Skip to content

Add policy pack - Check Azure VNets have flow log enabled. Closes #893 #894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add policy pack - Check Azure VNets have flow log enabled. Closes #893 #894

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0d5d423
Add policy pack - Azure VNets have flow log enabled. Closes #893
vkumbha Dec 23, 2024
2a9fb3d
Update messages and title
vkumbha Dec 23, 2024
d804a57
update title
vkumbha Dec 23, 2024
26d7921
update file name
vkumbha Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions policy_packs/azure/network/check_virtual_networks_have_flowlogs_enabled/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
---
categories: ["logging", "networking"]
primary_category: "networking"
type: "featured"
---

# Check Azure Virtual Networks Have Flow Logs Enabled

Ensure that Azure Virtual Networks have flow logs configured and enabled to monitor and analyze network traffic. Flow logs capture information about IP traffic flowing in and out of network interfaces in the virtual network. This helps detect anomalies, troubleshoot issues, and maintain compliance with security best practices and regulatory requirements.

This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for network security groups:

- Check if flow logs are configured for Azure Virtual Networks
- Validate that flow logging status is enabled
Comment on lines +11 to +14
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for network security groups:
- Check if flow logs are configured for Azure Virtual Networks
- Validate that flow logging status is enabled
This [policy pack](https://turbot.com/guardrails/docs/concepts/policy-packs) can help you configure the following settings for virtual networks:
- Check if flow logs are configured and enabled
- Delete unapproved virtual networks if flow logging is not enabled


**[Review policy settings →](https://hub.guardrails.turbot.com/policy-packs/azure_network_check_virtual_networks_have_flowlog_enabled/settings)**

## Getting Started

### Requirements

- [Terraform](https://developer.hashicorp.com/terraform/install)
- Guardrails mods:
- [@turbot/azure-network](https://hub.guardrails.turbot.com/mods/azure/mods/azure-network)
- [@turbot/azure-networkwatcher](https://hub.guardrails.turbot.com/mods/azure/mods/azure-networkwatcher)

### Credentials

To create a policy pack through Terraform:

- Ensure you have `Turbot/Admin` permissions (or higher) in Guardrails
- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails

And then set your credentials:

```sh
export TURBOT_WORKSPACE=myworkspace.acme.com
export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
```

Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.

## Usage

### Install Policy Pack

> [!NOTE]
> By default, installed policy packs are not attached to any resources.
>
> Policy packs must be attached to resources in order for their policy settings to take effect.

Clone:

```sh
git clone https://github.com/turbot/guardrails-samples.git
cd guardrails-samples/policy_packs/azure/network/check_virtual_networks_have_flowlog_enabled
```

Run the Terraform to create the policy pack in your workspace:

```sh
terraform init
terraform plan
```

Then apply the changes:

```sh
terraform apply
```

### Apply Policy Pack

Log into your Guardrails workspace and [attach the policy pack to a resource](https://turbot.com/guardrails/docs/guides/policy-packs#attach-a-policy-pack-to-a-resource).

If this policy pack is attached to a Guardrails folder, its policies will be applied to all accounts and resources in that folder. The policy pack can also be attached to multiple resources.

For more information, please see [Policy Packs](https://turbot.com/guardrails/docs/concepts/policy-packs).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the Enable Enforcement block if the Enforce option is added to the Policy Pack.

5 changes: 5 additions & 0 deletions policy_packs/azure/network/check_virtual_networks_have_flowlogs_enabled/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
resource "turbot_policy_pack" "main" {
title = "Check Azure Virtual Networks Have Flow Logs Enabled"
description = "Ensure that logging is enabled for Azure Virtual Networks to monitor traffic and maintain security compliance."
akas = ["azure_network_check_virtual_networks_have_flowlog_enabled"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the aka would be azure_network_enforce_virtual_networks_have_flowlog_enabled if we include the Enforce option too?

}
77 changes: 77 additions & 0 deletions policy_packs/azure/network/check_virtual_networks_have_flowlogs_enabled/policies.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# Azure > Network > Virtual Network > Approved
resource "turbot_policy_setting" "azure_network_virtual_network_approved" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/azure-network#/policy/types/virtualNetworkApproved"
value = "Check: Approved"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we only want to add the Check option?
In general, we include the Enforce option as well if the policy supports it.

