Traffic Manager Scanner #110

cmd/azqr/scan.go

@@ -33,6 +33,7 @@ import (
 	"github.com/Azure/azqr/internal/scanners/apim"
 	"github.com/Azure/azqr/internal/scanners/appcs"
 	"github.com/Azure/azqr/internal/scanners/appi"
+	"github.com/Azure/azqr/internal/scanners/asp"
 	"github.com/Azure/azqr/internal/scanners/cae"
 	"github.com/Azure/azqr/internal/scanners/ci"
 	"github.com/Azure/azqr/internal/scanners/cog"
@@ -47,13 +48,13 @@ import (
 	"github.com/Azure/azqr/internal/scanners/logic"
 	"github.com/Azure/azqr/internal/scanners/maria"
 	"github.com/Azure/azqr/internal/scanners/mysql"
-	"github.com/Azure/azqr/internal/scanners/asp"
 	"github.com/Azure/azqr/internal/scanners/psql"
 	"github.com/Azure/azqr/internal/scanners/redis"
 	"github.com/Azure/azqr/internal/scanners/sb"
 	"github.com/Azure/azqr/internal/scanners/sigr"
 	"github.com/Azure/azqr/internal/scanners/sql"
 	"github.com/Azure/azqr/internal/scanners/st"
+	"github.com/Azure/azqr/internal/scanners/traf"
 	"github.com/Azure/azqr/internal/scanners/vm"
 	"github.com/Azure/azqr/internal/scanners/vnet"
 	"github.com/Azure/azqr/internal/scanners/wps"
@@ -466,6 +467,7 @@ func GetScanners() []scanners.IAzureScanner {
 		&sb.ServiceBusScanner{},
 		&sigr.SignalRScanner{},
 		&sql.SQLScanner{},
+		&traf.TrafficManagerScanner{},
 		&st.StorageScanner{},
 		&vm.VirtualMachineScanner{},
 		&vnet.VirtualNetworkScanner{},

cmd/azqr/traf.go

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package azqr
+
+import (
+	"github.com/Azure/azqr/internal/scanners"
+	"github.com/Azure/azqr/internal/scanners/traf"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	scanCmd.AddCommand(trafCmd)
+}
+
+var trafCmd = &cobra.Command{
+	Use:   "traf",
+	Short: "Scan Azure Traffic Manager",
+	Long:  "Scan Azure Traffic Manager",
+	Args:  cobra.NoArgs,
+	Run: func(cmd *cobra.Command, args []string) {
+		serviceScanners := []scanners.IAzureScanner{
+			&traf.TrafficManagerScanner{},
+		}
+
+		scan(cmd, serviceScanners)
+	},
+}

