def test_event_grid_mode_creates_advanced_filtered_subscription_with_multiple_events(self):
p = self.load_policy({
'name': 'test-azure-event',
'resource': 'azure.vm',
'mode':
{'type': FUNCTION_EVENT_TRIGGER_MODE,
'events':
['VmWrite',
{
'resourceProvider': 'Microsoft.Resources/subscriptions/resourceGroups',
'event': 'write'
}]},
})
with mock.patch('c7n_azure.azure_events.AzureEventSubscription.create') as mock_create:
storage_account = StorageAccount(id=1, location='westus')
event_mode = AzureEventGridMode(p)
event_mode.target_subscription_ids = [DEFAULT_SUBSCRIPTION_ID]
event_mode._create_event_subscription(storage_account, 'some_queue', None)
name, args, kwargs = mock_create.mock_calls[0]
# verify the advanced filter created
event_filter = args[4].advanced_filters[0]
self.assertEqual(event_filter.key, 'Data.OperationName')
self.assertEqual(event_filter.values,
['Microsoft.Compute/virtualMachines/write',
'Microsoft.Resources/subscriptions/resourceGroups/write'])
self.assertEqual(event_filter.operator_type, 'StringIn')
def create_resource(self, name, **kwargs):
if self.is_live:
self.client = self.create_mgmt_client(StorageManagementClient)
group = self._get_resource_group(**kwargs)
storage_async_operation = self.client.storage_accounts.begin_create(
group.name,
name,
{
"sku": {"name": self.sku},
"location": self.location,
"kind": self.kind,
"enable_https_traffic_only": True,
},
)
self.resource = storage_async_operation.result()
storage_keys = {
v.key_name: v.value
for v in self.client.storage_accounts.list_keys(group.name, name).keys
}
self.storage_key = storage_keys["key1"]
self.test_class_instance.scrubber.register_name_pair(
name, self.resource_moniker
)
else:
self.resource = StorageAccount(
location=self.location,
)
self.resource.name = name
self.resource.id = name
self.resource.primary_endpoints = Endpoints()
self.resource.primary_endpoints.blob = (
"https://{}.{}.core.windows.net".format(name, "blob")
)
self.resource.primary_endpoints.queue = (
"https://{}.{}.core.windows.net".format(name, "queue")
)
self.resource.primary_endpoints.table = (
"https://{}.{}.core.windows.net".format(name, "table")
)
self.resource.primary_endpoints.file = (
"https://{}.{}.core.windows.net".format(name, "file")
)
self.storage_key = "ZmFrZV9hY29jdW50X2tleQ=="
return {
self.parameter_name: self.resource,
"{}_key".format(self.parameter_name): self.storage_key,
"{}_cs".format(self.parameter_name): ";".join(
[
"DefaultEndpointsProtocol=https",
"AccountName={}".format(name),
"AccountKey={}".format(self.storage_key),
"BlobEndpoint={}".format(self.resource.primary_endpoints.blob),
"TableEndpoint={}".format(self.resource.primary_endpoints.table),
"QueueEndpoint={}".format(self.resource.primary_endpoints.queue),
"FileEndpoint={}".format(self.resource.primary_endpoints.file),
]
),
}
def create_resource(self, name, **kwargs):
if self.is_live:
self.client = self.create_mgmt_client(StorageManagementClient)
group = self._get_resource_group(**kwargs)
storage_async_operation = self.client.storage_accounts.create(
group.name, name, {
'sku': {
'name': self.sku
},
'location': self.location,
'kind': self.kind,
'enable_https_traffic_only': True,
})
self.resource = storage_async_operation.result()
storage_keys = {
v.key_name: v.value
for v in self.client.storage_accounts.list_keys(
group.name, name).keys
}
self.storage_key = storage_keys['key1']
self.test_class_instance.scrubber.register_name_pair(
name, self.resource_moniker)
else:
self.resource = StorageAccount(location=self.location, )
self.resource.name = name
self.resource.id = name
self.resource.primary_endpoints = Endpoints()
self.resource.primary_endpoints.blob = 'https://{}.{}.core.windows.net'.format(
name, 'blob')
self.resource.primary_endpoints.queue = 'https://{}.{}.core.windows.net'.format(
