feat: e2e test for firewalled kv

This commit is contained in:
Bart van der Braak 2023-11-22 02:18:20 +01:00
parent c885abd540
commit cde1d2207c
2 changed files with 65 additions and 12 deletions


@ -5,7 +5,7 @@ permissions:
contents: read contents: read
env: env:
VAULT_NAME: bvdbkeyweavetweukvt1 VAULT_NAME: bvdbkeyweavetweukvt{0}
on: on:
push: push:
@ -63,7 +63,7 @@ jobs:
- name: Use Keyweave with No Access Policies - name: Use Keyweave with No Access Policies
run: | run: |
chmod +x ./artifact/keyweave chmod +x ./artifact/keyweave
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
get-test: get-test:
name: Tests with Get access name: Tests with Get access
@ -80,7 +80,7 @@ jobs:
- name: Use Keyweave with Only Get Access Policy - name: Use Keyweave with Only Get Access Policy
run: | run: |
chmod +x ./artifact/keyweave chmod +x ./artifact/keyweave
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
list-test: list-test:
name: Tests with List access name: Tests with List access
@ -97,7 +97,7 @@ jobs:
- name: Use Keyweave with Only List Access Policy - name: Use Keyweave with Only List Access Policy
run: | run: |
chmod +x ./artifact/keyweave chmod +x ./artifact/keyweave
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
get-list-test: get-list-test:
name: Tests with Get and List access name: Tests with Get and List access
@ -114,24 +114,27 @@ jobs:
- name: Use Keyweave with both Get and List Access Policies - name: Use Keyweave with both Get and List Access Policies
run: | run: |
chmod +x ./artifact/keyweave chmod +x ./artifact/keyweave
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
- name: Use Keyweave with a filter - name: Use Keyweave with a filter
run: | run: |
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --filter "filter" ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --filter "filter"
- name: Use Keyweave with a complex file path - name: Use Keyweave with a complex file path
run: | run: |
mkdir -p "user/projects/project 1/src/lib" mkdir -p "user/projects/project 1/src/lib"
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "user/projects/project 1/src/lib/.env" ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "user/projects/project 1/src/lib/.env"
- name: Use Keyweave with a non-existent Key Vault - name: Use Keyweave with a non-existent Key Vault
run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}1234 run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}1234
- name: Use Keyweave with a firewalled Key Vault
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}
- name: Use Keyweave with a no permissions - name: Use Keyweave with a no permissions
run: | run: |
mkdir -p "user/projects/project 1/src/lib" mkdir -p "user/projects/project 1/src/lib"
./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "/.env" ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "/.env"
- uses: azure/login@v1 - uses: azure/login@v1
with: with:
@ -139,7 +142,7 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }} subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }}
- name: Use Keyweave while logged into other Subscription - name: Use Keyweave while logged into other Subscription
run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
# - uses: azure/login@v1 # - uses: azure/login@v1
# with: # with:
@ -147,4 +150,4 @@ jobs:
# tenant-id: ${{ secrets.OTHER_TENANT_ID }} # tenant-id: ${{ secrets.OTHER_TENANT_ID }}
# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# - name: Use Keyweave while logged into other Azure Tenant # - name: Use Keyweave while logged into other Azure Tenant
# run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} # run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
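Review bot: The new `Use Keyweave with a firewalled Key Vault` step encodes no expected outcome: if keyweave exits non-zero against a vault whose `networkAcls.defaultAction` is `Deny`, the step fails the whole `get-list-test` job, and the hunk does not show whether the neighbouring negative steps (non-existent vault, no permissions) carry `continue-on-error: true` or an explicit exit-code check. Give this step the same treatment as those, e.g. `continue-on-error: true` on the step, or assert the failure inside the script with `! ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}`. Separately, `VAULT_NAME` now holds a `format()` template rather than a name, so a comment on the env line would help readers, e.g. `# format() template: '1' = open test vault, '2' = firewalled test vault (networkAcls defaultAction Deny)`. The `get-list-test` job and the env block start outside the hunks shown.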


@ -53,7 +53,43 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
} }
/* /*
Diagnostic Settings for Key Vault Key Vault
*/
resource keyVaultWithFirewall 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: replace(toLower(format(nameFormat, 'KVT', 2)), '-', '')
location: location
tags: tags
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enableSoftDelete: true
enablePurgeProtection: true
accessPolicies: accessPolicies
networkAcls: {
defaultAction: 'Deny'
ipRules: []
}
}
resource testSecret 'secrets' = {
name: 'testSecret'
properties: {
value: 'testSecretValue'
}
}
resource filterTestSecret 'secrets' = {
name: 'filterTestSecret'
properties: {
value: 'filterTestSecretValue'
}
}
}
/*
Diagnostic Settings for Key Vaults
*/ */
resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = { resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
@ -69,3 +105,17 @@ resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
] ]
} }
} }
resource keyVaultWithFirewallDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'keyVaultLogging'
scope: keyVaultWithFirewall
properties: {
workspaceId: _logAnalyticsWorkspace.id
logs: [
{
category: 'AuditEvent'
enabled: true
}
]
}
}
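Review bot: `keyVaultWithFirewall` sets `networkAcls.defaultAction: 'Deny'` with empty `ipRules` but leaves `bypass` unset, so what the firewall actually blocks depends on the service default rather than on the template; since the fixture exists precisely to be unreachable from the test runner, state that explicitly with `bypass: 'None'` inside `networkAcls`, and add a one-line comment above the resource such as `// Fixture vault that must reject the CI runner: tests keyweave's handling of a network-denied vault`. The vault also enables purge protection, which presumably mirrors the open vault but makes a throwaway test fixture slow to tear down; if that is intentional it deserves a comment. The `keyVault` resource that the first hunk attaches to begins outside the hunk.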