-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
190 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| param( | ||
|
|
||
| [Parameter(Mandatory)] | ||
|
|
||
| [ValidateNotNullOrEmpty()] | ||
|
|
||
| [string]$ResourceGroupName | ||
|
|
||
| ) | ||
|
|
||
|
|
||
| $here = Split-Path -Parent $MyInvocation.MyCommand.Path | ||
| $template = Split-Path -Leaf $here | ||
|
|
||
| Describe "Virtual Machine Tests" { | ||
|
|
||
| $VMs = Get-AzVM -ResourceGroupName $ResourceGroupName | ||
|
|
||
| Context "Antivirus" { | ||
|
|
||
| foreach ($vm in $vms) { | ||
|
|
||
| $avExtension = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vm.name -Name IaaSAntimalware | ||
| $publicSettings = ConvertFrom-Json $avExtension.PublicSettings | ||
|
|
||
| It "$($vm.name) Should Have Micrsoft Antimalware Extension Installed" { | ||
|
|
||
| $avExtension | Should Not Be $null | ||
| $avExtension.ProvisioningState | Should Be "Succeeded" | ||
| $publicSettings.AntimalwareEnabled | Should Be "True" | ||
| } | ||
|
|
||
| It "$($vm.name) Should Have Real Time Protection Enabled" { | ||
| $publicSettings.RealtimeProtectionEnabled | Should Be "true" | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
| Context "VM Network Security Groups" { | ||
|
|
||
| foreach ($vm in $vms) { | ||
|
|
||
| foreach ($nicID in $vm.NetworkProfile.NetworkInterfaces) { | ||
| $Nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName | where { $_.Id -eq $nicID.id } | ||
| $nicNSG = $nic.NetworkSecurityGroup | ||
| $subnet = $nic.IpConfigurations.subnet | ||
| $VirtualNetwork = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName | Where { $_.Subnets.ID -match $subnet.id } | ||
| $subnetNSG = $($VirtualNetwork.Subnets | Where { $_.ID -match $subnet.id }).NetworkSecurityGroup | ||
|
|
||
| It "$($vm.name) NIC $($nicID.name) Should Have an NSG Enabled" { | ||
| ($nicNSG -eq $null) -and ($subnetNSG -eq $null)| Should Not Be $true | ||
| } | ||
|
|
||
| } | ||
|
|
||
| } | ||
| } | ||
|
|
||
| Context "VM Bitlocker Encryption" { | ||
| foreach ($vm in $vms) { | ||
| $encryptionStatus = Get-AzVMDiskEncryptionStatus -ResourceGroupName $resourcegroupname -VMName $vm.name | ||
|
|
||
| It "$($vm.name) Should have an encrypted OS disk" { | ||
| $encryptionStatus.OsVolumeEncrypted | should be "Encrypted" | ||
| } | ||
|
|
||
| It "$($vm.name) Should have encrypted Data disks" { | ||
| $encryptionStatus.DataVolumesEncrypted | should be "Encrypted" | ||
| } | ||
|
|
||
| } | ||
|
|
||
| } | ||
| } | ||
|
|
||
| Describe "Network Security Group Tests" { | ||
|
|
||
| $NSGS = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName | ||
|
|
||
| Context "Ports Open to All" { | ||
| foreach ($NSG in $NSGS) { | ||
| $openAllCount = 0 | ||
| foreach ($rule in $NSG.SecurityRules) { | ||
| if ($rule.Direction -eq "Inbound" -and $rule.SourceAddressPrefix -eq "*") { | ||
| $openAllCount ++ | ||
| } | ||
| } | ||
| It "$($NSG.name) Should Have no inbound rules open to all" { | ||
| $openAllCount| Should Be 0 | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
| } | ||
|
|
||
|
|
||
| Describe "Storage Account Tests" { | ||
| $storageAccounts = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName | ||