name, 'queue')
self.resource.primary_endpoints.table = 'https://{}.{}.core.windows.net'.format(
name, 'table')
self.resource.primary_endpoints.file = 'https://{}.{}.core.windows.net'.format(
name, 'file')
self.storage_key = 'ZmFrZV9hY29jdW50X2tleQ=='
return {
self.parameter_name:
self.resource,
'{}_key'.format(self.parameter_name):
self.storage_key,
'{}_cs'.format(self.parameter_name):
";".join([
"DefaultEndpointsProtocol=https",
"AccountName={}".format(name),
"AccountKey={}".format(self.storage_key),
"BlobEndpoint={}".format(self.resource.primary_endpoints.blob),
"TableEndpoint={}".format(
self.resource.primary_endpoints.table),
"QueueEndpoint={}".format(
self.resource.primary_endpoints.queue),
"FileEndpoint={}".format(self.resource.primary_endpoints.file),
])
}
def test_remediate_bypass_not_none(self):
client = Mock()
action = EnableTrustedMicrosoftServices()
client.storage_accounts.get_properties.return_value = StorageAccount(
id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/accelerators-team-resources/providers/Microsoft.Sql/servers/remserver5",
name="remstg5",
type="Microsoft.Storage/storageAccounts",
location="eastus",
network_rule_set=NetworkRuleSet(default_action="Deny",
bypass="******"),
)
assert action.remediate(client, "resource_group", "account_name") == 0
def create_resource(self, name, **kwargs):
if self.is_live:
capabilities = Capability(name='EnableTable')
db_params = DatabaseAccountCreateUpdateParameters(
capabilities=[capabilities],
locations=[{'location_name': self.location}],
location=self.location,
)
self.client = self.create_mgmt_client(CosmosDBManagementClient)
group = self._get_resource_group(**kwargs)
cosmos_async_operation = self.client.database_accounts.begin_create_or_update(
group.name,
name,
db_params
)
self.resource = cosmos_async_operation.result()
cosmos_keys = self.client.database_accounts.list_keys(
group.name,
name
)
self.cosmos_key = cosmos_keys.primary_master_key
self.cosmos_account_name = name
self.test_class_instance.scrubber.register_name_pair(
name,
self.resource_moniker
)
self.primary_endpoint = 'https://{}.table.cosmos.azure.com:443/'.format(name)
else:
self.resource = StorageAccount(
location=self.location
)
self.resource.name = name
self.resource.id = name
self.primary_endpoint = 'https://{}.table.cosmos.azure.com:443/'.format(name)
self.cosmos_key = 'ZmFrZV9hY29jdW50X2tleQ=='
self.cosmos_account_name = name
return {
self.parameter_name: self.resource,
'{}_key'.format(self.parameter_name): self.cosmos_key,
'{}_cs'.format(self.parameter_name): ";".join([
"DefaultEndpointsProtocol=https",
"AccountName={}".format(self.cosmos_account_name),
"AccountKey={}".format(self.cosmos_key),
"TableEndpoint={}".format(self.primary_endpoint)
])
}
def test_remediate_success_with_stg(self):
client_id = Mock()
tenant_id = Mock()
storage_client = Mock()
keyvault_client = Mock()
monitor_client = Mock()
graph_client = Mock()
credentials = Mock()
log = LogSettings(
category="AuditEvent",
enabled=True,
retention_policy=RetentionPolicy(enabled=True, days=180),
)
action = EnableKeyVaultLogging()
action.check_stg_account = Mock()
action.create_diagnostic_setting = Mock()
"""
StorageAccountListResult = Mock()
storage_accounts_list = []
storage_accounts_list.append(StorageAccountListResult)
action.check_stg_account.return_value = storage_accounts_list
"""
action.check_stg_account.return_value = StorageAccount(
id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.Storage/storageAccounts/chss538f633keyvaultlogs",
name="chss538f633keyvaultlogs",
location="eastus",
)
action.create_diagnostic_setting.return_value = DiagnosticSettingsResource(
storage_account_id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.Storage/storageAccounts/chss538f633keyvaultlogs",
logs=[log],
)
