[Asset Inventory][Azure] Add test cases and installation script (#2498)

elastic · Sep 20, 2024 · 065087e · 065087e
1 parent aa434ee
commit 065087e
Show file tree

Hide file tree

Showing 15 changed files with 579 additions and 45 deletions.
diff --git a/.github/actions/azure-asset-inventory-ci/action.yml b/.github/actions/azure-asset-inventory-ci/action.yml
@@ -0,0 +1,70 @@
+name: 'Azure Asset Inventory CI'
+description: 'Azure Asset Inventory integration tests'
+inputs:
+  elk-version:
+    description: 'ELK version'
+    required: true
+  azure-client-id:
+    description: 'Azure client id'
+    required: true
+  azure-tenant-id:
+    description: 'Azure tenant id'
+    required: true
+  azure-client-secret:
+    description: 'Azure client secret'
+    required: true
+
+  debug:
+    description: 'debug'
+    required: false
+    default: 'false'
+runs:
+  using: composite
+  steps:
+    - name: Init Integration
+      uses: ./.github/actions/init-integration
+      with:
+        elk-version: ${{ inputs.elk-version }}
+
+    - name: Run cloudbeat in background
+      env:
+        ES_HOST: http://localhost:9200
+        ES_USERNAME: elastic
+        ES_PASSWORD: changeme
+        AZURE_ACCOUNT_TYPE: single-account
+        AZURE_CREDENTIALS_TYPE: service_principal_with_client_secret
+        AZURE_CLIENT_ID: ${{ inputs.azure-client-id }}
+        AZURE_TENANT_ID: ${{ inputs.azure-tenant-id }}
+        AZURE_CLIENT_SECRET: ${{ inputs.azure-client-secret }}
+      shell: bash
+      run: |
+        ./cloudbeat -c deploy/asset-inventory/cloudbeat-azure-asset-inventory.yml -d '*' &
+
+    - name: Wait for cloudbeat to send some events
+      shell: bash
+      run: sleep 15
+
+    - name: Check for findings
+      working-directory: ./tests
+      env:
+        USE_K8S: "false"
+      shell: bash
+      run: poetry run pytest -k "asset_inventory_azure" --alluredir=./allure/results/ --clean-alluredir
+
+    - name: Upload test results
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: allure-results-ci-azure
+        path: tests/allure/results/
+        overwrite: true
+
+    - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
+      name: Upload cloudbeat logs
+      uses: actions/upload-artifact@v4
+      with:
+        name: cloubeat-logs-ci-azure
+        path: logs/
+        if-no-files-found: warn
+        retention-days: 1
+        overwrite: true
diff --git a/.github/workflows/ci-pull_request.yml b/.github/workflows/ci-pull_request.yml
@@ -67,6 +67,11 @@ jobs:
         shell: bash
         run: terraform fmt -check -recursive
 
+      - name: Show git diff on failure
+        shell: bash
+        if: ${{ failure() }}
+        run: git diff
+
   unit-test:
     name: Unit Test
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,9 +54,9 @@ jobs:
           azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
           azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
 
-  ci-aws:
+  ci-azure-asset-inventory:
     needs: [ init-hermit ]
-    name: CIS AWS CI
+    name: Azure Asset Inventory CI
     runs-on: ubuntu-22.04
     timeout-minutes: 60
     permissions:
@@ -69,17 +69,17 @@ jobs:
       - name: Hermit Environment
         uses: ./.github/actions/hermit
 
-      - name: Run AWS integration tests
-        uses: ./.github/actions/aws-ci
+      - name: Run Azure integration tests
+        uses: ./.github/actions/azure-asset-inventory-ci
         with:
           elk-version: ${{ env.ELK_VERSION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
-          aws-account-type: single-account
+          azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
+          azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
+          azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
 
-  ci-aws-asset-inventory:
+  ci-aws:
     needs: [ init-hermit ]
-    name: AWS Asset Inventory CI
+    name: CIS AWS CI
     runs-on: ubuntu-22.04
     timeout-minutes: 60
     permissions:
@@ -92,16 +92,17 @@ jobs:
       - name: Hermit Environment
         uses: ./.github/actions/hermit
 
-      - name: Run AWS Asset Inventory integration tests
-        uses: ./.github/actions/aws-asset-inventory-ci
+      - name: Run AWS integration tests
+        uses: ./.github/actions/aws-ci
         with:
           elk-version: ${{ env.ELK_VERSION }}
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
+          aws-account-type: single-account
 
-  ci-gcp-asset-inventory:
-    needs: [init-hermit]
-    name: GCP Asset Inventory CI
+  ci-aws-asset-inventory:
+    needs: [ init-hermit ]
+    name: AWS Asset Inventory CI
     runs-on: ubuntu-22.04
     timeout-minutes: 60
     permissions:
@@ -114,12 +115,12 @@ jobs:
       - name: Hermit Environment
         uses: ./.github/actions/hermit
 
-      - name: Run GCP Asset Inventory integration tests
-        uses: ./.github/actions/gcp-asset-inventory-ci
+      - name: Run AWS Asset Inventory integration tests
+        uses: ./.github/actions/aws-asset-inventory-ci
         with:
           elk-version: ${{ env.ELK_VERSION }}
-          credentials-json: ${{ secrets.GCP_ASSETS_INVENTORY_CREDENTIALS_JSON }}
-          project-id: "elastic-security-test"
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
 
   ci-gcp:
     needs: [ init-hermit ]
@@ -145,6 +146,29 @@ jobs:
           gcp-project-id: 'elastic-security-test'
           gcp-account-type: 'single-account'
 
