After having created a new resource for data disks I have tried to use it with a control such as:

  describe azure_vm_datadisks(host: 'AutomateServer-VM', resource_group: 'rjs-automate-09').where { (disk == 1 and size >= 10) } do
    it { should be true }
  end

However there is an error from Inspec when trying to use this:

 ×  azure-vm-datadisks-1.0: Ensure that the machine has 1 data disk of greater than or equal to 10gb (
     expected true
          got #<#<Class:0x007fa8c6a50db8>:70181433717000> => azure_vm_datadisks with disk == 1 size >= 10
     )
     ×  azure_vm_datadisks with disk == 1 size >= 10 should equal true

     expected true
          got #<#<Class:0x007fa8c6a50db8>:70181433717000> => azure_vm_datadisks with disk == 1 size >= 10

I am not sure where the #<#<Class... is coming from and I do not know how to inspect the result for the test.

I have created a FilterTable for this and connected it to the parameters for the hashtable for the data disks. https://github.com/chef/inspec-azure/blob/russellseymour/data-disks/libraries/azure_vm_datadisks.rb#L33-L44

I run into this issue passing Azure SPN credential via environment variables. I don't have any credential file into ~/.azure folder as did set up the following env variables:

export AZURE_SUBSCRIPTION_ID="<value>" 
export AZURE_CLIENT_ID="<value>" 
export AZURE_CLIENT_SECRET="<value>" 
export AZURE_TENANT_ID="<value>"

I am on Ubuntu 16.04, Inspec 1.26.0, Ruby 2.4.1p111.

Error:

Please report a bug if this causes problems.
/home/vagrant/.azure/credentials was not found or not accessible
libraries/azure_backend.rb:59:in `spn': undefined method `sections' for nil:NilClass (NoMethodError)
	from libraries/azure_backend.rb:43:in `connection'
	from libraries/azure_backend.rb:217:in `initialize'
	from libraries/azure_backend.rb:121:in `new'
	from libraries/azure_backend.rb:121:in `initialize'
	from libraries/azure_resource_group.rb:35:in `new'
	from libraries/azure_resource_group.rb:35:in `initialize'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/plugins/resource.rb:47:in `initialize'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/resource.rb:48:in `new'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/resource.rb:48:in `block (3 levels) in create_dsl'
	from startup-compliance/controls/resource_groups.rb:12:in `block in load_with_context'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/rule.rb:50:in `instance_eval'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/rule.rb:50:in `initialize'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/control_eval_context.rb:71:in `new'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/control_eval_context.rb:71:in `block (2 levels) in create'
	from startup-compliance/controls/resource_groups.rb:7:in `load_with_context'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile_context.rb:146:in `instance_eval'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile_context.rb:146:in `load_with_context'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile_context.rb:130:in `load_control_file'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile.rb:151:in `block in collect_tests'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile.rb:148:in `each'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/profile.rb:148:in `collect_tests'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/runner.rb:90:in `block in load'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/runner.rb:79:in `each'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/runner.rb:79:in `load'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/runner.rb:100:in `run'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/base_cli.rb:83:in `run_tests'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/lib/inspec/cli.rb:159:in `exec'
	from /home/vagrant/.gem/ruby/2.4.0/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
	from /home/vagrant/.gem/ruby/2.4.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
	from /home/vagrant/.gem/ruby/2.4.0/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
	from /home/vagrant/.gem/ruby/2.4.0/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
	from /usr/local/lib/ruby/gems/2.4.0/gems/inspec-1.26.0/bin/inspec:12:in `<top (required)>'
	from /home/vagrant/.gem/ruby/2.4.0/bin/inspec:22:in `load'
	from /home/vagrant/.gem/ruby/2.4.0/bin/inspec:22:in `<main>'

What am I doing wrong?

It looks like our build checks still are not running. Let's get them fixed so we will run lint checks on internal pull requests.

Each domain name that is assigned to a Public IP Address in Azure must be unique within the region.

The current string is linux-external-1 which is a fairly common string and can lead to clashes when the address is provisioned.

To resolve this a suffix should be added to the end of the domain name, e.g. linux-external-1-xxxx.

As this project moves from a development project to a user-facing repository of resources, we need to make sure the README makes sense to multiple audiences. One confusing point to me was the matter of Terraform and Direnv; if I were a user with an existing Azure infra I wanted to test, would I need to setup Terraform, manage workspaces, remote state, etc?

The azure_rg resource could possibly be less than obvious as to what it does.