assert (action.remediate(
client_id,
tenant_id,
keyvault_client,
monitor_client,
storage_client,
graph_client,
credentials,
"resource_group",
"key_vault_name",
"region",
"subscription_id",
) == 0)
assert action.create_diagnostic_setting.call_count == 1
def storage_account():
test_case = AzureMgmtTestCase("__init__")
rg_preparer = ResourceGroupPreparer(random_name_enabled=True, name_prefix='pystorage')
storage_preparer = StorageAccountPreparer(random_name_enabled=True, name_prefix='pyacrstorage')
# Create
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID", None)
location = os.environ.get("AZURE_LOCATION", "westus")
existing_rg_name = os.environ.get("AZURE_RESOURCEGROUP_NAME")
existing_storage_name = os.environ.get("AZURE_STORAGE_ACCOUNT_NAME")
existing_storage_key = os.environ.get("AZURE_STORAGE_ACCOUNT_KEY")
storage_connection_string = os.environ.get("AZURE_STORAGE_CONNECTION_STRING")
i_need_to_create_rg = not (existing_rg_name or existing_storage_name or storage_connection_string)
got_storage_info_from_env = existing_storage_name or storage_connection_string
storage_name = None
rg_kwargs = {}
try:
if i_need_to_create_rg:
rg_name, rg_kwargs = rg_preparer._prepare_create_resource(test_case)
rg = rg_kwargs['resource_group']
else:
rg_name = existing_rg_name or "no_rg_needed"
rg = FakeResource(
name=rg_name,
id="/subscriptions/{}/resourceGroups/{}".format(subscription_id, rg_name)
)
TableTestCase._RESOURCE_GROUP = rg
try:
if got_storage_info_from_env:
if storage_connection_string:
storage_connection_string_parts = dict([
part.split('=', 1)
for part in storage_connection_string.split(";")
])
storage_account = None
if existing_storage_name:
storage_name = existing_storage_name
storage_account = StorageAccount(
location=location,
)
storage_account.name = storage_name
storage_account.id = storage_name
storage_account.primary_endpoints=Endpoints()
storage_account.primary_endpoints.table = 'https://{}.{}.core.windows.net'.format(storage_name, 'table')
storage_key = existing_storage_key
if not storage_connection_string:
# It means I have received a storage name from env
storage_connection_string=";".join([
"DefaultEndpointsProtocol=https",
"AccountName={}".format(storage_name),
"AccountKey={}".format(storage_key),
"TableEndpoint={}".format(storage_account.primary_endpoints.table),
])
if not storage_account:
# It means I have received a connection string
storage_name = storage_connection_string_parts["AccountName"]
storage_account = StorageAccount(
location=location,
)
def build_service_endpoint(service):
try:
suffix = storage_connection_string_parts["EndpointSuffix"]
except KeyError:
suffix = "cosmos.azure.com"
return "{}://{}.{}.{}".format(
storage_connection_string_parts.get("DefaultEndpointsProtocol", "https"),
storage_connection_string_parts["AccountName"],
service,
suffix
)
storage_account.name = storage_name
storage_account.id = storage_name
storage_account.primary_endpoints=Endpoints()
storage_account.primary_endpoints.table = storage_connection_string_parts.get("TableEndpoint", build_service_endpoint("table"))
storage_account.secondary_endpoints=Endpoints()
storage_account.secondary_endpoints.table = storage_connection_string_parts.get("TableSecondaryEndpoint", build_service_endpoint("table"))
storage_key = storage_connection_string_parts["AccountKey"]
else:
storage_name, storage_kwargs = storage_preparer._prepare_create_resource(test_case, **rg_kwargs)
storage_account = storage_kwargs['storage_account']
storage_key = storage_kwargs['storage_account_key']
storage_connection_string = storage_kwargs['storage_account_cs']
TableTestCase._STORAGE_ACCOUNT = storage_account
TableTestCase._STORAGE_KEY = storage_key
TableTestCase._STORAGE_CONNECTION_STRING = storage_connection_string
yield
finally:
if storage_name is not None:
