azure_key_vault resource
Use the azure_key_vault InSpec audit resource to test the properties related to a key vault.
Azure REST API version, endpoint, and HTTP client parameters
This resource interacts with API versions supported by the resource provider.
You can specify the api_version as a resource parameter to use a specific version of the Azure REST API.
If you don’t specify an API version, this resource uses the latest version available.
For more information about API versioning, see the azure_generic_resource.
By default, this resource uses the azure_cloud global endpoint and default HTTP client settings.
You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China).
For more information about configuration options, see the resource pack README.
Syntax
Either resource_group and name, or resource_id, are required parameters.
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT-101') do
it { should exist }
its('name') { should cmp 'vault-101' }
end
describe azure_key_vault(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults/{vaultName}') do
it { should exist }
end
Parameters
resource_group - Azure resource group where the targeted resource resides.
name - Name of the Azure resource to test.
vault_name - Name of the Azure resource to test (for backward compatibility).
resource_id - The unique resource ID.
diagnostic_settings_api_version - The endpoint API version for the diagnostic_settings property. 2017-05-01-preview will be used for backward compatibility unless provided.
Any one of the following parameter sets can be provided for a valid query:
resource_id
resource_group and name
resource_group and vault_name
Properties
diagnostic_settings- The active diagnostic settings list for the key vault.
diagnostic_settings_logs- The logs enabled status of every category for the key vault.
For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.
Also, see the Azure documentation for other available properties.
You can access any attribute in the response with the key names separated by dots (.).
Examples
Test key vault’s SKU family:
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
its('properties.sku.family') { should eq 'A' }
end
Test if the key vault is enabled for disk encryption:
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
its('properties.enabledForDiskEncryption') { should be_true }
end
Test if Azure key vault audit logging is enabled:
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
its('diagnostic_settings_logs') { should include(true) }
end
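The audit-logging example above passes as soon as any log category in diagnostic_settings_logs is enabled. The following is an added example, not code from the InSpec Azure resource pack: it rebuilds that flattened list from a constructed diagnostic settings response (modelled on the Azure Microsoft.Insights diagnosticSettings shape, with a logs array of category/enabled pairs) and contrasts the include(true) check with a stricter one that requires the Key Vault AuditEvent category itself. The function names and the sample response are assumptions made for this illustration.

```ruby
require 'json'

# Constructed sample modelled on the Azure diagnostic settings response
# (Microsoft.Insights/diagnosticSettings): one setting, per-category logs.
# Here AuditEvent is OFF while another category is ON.
SAMPLE_DIAGNOSTIC_SETTINGS = JSON.parse(<<~JSON)
  {
    "value": [
      {
        "name": "vault-logs",
        "properties": {
          "workspaceId": "/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.OperationalInsights/workspaces/LAW",
          "logs": [
            { "category": "AuditEvent", "enabled": false },
            { "category": "AzurePolicyEvaluationDetails", "enabled": true }
          ]
        }
      }
    ]
  }
JSON

# Flatten the enabled flag of every log category across all settings,
# mirroring what the page describes for the diagnostic_settings_logs property.
def diagnostic_settings_logs(response)
  response.fetch('value', []).flat_map do |setting|
    setting.dig('properties', 'logs').to_a.map { |log| log['enabled'] == true }
  end
end

# Equivalent of the page's check: `its('diagnostic_settings_logs') { should include(true) }`.
# It is satisfied by any enabled category, not necessarily AuditEvent.
def any_log_enabled?(response)
  diagnostic_settings_logs(response).include?(true)
end

# Stricter check: the AuditEvent category must be enabled in at least one setting.
def audit_event_enabled?(response)
  response.fetch('value', []).any? do |setting|
    setting.dig('properties', 'logs').to_a.any? do |log|
      log['category'] == 'AuditEvent' && log['enabled'] == true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "diagnostic_settings_logs: #{diagnostic_settings_logs(SAMPLE_DIAGNOSTIC_SETTINGS).inspect}"
  puts "include(true) check:      #{any_log_enabled?(SAMPLE_DIAGNOSTIC_SETTINGS)}"
  puts "AuditEvent enabled:       #{audit_event_enabled?(SAMPLE_DIAGNOSTIC_SETTINGS)}"
end
```

On the constructed sample the include(true) form passes while the AuditEvent-specific check fails, so a control that needs audit events in particular should look at the categories inside diagnostic_settings rather than only at the flattened list.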
Matchers
For a full list of available matchers, see our Universal Matchers page.
exists
# If a key vault is found, it will exist.
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
it { should exist }
end
not_exists
# Key vaults that aren't found will not exist.
describe azure_key_vault(resource_group: 'RESOURCE_GROUP', name: 'VAULT_NAME') do
it { should_not exist }
end
Azure permissions
Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.