turbot/steampipe-mod-terraform-azure-compliance

Control: Key Vault should use a virtual network service endpoint

Description

This control flags any azurerm_key_vault resource that is not configured to use a virtual network service endpoint: to pass, the resource's network_acls block must set default_action to Deny and list at least one subnet in virtual_network_subnet_ids. A vault with no network_acls block, with default_action Allow, or with Deny but an empty subnet list is reported as alarm.

Usage

Run the control in your terminal:

powerpipe control run terraform_azure_compliance.control.keyvault_vault_use_virtual_service_endpoint

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_azure_compliance.control.keyvault_vault_use_virtual_service_endpoint --share

SQL

This control uses a named query:

with key_vaults as (
  select
    *
  from
    terraform_resource
  where
    type = 'azurerm_key_vault'
), key_vaults_subnet as (
  -- one row per vault that lists at least one subnet in network_acls.virtual_network_subnet_ids;
  -- a missing block or an empty list produces no row, so the vault later fails the null check
  select
    distinct address
  from
    key_vaults as a,
    jsonb_array_elements(attributes_std -> 'network_acls' -> 'virtual_network_subnet_ids') as id
)
select
  a.address as resource,
  case
    -- a missing network_acls block yields null here, which does not match and falls through to the subnet check
    when (attributes_std -> 'network_acls' ->> 'default_action')::text <> 'Deny' then 'alarm'
    when s.address is null then 'alarm'
    else 'ok'
  end as status,
  -- the reason must test the same network_acls.default_action as the status column;
  -- testing network_rule_set (a key azurerm_key_vault does not have) would report
  -- "configured" for a vault the status column marks as alarm
  split_part(a.address, '.', 2) || case
    when (attributes_std -> 'network_acls' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'
    when s.address is null then ' not configured with virtual service endpoint'
    else ' configured with virtual service endpoint'
  end || '.' reason
  , path || ':' || start_line
from
  key_vaults as a
  left join key_vaults_subnet as s on a.address = s.address;
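As an added illustration that is not part of the mod or its documentation, the following Terraform defines one azurerm_key_vault the query above reports as alarm and one it reports as ok. The resource names, the eastus location, the address ranges and the vault names (which must be globally unique in Azure) are placeholders chosen for this example.

```hcl
# Added example, not code from the mod. Names, location, address ranges and
# vault names are placeholders; vault names must be globally unique.

resource "azurerm_resource_group" "example" {
  name     = "rg-kv-endpoint-example"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-kv-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.10.0.0/16"]
}

# The service endpoint itself is enabled on the subnet. The vault's network
# rule only references the subnet; without Microsoft.KeyVault here the rule
# does not give the subnet a service endpoint to the vault.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
  service_endpoints    = ["Microsoft.KeyVault"]
}

data "azurerm_client_config" "current" {}

# Reported as alarm: default_action is Allow and no subnet is listed, so the
# vault is reachable from any network and no service endpoint is in use.
resource "azurerm_key_vault" "open" {
  name                = "kv-open-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action = "Allow"
    bypass         = "AzureServices"
  }
}

# Reported as ok: default_action is Deny and at least one subnet is listed in
# virtual_network_subnet_ids. Deny with an empty subnet list, or Allow with a
# subnet list, is still reported as alarm by the query.
resource "azurerm_key_vault" "restricted" {
  name                = "kv-restricted-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}
```

Running the control against a directory containing this file yields one alarm row for azurerm_key_vault.open and one ok row for azurerm_key_vault.restricted; the bypass argument is required by the provider in every network_acls block but is not examined by the query.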

Tags