azurerm_resource_groups

Use the azurerm_resource_groups InSpec audit resource to test properties of some or all Azure Resource Groups

A Resource Group is a grouping of Azure resources. This allows you to issue a common command on a group of resources.


Azure REST API version

This resource interacts with version 2018-02-01 of the Azure Management API. For more information see the official Azure documentation.

At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.

Availability

Installation

This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

depends:
  - name: inspec-azure
    git: https://github.com/inspec/inspec-azure.git

You’ll also need to setup your Azure credentials; see the resource pack README.

Version

This resource first became available in 1.0.0 of the inspec-azure resource pack.

Syntax

An azurerm_resource_groups resource block uses an optional filter to select a group of Resource Groups and then tests that group.

describe azurerm_resource_groups do
  ...
end


Examples

The following examples show how to use this InSpec audit resource.

Check for a Resource Group

describe azurerm_resource_groups do
  its('names') { should include 'MyResourceGroup' }
end

Insist that your resource group exists

describe azurerm_resource_groups.where(name: 'MyResourceGroup')
  it { should exist }
end

Use names to get all Virtual Machines in Azure

azurerm_resource_groups.names.each do |resource_group|
  describe azurerm_virtual_machines(resource_group: resource_group, name: 'MyVmName') do
    its('monitoring_agent_installed') { should be true }
  end
end


Filter Criteria

  • names

names

Filters the results to include only those resource groups that match the given name. This is a string value.

describe azurerm_resource_groups.where { name.start_with?('InSpec') } do
  it { should exist }
end

Attributes

  • ids
  • names
  • tags

names

The ids property provides a list of all the Resource Group ids.

its('ids') { should include 'MyResourceGroupID' }

The names property provides a list of all the Resource Group names.

its('names') { should include 'MyResourceGroup' }

The tags property provides a list of all the Resource Group tags.

its('tags') { should include '{MyResourceGroupTag=""}' }

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

describe azurerm_resource_groups do
  it { should exist }
end

Azure Permissions

Your Service Principal must be setup with a contributor role on the subscription you wish to test.