Chef InSpec and Azure
Chef InSpec has resources for auditing Azure.
Initialize an InSpec profile for auditing Azure
With Chef InSpec 4 or greater, you can create a profile for testing Azure resources with inspec init profile:
$ inspec init profile --platform azure <PROFILE_NAME>
Create new profile at /Users/me/<PROFILE_NAME>
* Creating directory libraries
* Creating file README.md
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
Assuming the inputs.yml file contains your Azure project ID, you can execute this sample profile using the following command:
inspec exec <PROFILE_NAME> --input-file=<PROFILE_NAME>/inputs.yml -t azure://
Set Azure credentials
To use Chef InSpec Azure resources, create a Service Principal Name (SPN) to audit an Azure subscription. This can be done on the command line or from the Azure Portal.
The information from the SPN can be specified either in the file ~/.azure/credentials, as environment variables, or by using Chef InSpec target URIs.
Set the Azure credentials file
By default, Chef InSpec is configured to look at ~/.azure/credentials, and it should contain:
[<SUBSCRIPTION_ID>]
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"
tenant_id = "<TENANT_ID>"
Note
In the Azure web portal, these values are labeled differently:
- The client_id is referred to as the ‘Application ID’
- The client_secret is referred to as the ‘Key (Password Type)’
- The tenant_id is referred to as the ‘Directory ID’
With the credentials in place, you can now execute Chef InSpec.
inspec exec <PROFILE_NAME> -t azure://
Provide credentials using environment variables
You may also set the Azure credentials using environment variables:
AZURE_SUBSCRIPTION_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
For example:
AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
Provide credentials using Chef InSpec target option
If you have created a ~/.azure/credentials file as above, you may also use the Chef InSpec command line --target / -t option to select a subscription ID. For example:
inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
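The three ways of supplying SPN credentials described above (the ~/.azure/credentials file, the AZURE_* environment variables, and the subscription ID in an azure:// target URI) can be modelled in a few lines of Ruby. The block below is an added illustration, not InSpec's own credential-loading code: it parses the INI-style credentials file shown earlier, picks the section named by the target URI, and falls back to the file when the environment variables are not all set. The precedence order (environment variables first, then the file), the refusal to guess when the file holds several subscriptions and no target is given, and the sample subscription, client and tenant values are all assumptions of this example.

```ruby
# Added example (not InSpec's own code): resolves Azure service-principal
# credentials from the sources the docs describe. Precedence below
# (env vars, then credentials file selected by azure://<SUBSCRIPTION_ID>)
# is an assumption of this example.

REQUIRED_KEYS = %w[client_id client_secret tenant_id].freeze
ENV_KEYS = %w[AZURE_SUBSCRIPTION_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID].freeze

# Constructed sample of a ~/.azure/credentials file with two subscriptions.
SAMPLE_CREDENTIALS = <<~INI
  [11111111-1111-1111-1111-111111111111]
  client_id = "aaaaaaaa-0000-0000-0000-000000000001"
  client_secret = "example-secret-1"
  tenant_id = "tttttttt-0000-0000-0000-000000000001"

  [22222222-2222-2222-2222-222222222222]
  client_id = "aaaaaaaa-0000-0000-0000-000000000002"
  client_secret = "example-secret-2"
  tenant_id = "tttttttt-0000-0000-0000-000000000002"
INI

# Parse "[section]" headers and key = "value" lines into
# { subscription_id => { key => value } }, stripping surrounding quotes.
def parse_credentials(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      sections[current] = {}
    elsif current && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2].gsub(/\A"|"\z/, '')
    end
  end
  sections
end

# Subscription ID from an azure:// target URI; nil for a bare "azure://".
def subscription_from_target(target)
  m = target.match(%r{\Aazure://([^/]*)\z})
  raise ArgumentError, "not an azure:// target: #{target}" unless m
  m[1].empty? ? nil : m[1]
end

# Returns { subscription_id, client_id, client_secret, tenant_id } or raises
# with a message naming what is missing.
def resolve_credentials(target:, env:, file_text:)
  if ENV_KEYS.all? { |k| env[k].to_s != '' }
    return {
      'subscription_id' => env['AZURE_SUBSCRIPTION_ID'],
      'client_id' => env['AZURE_CLIENT_ID'],
      'client_secret' => env['AZURE_CLIENT_SECRET'],
      'tenant_id' => env['AZURE_TENANT_ID'],
    }
  end
  sections = parse_credentials(file_text)
  sub = subscription_from_target(target)
  if sub.nil?
    # Assumed behaviour: with several sections the caller must choose one.
    raise 'credentials file has several subscriptions; pass -t azure://<SUBSCRIPTION_ID>' if sections.size > 1
    sub = sections.keys.first
  end
  entry = sections[sub]
  raise "no section [#{sub}] in credentials file" unless entry
  missing = REQUIRED_KEYS - entry.keys
  raise "section [#{sub}] is missing #{missing.join(', ')}" unless missing.empty?
  entry.merge('subscription_id' => sub)
end

# Copy safe for logging: the client secret is never printed.
def redacted(creds)
  creds.merge('client_secret' => '***')
end

if __FILE__ == $PROGRAM_NAME
  creds = resolve_credentials(target: 'azure://22222222-2222-2222-2222-222222222222',
                              env: ENV.to_h, file_text: SAMPLE_CREDENTIALS)
  puts redacted(creds).inspect
end
```

Only the redacted view is ever printed; the client secret has the same sensitivity as a password and should stay out of logs and CI output.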