It is responsible for checking that the correct resources are in Azure after deployment. It is not necessarily to do with Resource Groups.

The two options for the name are:

1. azure_resources
2. azure_resource_group

The resource pack allows a subscription to be selected from the credentials file using the AZURE_SUBSCRIPTION_ID.

This is to allow an index to be specified instead of the actual ID. This will be AZURE_SUBSCRIPTION_INDEX.

Add the docs/resources directory and create MD files for each resource which describes what each one does.

As there are no controls provided by this resource pack, the integration tests can be used to ensure that all the libraries are working correctly.

We use various environment variables in our examples like

resource_group_name = ENV['AZURE_RESOURCE_GROUP_NAME']

This is not recommended since it can bring in unintended side-effects. Instead we should use InSpec attributes as documented here:

• http://inspec.io/docs/reference/profiles/
• https://github.com/chef/inspec/tree/master/examples/profile-attribute

require_relative is being used to load files that are required by the Helpers class. However when used in an Inspec test this is resolving to the current project and not the files within the Azure resource pack.

Test to see if a machine has been allocated a public ip address

We should document what we learned from connecting our resource pack to the Graph API for contributors that wish to connect to other services, such as key vault.

When a machine has Managed Disks attached the structure of the VM object from Azure is different to that when not using Managed Disks.

A check needs to be added to pull the correct attribute from the object.

Gather the resources in a Resource Group and allow checks on them.

For example an RG should contain 4 Nics, 4 VMs and a Public IP Address

When running the following for example:

  describe azure_vm(host: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do
    its('sku') { should eq '16.04.0-LTS' }
    its('publisher') { should eq 'Canonical' }
    its('offer') { should eq 'UbuntuServer' }
    its('size') { should eq 'Standard_DS2_v2' }
    its('location') { should eq 'westeurope' }
    its('boot_diagnostics?') { should be false }
    its('nic_count') { should eq 1 }
    its('username') { should eq 'azure' }
    its('password_authentication?') { should be true }
    its('ssh_key_count') { should eq 0 }
    its('os_type') { should eq 'Linux' }  
  end

The output is:

 azure_vm sku
     ✔  should eq "16.04.0-LTS"
     ✔  should eq "Canonical"
     ✔  should eq "UbuntuServer"
     ✔  should eq "Standard_DS2_v2"
     ✔  should eq "westeurope"
     ✔  should equal false
     ✔  should eq 1
     ✔  should eq "azure"
     ✔  should equal true
     ✔  should eq 0
     ✔  should eq "Linux"

Although each of the tests are passing, there is no indication as to what it was. For example, what does this mean?

✔ should eq 1

By elimination it is checking that the username is azure but this was when interpreted with the tests as well. The name of what is being tested should be displayed as well.

I have set up my inspec profile as you recommended:

name: acceptance-tests
...
depends:
  - name: azure
    url: https://github.com/chef/inspec-azure/archive/master.tar.gz

However when I execute the tests inspec exec . I get the error below:

/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- ms_rest_azure (LoadError)
  from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
  from /var/lib/gems/2.3.0/gems/inspec-1.33.1/lib/inspec/dsl_shared.rb:14:in `require'
  from libraries/azure_backend.rb:1:in `load_with_context'
  ...
  from /usr/local/bin/inspec:23:in `load'
  from /usr/local/bin/inspec:23:in `<main>'

That's because Inspec can't find the required file ms_rest_azure on your azure_backend.rb. Indeed, I searched your git repo and there's no file with that name.

It seems you include some dependencies on your Gemfile, but what am I supposed to do? On your readme you only mention adding the depends/url to the inspec profile... what am I missing?

Update the azure_vm resource so that the following checks can be performed:

• vm size
• location
• boot diagnostics enabled?
• nic count
• username

Hello Dear,

I was able to use the resource pack and could connect to azure vm's and tests there resources before recent updates & new commits.

However the moment I pulled the new code, my profile is failing with below errors. I have tried setting up credentials file at ~/.azure/credentials, also have tried adding required credentials as environment variables in my mac. Not sure what's going wrong it keep's throwing below error:
Is there a problem with recent check-ins ?