if not got_storage_info_from_env:
storage_preparer.remove_resource(
storage_name,
resource_group=rg
)
finally:
if i_need_to_create_rg:
rg_preparer.remove_resource(rg_name)
TableTestCase._RESOURCE_GROUP = None
def test_remediate_without_stg_without_keyvault(self):
client = Mock()
client_authorization = Mock()
client_storage = Mock()
keyvault_client = Mock()
monitor_client = Mock()
graph_client = Mock()
credentials = Mock()
client_id = Mock()
tenant_id = Mock()
action = SqlServerEnableBlobAuditingPolicy()
action.create_key = Mock()
action.create_key_vault = Mock()
action.check_key_vault = Mock()
action.check_stg_account = Mock()
action.update_storage_account_encryption = Mock()
action.create_diagnostic_setting = Mock()
action.create_storage_account = Mock()
action.ensure_identity_assigned = Mock()
action.create_role_assignment = Mock()
action.create_server_blob_auditing_policy = Mock()
identity = Identity(
principal_id="139bcf82-e14e-4773-bcf4-1da136674792",
type="SystemAssigned",
tenant_id="b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0",
)
action.ensure_identity_assigned.return_value = (
"139bcf82-e14e-4773-bcf4-1da136674792")
action.create_key_vault.return_value = Vault(
id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.KeyVault/vaults/stg-keyvault-rem",
name="stg-keyvault-rem",
properties=VaultProperties(
tenant_id=tenant_id,
sku=Sku(family="A", name="standard"),
vault_uri="https://stg-keyvault-rem.vault.azure.net",
),
)
action.create_key.return_value = KeyVaultKey(
key_id=
"https://stg-keyvault-rem.vault.azure.net/keys/rem-key1/0d7a89bd1f8447b4b65ce962212476b0",
name="rem-key1",
)
action.create_storage_account.return_value = StorageAccount(
id=
"/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/accelerators-team-resources/providers/Microsoft.Sql/servers/remserver5",
name="remstg5",
type="Microsoft.Storage/storageAccounts",
location="eastus",
identity=identity,
)
action.check_stg_account.return_value = None
action.check_key_vault.return_value = None
assert (action.remediate(
client_id,
tenant_id,
credentials,
client,
client_storage,
keyvault_client,
graph_client,
monitor_client,
client_authorization,
"resource_group_name",
"sql_server_name",
"region",
"subscription_id",
) == 0)
assert action.ensure_identity_assigned.call_count == 1
assert action.check_key_vault.call_count == 1
assert action.check_stg_account.call_count == 1
assert action.create_key.call_count == 1
assert action.update_storage_account_encryption.call_count == 1
assert action.create_storage_account.call_count == 1
assert action.create_key_vault.call_count == 1
assert action.create_diagnostic_setting.call_count == 1
assert action.create_role_assignment.call_count == 1
assert action.create_server_blob_auditing_policy.call_count == 1
def storage_account():
test_case = AzureMgmtTestCase("__init__")
rg_preparer = ResourceGroupPreparer(random_name_enabled=True,
name_prefix='pystorage')
storage_preparer = StorageAccountPreparer(random_name_enabled=True,
name_prefix='pyacrstorage')
# Create
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID", None)
location = os.environ.get("AZURE_LOCATION", "westus")
existing_rg_name = os.environ.get("AZURE_RESOURCEGROUP_NAME")
existing_storage_name = os.environ.get("AZURE_STORAGE_ACCOUNT_NAME")
existing_storage_key = os.environ.get("AZURE_STORAGE_ACCOUNT_KEY")
storage_connection_string = os.environ.get(
"AZURE_STORAGE_CONNECTION_STRING")
i_need_to_create_rg = not (existing_rg_name or existing_storage_name
or storage_connection_string)
got_storage_info_from_env = existing_storage_name or storage_connection_string
try:
if i_need_to_create_rg:
rg_name, rg_kwargs = rg_preparer._prepare_create_resource(
test_case)
rg = rg_kwargs['resource_group']
else:
rg_name = existing_rg_name or "no_rg_needed"
