
Add table azure_key_vault_key. Closes #72 #73

Merged: 9 commits merged into main from issue-72 on Apr 29, 2021

Conversation

@Subhajit97 (Contributor) commented Mar 31, 2021

Integration test logs
No env file present for the current environment:  staging 
 Falling back to .env config
No env file present for the current environment:  staging
customEnv TURBOT_TEST_EXPECTED_TIMEOUT 300

SETUP: tests/azure_key_vault_key []

PRETEST: tests/azure_key_vault_key

TEST: tests/azure_key_vault_key
Running terraform
data.azurerm_client_config.current: Refreshing state...
data.null_data_source.resource: Refreshing state...
azurerm_resource_group.named_test_resource: Creating...
azurerm_resource_group.named_test_resource: Creation complete after 2s [id=/subscriptions/********-****-****-****-************/resourceGroups/turbottest36584]
azurerm_key_vault.named_test_resource: Creating...
azurerm_key_vault.named_test_resource: Still creating... [10s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [20s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [30s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [40s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [50s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m0s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m10s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m20s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m30s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m40s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [1m50s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [2m0s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [2m10s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [2m20s elapsed]
azurerm_key_vault.named_test_resource: Still creating... [2m30s elapsed]
azurerm_key_vault.named_test_resource: Creation complete after 2m31s [id=/subscriptions/********-****-****-****-************/resourceGroups/turbottest36584/providers/Microsoft.KeyVault/vaults/turbottest36584]
azurerm_key_vault_key.named_test_resource: Creating...
azurerm_key_vault_key.named_test_resource: Creation complete after 8s [id=https://turbottest36584.vault.azure.net/keys/turbottest36584/e19d1fab06a74d27a84cbe96491b6e5e]

Warning: Deprecated Resource

The null_data_source was historically used to construct intermediate values to
re-use elsewhere in configuration, the same can now be achieved using locals


Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

key_uri_without_version = https://turbottest36584.vault.azure.net/keys/turbottest36584
key_version = e19d1fab06a74d27a84cbe96491b6e5e
location = westus
location_lower = westus
resource_aka = azure://https://turbottest36584.vault.azure.net/keys/turbottest36584/e19d1fab06a74d27a84cbe96491b6e5e
resource_aka_lower = azure://https://turbottest36584.vault.azure.net/keys/turbottest36584/e19d1fab06a74d27a84cbe96491b6e5e
resource_id = https://turbottest36584.vault.azure.net/keys/turbottest36584/e19d1fab06a74d27a84cbe96491b6e5e
resource_name = turbottest36584
subscription_id = ********-****-****-****-************

Running SQL query: test-get-query.sql
[
  {
    "curve_name": "",
    "enabled": true,
    "id": "/subscriptions/********-****-****-****-************/resourceGroups/turbottest36584/providers/Microsoft.KeyVault/vaults/turbottest36584/keys/turbottest36584",
    "key_ops": [
      "decrypt",
      "encrypt",
      "sign",
      "unwrapKey",
      "verify",
      "wrapKey"
    ],
    "key_size": 2048,
    "key_type": "RSA",
    "key_uri": "https://turbottest36584.vault.azure.net/keys/turbottest36584",
    "key_uri_with_version": "https://turbottest36584.vault.azure.net/keys/turbottest36584/e19d1fab06a74d27a84cbe96491b6e5e",
    "location": "westus",
    "name": "turbottest36584",
    "region": "westus",
    "resource_group": "turbottest36584",
    "subscription_id": "********-****-****-****-************",
    "type": "Microsoft.KeyVault/vaults/keys",
    "vault_name": "turbottest36584"
  }
]
✔ PASSED

Running SQL query: test-list-query.sql
[
  {
    "id": "/subscriptions/********-****-****-****-************/resourceGroups/turbottest36584/providers/Microsoft.KeyVault/vaults/turbottest36584/keys/turbottest36584",
    "name": "turbottest36584"
  }
]
✔ PASSED

Running SQL query: test-not-found-query.sql
null
✔ PASSED

Running SQL query: test-turbot-query.sql
[
  {
    "akas": [
      "azure:///subscriptions/********-****-****-****-************/resourceGroups/turbottest36584/providers/Microsoft.KeyVault/vaults/turbottest36584/keys/turbottest36584",
      "azure:///subscriptions/********-****-****-****-************/resourcegroups/turbottest36584/providers/microsoft.keyvault/vaults/turbottest36584/keys/turbottest36584"
    ],
    "name": "turbottest36584",
    "tags": {
      "name": "turbottest36584"
    },
    "title": "turbottest36584"
  }
]
✔ PASSED

POSTTEST: tests/azure_key_vault_key

TEARDOWN: tests/azure_key_vault_key

SUMMARY:

1/1 passed.

Example query results

Basic info

select
  name,
  vault_name,
  enabled,
  created_at,
  updated_at,
  key_type,
  location
from
  azure_key_vault_key;
+----------+-------------------+---------+---------------------+---------------------+----------+----------+
| name     | vault_name        | enabled | created_at          | updated_at          | key_type | location |
+----------+-------------------+---------+---------------------+---------------------+----------+----------+
| testkey2 | testvault31032021 | false   | 2021-03-31 12:15:59 | 2021-03-31 12:16:07 | RSA      | eastus   |
| testkey3 | testvault31032021 | true    | 2021-03-31 12:29:26 | 2021-03-31 12:29:26 | RSA      | eastus   |
| testkey5 | testvault31032021 | true    | 2021-03-31 12:30:42 | 2021-03-31 12:30:42 | RSA      | eastus   |
| testkey1 | testvault31032021 | false   | 2021-03-31 11:33:19 | 2021-03-31 12:15:05 | RSA      | eastus   |
+----------+-------------------+---------+---------------------+---------------------+----------+----------+

List keys which are not enabled

select
  name,
  vault_name,
  enabled
from
  azure_key_vault_key
where
  not enabled;
+----------+-------------------+---------+
| name     | vault_name        | enabled |
+----------+-------------------+---------+
| testkey2 | testvault31032021 | false   |
| testkey1 | testvault31032021 | false   |
+----------+-------------------+---------+

List keys for which expiration time is not set

select
  name,
  enabled,
  expired_at
from
  azure_key_vault_key
where
  expired_at is null;
+----------+---------+------------+
| name     | enabled | expired_at |
+----------+---------+------------+
| testkey2 | false   | <null>     |
+----------+---------+------------+

List keys which have never been updated

select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_key
where
  enabled
  and age(updated_at, created_at) = '00:00:00';
+----------+---------+---------------------+---------------------+
| name     | enabled | created_at          | updated_at          |
+----------+---------+---------------------+---------------------+
| testkey5 | true    | 2021-03-31 12:30:42 | 2021-03-31 12:30:42 |
| testkey3 | true    | 2021-03-31 12:29:26 | 2021-03-31 12:29:26 |
+----------+---------+---------------------+---------------------+

Count of keys by Key Vault

select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_key
group by
  vault_name;
+-------------------+-------+
| vault_name        | count |
+-------------------+-------+
| testvault31032021 | 2     |
+-------------------+-------+
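The examples above each check one property at a time. The query below is an added example, not part of this pull request or of the plugin's own documentation, that combines the columns shown in this PR's results (enabled, expired_at, key_type, key_size, key_ops) into a single review query that labels each key with the first finding that applies. It assumes Steampipe's PostgreSQL dialect and that key_ops is stored as a jsonb array, as the JSON output above suggests; the 30-day window and the 2048-bit RSA threshold are assumed review thresholds, not values from the page.

```sql
-- Added example (not from the PR): one pass over azure_key_vault_key that
-- reports keys needing attention. Assumes PostgreSQL (Steampipe) and that
-- key_ops is a jsonb array so the `?` containment operator works (assumption).
select
  vault_name,
  name,
  key_type,
  key_size,
  enabled,
  expired_at,
  case
    when not enabled then 'disabled'
    when expired_at is null then 'no expiration set'
    when expired_at < now() then 'expired'
    when expired_at < now() + interval '30 days' then 'expires within 30 days'   -- assumed window
    when key_type = 'RSA' and key_size < 2048 then 'RSA key shorter than 2048 bits' -- assumed threshold
    when key_ops ? 'encrypt' and key_ops ? 'sign' then 'same key permits both encrypt and sign'
    else 'ok'
  end as finding
from
  azure_key_vault_key
where
  not enabled
  or expired_at is null
  or expired_at < now() + interval '30 days'
  or (key_type = 'RSA' and key_size < 2048)
  or (key_ops ? 'encrypt' and key_ops ? 'sign')
order by
  vault_name,
  name;
```

The `where` clause repeats the `case` conditions so that only keys with a finding are returned; keys that pass every check are filtered out rather than listed as 'ok'. If key_ops turns out to be a text[] column rather than jsonb in a given plugin version, replace the `?` tests with `'encrypt' = any(key_ops)`.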

@Subhajit97 Subhajit97 self-assigned this Mar 31, 2021
@Subhajit97 Subhajit97 linked an issue Mar 31, 2021 that may be closed by this pull request
@khushboo9024 (Contributor) left a comment:

LGTM

@rajlearner17 (Contributor) left a comment:

LGTM

A contributor commented on the "Count of keys by Key Vault" example (`... from azure_key_vault_key group by vault_name;`):

@Subhajit97 can we please add one example to ensure the key vault is recoverable?

A contributor added a further comment:

Also, can we ensure this: CIS > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'

@cbruno10 cbruno10 merged commit 617848b into main Apr 29, 2021
@cbruno10 cbruno10 deleted the issue-72 branch April 29, 2021 12:24
Linked issues that this pull request may close: "Add table azure_key_vault_key" and "Add support to query Key Vault > Key & Secret expiry details."