|
|
||
| foreach ($storageAccount in $storageAccounts) { | ||
| It "$($storageAccount.StorageAccountName ) Should have encrypted blob storage" { | ||
| $storageAccount.Encryption.Services.Blob.enabled | should be $true | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
|
|
||
| Describe "Azure SQL Tests" { | ||
| $sqlServers = Get-AzSqlServer -ResourceGroupName $ResourceGroupName | ||
| foreach ($sqlserver in $sqlServers) { | ||
| $sqlDatabases = Get-AzSqlDatabase -ServerName $sqlServer.ServerName -ResourceGroupName $ResourceGroupName | ||
|
|
||
| foreach ($sqlDatabase in $sqlDatabases) { | ||
| if ($sqlDatabase.databaseName -ne "Master") { | ||
| $tdeStatus = Get-AzSqlDatabaseTransparentDataEncryption -ServerName $sqlserver.ServerName -DatabaseName $sqlDatabase.databaseName -ResourceGroupName $ResourceGroupName | ||
| $threatDetectionStatus = Get-AzSqlDatabaseThreatDetectionPolicy -ServerName $sqlserver.ServerName -DatabaseName $sqlDatabase.databaseName -ResourceGroupName $ResourceGroupName | ||
| It "$($sqlDatabase.DatabaseName) on server $($sqlServer.serverName) Should have TDE Enabled" { | ||
| $tdeStatus.State| should be "Enabled" | ||
| } | ||
|
|
||
| It "$($sqlDatabase.DatabaseName) on server $($sqlServer.serverName) Should have Threat Detection Enabled" { | ||
| $threatDetectionStatus.ThreatDetectionState| should be "Enabled" | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| $prefix="dev" | ||
| $resourceGroup = "dev-rg" | ||
|
|
||
| Describe "Resource Group tests" -tag "AzureInfrastructure" { | ||
|
|
||
| Context "Resource Groups" { | ||
| It "Check Main Resource Group $resourceGroup Exists" { | ||
| Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue | Should Not be $null | ||
| } | ||
|
|
||
| } | ||
| } | ||
|
|
||
| Describe "Networking Tests" -tag "AzureInfrastructure" { | ||
| Context "Networking" { | ||
| $vNet=Get-AzVirtualNetwork -Name "$prefix-vNet" -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue | ||
|
|
||
| it "Check Virtual Network $prefix-vNet Exists" { | ||
| $vNet | Should Not be $null | ||
| } | ||
|
|
||
| it "Subnet public-subnet Should Exist" { | ||
| $subnet = Get-AzVirtualNetworkSubnetConfig -Name "public-subnet" -VirtualNetwork $vNet -ErrorAction SilentlyContinue | ||
| $subnet| Should Not be $null | ||
| } | ||
|
|
||
| it "Subnet public-subnet Should have Address Range 10.0.2.0/23" { | ||
| $subnet = Get-AzVirtualNetworkSubnetConfig -Name "public-subnet" -VirtualNetwork $vNet -ErrorAction SilentlyContinue | ||
| $subnet.AddressPrefix | Should be "10.0.2.0/23" | ||
| } | ||
|
|
||
| } | ||
| } | ||
|
|
||
|
|
||
| Describe "Virtual Machine Tests" -tag "AzureInfrastructure"{ | ||
| context "VM Tests"{ | ||
| $vmName="$prefix-Vm1" | ||
| $vm= Get-AzVM -Name $vmName -ResourceGroupName $resourceGroup | ||
|
|
||
| it "Virtual Machine $vmName Should Exist" { | ||
| $vm| Should Not be $null | ||
| } | ||
|
|
||
| it "Virtual Machine $vmName Should Be Size Standard_DS1_v2" { | ||
| $vm.HardwareProfile.VmSize | should be "Standard_DS1_v2" | ||
| } | ||
|
|
||
| it "Virtual Machine $vmName Should Be Located in West Europe" { | ||
| $vm.Location | should be "westeurope" | ||
| } | ||
|
|
||
| } | ||
|
|
||
| } |