About the Chef InSpec Azure resource pack
Chef InSpec provides resources for auditing Azure infrastructure, including virtual machines, storage accounts, databases, and networking components. These resources help you verify that your Azure environment meets security and compliance requirements.
Initialize an InSpec profile for auditing Azure
You can create a profile for testing Azure resources with inspec init profile:
inspec init profile --platform azure <PROFILE_NAME>
If your inputs.yml file contains your Azure project ID, you can execute this sample profile using the following command:
inspec exec <PROFILE_NAME> --input-file=<PROFILE_NAME>/inputs.yml -t azure://
Set Azure credentials
To use Chef InSpec Azure resources, you need to create a service principal name (SPN) to audit an Azure subscription.
You can create an SPN using the command line or from the Azure Portal.
You can specify the SPN information in one of three ways:
- In the ~/.azure/credentials file
- As environment variables
- Using Chef InSpec target URIs
Set the Azure credentials file
By default, Chef InSpec looks at ~/.azure/credentials, and it should contain:
[<SUBSCRIPTION_ID>]
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"
tenant_id = "<TENANT_ID>"
Note
In the Azure web portal, these values have different labels:
- The Azure web portal calls the client_id the Application ID
- The Azure web portal calls the client_secret the Key (Password Type)
- The Azure web portal calls the tenant_id the Directory ID
After you set up the credentials, you can execute Chef InSpec:
inspec exec <PROFILE_NAME> -t azure://
Provide credentials using environment variables
As an alternative to the credentials file, you can set the Azure credentials using environment variables:
AZURE_SUBSCRIPTION_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
For example:
AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
Provide credentials using the Chef InSpec target option
If you have several Azure subscriptions configured in your ~/.azure/credentials file, you can use the Chef InSpec command line --target / -t option to select a specific subscription ID. For example:
inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
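The three credential sources described above, worked through as an added Ruby example (not InSpec's or train-azure's own code): it parses a multi-section ~/.azure/credentials file, lets an azure://<SUBSCRIPTION_ID> target select one section, falls back to the AZURE_* environment variables, and checks that the IDs are well formed before anything is handed on. The precedence between the sources, the helper names and the sample values are this example's assumptions.

```ruby
# Constructed sample of a ~/.azure/credentials file with two subscription
# sections; every value below is a placeholder, not a real Azure identifier.
SAMPLE_CREDENTIALS = <<~INI
  [2fbdbb02-df2e-11e6-bf01-fe55135034f3]
  client_id = "58dc4f6c-df2e-11e6-bf01-fe55135034f3"
  client_secret = "placeholder-secret-one"
  tenant_id = "6ad89b58-df2e-11e6-bf01-fe55135034f3"
  [aaaaaaaa-0000-4000-8000-000000000001]
  client_id = "bbbbbbbb-0000-4000-8000-000000000002"
  client_secret = "placeholder-secret-two"
  tenant_id = "cccccccc-0000-4000-8000-000000000003"
INI
REQUIRED_KEYS = %w[client_id client_secret tenant_id].freeze
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Parse the INI-style file into { subscription_id => { "client_id" => ..., ... } }.
def parse_credentials(text)
  sections, current = {}, nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = m[1]
      sections[current] = {}
    elsif current && (m = line.match(/\A(\w+)\s*=\s*"?([^"]*)"?\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Pick the credential set for a run. Assumed precedence (this example's, not
# necessarily InSpec's): a subscription in the target URI selects a file section;
# otherwise complete AZURE_* variables win; otherwise the file must hold one section.
def resolve_credentials(target, env, credentials_text)
  sections = parse_credentials(credentials_text)
  sub = target.sub(%r{\Aazure://}, "")
  if sub.empty? && env["AZURE_SUBSCRIPTION_ID"] && REQUIRED_KEYS.all? { |k| env["AZURE_#{k.upcase}"] }
    sub = env["AZURE_SUBSCRIPTION_ID"]
    creds = REQUIRED_KEYS.to_h { |k| [k, env["AZURE_#{k.upcase}"]] }
  else
    sub = sections.keys.first if sub.empty? && sections.size == 1
    creds = sections.fetch(sub) { raise ArgumentError, "no credentials for subscription #{sub.inspect}" }
  end
  missing = REQUIRED_KEYS.select { |k| creds[k].to_s.empty? }
  raise ArgumentError, "missing #{missing.join(', ')}" unless missing.empty?
  [sub, creds["client_id"], creds["tenant_id"]].each do |id|
    raise ArgumentError, "malformed ID #{id.inspect}" unless UUID_RE.match?(id)
  end
  creds.merge("subscription_id" => sub)
end
```

With two sections in the file and no subscription on the target, the resolver refuses to guess, which is the situation the -t azure://<SUBSCRIPTION_ID> form exists for.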
Azure resources
The following Chef InSpec Azure resources are available in this resource pack.
- azure_active_directory_domain_service resource
- azure_active_directory_domain_services resource
- azure_active_directory_object resource
- azure_active_directory_objects resource
- azure_aks_cluster resource
- azure_aks_clusters resource
- azure_api_management resource
- azure_api_managements resource
- azure_application_gateway resource
- azure_application_gateways resource
- azure_bastion_hosts_resource resource
- azure_bastion_hosts_resources resource
- azure_blob_service resource
- azure_blob_services resource
- azure_cdn_profile resource
- azure_cdn_profiles resource
- azure_container_group resource
- azure_container_groups resource
- azure_container_registries resource
- azure_container_registry resource
- azure_cosmosdb_database_account resource
- azure_data_factories resource
- azure_data_factory resource
- azure_data_factory_dataset resource
- azure_data_factory_datasets resource
- azure_data_factory_linked_service resource
- azure_data_factory_linked_services resource
- azure_data_factory_pipeline resource
- azure_data_factory_pipeline_run_resource resource
- azure_data_factory_pipeline_run_resources resource
- azure_data_factory_pipelines resource
- azure_data_lake_storage_gen2_filesystem resource
- azure_data_lake_storage_gen2_filesystems resource
- azure_data_lake_storage_gen2_path resource
- azure_data_lake_storage_gen2_paths resource
- azure_db_migration_service resource
- azure_db_migration_services resource
- azure_ddos_protection_resource resource
- azure_ddos_protection_resources resource
- azure_dns_zones_resource resource
- azure_dns_zones_resources resource
- azure_event_hub_authorization_rule resource
- azure_event_hub_event_hub resource
- azure_event_hub_namespace resource
- azure_express_route_circuit resource
- azure_express_route_circuits resource
- azure_express_route_providers resource
- azure_generic_resource resource
- azure_generic_resources resource
- azure_graph_generic_resource resource
- azure_graph_generic_resources resource
- azure_graph_user resource
- azure_graph_users resource
- azure_hdinsight_cluster resource
- azure_hpc_asc_operation resource
- azure_hpc_cache resource
- azure_hpc_cache_skus resource
- azure_hpc_caches resource
- azure_hpc_storage_target resource
- azure_hpc_storage_targets resource
- azure_iothub resource
- azure_iothub_event_hub_consumer_group resource
- azure_iothub_event_hub_consumer_groups resource
- azure_key_vault resource
- azure_key_vault_key resource
- azure_key_vault_keys resource
- azure_key_vault_secret resource
- azure_key_vault_secrets resource
- azure_key_vaults resource
- azure_load_balancer resource
- azure_load_balancers resource
- azure_lock resource
- azure_locks resource
- azure_managed_application resource
- azure_managed_applications resource
- azure_management_group resource
- azure_management_groups resource
- azure_mariadb_server resource
- azure_mariadb_servers resource
- azure_microsoft_defender_pricing resource
- azure_microsoft_defender_pricings resource
- azure_microsoft_defender_security_contact resource
- azure_microsoft_defender_setting resource
- azure_microsoft_defender_settings resource
- azure_migrate_assessment resource
- azure_migrate_assessment_group resource
- azure_migrate_assessment_groups resource
- azure_migrate_assessment_machine resource
- azure_migrate_assessment_machines resource
- azure_migrate_assessment_project resource
- azure_migrate_assessment_projects resource
- azure_migrate_assessments resource
- azure_migrate_project resource
- azure_migrate_project_database resource
- azure_migrate_project_database_instance resource
- azure_migrate_project_database_instances resource
- azure_migrate_project_databases resource
- azure_migrate_project_event resource
- azure_migrate_project_events resource
- azure_migrate_project_machine resource
- azure_migrate_project_machines resource
- azure_migrate_project_solution resource
- azure_migrate_project_solutions resource
- azure_monitor_activity_log_alert resource
- azure_monitor_activity_log_alerts resource
- azure_monitor_log_profile resource
- azure_monitor_log_profiles resource
- azure_mysql_database resource
- azure_mysql_database_configuration resource
- azure_mysql_database_configurations resource
- azure_mysql_databases resource
- azure_mysql_server resource
- azure_mysql_servers resource
- azure_network_interface resource
- azure_network_interfaces resource
- azure_network_security_group resource
- azure_network_security_groups resource
- azure_network_watcher resource
- azure_network_watchers resource
- azure_policy_assignments resource
- azure_policy_definition resource
- azure_policy_definitions resource
- azure_policy_exemption resource
- azure_policy_exemptions resource
- azure_policy_insights_query_result resource
- azure_policy_insights_query_results resource
- azure_postgresql_database resource
- azure_postgresql_databases resource
- azure_postgresql_server resource
- azure_postgresql_servers resource
- azure_power_bi_app resource
- azure_power_bi_app_capacities resource
- azure_power_bi_app_dashboard resource
- azure_power_bi_app_dashboard_tile resource
- azure_power_bi_app_dashboard_tiles resource
- azure_power_bi_app_dashboards resource
- azure_power_bi_app_report resource
- azure_power_bi_app_reports resource
- azure_power_bi_apps resource
- azure_power_bi_capacity_refreshable resource
- azure_power_bi_capacity_refreshables resource
- azure_power_bi_capacity_workload resource
- azure_power_bi_capacity_workloads resource
- azure_power_bi_dashboard resource
- azure_power_bi_dashboard_tile resource
- azure_power_bi_dashboard_tiles resource
- azure_power_bi_dashboards resource
- azure_power_bi_dataflow resource
- azure_power_bi_dataflow_storage_accounts resource
- azure_power_bi_dataflows resource
- azure_power_bi_dataset resource
- azure_power_bi_dataset_datasources resource
- azure_power_bi_datasets resource
- azure_power_bi_embedded_capacities resource
- azure_power_bi_embedded_capacity resource
- azure_power_bi_gateway resource
- azure_power_bi_gateways resource
- azure_public_ip resource
- azure_redis_cache resource
- azure_redis_caches resource
- azure_resource_group resource
- azure_resource_groups resource
- azure_resource_health_availability_status resource
- azure_resource_health_availability_statuses resource
- azure_resource_health_emerging_issue resource
- azure_resource_health_emerging_issues resource
- azure_resource_health_events resource
- azure_role_definition resource
- azure_role_definitions resource
- azure_security_center_policies resource
- azure_security_center_policy resource
- azure_service_bus_namespace resource
- azure_service_bus_namespaces resource
- azure_service_bus_regions resource
- azure_service_bus_subscription resource
- azure_service_bus_subscription_rule resource
- azure_service_bus_subscription_rules resource
- azure_service_bus_subscriptions resource
- azure_service_bus_topic resource
- azure_service_bus_topics resource
- azure_service_fabric_mesh_application resource
- azure_service_fabric_mesh_applications resource
- azure_service_fabric_mesh_network resource
- azure_service_fabric_mesh_networks resource
- azure_service_fabric_mesh_replica resource
- azure_service_fabric_mesh_replicas resource
- azure_service_fabric_mesh_service resource
- azure_service_fabric_mesh_services resource
- azure_service_fabric_mesh_volume resource
- azure_service_fabric_mesh_volumes resource
- azure_snapshot resource
- azure_snapshots resource
- azure_sql_database resource
- azure_sql_database_server_vulnerability_assessment resource
- azure_sql_database_server_vulnerability_assessments resource
- azure_sql_databases resource
- azure_sql_managed_instance resource
- azure_sql_managed_instances resource
- azure_sql_server resource
- azure_sql_servers resource
- azure_sql_virtual_machine resource
- azure_sql_virtual_machine_group resource
- azure_sql_virtual_machine_group_availability_listener resource
- azure_sql_virtual_machine_group_availability_listeners resource
- azure_sql_virtual_machine_groups resource
- azure_sql_virtual_machines resource
- azure_storage_account resource
- azure_storage_account_blob_container resource
- azure_storage_account_blob_containers resource
- azure_storage_accounts resource
- azure_streaming_analytics_function resource
- azure_streaming_analytics_functions resource
- azure_subnet resource
- azure_subnets resource
- azure_subscription resource
- azure_subscriptions resource
- azure_synapse_notebook resource
- azure_synapse_notebooks resource
- azure_synapse_workspace resource
- azure_synapse_workspaces resource
- azure_virtual_machine resource
- azure_virtual_machine_disk resource
- azure_virtual_machine_disks resource
- azure_virtual_machines resource
- azure_virtual_network resource
- azure_virtual_network_gateway resource
- azure_virtual_network_gateway_connection resource
- azure_virtual_network_gateway_connections resource
- azure_virtual_network_gateways resource
- azure_virtual_network_peering resource
- azure_virtual_network_peerings resource
- azure_virtual_networks resource
- azure_virtual_wan resource
- azure_virtual_wans resource
- azure_web_app_function resource
- azure_web_app_functions resource
- azure_webapp resource
- azure_webapps resource