WARN: Unresolved specs during Gem::Specification.reset:
rake (>= 0)
WARN: Clearing out unresolved specs.
Please report a bug if this causes problems.
libraries/azure_backend.rb:63:in client': uninitialized constant Azure::Resources (NameError) from libraries/azure_backend.rb:201:in initialize'
from libraries/azure_generic_resource.rb:16:in initialize' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/plugins/resource.rb:47:in initialize'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/resource.rb:47:in new' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/resource.rb:47:in block (3 levels) in create_dsl'
from inspec-azure-vm/controls/resources-check.rb:5:in block in load_with_context' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/rule.rb:49:in instance_eval'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/rule.rb:49:in initialize' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/control_eval_context.rb:73:in new'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/control_eval_context.rb:73:in block (2 levels) in create' from inspec-azure-vm/controls/resources-check.rb:1:in load_with_context'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile_context.rb:148:in instance_eval' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile_context.rb:148:in load_with_context'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile_context.rb:132:in load_control_file' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile.rb:160:in block in collect_tests'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile.rb:157:in each' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/profile.rb:157:in collect_tests'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/runner.rb:89:in block in load' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/runner.rb:78:in each'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/runner.rb:78:in load' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/runner.rb:99:in run'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/base_cli.rb:83:in run_tests' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/lib/inspec/cli.rb:159:in exec'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/thor-0.20.0/lib/thor/command.rb:27:in run' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/thor-0.20.0/lib/thor/invocation.rb:126:in invoke_command'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/thor-0.20.0/lib/thor.rb:387:in dispatch' from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/thor-0.20.0/lib/thor/base.rb:466:in start'
from /Users/tushard/.rvm/gems/ruby-2.4.1/gems/inspec-1.43.8/bin/inspec:12:in <top (required)>' from /Users/tushard/.rvm/gems/ruby-2.4.1/bin/inspec:23:in load'
from /Users/tushard/.rvm/gems/ruby-2.4.1/bin/inspec:23:in <main>' from /Users/tushard/.rvm/gems/ruby-2.4.1/bin/ruby_executable_hooks:15:in eval'
from /Users/tushard/.rvm/gems/ruby-2.4.1/bin/ruby_executable_hooks:15:in `

Description of Issue

If you attempt to start a Terraform environment without having permissions to the Graph API your Terraform task will fail with an error "Insufficient Permissions". We should make Graph an optional configuration item so someone is not blocked if they don't have permissions while developing new resources.

At the moment we have optional features in Terraform:

• msi_vm
• network_watcher

What would be a good interface to allow someone to opt into additional components depending on what they are testing without needing a huge rake command.

If we were to follow the existing pattern we would have something like:

$ rake network_watcher graph tf:apply test:integration

Proposals

Consolidated rake task

$ rake with[network_watcher,graph,msi_vm,etc] # modifies .envrc
$ source .envrc # or direnv allow
$ rake tf:apply
$ rake test:integration
$ rake with[] # modifies .envrc to remove all optional components
$ source .envrc # or direnv allow

This task could modify your .envrc file to add any optional components to your configuration. We could then output something on other rake tasks to output which optional components you are using. As well as noting that tests will be skipped for any optional components you aren't using.

By default all optional components would be disabled.

Other ideas

Are there other ideas that would be a better user experience and provide clarity around what components you have enabled/disabled?

Although the credentials file can contain more than one subscription, the subscription cannot currently be chosen

Add resources that will allow the testing of Virtual Networks and Subnets for the environment

When using this resource the name of the Virtual Machine as it is seen in Azure, and not the computer name, is specified as host.

This is confusing and should be renamed to name.

Helper methods have been created for the certain Azure classes.

However as more are being added, these will become too numerous to manage effectively.

So methods will exist that will return the client for each class so it can be used directly

We introduces the method username in https://github.com/chef/inspec-azure/blob/master/libraries/azure_virtual_machine.rb#L104-L106. The maps to the admin_username from Azure. Should we use admin_username instead?

A section should be added indicating that the resource is available via a resource pack, how to install, and what version the resource was first available.

🎛 Description

Choose one: 🙋 feature request?

Let's pull Graph#get into the service module to reduce duplication.