rg = FakeResource(name=rg_name,
id="/subscriptions/{}/resourceGroups/{}".format(
subscription_id, rg_name))
StorageTestCase._RESOURCE_GROUP = rg
try:
if got_storage_info_from_env:
if storage_connection_string:
storage_connection_string_parts = dict([
part.split('=', 1)
for part in storage_connection_string.split(";")
])
storage_account = None
if existing_storage_name:
storage_name = existing_storage_name
storage_account = StorageAccount(location=location, )
storage_account.name = storage_name
storage_account.id = storage_name
storage_account.primary_endpoints = Endpoints()
storage_account.primary_endpoints.blob = '{}://{}.{}.{}'.format(
PROTOCOL, storage_name, 'blob', ACCOUNT_URL_SUFFIX)
storage_account.primary_endpoints.queue = '{}://{}.{}.{}'.format(
PROTOCOL, storage_name, 'queue', ACCOUNT_URL_SUFFIX)
storage_account.primary_endpoints.table = '{}://{}.{}.{}'.format(
PROTOCOL, storage_name, 'table', ACCOUNT_URL_SUFFIX)
storage_account.primary_endpoints.file = '{}://{}.{}.{}'.format(
PROTOCOL, storage_name, 'file', ACCOUNT_URL_SUFFIX)
storage_key = existing_storage_key
if not storage_connection_string:
# It means I have received a storage name from env
storage_connection_string = ";".join([
"DefaultEndpointsProtocol=https",
"AccountName={}".format(storage_name),
"AccountKey={}".format(storage_key),
"BlobEndpoint={}".format(
storage_account.primary_endpoints.blob),
"TableEndpoint={}".format(
storage_account.primary_endpoints.table),
"QueueEndpoint={}".format(
storage_account.primary_endpoints.queue),
"FileEndpoint={}".format(
storage_account.primary_endpoints.file),
])
if not storage_account:
# It means I have received a connection string
storage_name = storage_connection_string_parts[
"AccountName"]
storage_account = StorageAccount(location=location, )
def build_service_endpoint(service):
return "{}://{}.{}.{}".format(
storage_connection_string_parts.get(
"DefaultEndpointsProtocol", "https"),
storage_connection_string_parts["AccountName"],
service,
storage_connection_string_parts[
"EndpointSuffix"], # Let it fail if we don't even have that
)
storage_account.name = storage_name
storage_account.id = storage_name
storage_account.primary_endpoints = Endpoints()
storage_account.primary_endpoints.blob = storage_connection_string_parts.get(
"BlobEndpoint", build_service_endpoint("blob"))
storage_account.primary_endpoints.queue = storage_connection_string_parts.get(
"QueueEndpoint", build_service_endpoint("queue"))
storage_account.primary_endpoints.file = storage_connection_string_parts.get(
"FileEndpoint", build_service_endpoint("file"))
storage_account.secondary_endpoints = Endpoints()
storage_account.secondary_endpoints.blob = storage_connection_string_parts.get(
"BlobSecondaryEndpoint",
build_service_endpoint("blob"))
storage_account.secondary_endpoints.queue = storage_connection_string_parts.get(
"QueueSecondaryEndpoint",
build_service_endpoint("queue"))
storage_account.secondary_endpoints.file = storage_connection_string_parts.get(
"FileSecondaryEndpoint",
build_service_endpoint("file"))
storage_key = storage_connection_string_parts["AccountKey"]
else:
storage_name, storage_kwargs = storage_preparer._prepare_create_resource(
test_case, **rg_kwargs)
storage_account = storage_kwargs['storage_account']
storage_key = storage_kwargs['storage_account_key']
storage_connection_string = storage_kwargs[
'storage_account_cs']
StorageTestCase._STORAGE_ACCOUNT = storage_account
StorageTestCase._STORAGE_KEY = storage_key
StorageTestCase._STORAGE_CONNECTION_STRING = storage_connection_string
yield
finally:
if not got_storage_info_from_env:
storage_preparer.remove_resource(storage_name,
resource_group=rg)
finally:
if i_need_to_create_rg:
rg_preparer.remove_resource(rg_name)
StorageTestCase._RESOURCE_GROUP = None