W3cubDocs

/Chef 18

azurerm_network_security_group resource

[edit on GitHub]

Use the azurerm_network_security_group InSpec audit resource to test properties of an Azure Network Security Group.

Azure REST API version

This resource interacts with version 2018-02-01 of the Azure Management API. For more information see the official Azure documentation.

At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.

Availability

Installation

This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

depends:
  - name: inspec-azure
    git: https://github.com/inspec/inspec-azure.git

You’ll also need to setup your Azure credentials; see the resource pack README.

Syntax

An azurerm_network_security_group resource block identifies a Network Security Group by name and Resource Group.

describe azurerm_network_security_group(resource_group: 'example', name: 'GroupName') do
  ...
end

Examples

Test that an example Resource Group has the specified Network Security Group

describe azurerm_network_security_group(resource_group: 'example', name: 'GroupName') do
  it { should exist }
end

Test that an example Resource Group has a Network Security Group that allows SSH from the internet

describe azurerm_network_security_group(resource_group: 'example', name: 'GroupName') do
  it { should allow_ssh_from_internet }
end

Parameters

  • name
  • resource_group

Parameter Examples

The Resource Group as well as the Network Security Group name.

describe azurerm_network_security_group(resource_group: 'example', name: 'GroupName') do
  it { should allow_rdp_from_internet }
end

Attributes

  • security_rules
  • default_security_rules
  • allow_ssh_from_internet
  • allow_rdp_from_internet
  • properties

security_rules

The security_rules property contains the set of Security Rules.

its('security_rules') { should_not be_empty }

default_security_rules

The default_security_rules property contains the set of Default Security Rules.

its('default_security_rules') { should_not be_empty }

allow_ssh_from_internet

The allow_ssh_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted SSH access.

it { should_not allow_ssh_from_internet }

allow_rdp_from_internet

The allow_rdp_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted RDP access.

it { should_not allow_rdp_from_internet }

allow\port_from_internet

The allow_port_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted access to a specified port.

it { should_not allow_port_from_internet('443') }

Other Attributes

There are additional attributes that may be accessed that we have not documented. Please take a look at the Azure documentation. Any attribute in the response may be accessed with the key names separated by dots (.).

The API may not always return keys that do not have any associated data. There may be cases where the deeply nested property may not have the desired attribute along your call chain. If you find yourself writing tests against properties that may be nil, fork this resource pack and add an accessor to the resource. Within that accessor you’ll be able to guard against nil keys. Pull requests are always welcome.

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

The control will pass if the resource returns a result. Use should_not if you expect zero matches.

# If we expect 'GroupName' to always exist
describe azurerm_network_security_group(resource_group: 'example', name: 'GroupName') do
  it { should exist }
end

# If we expect 'EmptyGroupName' to never exist
describe azurerm_network_security_group(resource_group: 'example', name: 'EmptyGroupName') do
  it { should_not exist }
end

Azure Permissions

Your Service Principal must be setup with a contributor role on the subscription you wish to test.

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/inspec/resources/azurerm_network_security_group/