Merge pull request #20 from cloudgraphdev/feature/CG-1208

feat(services): Updated Disk and StorageAccount services needed for CIS 3.3 and 7.7 rules

Author: tyler-dunkel

package.json

@@ -58,8 +58,8 @@
     "@azure/arm-privatedns": "^3.0.0",
     "@azure/arm-recoveryservices": "^5.0.0",
     "@azure/arm-recoveryservices-siterecovery": "^4.0.0",
-    "@azure/arm-rediscache": "^6.1.0",
     "@azure/arm-recoveryservicesbackup": "^8.1.0",
+    "@azure/arm-rediscache": "^6.1.0",
     "@azure/arm-resources": "^5.0.0",
     "@azure/arm-security": "^4.0.0",
     "@azure/arm-servicebus": "^5.0.0",
@@ -72,6 +72,7 @@
     "@azure/core-http": "^2.2.4",
     "@azure/identity": "^2.0.4",
     "@azure/storage-blob": "^12.8.0",
+    "@azure/storage-queue": "^12.9.0",
     "@cloudgraph/sdk": "0.14.2",
     "@graphql-tools/load-files": "^6.5.3",
     "@graphql-tools/merge": "^8.2.3",

src/services/disk/format.ts

@@ -33,6 +33,7 @@ export default ({
     networkAccessPolicy,
     tier,
     encryption: { type: encryptionSettings = null } = {},
+    encryptionSettingsCollection: { enabled: encryptionEnabled } = {},
     resourceGroupId,
     Tags,
   } = service
@@ -61,6 +62,7 @@ export default ({
     networkAccessPolicy,
     tier,
     encryptionSettings,
+    azureDiskEncryptionEnabled: encryptionEnabled ?? false,
     resourceGroupId,
     tags: formatTagsFromMap(Tags),
   }

src/services/disk/schema.graphql

@@ -20,6 +20,7 @@ type azureDisk implements azureResource
   networkAccessPolicy: String @search(by: [hash, regexp])
   tier: String @search(by: [hash, regexp])
   encryptionSettings: String @search(by: [hash, regexp])
+  azureDiskEncryptionEnabled: Boolean @search
   resourceGroup: [azureResourceGroup] @hasInverse(field: disks)
   virtualMachine: [azureVirtualMachine] @hasInverse(field: disks)
 }

src/services/storageAccount/data.ts

@@ -5,6 +5,11 @@ import {
   StorageAccountKey,
   StorageManagementClient,
 } from '@azure/arm-storage'
+import {
+  QueueServiceClient,
+  StorageSharedKeyCredential,
+  QueueServiceProperties,
+} from '@azure/storage-queue'
 import { isEmpty } from 'lodash'
 import azureLoggerText from '../../properties/logger'
 
@@ -21,12 +26,35 @@ export interface RawAzureStorageAccount
   keys: StorageAccountKey[]
   Tags: TagMap
   blobServiceProperties: BlobServiceProperties
+  queueServiceProperties: QueueServiceProperties
 }
 
 const { logger } = CloudGraph
 const lt = { ...azureLoggerText }
 const serviceName = 'StorageAccount'
 
+const getQueueServiceProperties = async (
+  accountName: string,
+  accountKey: string
+): Promise<QueueServiceProperties> => {
+  try {
+    const sharedKeyCredential = new StorageSharedKeyCredential(
+      accountName,
+      accountKey
+    )
+
+    const queueClient = new QueueServiceClient(
+      `https://${accountName}.queue.core.windows.net`,
+      sharedKeyCredential
+    )
+
+    return await queueClient.getProperties()
+  } catch (e) {
+    logger.error(e)
+    return {}
+  }
+}
+
 export default async ({
   regions,
   config,
@@ -88,6 +116,13 @@ export default async ({
               rest.name
             )
 
+          // Fetch Storage Account Queue Service Properties
+          const [mainKey] = keys
+          const queueServiceProperties = await getQueueServiceProperties(
+            rest.name,
+            mainKey.value
+          )
+
           result[region].push({
             id,
             ...rest,
@@ -96,13 +131,14 @@ export default async ({
             keys,
             Tags: tags || {},
             blobServiceProperties,
+            queueServiceProperties,
           })
           numOfAccounts += 1
         }
       }
 
       logger.debug(lt.foundStorageAccounts(numOfAccounts))
-
+      
       return result
     }
     return existingData

src/services/storageAccount/format.ts

@@ -111,6 +111,7 @@ export default ({
     resourceGroupId,
     Tags,
     blobServiceProperties,
+    queueServiceProperties = {},
   } = service
 