🎛 I believe this resource is evaluating properties of the resource group and returning a false positive when your trying to evaluate a resource within that group.

is this a 🐛 bug report

Briefly describe the issue and the expected behavior

🌍 InSpec and Platform Version

inspec version 2.1.83 on OSX 10.13.4

🤔 Replication Case

control 'foobar' do
  title 'foobar'
  describe azure_generic_resource(group_name: '<existing resource group>, name: 'foobar') do
    it { should exist }
    its('location') { should cmp 'eastus' }
    its('provisioning_state') { should cmp 'Succeeded' }

    its('properties.addressSpace.addressPrefixes') { should cmp '10.6.8.0/22' }
    its('properties.dhcpOptions.dnsServers') { should cmp ["10.6.8.4", "168.63.129.16"] }
    it { should have_tags }
    its ('Environment_tag') { should cmp 'prod'}
    its ('ManagedBy_tag') { should cmp 'Terraform'}
    its ('Project_tag') { should cmp 'infra'}
  end
end

foobar: foobar (2 failed)
✔ azure_generic_resource should exist
✔ azure_generic_resource should have tags
✔ azure_generic_resource location should cmp == "eastus"
✔ azure_generic_resource provisioning_state should cmp == "Succeeded"
× azure_generic_resource properties.addressSpace.addressPrefixes
undefined method addressSpace' for []:Array × azure_generic_resource properties.dhcpOptions.dnsServers undefined method dhcpOptions' for []:Array
✔ azure_generic_resource Environment_tag should cmp == "prod"
✔ azure_generic_resource ManagedBy_tag should cmp == "Terraform"
✔ azure_generic_resource Project_tag should cmp == "infra"

Since the resource foobar doesn't exist in the resource group, all of those tests should fail, but only the two referencing the specific properties fail.

The documentation here: https://www.inspec.io/docs/reference/resources/azure_generic_resource/ at says that the tag and location tests should at least be usable but both return as successful even when the resource doesn't exist.

💁 Possible Solutions

I currently don't know of a solution other then to no use those tests, but in that case this becomes a lot more restrictive, and prone to false positives, and the documentation should be updated to reflect this.

💻 Stacktrace

• Check that a policy is active
• Check that resources adhere to the policy (in the case of somebody turning off the policy, making a change, then turning it back on again)

We need some documentation on the different ways we handle the needed Azure properties in order to connect. I'd like to see documentation for the following methods:

1. Credentials file
2. Environment variables
3. MSI Port

When we spin up a test environment we automatically get a network watcher in Azure, but due to Azure limitations we may only have one per a resource group per subscription. Let's figure out a way to make that something you need to opt in to start up so we can work concurrently.

Description

When using azure_generic_resource with a name: that does not exist, the user is presented with a least one false positive and several Ruby undefined_method error messages.

Example control:

control 'azure_vm_example' do
  title 'Ensure the example VM matches expectations'
  impact 1.0

  describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'NOT-VALID') do
    # Ensure the VM is located in the correct region
    its('location') { should cmp 'westeurope' }

    # Ensure the VM has tags
    it { should_not have_tags }

    # Ensure the VM has the correct image
    its('properties.storageProfile.imageReference.publisher') { should cmp 'MicrosoftWindowsServer' }
    its('properties.storageProfile.imageReference.offer') { should cmp 'WindowsServer' }
    its('properties.storageProfile.imageReference.sku') { should cmp '2016-Datacenter' }

    # Ensure the VM has the correct size
    its('properties.hardwareProfile.vmSize') { should cmp 'Standard_DS2_v2' }

    # Ensure the VM has the correct authentication information
    its('properties.osProfile.computerName') { should eq 'win-internal-1' }
    its('properties.osProfile.adminUsername') { should eq 'azure' }
    its('properties.osProfile.windowsConfiguration.provisionVMAgent') { should be true }
    its('properties.osProfile.windowsConfiguration.enableAutomaticUpdates') { should be false }
  end
end

Example Output:

Profile: Azure Example Profile (profile-azure)
Version: 1.0.0
Target:  azure://REDACTED
�[38;5;9m  ×  azure_vm_example: Ensure the example VM matches expectations (9 failed)�[0m
�[38;5;9m     ×  azure_generic_resource should not have tags
     expected #has_tags? to return false, got true�[0m
�[38;5;41m     ✔  azure_generic_resource location should cmp == "westeurope"�[0m
�[38;5;9m     ×  azure_generic_resource properties.storageProfile.imageReference.publisher 
     undefined method `storageProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.storageProfile.imageReference.offer 
     undefined method `storageProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.storageProfile.imageReference.sku 
     undefined method `storageProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.hardwareProfile.vmSize 
     undefined method `hardwareProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.osProfile.computerName 
     undefined method `osProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.osProfile.adminUsername 
     undefined method `osProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.osProfile.windowsConfiguration.provisionVMAgent 
     undefined method `osProfile' for []:Array�[0m
�[38;5;9m     ×  azure_generic_resource properties.osProfile.windowsConfiguration.enableAutomaticUpdates 
     undefined method `osProfile' for []:Array�[0m


Profile Summary: 0 successful controls, �[38;5;9m1 control failure�[0m, 0 controls skipped
Test Summary: �[38;5;41m1 successful�[0m, �[38;5;9m9 failures�[0m, 0 skipped

InSpec and Platform Version

Platform: Arch Linux
InSpec: 2.0.4

Possible Solutions

Ensure that location fails and add better handling for when resource is not found.

