Skip to content

Latest commit

 

History

History

azure_key_vault_logging_for_keyvault_enabled

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

README.md

README.md

 
 

__init__.py

__init__.py

 
 

azure_key_vault_logging_for_keyvault_enabled.py

azure_key_vault_logging_for_keyvault_enabled.py

 
 

constraints.txt

constraints.txt

 
 

minimum_permissions.json

minimum_permissions.json

 
 

requirements-dev.txt

requirements-dev.txt

 
 

requirements.txt

requirements.txt

 
 

README.md

Enable Logging For Keyvault

This job enables Logging for Key Vault. It checks for the existence of Storage Account created by CHSS in the given resource group and region, if the Storage Account exists then it stores the Key Vault Logs in it. Else it creates a new Storage Account to store the Key Vault logs. The Storage Account created by CHSS is prefixed with "chss" and contains tag {"Created By" : "CHSS"}.

Applicable Rule

Rule ID:

5c8c26687a550e1fb6560c72

Rule Name:

Logging For Keyvault Enabled

Getting Started

Prerequisites

The provided Azure service principal must have the following permissions: Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/write Microsoft.Storage/storageAccounts/blobServices/write Microsoft.Storage/storageAccounts/blobServices/read Microsoft.Insights/DiagnosticSettings/Write Microsoft.KeyVault/vaults/read Microsoft.KeyVault/vaults/write Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/write Microsoft.KeyVault/vaults/accessPolicies/write

A sample role with requisite permissions can be found here

More information about already builtin roles and permissions can be found here

Running the script

You may run this script using following commands:

  pip install -r requirements.txt
  python3 azure_key_vault_logging_for_keyvault_enabled.py

Running the tests

You may run test using following command under vss-remediation-worker-job-code-python directory:

    pip install -r requirements-dev.txt
    python3 -m pytest test

Deployment

Provision an instance by creating an Azure Virtual Machine to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU. Setup Docker on newly provisioned Azure Virtual Machine instance.You can refer to the docs here for more information. Deploy the worker docker image by SSH into the Azure Virtual Machine instance and run the following commands:

docker run --rm -it --name {worker_name}\
-e VSS_CLIENT_ID={ENTER CLIENT ID}\
-e VSS_CLIENT_SECRET={ENTER CLIENT SECRET}\
-e AZURE_CLIENT_ID={ENTER AZURE_CLIENT_ID} \
-e AZURE_CLIENT_SECRET={ENTER AZURE_CLIENT_SECRET} \
-e AZURE_TENANT_ID={ENTER AZURE_TENANT_ID} \
vmware/vss-remediation-worker:latest-python

Contributing

The VMware Aria Automation for Secure Clouds team welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our FAQ.

All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.

For more detailed information, refer to CONTRIBUTING.md.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Authors

  • VMware VMware Aria Automation for Secure Clouds - Initial work See also the list of contributors who participated in this project.

License

This project is licensed under the Apache License - see the LICENSE file for details