Add policy pack - Check Azure VNets have flow log enabled. Closes #893 #894
Conversation
| resource "turbot_policy_setting" "azure_network_virtual_network_approved" { | ||
| resource = turbot_policy_pack.main.id | ||
| type = "tmod:@turbot/azure-network#/policy/types/virtualNetworkApproved" | ||
| value = "Check: Approved" |
There was a problem hiding this comment.
Do we only want to add the Check option?
In general, we include the Enforce option as well if the policy supports it.
There was a problem hiding this comment.
@SumitPopat I believe that if a Virtual Network does not have Flow Logs enabled, the goal should be to enforce the creation of Flow Logs rather than deleting the VNet. However, since the Azure Flow Log stack (similar to the AWS > VPC > VPC > Flow Logging) is not currently available, we decided to proceed with a Check mode approach in this case.
| resource "turbot_policy_pack" "main" { | ||
| title = "Check Azure Virtual Networks Have Flow Logs Enabled" | ||
| description = "Ensure that logging is enabled for Azure Virtual Networks to monitor traffic and maintain security compliance." | ||
| akas = ["azure_network_check_virtual_networks_have_flowlog_enabled"] |
There was a problem hiding this comment.
I think the aka would be azure_network_enforce_virtual_networks_have_flowlog_enabled if we include the Enforce option too?
| name:get(path:"name") | ||
| flowLogs:get(path:"flowLogs") | ||
| } | ||
| } | ||
| - | | ||
| { | ||
| resource { | ||
| name:get(path:"name") | ||
| flowLogs:get(path:"flowLogs") | ||
| } | ||
| resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}'"){ | ||
| items { | ||
| enabled:get(path:"enabled") | ||
| id:get(path:"id") | ||
| name:get(path:"name") | ||
| } |
There was a problem hiding this comment.
| name:get(path:"name") | |
| flowLogs:get(path:"flowLogs") | |
| } | |
| } | |
| - | | |
| { | |
| resource { | |
| name:get(path:"name") | |
| flowLogs:get(path:"flowLogs") | |
| } | |
| resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}'"){ | |
| items { | |
| enabled:get(path:"enabled") | |
| id:get(path:"id") | |
| name:get(path:"name") | |
| } | |
| name: get(path:"name") | |
| flowLogs: get(path:"flowLogs") | |
| } | |
| } | |
| - | | |
| { | |
| resource { | |
| name: get(path:"name") | |
| flowLogs: get(path:"flowLogs") | |
| } | |
| resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}' resourceTypeLevel:self"){ | |
| items { | |
| enabled:get(path:"enabled") | |
| id:get(path:"id") | |
| name:get(path:"name") | |
| } |
| {%- set matchedFlowLog = subscriptionFlowLog %} | ||
| {%- endif %} | ||
| {%- endfor %} | ||
|
|
There was a problem hiding this comment.
Please use the existing format for setting approved > custom policies. For reference please check: https://github.com/turbot/guardrails-samples/blob/main/policy_packs/aws/ec2/enforce_instances_use_amis_with_approved_tags/policies.tf#L13
| This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for network security groups: | ||
|
|
||
| - Check if flow logs are configured for Azure Virtual Networks | ||
| - Validate that flow logging status is enabled |
There was a problem hiding this comment.
| This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for network security groups: | |
| - Check if flow logs are configured for Azure Virtual Networks | |
| - Validate that flow logging status is enabled | |
| This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for virtual networks: | |
| - Check if flow logs are configured and enabled | |
| - Delete unapproved virtual networks if flow logging is not enabled |
|
|
||
| If this policy pack is attached to a Guardrails folder, its policies will be applied to all accounts and resources in that folder. The policy pack can also be attached to multiple resources. | ||
|
|
||
| For more information, please see [Policy Packs](https://turbot.com/guardrails/docs/concepts/policy-packs). |
There was a problem hiding this comment.
Please add the Enable Enforcement block if the Enforce option is added to the Policy Pack.
Policy Pack
Flow Log is not configured
Flow Log is configured but not enabled
Flow Log is configured but the resource is not found in CMDB to determine if it is enabled/disabled
Flow Log is configured and enabled