   return {
@@ -270,5 +271,15 @@ export default ({
       skuName: blobServiceProperties?.sku?.name,
       skuTier: blobServiceProperties?.sku?.tier,
     },
+    queueServiceProperties: {
+      logging: queueServiceProperties ? {
+        version: queueServiceProperties.queueAnalyticsLogging?.version,
+        read : queueServiceProperties.queueAnalyticsLogging?.read ?? false,
+        write : queueServiceProperties.queueAnalyticsLogging?.write ?? false,
+        delete : queueServiceProperties.queueAnalyticsLogging?.deleteProperty ?? false,
+        retentionPolicyEnabled : queueServiceProperties.queueAnalyticsLogging?.retentionPolicy?.enabled ?? false,
+        retentionPolicyDays: queueServiceProperties.queueAnalyticsLogging?.retentionPolicy?.days
+      } : {},
+    },
   }
 }

src/services/storageAccount/schema.graphql

@@ -147,6 +147,29 @@ type azureStorageAccountServiceProperties
   skuTier: String @search(by: [hash, regexp])
 }
 
+type azureStorageAccountQueueServicePropertiesLogging
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+  version: String @search(by: [hash, regexp])
+  read: Boolean @search
+  write: Boolean @search
+  delete: Boolean @search
+  retentionPolicyEnabled: Boolean @search
+  retentionPolicyDays: Int @search
+}
+
+type azureStorageAccountQueueServiceProperties
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+  logging: azureStorageAccountQueueServicePropertiesLogging
+}
+
 type azureStorageAccount implements azureResource
   @generate(
     query: { get: true, query: true, aggregate: true }
@@ -209,6 +232,7 @@ type azureStorageAccount implements azureResource
   allowSharedKeyAccess: String @search(by: [hash, regexp])
   enableNfsV3: String @search(by: [hash, regexp])
   blobServiceProperties: azureStorageAccountServiceProperties
+  queueServiceProperties: azureStorageAccountQueueServiceProperties
   resourceGroup: [azureResourceGroup] @hasInverse(field: storageAccounts)
   storageContainers: [azureStorageContainer] @hasInverse(field: storageAccount)
   appServiceWebApp: [azureAppServiceWebApp] @hasInverse(field: storageAccounts)

src/types/generated.ts

@@ -2338,6 +2338,7 @@ export type AzureDiagnosticSettingMetricSettings = {
 };
 
 export type AzureDisk = AzureResource & {
+  azureDiskEncryptionEnabled?: Maybe<Scalars['Boolean']>;
   createOption?: Maybe<Scalars['String']>;
   diskIopsReadWrite?: Maybe<Scalars['Int']>;
   diskMbpsReadWrite?: Maybe<Scalars['Int']>;
@@ -4416,6 +4417,7 @@ export type AzureStorageAccount = AzureResource & {
   primaryMicrosoftEndpoints?: Maybe<AzureStorageAccountPrimaryMicrosoftEndpoints>;
   privateEndpointConnections?: Maybe<Array<Maybe<AzureStorageAccountPrivateEndpointConnection>>>;
   provisioningState?: Maybe<Scalars['String']>;
+  queueServiceProperties?: Maybe<AzureStorageAccountQueueServiceProperties>;
   resourceGroup?: Maybe<Array<Maybe<AzureResourceGroup>>>;
   routingPreferenceChoice?: Maybe<Scalars['String']>;
   routingPreferencePublishInternetEndpoints?: Maybe<Scalars['String']>;
@@ -4473,6 +4475,19 @@ export type AzureStorageAccountPrivateEndpointConnection = {
   provisioningState?: Maybe<Scalars['String']>;
 };
 
+export type AzureStorageAccountQueueServiceProperties = {
+  logging?: Maybe<AzureStorageAccountQueueServicePropertiesLogging>;
+};
+
+export type AzureStorageAccountQueueServicePropertiesLogging = {
+  delete?: Maybe<Scalars['Boolean']>;
+  read?: Maybe<Scalars['Boolean']>;
+  retentionPolicyDays?: Maybe<Scalars['Int']>;
+  retentionPolicyEnabled?: Maybe<Scalars['Boolean']>;
+  version?: Maybe<Scalars['String']>;
+  write?: Maybe<Scalars['Boolean']>;
+};
+
 export type AzureStorageAccountResourceAccessRule = {
   id: Scalars['String'];
   resourceId?: Maybe<Scalars['String']>;