azurerm_key_vault_secrets

Use the azurerm_key_vault_secrets InSpec audit resource to test properties and configuration of Azure Secrets within Vaults.

Azure REST API version

This resource interacts with version 2016-10-01 of the Azure Management API. For more information see the Official Azure Documentation.

At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.

Availability

Installation

This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

depends:
  -name: inspec-azure
    git: https://github.com/inspec/inspec-azure.git

You’ll also need to setup your Azure credentials; see the resource pack README.

Version

This resource first became available in 1.3.0 of the inspec-azure resource pack.

Syntax

An azurerm_key_vault_secrets resource block returns all Secrets within a Vault.

describe azurerm_key_vault_secrets('my-vault') do
  ...
end


Examples

The following examples show how to use this InSpec audit resource.

Check Keys within a Vault

azurerm_key_vault_secrets('my-vault').entries.each do |secret|
   describe secret do
     its('id')                { should_not be nil }
     its('attributes.exp')    { should_not be_nil  }
   end
end


Filter Criteria

All fields described in Attributes can be used to filter. Below is an example using managed.

managed

Filters the results to include only those Secrets which are not managed by the Vault. This is a boolean value.

describe azurerm_key_vault_secrets('my-vault').where{ managed.eql?(false) } do
  it { should_not exist }
end

Attributes

  • id
  • attributes
  • contentType
  • managed
  • tags

id

Secret identifier.

attributes

The secret management attributes.

contentType

Type of the secret value such as a password.

managed

True if the secret’s lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true.

tags

Resource tags applied to the Key.

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

describe azurerm_key_vault_secrets('my-vault') do
  it { should exist }
end

Azure Permissions

Your Service Principal must be setup with a contributor role on the subscription you wish to test. Your Azure Key Vault should also have this Service Principal listed in it’s Access Policy with secrets/list permissions.