Add a resource that will allow for the checking of data disks and their size

Refs inspec/inspec#1661
Refs inspec/inspec#2454

Each resource should declare which platform it supports (here, azure) so that mixed profiles can skip resources when running on an incompatible target platform.

Description

Error during execution is 'The subscription '12345678-1234-1234-1234-123456789012' could not be found.

Train and Platform Version

os RHEL7.5
inspec 2.2.20
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]

Replication Case

execute test

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose

inspec profile check

  tag "Default Value": "Generic Resource Test at Azure Gov \n\n\n"
  describe azure_generic_resource(group_name: ENV.fetch('AZURE_RG'), name: 'vm') do
    its('location') { should eq 'usgovvirginia' }
  end

Possible Solutions

according to tcpdump, inspec performs lookups for azure instead of azuregov, verified ip addresses to which connection is made is the same address provided by dns resolution, assumption is made inspec is connecting to azure endpoints instead of azuregov

Stacktrace

https://gist.github.com/yarick/983adc75570948cd30cc4d40c028ee57

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose
InSpec version: 2.2.20
Train version: 1.4.15
Command line configuration:
{"target"=>"azure://", "log_level"=>"debug", "diagnose"=>true}
JSON configuration file:
{}
Merged configuration:
{"reporter"=>{"cli"=>{"stdout"=>true}},
"show_progress"=>false,
"color"=>true,
"create_lockfile"=>true,
"backend_cache"=>true,
"type"=>:exec,
"target"=>"azure://",
"log_level"=>"debug",
"diagnose"=>true}

[2018-06-26T11:18:33-04:00] DEBUG: Option backend_cache is enabled
[2018-06-26T11:18:33-04:00] DEBUG: Resolve ./test/integration/default into cache /root/.inspec/cache
[2018-06-26T11:18:33-04:00] DEBUG: Dependency does not exist in the cache ./test/integration/default
[2018-06-26T11:18:33-04:00] DEBUG: Starting run with targets: ["Inspec::Profile"]
[2018-06-26T11:18:33-04:00] DEBUG: Using existing lockfile ./test/integration/default/inspec.lock
[2018-06-26T11:18:33-04:00] DEBUG: Loading ./test/integration/default/controls/M-2.12.rb into #Inspec::ProfileContext:0x0000000003bb93f8
[DEPRECATED] use a specific azure resources instead of 'azure_generic_resource'. See inspec/inspec#3131
[2018-06-26T11:18:34-04:00] DEBUG: Registering rule M-2.12

Profile: AZURE Inspec Demo based on CIS_Microsoft_Azure_Foundations_Benchmark (azure-inspec-demo)
Version: 0.2
Target: azure://12345678-1234-1234-1234-123456789012

× M-2.12: 2.12 Ensure that 'JIT Network Access' is set to 'On' (Scored) (2 failed)
× azure_generic_resource
The subscription '12345678-1234-1234-1234-123456789012' could not be found.
× azure_resource_group
The subscription '12345678-1234-1234-1234-123456789012' could not be found.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 2 failures, 0 skipped

To make it more explicit this will be renamed to azure_virtual_machine

Microsoft have added some breaking changes to the Azure SDKs 0.15 which means this plugin will not work with that version.

As a quick workaround the SDKs should be pinned to version 0.14 to allow it to keep working in the short term.

Description

Error during execution is 'The subscription '12345678-1234-1234-1234-123456789012' could not be found.

