✨ Add direction to network security rules. Ensure destination port ra…

…nges are always populated (#3086) * ✨ Add direction to network security rules. Ensure destination port ranges are always populated. Signed-off-by: Preslav <[email protected]> * Update network test. Signed-off-by: Preslav <[email protected]> --------- Signed-off-by: Preslav <[email protected]>
mondoohq · Jan 23, 2024 · 4a66f67 · 4a66f67
1 parent 8fbae79
commit 4a66f67
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 6 deletions.
diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
@@ -757,6 +757,8 @@ private azure.subscription.networkService.securityrule @defaults("id name") {
   properties dict
   // Security rule destination port range
   destinationPortRange []dict
+  // Security rule direction (outbound or inbound)
+  direction string
 }
 
 // Azure Network Watcher

diff --git a/providers/azure/resources/azure.lr.go b/providers/azure/resources/azure.lr.go
diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml
@@ -1433,6 +1433,7 @@ resources:
   azure.subscription.networkService.securityrule:
     fields:
       destinationPortRange: {}
+      direction: {}
       etag: {}
       id: {}
       name: {}

diff --git a/providers/azure/resources/network.go b/providers/azure/resources/network.go
@@ -2050,11 +2050,24 @@ func azureSecurityRuleToMql(runtime *plugin.Runtime, secRule network.SecurityRul
 		}
 	}
 
+	if secRule.Properties != nil && secRule.Properties.DestinationPortRanges != nil {
+		for _, r := range secRule.Properties.DestinationPortRanges {
+			dPortRange := parseAzureSecurityRulePortRange(*r)
+			for i := range dPortRange {
+				destinationPortRange = append(destinationPortRange, map[string]interface{}{
+					"fromPort": dPortRange[i].FromPort,
+					"toPort":   dPortRange[i].ToPort,
+				})
+			}
+		}
+	}
+
 	res, err := CreateResource(runtime, "azure.subscription.networkService.securityrule",
 		map[string]*llx.RawData{
 			"id":                   llx.StringData(convert.ToString(secRule.ID)),
 			"name":                 llx.StringData(convert.ToString(secRule.Name)),
 			"etag":                 llx.StringData(convert.ToString(secRule.Etag)),
+			"direction":            llx.StringDataPtr((*string)(secRule.Properties.Direction)),
 			"properties":           llx.DictData(properties),
 			"destinationPortRange": llx.ArrayData(destinationPortRange, types.String),
 		})

diff --git a/providers/azure/resources/network_test.go b/providers/azure/resources/network_test.go
@@ -10,11 +10,13 @@ import (
 )
 
 func TestParseAzurePortRange(t *testing.T) {
-	entry := "80,1024-65535"
+	entry := "*,80,1024-65535"
 	ranges := parseAzureSecurityRulePortRange(entry)
-	assert.Equal(t, 2, len(ranges))
-	assert.Equal(t, "80", ranges[0].FromPort)
-	assert.Equal(t, "80", ranges[0].ToPort)
-	assert.Equal(t, "1024", ranges[1].FromPort)
-	assert.Equal(t, "65535", ranges[1].ToPort)
+	assert.Equal(t, 3, len(ranges))
+	assert.Equal(t, "*", ranges[0].FromPort)
+	assert.Equal(t, "*", ranges[0].ToPort)
+	assert.Equal(t, "80", ranges[1].FromPort)
+	assert.Equal(t, "80", ranges[1].ToPort)
+	assert.Equal(t, "1024", ranges[2].FromPort)
+	assert.Equal(t, "65535", ranges[2].ToPort)
 }