Copy link
Contributor Author

@vkumbha vkumbha Jan 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SumitPopat I believe that if a Virtual Network does not have Flow Logs enabled, the goal should be to enforce the creation of Flow Logs rather than deleting the VNet. However, since the Azure Flow Log stack (similar to the AWS > VPC > VPC > Flow Logging) is not currently available, we decided to proceed with a Check mode approach in this case.

}

# Azure > Network > Virtual Network > Approved > Usage
resource "turbot_policy_setting" "azure_network_virtual_network_approved_usage" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/azure-network#/policy/types/virtualNetworkApprovedUsage"
value = "Approved"
}

# Azure > Network > Virtual Network > Approved > Custom
resource "turbot_policy_setting" "azure_network_virtual_network_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/azure-network#/policy/types/virtualNetworkApprovedCustom"
template_input = <<-EOT
- |
{
resource {
name:get(path:"name")
flowLogs:get(path:"flowLogs")
}
}
- |
{
resource {
name:get(path:"name")
flowLogs:get(path:"flowLogs")
}
resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}'"){
items {
enabled:get(path:"enabled")
id:get(path:"id")
name:get(path:"name")
}
Comment on lines +23 to +38
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name:get(path:"name")
flowLogs:get(path:"flowLogs")
}
}
- |
{
resource {
name:get(path:"name")
flowLogs:get(path:"flowLogs")
}
resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}'"){
items {
enabled:get(path:"enabled")
id:get(path:"id")
name:get(path:"name")
}
name: get(path:"name")
flowLogs: get(path:"flowLogs")
}
}
- |
{
resource {
name: get(path:"name")
flowLogs: get(path:"flowLogs")
}
resources(filter:"resourceTypeId:tmod:@turbot/azure-networkwatcher#/resource/types/flowLog $.id:'{{ $.resource.flowLogs[0].id }}' resourceTypeLevel:self"){
items {
enabled:get(path:"enabled")
id:get(path:"id")
name:get(path:"name")
}

}
}
EOT
template = <<-EOT
{%- set virtualNetworkFlowLogs = $.resource.flowLogs %}
{%- set subscriptionFlowLogs = $.resources.items %}

{%- if virtualNetworkFlowLogs and virtualNetworkFlowLogs | length > 0 %}
{%- for vnetFlowLog in virtualNetworkFlowLogs %}
{%- set matchedFlowLog = null %}
{%- for subscriptionFlowLog in subscriptionFlowLogs %}
{%- if subscriptionFlowLog.id == vnetFlowLog.id %}
{%- set matchedFlowLog = subscriptionFlowLog %}
{%- endif %}
{%- endfor %}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the existing format for setting approved > custom policies. For reference please check: https://github.com/turbot/guardrails-samples/blob/main/policy_packs/aws/ec2/enforce_instances_use_amis_with_approved_tags/policies.tf#L13

{%- if matchedFlowLog %}
{%- if matchedFlowLog.enabled %}
- title: Flow Log
result: Approved
message: "Flow log '{{ matchedFlowLog.name }}' is enabled"
{%- else %}
- title: Flow Log
result: Not approved
message: "Flow log '{{ matchedFlowLog.name }}' is configured but not enabled"
{%- endif %}
{%- else %}
- title: Flow Log
result: Skip
message: "Flow log is configured, but the resource '{{ vnetFlowLog.id.split('/').pop() }}' is not in CMDB. Please run the Flow Log Discovery controls within the Subscription"
{%- endif %}
{%- endfor %}
{%- else %}
- title: Flow Log
result: Not approved
message: "Flow log is not configured"
{%- endif %}
EOT
}
11 changes: 11 additions & 0 deletions policy_packs/azure/network/check_virtual_networks_have_flowlogs_enabled/providers.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
terraform {
required_providers {
turbot = {
source = "turbot/turbot"
version = ">= 1.11.0"
}
}
}

provider "turbot" {
}