Train and Platform Version

os RHEL7.5
inspec 2.2.20
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]

Replication Case

execute test

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose

inspec profile check

  tag "Default Value": "Generic Resource Test at Azure Gov \n\n\n"
  describe azure_generic_resource(group_name: ENV.fetch('AZURE_RG'), name: 'vm') do
    its('location') { should eq 'usgovvirginia' }
  end

Possible Solutions

according to tcpdump, inspec performs lookups for azure instead of azuregov, verified ip addresses to which connection is made is the same address provided by dns resolution, assumption is made inspec is connecting to azure endpoints instead of azuregov

Stacktrace

https://gist.github.com/yarick/983adc75570948cd30cc4d40c028ee57

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose
InSpec version: 2.2.20
Train version: 1.4.15
Command line configuration:
{"target"=>"azure://", "log_level"=>"debug", "diagnose"=>true}
JSON configuration file:
{}
Merged configuration:
{"reporter"=>{"cli"=>{"stdout"=>true}},
"show_progress"=>false,
"color"=>true,
"create_lockfile"=>true,
"backend_cache"=>true,
"type"=>:exec,
"target"=>"azure://",
"log_level"=>"debug",
"diagnose"=>true}

[2018-06-26T11:18:33-04:00] DEBUG: Option backend_cache is enabled
[2018-06-26T11:18:33-04:00] DEBUG: Resolve ./test/integration/default into cache /root/.inspec/cache
[2018-06-26T11:18:33-04:00] DEBUG: Dependency does not exist in the cache ./test/integration/default
[2018-06-26T11:18:33-04:00] DEBUG: Starting run with targets: ["Inspec::Profile"]
[2018-06-26T11:18:33-04:00] DEBUG: Using existing lockfile ./test/integration/default/inspec.lock
[2018-06-26T11:18:33-04:00] DEBUG: Loading ./test/integration/default/controls/M-2.12.rb into #Inspec::ProfileContext:0x0000000003bb93f8
[DEPRECATED] use a specific azure resources instead of 'azure_generic_resource'. See inspec/inspec#3131
[2018-06-26T11:18:34-04:00] DEBUG: Registering rule M-2.12

Profile: AZURE Inspec Demo based on CIS_Microsoft_Azure_Foundations_Benchmark (azure-inspec-demo)
Version: 0.2
Target: azure://12345678-1234-1234-1234-123456789012

× M-2.12: 2.12 Ensure that 'JIT Network Access' is set to 'On' (Scored) (2 failed)
× azure_generic_resource
The subscription '12345678-1234-1234-1234-123456789012' could not be found.
× azure_resource_group
The subscription '12345678-1234-1234-1234-123456789012' could not be found.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 2 failures, 0 skipped

Let's create an issue and pull request template for contributors that follows other conventions with Chef open source projects and follows the recommendations in our CONTRIBUTING doc.

https://help.github.com/articles/manually-creating-a-single-issue-template-for-your-repository/

https://help.github.com/articles/creating-a-pull-request-template-for-your-repository/

🎛 Description

Choose one: 🙋 feature request

Update Graph module to use cache. At the moment it will re-issue requests for the same information.

Managed Disks is a relatively new feature in Azure, but they are already being used.

The resource should contain checks for the following:

• Managed Disk Images
• Managed Disks

Add Powershell environment variables for Windows to the documentation:

to set environment variables:
$env:AZURE_SUBSCRIPTION_ID="43706c4e-b31d-425e-b5f5-e64e6bf63ac4"
$env:AZURE_CLIENT_ID="ecee433c-083a-4293-a579-3eea4286190a"
$env:AZURE_CLIENT_SECRET="MYCLIENTSECRETHERE="
$env:AZURE_TENANT_ID="9c117323-1f20-444d-82a9-9ee430723ba3"

bundle exec inspec exec C:\projects\user\inspec_azure_testing\v2\profile\ -t azure://ID

Test on Windows VM

• Resource locks
• Resource group locks
• Subscription locks

Update the plugin so that it knows how to work with the latest Azure SDK versions.

At the moment (as of 2017-10-26) there appears to be a bug with 0.15 version of the SDK that means that it will only look for environment variables for credentials. Microsoft are aware of this.

Currently resources are mixed between azure and azurerm prefixes. Standardize on azurerm and alias azure with a deprecation warning.
Be sure to update integration tests and documentation.

• azure_monitor_activity_log_alert
• azure_monitor_activity_log_alerts
• azure_monitor_log_profile
• azure_monitor_log_profiles
• azure_network_security_group
• azure_network_security_groups
• azure_network_watcher
• azure_network_watchers
• azure_resource_groups
• azure_security_center_policies
• azure_security_center_policy

To have a method name like has_disks? feels not optimal.

describe azure_virtual_machine(name: 'MyVM', resource_group: 'MyResourceGroup') do
  its('has_disks?') { should be true }
end

Is there any reason why we cannot use:

describe azure_virtual_machine(name: 'MyVM', resource_group: 'MyResourceGroup') do
  its('count') { should cmp >= 0 }
end