Sample InSpec controls (the profile's control file, followed by its inspec.yml)
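# Verify the NSG attached to subnet 'default' exists and does not expose
# interactive management ports to the internet.
#
# The original asserted `should allow_ssh_from_internet`, which passes only
# when the NSG permits SSH from the internet -- the opposite of the RDP check
# on the next line and of the "compliant state" the control claims to verify.
# Both matchers are now negated. If SSH from the internet really is intended
# for this subnet (e.g. a bastion), record that exception explicitly instead
# of asserting the exposure as compliance.
control 'azurerm_network_security_group' do
  title "Check nsg 'subnet-default-nsg'"
  desc "Check if nsg 'subnet-default-nsg' is present and in compliant state"

  describe azurerm_network_security_group(resource_group: 'grcpool-prod-rg', name: 'subnet-default-nsg') do
    it { should exist }
    # Neither SSH nor RDP may be reachable from the internet.
    it { should_not allow_ssh_from_internet }
    it { should_not allow_rdp_from_internet }
    # Guard against an NSG that exists but carries no rules at all.
    its('security_rules') { should_not be_empty }
    its('default_security_rules') { should_not be_empty }
  end
end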
# Verify subnet 'default' in vnet 'grcpool-prod-rg-vnet' exists, carries the
# expected address prefix and has the expected NSG attached.
control 'azurerm_subnet' do
  title "Check subnet 'default'"
  desc "Check if subnet 'default' is present and in compliant state"

  subnet = azurerm_subnet(
    resource_group: 'grcpool-prod-rg',
    vnet: 'grcpool-prod-rg-vnet',
    name: 'default'
  )

  describe subnet do
    it { should exist }
    its('type') { should eq('Microsoft.Network/virtualNetworks/subnets') }
    its('name') { should eq('default') }
    its('address_prefix') { should eq('10.2.1.0/24') }
    # The NSG expected to be associated with this subnet.
    its('nsg') { should eq('subnet-default-nsg') }
  end
end
# Verify VM 'azl73627' exists in westeurope and has the OmsAgentForLinux
# extension installed (presumably the monitoring/log agent for the
# workspace -- confirm against the environment's logging design).
control 'azurerm_virtual_machine' do
  title "Check vm 'azl73627'"
  desc "Check if vm 'azl73627' is present and in compliant state"

  vm = azurerm_virtual_machine(resource_group: 'grcpool-prod-rg', name: 'azl73627')

  describe vm do
    it { should exist }
    its('type') { should eq('Microsoft.Compute/virtualMachines') }
    its('name') { should eq('azl73627') }
    its('location') { should eq('westeurope') }
    # Both the extension type and its instance name are checked, so a renamed
    # or differently-typed extension does not silently satisfy the control.
    its('installed_extensions_types') { should include('OmsAgentForLinux') }
    its('installed_extensions_names') { should include('OmsAgentForLinux') }
  end
end
# Verify vnet 'grcpool-prod-rg-vnet' exists in westeurope with exactly the
# expected subnet, address space, DNS resolvers and DDoS-protection setting.
control 'azurerm_virtual_network' do
  title "Check vnet 'grcpool-prod-rg-vnet'"
  desc "Check if vnet 'grcpool-prod-rg-vnet' is present and in compliant state"

  vnet = azurerm_virtual_network(resource_group: 'grcpool-prod-rg', name: 'grcpool-prod-rg-vnet')

  describe vnet do
    it { should exist }
    its('type') { should eq('Microsoft.Network/virtualNetworks') }
    its('name') { should eq('grcpool-prod-rg-vnet') }
    its('location') { should eq('westeurope') }
    # Exact-match lists: an extra subnet or address range fails the control,
    # which is what you want for a pinned prod topology.
    its('subnets') { should eq(['default']) }
    its('address_space') { should eq(['10.2.1.0/24']) }
    # Custom resolvers (Cloudflare public DNS) rather than Azure-provided DNS.
    its('dns_servers') { should eq(['1.1.1.1', '1.0.0.1']) }
    # NOTE(review): this pins DDoS protection to *disabled*. If that is a
    # deliberate cost decision, say so here; otherwise a prod vnet would
    # normally be expected to have it enabled.
    its('enable_ddos_protection') { should eq(false) }
  end
end
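# inspec.yml -- profile metadata for the controls above. Indentation under
# `depends:` and `supports:` is restored here; as rendered, `url:` and
# `platform:` sat at column 0, which is not a valid profile manifest.
name: azure_grcpool
title: Checking compliance of GRC Pool resources
maintainer: Stefan Johner
copyright: Stefan Johner
license: Apache-2.0
summary: An InSpec Compliance Profile for GRC Pool resources running on Azure
version: 0.1.0
inspec_version: '>= 2.1.81'
depends:
  # NOTE(review): this fetches whatever is on the master branch of
  # inspec-azure at run time, so the resource pack (and therefore the
  # meaning of every matcher used above) can change -- or be tampered with
  # -- without any change to this profile. Pin it to a tagged release
  # (a release tarball URL, or `git:` with `tag:`/`ref:`) so results are
  # reproducible and the dependency is auditable.
  - name: inspec-azure
    url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
supports:
  - platform: azure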