
jodyford added graph query for G02.08 #881

Open. Wants to merge 1 commit into base: main

Conversation

jodyford-msft

@jodyford-msft jodyford-msft commented Sep 17, 2024

Description

Added an Azure Resource Graph query that checks for key vaults with firewalls and virtual network service endpoints or private endpoints enabled. You can use the following query:

Related Issue

N/A

Checklist

  • I've tested my changes to ensure they are ready for review.
  • I've read the CONTRIBUTING.md guide.
  • I've updated the documentation (if applicable).
  • Resource Graph queries have been included (and tested) for recommendations wherever possible [1].
  • Resource Graph queries have NOT been included (please explain below).

Additional Information

Is there any additional context, screenshots, or considerations that might help in the review process? Please include them here.

Reviewer Notes

Is there a specific area you’d like feedback on? Please highlight it here. We're here to help and learn together! 💡

Footnotes

  1. Details on how to add Azure Resource Graph queries to recommendations can be found here.

@jodyford-msft jodyford-msft requested review from a team as code owners September 17, 2024 00:25
@jodyford-msft jodyford-msft changed the title from "added graph query to G02.08" to "added graph query for G02.08" Sep 17, 2024
@jodyford-msft jodyford-msft changed the title from "added graph query for G02.08" to "jodyford added graph query for G02.08" Sep 17, 2024
@jodyford-msft (Author)

Screenshot 2024-09-16 at 8 27 55 PM

@@ -2422,6 +2422,7 @@
"guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
"id": "G02.07",
"severity": "Medium",
"graph" : "Resources | where type =~ 'microsoft.keyvault/vaults' | extend properties = parse_json(properties) | project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections | extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0) | where compliant == 1 | project id, compliant",
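Review bot: the trailing `| where compliant == 1` on the added "graph" line keeps only vaults that already pass, so the query can never surface the non-compliant vaults the recommendation exists to find; drop that stage and finish with `| project id, compliant, name, location` so every vault is listed with its 0/1 result. Also, the surrounding context lines show the new key being inserted into the object whose "id" is "G02.07" while the PR title refers to G02.08; confirm this is the intended recommendation before merging.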
Collaborator

@jodyford-msft - So this query is only going to show the ones that are compliant, but not the non-compliant ones, from my understanding. I think we want to take out the "where compliant" to show all.

I was liking the output of:

```kql
Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend properties = parse_json(properties)
| project id, name, location, firewallEnabled = properties.networkAcls.defaultAction, privateEndpointConnections = properties.privateEndpointConnections
| extend compliant = iff(firewallEnabled == 'Deny' or array_length(privateEndpointConnections) > 0, 1, 0)
| project id, compliant, name, location
```
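As an added example (not code from the PR, the repository, or either commenter), the following Python mirrors the compliance rule from the query above against a few constructed Key Vault resource documents, so the rule can be checked offline before it is committed as a recommendation query. It reports every vault with a 0/1 result rather than filtering, and spells out the cases the one-line query hides: a vault with no networkAcls block, a null privateEndpointConnections property, and properties delivered as a JSON string. The resource IDs, names and sample documents are invented; the "no networkAcls means Allow" reading is an assumption.

```python
"""Offline evaluation of the Key Vault network-exposure rule used in the ARG query.

Rule (as in the query): a vault is compliant when networkAcls.defaultAction is
'Deny' or privateEndpointConnections is non-empty. Every vault is reported with
a 0/1 result; nothing is filtered out, so non-compliant vaults are visible.
"""
import json


def is_compliant(properties: dict) -> bool:
    """Same predicate as the query's iff(...) stage, with the null cases spelled out."""
    # Assumption: a vault with no networkAcls block is treated as defaultAction
    # 'Allow', i.e. the firewall is not restricting traffic.
    network_acls = properties.get("networkAcls") or {}
    default_action = network_acls.get("defaultAction", "Allow")
    # A missing or null privateEndpointConnections property means no private
    # endpoints; the query's array_length(...) > 0 test is also false there.
    private_endpoints = properties.get("privateEndpointConnections") or []
    return default_action == "Deny" or len(private_endpoints) > 0


def evaluate(resources: list) -> list:
    """Project id/name/location/compliant for each vault, like the corrected query."""
    rows = []
    for resource in resources:
        # Case-insensitive type match, matching the query's =~ operator.
        if resource.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = resource.get("properties") or {}
        # Accept properties as a dict or as a JSON string (what parse_json handles).
        if isinstance(props, str):
            props = json.loads(props)
        rows.append({
            "id": resource["id"],
            "name": resource["name"],
            "location": resource["location"],
            "compliant": 1 if is_compliant(props) else 0,
        })
    return rows


# Constructed sample resources (invented subscription, names and IDs).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
SAMPLE_RESOURCES = [
    {   # public vault: default action Allow, no private endpoints -> 0
        "id": f"{_SUB}/Microsoft.KeyVault/vaults/kv-open",
        "name": "kv-open", "type": "Microsoft.KeyVault/vaults", "location": "eastus",
        "properties": {"networkAcls": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
                       "privateEndpointConnections": []},
    },
    {   # firewalled vault: default action Deny -> 1
        "id": f"{_SUB}/Microsoft.KeyVault/vaults/kv-firewalled",
        "name": "kv-firewalled", "type": "microsoft.keyvault/vaults", "location": "eastus",
        "properties": {"networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}]},
                       "privateEndpointConnections": None},
    },
    {   # private-endpoint vault: Allow by default but reachable only via PE -> 1
        "id": f"{_SUB}/Microsoft.KeyVault/vaults/kv-private",
        "name": "kv-private", "type": "Microsoft.KeyVault/vaults", "location": "westeurope",
        "properties": json.dumps({
            "networkAcls": {"defaultAction": "Allow"},
            "privateEndpointConnections": [{"id": f"{_SUB}/Microsoft.KeyVault/vaults/kv-private/privateEndpointConnections/pe-1"}],
        }),
    },
    {   # legacy vault with no networkAcls block at all -> 0
        "id": f"{_SUB}/Microsoft.KeyVault/vaults/kv-legacy",
        "name": "kv-legacy", "type": "Microsoft.KeyVault/vaults", "location": "westeurope",
        "properties": {"sku": {"name": "standard"}},
    },
    {   # not a vault; must be skipped by the type filter
        "id": f"{_SUB}/Microsoft.Storage/storageAccounts/stdemo",
        "name": "stdemo", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
        "properties": {"networkAcls": {"defaultAction": "Deny"}},
    },
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_RESOURCES):
        print(f"{row['compliant']}  {row['name']:14} {row['location']:12} {row['id']}")
```

The predicate only looks at networkAcls.defaultAction and privateEndpointConnections, exactly as the query does; if the recommendation is meant to cover virtual network service endpoint rules as well, networkAcls.virtualNetworkRules would need its own check in both the query and this mirror.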


3 participants