azure - require ssl action (cloud-custodian#4657)
Winston Frick authored and stefangordon committed Aug 26, 2019
1 parent 3105d51 commit cff20ac
Showing 3 changed files with 171 additions and 0 deletions.
41 changes: 41 additions & 0 deletions tools/c7n_azure/c7n_azure/resources/storage.py
Expand Up @@ -465,3 +465,44 @@ def update_logging(storage_type, storage_account, logging_settings, session=None

return getattr(client, 'set_{}_service_properties'
.format(storage_type))(logging=logging_settings)


@Storage.action_registry.register('require-secure-transfer')
class RequireSecureTransferAction(AzureBaseAction):
"""Action that updates the Secure Transfer setting on Storage Accounts.
Programmatically, this will be seen by updating the EnableHttpsTrafficOnly setting
:example:
Turns on Secure transfer required for all storage accounts. This will reject requests that
use HTTP to your storage accounts.
.. code-block:: yaml
policies:
- name: require-secure-transfer
resource: azure.storage
actions:
- type: require-secure-transfer
value: True
"""

# Default to true assuming user wants secure connection
schema = type_schema(
'require-secure-transfer',
**{
'value': {'type': 'boolean', "default": True},
})

def __init__(self, data, manager=None):
super(RequireSecureTransferAction, self).__init__(data, manager)

def _prepare_processing(self):
self.client = self.manager.get_client()

def _process_resource(self, resource):
self.client.storage_accounts.update(
resource['resourceGroup'],
resource['name'],
StorageAccountUpdateParameters(enable_https_traffic_only=self.data.get('value'))
)
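Review bot: The comment above the schema says the action defaults to true, but `_process_resource` reads `self.data.get('value')` with no fallback, so a policy that omits `value` passes `enable_https_traffic_only=None` to the update unless the framework copies schema defaults into `self.data` before the action runs (not visible here). A policy written to enforce secure transfer would then issue an update that leaves the setting untouched and report success. Reading the value as `self.data.get('value', True)` keeps the runtime behavior in step with the declared default. The `__init__` override only forwards to the base class and can be dropped.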
@@ -0,0 +1,96 @@
{
"version": 1,
"interactions": [
{
"request": {
"method": "GET",
"uri": "https://management.azure.com/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Storage/storageAccounts?api-version=2019-04-01",
"body": null,
"headers": {}
},
"response": {
"status": {
"code": 200,
"message": "OK"
},
"headers": {
"content-length": [
"15747"
],
"date": [
"Fri, 23 Aug 2019 16:58:47 GMT"
],
"x-ms-original-request-ids": [
"d28d451c-55c8-45fd-9658-1cb0de1edf47",
"6b218423-441c-4392-a347-2b7eafa0472a",
"1ec4b285-09a8-418b-9d1b-7d7bf04d1993",
"7818b741-1f5a-484e-8815-ede3d9d720c3",
"76a3565a-9749-41df-9ef0-d1cf3c53503e"
],
"content-type": [
"application/json; charset=utf-8"
],
"cache-control": [
"no-cache"
]
},
"body": {
"data": {
"value": [
{
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "Storage",
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/test_storage/providers/Microsoft.Storage/storageAccounts/cctstoragey6akyqpagdt3o",
"name": "cctstoragey6akyqpagdt3o",
"type": "Microsoft.Storage/storageAccounts",
"location": "southcentralus",
"tags": {},
"properties": {
"networkAcls": {
"bypass": "Logging, Metrics",
"virtualNetworkRules": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/test_storage/providers/Microsoft.Network/virtualNetworks/cctstoragevnet2/subnets/testsubnet2",
"action": "Allow",
"state": "Succeeded"
}
],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"enabled": true,
"lastEnabledTime": "2019-08-09T15:31:36.7268124Z"
},
"blob": {
"enabled": true,
"lastEnabledTime": "2019-08-09T15:31:36.7268124Z"
}
},
"keySource": "Microsoft.Storage"
},
"provisioningState": "Succeeded",
"creationTime": "2019-08-09T15:31:36.6799289Z",
"primaryEndpoints": {
"blob": "https://cctstoragey6akyqpagdt3o.blob.core.windows.net/",
"queue": "https://cctstoragey6akyqpagdt3o.queue.core.windows.net/",
"table": "https://cctstoragey6akyqpagdt3o.table.core.windows.net/",
"file": "https://cctstoragey6akyqpagdt3o.file.core.windows.net/"
},
"primaryLocation": "southcentralus",
"statusOfPrimary": "available"
}
}
]
}
}
}
}
]
}
34 changes: 34 additions & 0 deletions tools/c7n_azure/tests/test_storage.py
Expand Up @@ -21,6 +21,8 @@

from c7n.utils import get_annotation_prefix
from c7n.utils import local_session
from c7n_azure.session import Session
from azure.mgmt.storage.models import StorageAccountUpdateParameters


class StorageTest(BaseTest):
Expand Down Expand Up @@ -539,3 +541,35 @@ def test_storage_settings_update_logging_blob(self, mock_set_blob_properties):
BLOB_TYPE, mock_storage_account, log_settings, token=mock_token)

mock_set_blob_properties.assert_called_once()

def test_storage_settings_require_secure_transfer(self):
with patch('azure.mgmt.storage.v%s.operations.'
'_storage_accounts_operations.StorageAccountsOperations.update'
% self._get_storage_management_client_api_string()) as update_storage_mock:
p = self.load_policy({
'name': 'my-first-policy',
'resource': 'azure.storage',
'filters': [
{'type': 'value',
'key': 'name',
'op': 'glob',
'value_type': 'normalize',
'value': 'cctstorage*'}
],
'actions': [
{'type': 'require-secure-transfer',
'value': True}
]
})
p.run()
args = update_storage_mock.call_args_list[0][0]

self.assertEqual(args[0], 'test_storage')
self.assertTrue(args[1].startswith('cctstorage'))
self.assertEqual(args[2],
StorageAccountUpdateParameters(enable_https_traffic_only=True))

def _get_storage_management_client_api_string(self):
return local_session(Session)\
.client('azure.mgmt.storage.StorageManagementClient')\
.DEFAULT_API_VERSION.replace("-", "_")
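Review bot: `test_storage_settings_require_secure_transfer` covers only the explicit `'value': True` case; neither the schema default (a policy with no `value` key) nor `'value': False` is exercised, so a regression in how the action reads its default would go unnoticed. A second policy dict that omits `value` and asserts the same `StorageAccountUpdateParameters(enable_https_traffic_only=True)` argument would pin the default path. The `patch` target is built from the live client's `DEFAULT_API_VERSION`, which ties the test to the installed SDK version; a one-line comment above the `with patch(...)` stating that intent would help the next reader. The enclosing `StorageTest` class starts outside the hunk.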
