azurerm_security_center_policies
Use the azurerm_security_center_policies
InSpec audit resource to test
properties of some or all Azure Security Center Policies.
Security Center Policies are defined for each Resource Group. A Security Center Policy
called default
also exists for every subscription.
Azure REST API version
This resource interacts with version 2015-06-01-Preview
of the Azure
Management API. For more information see the official Azure documentation.
At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.
Availability
Installation
This resource is available in the inspec-azure
resource
pack. To use it, add the
following to your inspec.yml
in your top-level profile:
depends:
- name: inspec-azure
git: https://github.com/inspec/inspec-azure.git
You’ll also need to setup your Azure credentials; see the resource pack README.
Version
This resource first became available in 1.0.0 of the inspec-azure resource pack.
Syntax
An azurerm_security_center_policies
resource block uses an optional filter to
select a group of Security Center Policies and confirm that the expected groups
exist.
describe azurerm_security_center_policies do
...
end
Examples
Check for a Security Center Policy
describe azurerm_security_center_policies do
its('names') { should include 'default' }
end
Assert default Security Center Policy exists
describe azurerm_security_center_policies.where(name: 'default')
it { should exist }
end
Filter Criteria
names
names
Filters the results to include only those Security Center Policies that match the given name. This is a string value.
# default should always exist
describe azurerm_security_center_policies.where(name: 'default')
it { should exist }
end
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exists
The control will pass if the filter returns at least one result. Use should_not
if you
expect zero matches.
# default should always exist
describe azurerm_security_center_policies.where(name: 'default')
it { should exist }
end
# this security center policy should not exist
describe azurerm_security_center_policies.where(name: 'DoesNotExist')
it { should_not exist }
end
Azure Permissions
Your Service
Principal
must be setup with a contributor
role on the subscription you wish to test.