TestCases/SubscriptionSecurity/SSProvisioning/SSProvisioningTest.ps1
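Set-StrictMode -Version Latest

<#
    Test cases for the AzSDK subscription-security provisioning cmdlets:
    Set-/Remove-AzSDKAlerts (activity log alerts in the AzSDK alerts resource
    group) and Set-/Remove-AzSDKARMPolicies (ARM policy assignments).

    Each Test* method stores its verdict in $this.testcaseResult and returns it.
    $this.testcase, $this.settings and $this.testcaseResult are not declared in
    this class; presumably they come from AzSDKTestBase - confirm.

    These tests guard security monitoring configuration, so a check that passes
    for the wrong reason is worse than one that fails: every verification below
    is written against the specific resource the test is about.
#>
class SSProvisioningTest:AzSDKTestBase{
    [string]$AlertsRGName = "AzSDKRG" #This is the standard name used by AzSDK for Alerts RG.

    SSProvisioningTest([TestCase] $testcase, [TestSettings] $testsettings):Base($testcase, $testsettings){
    }

    # Dispatches to the test method named in the test case definition.
    # An unrecognised method name reaches the empty Default branch and is
    # silently ignored, so no result is recorded for it.
    [void] Execute(){
        switch ($this.testcase.TestMethod.Trim()){
            "TestSetAzSDKAlerts"{
                $this.TestSetAzSDKAlerts()
                break
            }
            "TestRemoveAzSDKAlertsJustOne"{
                $this.TestRemoveAzSDKAlertsJustOne()
                break
            }
            "TestRemoveAzSDKAlerts"{
                $this.TestRemoveAzSDKAlerts()
                break
            }
            "TestSetAzSDKARMPolicies"{
                $this.TestSetAzSDKARMPolicies()
                break
            }
            "TestRemoveAzSDKARMPolicies"{
                $this.TestRemoveAzSDKARMPolicies()
                break
            }
            Default {
            }
        }
    }

    # Starts from a subscription without AzSDK alerts, runs Set-AzSDKAlerts and
    # then expects the critical-alerts control to scan as Passed.
    [TestCaseResult] TestSetAzSDKAlerts(){
        try{
            if($this.SetAzSDKAlertTestPrerequisite([AlertPrerequisites]::RemoveAlerts))
            {
                Set-AzSDKAlerts -SubscriptionId $this.settings.SubscriptionId -SecurityContactEmails $this.settings.SecurityPOCEmail -DoNotOpenOutputFolder
                #Expected control status for id Azure_Subscription_Audit_Configure_Critical_Alerts should be Passed
                $this.testcaseResult = $this.GetControlIdStatus("Azure_Subscription_Audit_Configure_Critical_Alerts",[TestStatus]::Passed)
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while setting AzSDK Alerts.")
        }
        return $this.testcaseResult
    }

    # Removes the single alert named in the settings and verifies that this
    # alert no longer exists.
    [TestCaseResult] TestRemoveAzSDKAlertsJustOne(){
        try{
            #Validate if alerts are present on subscriptions
            if($this.SetAzSDKAlertTestPrerequisite([AlertPrerequisites]::SetAlerts))
            {
                Remove-AzSDKAlerts -SubscriptionId $this.settings.SubscriptionId -AlertNames $this.settings.AlertName
                # Look up the named alert itself. The previous code stored the
                # unfiltered list of the resource group and discarded the
                # name-specific lookup, so the test passed only when every alert
                # had been deleted and failed when exactly one was removed.
                $alertResource = Get-AzureRmResource -ResourceType "Microsoft.Insights/activityLogAlerts" -ResourceGroupName $this.AlertsRGName -ResourceName $this.settings.AlertName -ErrorAction Ignore
                # NOTE(review): this does not yet assert that the other alerts
                # survive the call; consider also checking GetAzSDKAlertsList()
                # once the expected number of remaining alerts is known.
                if($null -eq $alertResource)
                {
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed only one alert.")
                }
                else{
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Remove-AzSDKAlerts with alertName must remove just that alert.")
                }
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing desired AzSDK Alert.")
        }
        return $this.testcaseResult
    }

    # Removes all alerts tagged "Mandatory" and verifies that the alerts
    # resource group no longer contains any activity log alert.
    [TestCaseResult] TestRemoveAzSDKAlerts(){
        try
        {
            #Set prerequisite by setting alerts
            if($this.SetAzSDKAlertTestPrerequisite([AlertPrerequisites]::SetAlerts))
            {
                Remove-AzSDKAlerts -SubscriptionId $this.settings.SubscriptionId -Tags "Mandatory"
                $alertResource = $this.GetAzSDKAlertsList()
                # Count instead of comparing to $null: with a collection on the
                # left, -eq filters the elements rather than testing for null.
                if(($alertResource | Measure-Object).Count -eq 0)
                {
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed allalert.")
                }
                else{
                    $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Remove-AzSDKAlerts not removed all alerts.")
                }
            }
            else
            {
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Unable to set prerequisite for test case.")
            }
        }
        catch
        {
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing AzSDK Alerts.")
        }
        return $this.testcaseResult
    }

    # Scans the subscription for one control and compares the Status column of
    # the exported SecurityReport CSV with the expected status.
    #   $ControlId      - control to scan and to look up in the report
    #   $expectedStatus - status the control row must carry for a Passed result
    [TestCaseResult] GetControlIdStatus([string] $ControlId,[TestStatus] $expectedStatus)
    {
        $testcaseResult = $null
        $subScanPath = Get-AzSDKSubscriptionSecurityStatus -SubscriptionId $this.settings.SubscriptionId -ControlIds $ControlId -DoNotOpenOutputFolder
        $securityReportFile = (Get-ChildItem $subScanPath -Recurse -Include "SecurityReport*") | Select-Object -First 1
        # Test for $null before touching .FullName: under Set-StrictMode a
        # property access on $null raises an error instead of yielding $null,
        # which would skip the "report not exported" result below.
        if($null -ne $securityReportFile -and $securityReportFile.FullName)
        {
            # Filter on the requested control id. The previous code filtered on a
            # hard-coded id, so any other $ControlId was checked against the
            # wrong report row.
            $testResult = Get-Content $securityReportFile.FullName | ConvertFrom-Csv | Where-Object ControlID -EQ $ControlId | Select-Object Status
            if($null -ne $testResult -and $testResult.Status -eq $expectedStatus)
            {
                $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully verified expected status '$expectedStatus' for control id $ControlId")
            }
            else{
                $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Not able to verify expected status '$expectedStatus' for control id $ControlId")
            }
        }
        else
        {
            $testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Not able to verify status as get scan not exported report")
        }
        return $testcaseResult
    }

    # Brings the subscription into the state a test needs and reports whether
    # that state was reached.
    #   RemoveAlerts - no AzSDK alerts may exist afterwards
    #   SetAlerts    - AzSDK alerts must exist afterwards
    [bool] SetAzSDKAlertTestPrerequisite([AlertPrerequisites] $alertPreq)
    {
        $IsPrerequisiteSet = $false
        $alertsRG = Get-AzureRmResourceGroup -Name $this.AlertsRGName -ErrorAction Ignore
        $existingalerts = $null
        if($alertsRG)
        {
            $existingalerts = $this.GetAzSDKAlertsList()
        }
        switch($alertPreq)
        {
            "RemoveAlerts"
            {
                #Validate if AzSDK alerts are already present and remove alerts if exists
                if(($existingalerts | Measure-Object).Count -ne 0)
                {
                    Remove-AzSDKAlerts -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory' -DoNotOpenOutputFolder
                    #Validate if all alerts are removed
                    $alerttlist = $this.GetAzSDKAlertsList()
                    # The previous check compared the Measure-Object result
                    # itself with 0 (the .Count was missing), which is never
                    # true, so an empty collection was not recognised as success.
                    if(($alerttlist | Measure-Object).Count -eq 0)
                    {
                        return $true
                    }
                }
                else
                {
                    return $true
                }
            }
            "SetAlerts"
            {
                if(($existingalerts | Measure-Object).Count -eq 0)
                {
                    Set-AzSDKAlerts -SubscriptionId $this.settings.SubscriptionId -SecurityContactEmails $this.settings.SecurityPOCEmail -DoNotOpenOutputFolder
                    #Validate if all alerts are set
                    if(($this.GetAzSDKAlertsList() | Measure-Object).Count -gt 0)
                    {
                        return $true
                    }
                }
                else
                {
                    return $true
                }
            }
        }
        return $IsPrerequisiteSet
    }

    # Returns the activity log alerts found in the AzSDK alerts resource group.
    # Errors are ignored, so the result is $null when the lookup fails.
    [PSObject] GetAzSDKAlertsList()
    {
        return Get-AzureRmResource -ResourceType "Microsoft.Insights/activityLogAlerts" -ResourceGroupName $this.AlertsRGName -ErrorAction Ignore
    }

    # Clears existing policy assignments (best effort), runs
    # Set-AzSDKARMPolicies and expects at least six policy assignments.
    # NOTE(review): Get-AzureRmPolicyAssignment is called without a filter, so
    # the count may include assignments that AzSDK did not create; presumably 6
    # is the number of AzSDK policies - confirm. The declared return type is an
    # array although a single result is returned, unlike the alert tests.
    [TestCaseResult[]] TestSetAzSDKARMPolicies(){
        try{
            $ExistingPolicy = [array](Get-AzureRmPolicyAssignment)
            if(($ExistingPolicy | Measure-Object).Count -ne 0)
            {
                try{
                    Remove-AzSDKARMPolicies -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory'
                }
                catch
                {
                    #error while removing ARM policies
                    # Cleanup stays best effort, but the failure is surfaced so
                    # that a later wrong count can be traced back to it.
                    Write-Warning "Removing existing ARM policies failed: $($_.Exception.Message)"
                }
            }
            Set-AzSDKARMPolicies -SubscriptionId $this.settings.SubscriptionId
            $tstPol = [array](Get-AzureRmPolicyAssignment)
            if(($tstPol | Measure-Object).Count -ge 6){
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully set the AzSDK ARM policy.")
            }
            else{
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Failed to set the AzSDK ARM policy.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while setting AzSDK ARM policy.")
        }
        return $this.testcaseResult
    }

    # Makes sure policies exist (best effort), runs Remove-AzSDKARMPolicies and
    # expects no policy assignment to remain.
    # NOTE(review): the zero-count check covers every assignment returned by
    # Get-AzureRmPolicyAssignment, so it presumably needs a subscription that
    # carries no other policy assignments - confirm.
    [TestCaseResult[]] TestRemoveAzSDKARMPolicies(){
        try{
            $ExistingPolicy = [array](Get-AzureRmPolicyAssignment)
            if(($ExistingPolicy | Measure-Object).Count -eq 0)
            {
                try{
                    Set-AzSDKARMPolicies -SubscriptionId $this.settings.SubscriptionId
                }
                catch
                {
                    #error while setting ARM policies
                    # Setup stays best effort, but the failure is surfaced so
                    # that a trivially passing removal check can be recognised.
                    Write-Warning "Setting ARM policies failed: $($_.Exception.Message)"
                }
            }
            Remove-AzSDKARMPolicies -SubscriptionId $this.settings.SubscriptionId -Tags 'Mandatory'
            $tstPol = [array](Get-AzureRmPolicyAssignment)
            if(($tstPol | Measure-Object).Count -eq 0){
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Passed,"Successfully removed the AzSDK ARM policy.")
            }
            else{
                $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Failed to remove the AzSDK ARM policy.")
            }
        }
        catch{
            $this.testcaseResult = [TestCaseResult]::new($this.testCase,[TestStatus]::Failed,"Error while removing AzSDK ARM policy.")
        }
        return $this.testcaseResult
    }
}

# Starting state a test asks SetAzSDKAlertTestPrerequisite to establish.
enum AlertPrerequisites{
    SetAlerts
    RemoveAlerts
}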