgeGoodExamples,
BadExamples: terraformNoPurgeBadExamples,
Links: terraformNoPurgeLinks,
RemediationMarkdown: terraformNoPurgeRemediationMarkdown,
},
Severity: severity.Medium,
},
func(s *state.State) (results rules.Results) {
for _, vault := range s.Azure.KeyVault.Vaults {
Expand All @@ -38,6 +38,12 @@ Purge protection can only be enabled once soft-delete is enabled. It can be turn
vault.EnablePurgeProtection,
)
}
if vault.EnablePurgeProtection.IsTrue() && (vault.SoftDeleteRetentionDays.LessThan(7) || vault.SoftDeleteRetentionDays.GreaterThan(90)) {
results.Add(
"Resource should have soft_delete_retention_days set between 7 and 90 days in order to enable purge protection.",
vault.EnablePurgeProtection, vault.SoftDeleteRetentionDays,
)
}
}
return
},
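Review bot: The new range check in the second hunk will report every vault whose `soft_delete_retention_days` was never set if the adapter leaves `SoftDeleteRetentionDays` at a zero value, because `LessThan(7)` is then true even though the Azure Terraform provider defaults that attribute to 90. Before comparing, the condition should also require that the value was actually present and resolved, using whatever presence check `types.IntValue` exposes; the adapter is not in this diff, so its default for an absent attribute needs confirming. The finding text is also slightly off: 7–90 is Azure's bound on soft-delete retention itself, not a precondition of purge protection, so `"Resource should have soft_delete_retention_days set between 7 and 90 days (the permitted soft-delete retention range)."` reads more accurately. Note that the rule closure containing this check (`func(s *state.State) (results rules.Results) {`) opens in the first hunk and its other branch is unchanged.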
2 changes: 1 addition & 1 deletion types/time_value.go
Expand Up @@ -47,7 +47,7 @@ func (b *timeValue) GetRawValue() interface{} {
}

func (b *timeValue) IsNever() bool {
return b.value == nil
return b.value.IsZero()
}

func (b *timeValue) LessThan(i time.Time) bool {
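Review bot: `return b.value.IsZero()` dereferences `b.value`, and the line it replaces (`b.value == nil`) could only have compiled if `value` is a pointer or interface type, so a nil `value` now panics inside `IsNever` where it previously returned true. If the field is a `*time.Time`, keep the nil guard alongside the new zero check: `return b.value == nil || b.value.IsZero()`. The field declaration is outside this hunk, so its exact type should be confirmed before settling on that form.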