+  ci-gcp-asset-inventory:
+    needs: [init-hermit]
+    name: GCP Asset Inventory CI
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    permissions:
+      contents: "read"
+      id-token: "write"
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Hermit Environment
+        uses: ./.github/actions/hermit
+
+      - name: Run GCP Asset Inventory integration tests
+        uses: ./.github/actions/gcp-asset-inventory-ci
+        with:
+          elk-version: ${{ env.ELK_VERSION }}
+          credentials-json: ${{ secrets.GCP_ASSETS_INVENTORY_CREDENTIALS_JSON }}
+          project-id: "elastic-security-test"
+
+
   ci-cnvm:
     needs: [ init-hermit ]
     name: CNVM CI
@@ -269,9 +293,11 @@ jobs:
   upload-allure-results:
     needs:
       - ci-azure
+      - ci-azure-asset-inventory
       - ci-aws
       - ci-aws-asset-inventory
       - ci-gcp
+      - ci-gcp-asset-inventory
       - ci-cnvm
       - ci-k8s
     name: Upload integration tests results

diff --git a/.github/workflows/test-environment.yml b/.github/workflows/test-environment.yml
@@ -425,6 +425,20 @@ jobs:
           AZURE_TAGS: ${{ env.AZURE_DEFAULT_TAGS }}
         run: ./install_agent_az_cli.sh
 
+      - name: Install Azure Asset Inventory integration
+        id: azure-asset-inventory-integration
+        working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }}
+        run: |
+          poetry run python ./install_azure_asset_inventory_integration.py
+
+      - name: Deploy Azure Asset Inventory agent
+        id: azure-asset-inventory-agent
+        working-directory: deploy/azure
+        env:
+          AZURE_TAGS: ${{ env.AZURE_DEFAULT_TAGS }}
+          DEPLOYMENT_NAME: "${{ env.DEPLOYMENT_NAME }}-inventory"
+        run: ./install_agent_az_cli.sh
+
       - name: Install D4C integration
         id: kspm-d4c
         working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }}

diff --git a/deploy/asset-inventory/cloudbeat-azure-asset-inventory.yml b/deploy/asset-inventory/cloudbeat-azure-asset-inventory.yml
@@ -0,0 +1,66 @@
+cloudbeat:
+  type: cloudbeat/asset_inventory
+  config:
+    v1:
+      type: asset_inventory
+      asset_inventory_provider: azure
+      azure:
+        account_type: ${AZURE_ACCOUNT_TYPE:""}
+        credentials:
+          type: ${AZURE_CREDENTIALS_TYPE:""}
+          client_id: ${AZURE_CLIENT_ID:""}
+          tenant_id: ${AZURE_TENANT_ID:""}
+          client_secret: ${AZURE_CLIENT_SECRET:""}
+  # Defines how often an event is sent to the output
+  period: 30s
+  evaluator:
+    decision_logs: false
+# =================================== Kibana ===================================
+setup.kibana:
+  # Kibana Host
+  host: "http://host.docker.internal:5601"
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Cloudbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ${ES_HOST}
+
+  # Protocol - either `http` (default) or `https`.
+  #  protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  username: ${ES_USERNAME}
+  password: ${ES_PASSWORD}
+
+  # Enable to allow sending output to older ES versions
+  allow_older_versions: true
+
+# ================================= Processors =================================
+processors:
+  - add_cloud_metadata: ~
+  - add_docker_metadata: ~
+  - drop_fields:
+      fields: ["host.name"]
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+logging.level: debug
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: ["publisher"]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
diff --git a/deploy/cloud/data/agent_policy_asset_inventory_azure.json b/deploy/cloud/data/agent_policy_asset_inventory_azure.json
@@ -0,0 +1,8 @@
+{
+    "name": "tf-ap-asset-inventory-azure",
+    "namespace": "default",
+    "monitoring_enabled": [
+        "logs",
+        "metrics"
+    ]
+}
diff --git a/deploy/cloud/data/package_policy_asset_inventory_azure.json b/deploy/cloud/data/package_policy_asset_inventory_azure.json
@@ -0,0 +1,30 @@
+{
+    "policy_id": "${agent_policy_id}",
+    "package": {
+        "name": "cloud_asset_inventory",
+        "version": "0.2.1"
+    },
+    "name": "pkg-plcy-asset-inventory-azure-tf",
+    "description": "",
+    "namespace": "default",
+    "inputs": {
+        "asset_inventory-cloudbeat/asset_inventory_aws": {
+            "enabled": false,
+            "streams": {
+                "cloud_asset_inventory.asset_inventory": {
+                    "enabled": false,
+                    "vars": {}
+                }
+            }
+        },
+        "asset_inventory-cloudbeat/asset_inventory_azure": {
+            "enabled": true,
+            "streams": {
+                "cloud_asset_inventory.asset_inventory": {
+                    "enabled": true,
+                    "vars": {}
+                }
+            }
+        }
+    }
+}