🧹 Improving the keyVault resources to cover automatic key rotation po…

…licy (#4624) * 🧹 Improving the keyVault resources to cover automatic key rotation policy Signed-off-by: Hossein Rouhani <[email protected]> * Improved Signed-off-by: Hossein Rouhani <[email protected]> * further improvements Signed-off-by: Hossein Rouhani <[email protected]> * further improvements Signed-off-by: Hossein Rouhani <[email protected]> --------- Signed-off-by: Hossein Rouhani <[email protected]>
mondoohq · Sep 9, 2024 · 6faf374 · 6faf374
1 parent 342ea94
commit 6faf374
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/providers/azure/resources/azure.lr b/providers/azure/resources/azure.lr
@@ -1514,6 +1514,16 @@ private azure.subscription.keyVaultService.vault @defaults("vaultName type vault
   secrets() []azure.subscription.keyVaultService.secret
   // Vault diagnostic settings
   diagnosticSettings() []azure.subscription.monitorService.diagnosticsetting
+  // Auto-rotation enabled status for all keys
+  autorotation() []azure.subscription.keyVaultService.key.autorotation
+}
+
+// Azure Key Vault key auto-rotation
+private azure.subscription.keyVaultService.key.autorotation @defaults("enabled") {
+  // Key ID (Key Identifier)
+  kid string
+  // Auto-rotation enabled status
+  enabled bool
 }
 
 // Azure Key Vault key

diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml
@@ -787,6 +787,8 @@ resources:
       url: https://learn.microsoft.com/en-us/azure/key-vault/
   azure.subscription.keyVaultService.vault:
     fields:
+      autorotation:
+        min_mondoo_version: 9.0.0
       certificates: {}
       diagnosticSettings: {}
       id: {}

diff --git a/providers/azure/resources/keyvault.go b/providers/azure/resources/keyvault.go
@@ -211,6 +211,71 @@ func (a *mqlAzureSubscriptionKeyVaultServiceVault) keys() ([]interface{}, error)
 	return res, nil
 }
 
+func (a *mqlAzureSubscriptionKeyVaultServiceKeyAutorotation) id() (string, error) {
+	id := a.Kid.Data
+	kvid, err := parseKeyVaultId(id)
+	if err != nil {
+		return "", err
+	}
+
+	return kvid.Name, nil
+}
+
+func (a *mqlAzureSubscriptionKeyVaultServiceVault) autorotation() ([]interface{}, error) {
+	conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
+	ctx := context.Background()
+	token := conn.Token()
+	vaultUri := a.GetVaultUri()
+	client, err := azkeys.NewClient(vaultUri.Data, token, &azkeys.ClientOptions{
+		ClientOptions: conn.ClientOptions(),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	pager := client.NewListKeyPropertiesPager(&azkeys.ListKeyPropertiesOptions{})
+	res := []interface{}{}
+
+	for pager.More() {
+		page, err := pager.NextPage(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, entry := range page.Value {
+			autoRotationEnabled := false
+
+			if entry.KID != nil {
+				keyID := string(*entry.KID)
+				kvid, err := parseKeyVaultId(keyID)
+				if err == nil && kvid.Type == "keys" {
+					policyResp, err := client.GetKeyRotationPolicy(ctx, kvid.Name, nil)
+					if err == nil && policyResp.LifetimeActions != nil {
+						for _, action := range policyResp.LifetimeActions {
+							if action.Action != nil && string(*action.Action.Type) == "Rotate" {
+								autoRotationEnabled = true
+								break
+							}
+						}
+					}
+				}
+			}
+
+			mqlAzure, err := CreateResource(a.MqlRuntime, "azure.subscription.keyVaultService.key.autorotation",
+				map[string]*llx.RawData{
+					"kid":     llx.StringDataPtr((*string)(entry.KID)),
+					"enabled": llx.BoolData(autoRotationEnabled),
+				})
+			if err != nil {
+				return nil, err
+			}
+			res = append(res, mqlAzure)
+		}
+	}
+
+	return res, nil
+}
+
 func (a *mqlAzureSubscriptionKeyVaultServiceVault) secrets() ([]interface{}, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AzureConnection)
 	ctx := context.Background()