azure_key_vault_secret Resource

Use the azure_key_vault_secret InSpec audit resource to test properties and configuration of an Azure secret within a vault.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.

Installation

This resource is available in the Chef InSpec Azure resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.

Syntax

An azure_key_vault_secret resource block identifies an Azure secret either by vault_name and secret_name or by the secret_id. You may also specify a secret_version; if no version is specified, the most recent version of the secret is used.

describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret') do
  it { should exist }
end
describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret', secret_version: '78deebed173b48e48f55abf87ed4cf71') do
  it { should exist }
end
describe azure_key_vault_secret(secret_id: 'https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350') do
  it { should exist }
end

Parameters

vault_name
The name of the key vault that the targeted secret resides in, e.g. my_vault.
secret_name
The name of the secret to interrogate, e.g. my_secret.
name
Alias for the secret_name parameter, e.g. my_secret.
secret_version
(Optional) The version of the secret, e.g. 7df9bf2c3b4347bab213ebe233f0e350.
secret_id
The unique id of the secret, e.g. https://example_vault.vault.azure.net/secrets/secret_name/7df9bf2c3b4347bab213ebe233f0e350.

Any one of the following parameter sets is sufficient for a valid query:

  • vault_name and secret_name
  • vault_name and name
  • secret_id

Properties

id
The secret id, e.g. https://example_vault.vault.azure.net/secrets/secret_name.
kid
If this is a secret backing a Key Vault certificate, this field specifies the corresponding key backing that certificate.
attributes
The secret management attributes, in the format returned by the Azure REST API.
contentType
The content type of the secret.
content_type
Alias for contentType.
managed
true if the secret's lifetime is managed by Key Vault. If this is a secret backing a certificate, managed is true.
tags
Application-specific metadata in the form of key-value pairs.
value
The secret's value.

Also, refer to Azure documentation for more details. Any attribute in the response may be accessed with the key names separated by dots (.).

Examples

Test the Secret Identifier.

describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret') do
  its('id') { should cmp 'https://example_vault.vault.azure.net/secrets/example_secret' }
end

Test if the Secret is Enabled.

describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret') do
  its('attributes.enabled') { should eq true }
end
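As an added example (not code from the InSpec Azure resource pack), the checks a control like the ones above would express, written in plain Ruby over a constructed Key Vault secret response: the dotted-key lookup the resource documents (attributes.enabled) plus the expiry and not-before checks a practitioner usually wants next to the enabled check. The response hash, the attribute names exp/nbf/created (Unix epoch seconds, as the Azure REST API returns them) and the policy thresholds are assumptions.

```ruby
# Constructed sample of a Key Vault secret response; values are made up.
# Timestamps are Unix epoch seconds, as the Azure REST API returns them.
SAMPLE_SECRET = {
  'id' => 'https://example_vault.vault.azure.net/secrets/example_secret/7df9bf2c3b4347bab213ebe233f0e350',
  'contentType' => 'text/plain',
  'managed' => false,
  'attributes' => {
    'enabled' => true,
    'nbf' => 1_700_000_000,
    'exp' => 1_731_536_000,      # exactly 365 days after 'created'
    'created' => 1_700_000_000,
    'updated' => 1_700_000_000,
    'recoveryLevel' => 'Recoverable+Purgeable'
  },
  'tags' => { 'owner' => 'platform-team' }
}.freeze

# Look up a nested value by dotted path, mirroring the resource's
# "attributes.enabled" style of access. Returns nil if any segment is missing.
def dig_dotted(response, path)
  path.split('.').reduce(response) do |node, key|
    node.is_a?(Hash) ? node[key] : nil
  end
end

# Evaluate a secret against a small policy. Returns an array of failure
# messages; an empty array means the secret passes every check.
def audit_secret(response, now:, max_lifetime_days: 365)
  failures = []
  failures << 'secret is disabled' unless dig_dotted(response, 'attributes.enabled') == true
  exp = dig_dotted(response, 'attributes.exp')
  if exp.nil?
    failures << 'no expiry (attributes.exp) set'
  else
    failures << 'secret has expired' if exp <= now
    created = dig_dotted(response, 'attributes.created')
    if created && (exp - created) > max_lifetime_days * 86_400
      failures << "lifetime exceeds #{max_lifetime_days} days"
    end
  end
  nbf = dig_dotted(response, 'attributes.nbf')
  failures << 'secret is not yet valid (attributes.nbf is in the future)' if nbf && nbf > now
  failures << 'contentType is empty' if dig_dotted(response, 'contentType').to_s.empty?
  failures
end

if __FILE__ == $PROGRAM_NAME
  puts audit_secret(SAMPLE_SECRET, now: 1_710_000_000).inspect # => []
end
```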

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

# If we expect the secret to always exist

describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret') do
  it { should exist }
end

# If we expect the secret to never exist

describe azure_key_vault_secret(vault_name: 'example_vault', secret_name: 'example_secret') do
  it { should_not exist }
end

Azure Permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.
