
Azure Government Endpoints are not working

Open yarick opened this issue 7 years ago • 2 comments

Description

Error during execution is 'The subscription '12345678-1234-1234-1234-123456789012' could not be found.'

Train and Platform Version

os RHEL7.5
inspec 2.2.20
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]

Replication Case

execute test

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose

inspec profile check

  tag "Default Value": "Generic Resource Test at Azure Gov \n\n\n"
  describe azure_generic_resource(group_name: ENV.fetch('AZURE_RG'), name: 'vm') do
    its('location') { should eq 'usgovvirginia' }
  end

Possible Solutions

According to tcpdump, inspec performs lookups for azure instead of azuregov. Verified that the IP addresses to which the connection is made are the same addresses provided by DNS resolution. The assumption is that inspec is connecting to azure endpoints instead of azuregov.

Stacktrace

https://gist.github.com/yarick/983adc75570948cd30cc4d40c028ee57

inspec exec ./test/integration/default -t azure:// -l=debug --diagnose
InSpec version: 2.2.20
Train version: 1.4.15
Command line configuration: {"target"=>"azure://", "log_level"=>"debug", "diagnose"=>true}
JSON configuration file: {}
Merged configuration: {"reporter"=>{"cli"=>{"stdout"=>true}}, "show_progress"=>false, "color"=>true, "create_lockfile"=>true, "backend_cache"=>true, "type"=>:exec, "target"=>"azure://", "log_level"=>"debug", "diagnose"=>true}

[2018-06-26T11:18:33-04:00] DEBUG: Option backend_cache is enabled
[2018-06-26T11:18:33-04:00] DEBUG: Resolve ./test/integration/default into cache /root/.inspec/cache
[2018-06-26T11:18:33-04:00] DEBUG: Dependency does not exist in the cache ./test/integration/default
[2018-06-26T11:18:33-04:00] DEBUG: Starting run with targets: ["Inspec::Profile"]
[2018-06-26T11:18:33-04:00] DEBUG: Using existing lockfile ./test/integration/default/inspec.lock
[2018-06-26T11:18:33-04:00] DEBUG: Loading ./test/integration/default/controls/M-2.12.rb into #Inspec::ProfileContext:0x0000000003bb93f8
[DEPRECATED] use a specific azure resources instead of 'azure_generic_resource'. See https://github.com/inspec/inspec/issues/3131
[2018-06-26T11:18:34-04:00] DEBUG: Registering rule M-2.12

Profile: AZURE Inspec Demo based on CIS_Microsoft_Azure_Foundations_Benchmark (azure-inspec-demo)
Version: 0.2
Target: azure://12345678-1234-1234-1234-123456789012

× M-2.12: 2.12 Ensure that 'JIT Network Access' is set to 'On' (Scored) (2 failed)
  × azure_generic_resource The subscription '12345678-1234-1234-1234-123456789012' could not be found.
  × azure_resource_group The subscription '12345678-1234-1234-1234-123456789012' could not be found.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 2 failures, 0 skipped

yarick avatar Jun 26 '18 15:06 yarick

Hi ... I have a patch available which works for AzureGermanCloud, which suffers from the same "problem" as the US-Government Cloud. Would there still be interest to have that integrated?

cruwe avatar Apr 24 '19 19:04 cruwe

Yes, I think we should parameterize this and, if possible, enable it to look at the region you are using and default to that, and then have a fall through to have it statically set to perhaps at the far end.

so it would go in my mind:

  1. user ENV_VAR
  2. Azure setting file
  3. find by 'region' matrix
  4. static fall through

aaronlippold avatar Jan 24 '20 15:01 aaronlippold
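
The four-step lookup order proposed in the last comment, sketched in Ruby as an added example that is not Train or InSpec code. The `AZURE_CLOUD` variable and the `cloud` settings key are hypothetical names, and the settings file is assumed to be already parsed into a hash; the endpoint hostnames are the published ones for each cloud.

```ruby
# Added illustration, not Train/InSpec code.
# AZURE_CLOUD and the 'cloud' settings key are hypothetical names.
CLOUDS = {
  'AzureCloud'        => { arm: 'https://management.azure.com',
                           login: 'https://login.microsoftonline.com' },
  'AzureUSGovernment' => { arm: 'https://management.usgovcloudapi.net',
                           login: 'https://login.microsoftonline.us' },
  'AzureGermanCloud'  => { arm: 'https://management.microsoftazure.de',
                           login: 'https://login.microsoftonline.de' },
  'AzureChinaCloud'   => { arm: 'https://management.chinacloudapi.cn',
                           login: 'https://login.chinacloudapi.cn' }
}.freeze

# Step 3 "region matrix": region name pattern -> cloud. The German pattern is
# exact because germanywestcentral and germanynorth are public-cloud regions.
REGION_MATRIX = [
  [/\A(usgov|usdod)/,                'AzureUSGovernment'],
  [/\Agermany(central|northeast)\z/, 'AzureGermanCloud'],
  [/\Achina/,                        'AzureChinaCloud']
].freeze

def cloud_from_region(region)
  return nil if region.nil?
  row = REGION_MATRIX.find { |pattern, _| pattern.match?(region.downcase) }
  row && row[1]
end

# Returns { name:, source:, arm:, login: } using the first source that answers.
def resolve_cloud(env: ENV, settings: {}, region: nil)
  candidates = [
    [:env,      env['AZURE_CLOUD']],          # 1. user ENV_VAR
    [:settings, settings['cloud']],           # 2. Azure settings file (parsed)
    [:region,   cloud_from_region(region)],   # 3. region matrix
    [:static,   'AzureCloud']                 # 4. static fall through
  ]
  source, name = candidates.find { |_, value| value && !value.empty? }
  # Allow-list lookup: a value that is not a known cloud name (for example a
  # URL) is rejected, so the token request never goes to an arbitrary host.
  endpoints = CLOUDS.fetch(name) do
    raise ArgumentError, "unknown Azure cloud #{name.inspect} (from #{source})"
  end
  { name: name, source: source }.merge(endpoints)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the region asserted by the control in this issue.
  p resolve_cloud(env: {}, region: 'usgovvirginia')
end
```

Returning the `source` alongside the endpoints lets a debug log state which step selected the cloud, which is the information missing from the `--diagnose` output above.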