docs/content/en/docs/Rules/_index.md

@@ -241,32 +241,39 @@ Azure Quick Review uses the following rules to identify Azure resources that may
 231 | sqldb-005 | Reliability | SKU | SQL Database SKU | High | [Learn](https://docs.microsoft.com/en-us/azure/azure-sql/database/service-tiers-vcore?tabs=azure-portal)
 232 | sqldb-006 | Operational Excellence | Naming Convention (CAF) | SQL Database Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 233 | sqldb-007 | Operational Excellence | Tags | SQL Database should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-234 | st-001 | Reliability | Diagnostic Logs | Storage should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage)
-235 | st-002 | Reliability | Availability Zones | Storage should have availability zones enabled | High | [Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage)
-236 | st-003 | Reliability | SLA | Storage should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/storage/)
-237 | st-004 | Security | Private Endpoint | Storage should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints)
-238 | st-005 | Reliability | SKU | Storage SKU | High | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types)
-239 | st-006 | Operational Excellence | Naming Convention (CAF) | Storage Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-240 | st-007 | Security | HTTPS Only | Storage Account should use HTTPS only | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)
-241 | st-008 | Operational Excellence | Tags | Storage Account should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-242 | st-009 | Security | TLS | Storage Account should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal)
-243 | vm-001 | Reliability | Diagnostic Logs | Virtual Machine should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install)
-244 | vm-002 | Reliability | Availability Zones | Virtual Machine should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones)
-245 | vm-003 | Reliability | SLA | Virtual Machine should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
-246 | vm-006 | Operational Excellence | Naming Convention (CAF) | Virtual Machine Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-247 | vm-007 | Operational Excellence | Tags | Virtual Machine should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-248 | vm-008 | Reliability | Reliability | Virtual Machine should use managed disks | High | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines)
-249 | vm-009 | Reliability | Reliability | Virtual Machine should host application or database data on a data disk | Low | [Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk)
-250 | vnet-001 | Reliability | Diagnostic Logs | Virtual Network should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing)
-251 | vnet-002 | Reliability | Availability Zones | Virtual Network should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones)
-252 | vnet-006 | Operational Excellence | Naming Convention (CAF) | Virtual Network Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-253 | vnet-007 | Operational Excellence | Tags | Virtual Network should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
-254 | vnet-008 | Security | Networking | Virtual Network: All Subnets should have a Network Security Group associated | High | [Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices)
-255 | vnet-009 | Reliability | Reliability | Virtual NetworK should have at least two DNS servers assigned | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers)
-256 | wps-001 | Reliability | Diagnostic Logs | Web Pub Sub should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs)
-257 | wps-002 | Reliability | Availability Zones | Web Pub Sub should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones)
-258 | wps-003 | Reliability | SLA | Web Pub Sub should have a SLA | High | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/)
-259 | wps-004 | Security | Private Endpoint | Web Pub Sub should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints)
-260 | wps-005 | Reliability | SKU | Web Pub Sub SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/)
-261 | wps-006 | Operational Excellence | Naming Convention (CAF) | Web Pub Sub Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
-262 | wps-007 | Operational Excellence | Tags | Web Pub Sub should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+234 | traf-001 | Reliability | Diagnostic Logs | Traffic Manager should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-diagnostic-logs)
+235 | traf-002 | Reliability | Availability Zones | Traffic Manager should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/architecture/high-availability/reference-architecture-traffic-manager-application-gateway)
+236 | traf-003 | Reliability | SLA | Traffic Manager should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/traffic-manager/)
+237 | traf-006 | Operational Excellence | Naming Convention (CAF) | Traffic Manager Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+238 | traf-007 | Operational Excellence | Tags | Traffic Manager should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+239 | traf-008 | Security | Networking | Traffic Manager should use at least 2 endpoints | High | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types)
+240 | traf-009 | Reliability | Reliability | Traffic Manager: HTTP endpoints should be monitored using HTTPS | High | [Learn](https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring)
+241 | st-001 | Reliability | Diagnostic Logs | Storage should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage)
+242 | st-002 | Reliability | Availability Zones | Storage should have availability zones enabled | High | [Learn](https://learn.microsoft.com/EN-US/azure/reliability/migrate-storage)
+243 | st-003 | Reliability | SLA | Storage should have a SLA | High | [Learn](https://www.azure.cn/en-us/support/sla/storage/)
+244 | st-004 | Security | Private Endpoint | Storage should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints)
+245 | st-005 | Reliability | SKU | Storage SKU | High | [Learn](https://learn.microsoft.com/en-us/rest/api/storagerp/srp_sku_types)
+246 | st-006 | Operational Excellence | Naming Convention (CAF) | Storage Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+247 | st-007 | Security | HTTPS Only | Storage Account should use HTTPS only | High | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)
+248 | st-008 | Operational Excellence | Tags | Storage Account should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+249 | st-009 | Security | TLS | Storage Account should enforce TLS >= 1.2 | Low | [Learn](https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal)
+250 | vm-001 | Reliability | Diagnostic Logs | Virtual Machine should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-windows-install)
+251 | vm-002 | Reliability | Availability Zones | Virtual Machine should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-machines/availability#availability-zones)
+252 | vm-003 | Reliability | SLA | Virtual Machine should have a SLA | High | [Learn](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1)
+253 | vm-006 | Operational Excellence | Naming Convention (CAF) | Virtual Machine Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+254 | vm-007 | Operational Excellence | Tags | Virtual Machine should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+255 | vm-008 | Reliability | Reliability | Virtual Machine should use managed disks | High | [Learn](https://learn.microsoft.com/en-us/azure/architecture/checklist/resiliency-per-service#virtual-machines)
+256 | vm-009 | Reliability | Reliability | Virtual Machine should host application or database data on a data disk | Low | [Learn](https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#data-disk)
+257 | vnet-001 | Reliability | Diagnostic Logs | Virtual Network should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/monitor-virtual-network#collection-and-routing)
+258 | vnet-002 | Reliability | Availability Zones | Virtual Network should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones)
+259 | vnet-006 | Operational Excellence | Naming Convention (CAF) | Virtual Network Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+260 | vnet-007 | Operational Excellence | Tags | Virtual Network should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)
+261 | vnet-008 | Security | Networking | Virtual Network: All Subnets should have a Network Security Group associated | High | [Learn](https://learn.microsoft.com/azure/virtual-network/concepts-and-best-practices)
+262 | vnet-009 | Reliability | Reliability | Virtual NetworK should have at least two DNS servers assigned | High | [Learn](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat#specify-dns-servers)
+263 | wps-001 | Reliability | Diagnostic Logs | Web Pub Sub should have diagnostic settings enabled | Medium | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-troubleshoot-resource-logs)
+264 | wps-002 | Reliability | Availability Zones | Web Pub Sub should have availability zones enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/concept-availability-zones)
+265 | wps-003 | Reliability | SLA | Web Pub Sub should have a SLA | High | [Learn](https://azure.microsoft.com/en-gb/support/legal/sla/web-pubsub/)
+266 | wps-004 | Security | Private Endpoint | Web Pub Sub should have private endpoints enabled | High | [Learn](https://learn.microsoft.com/en-us/azure/azure-web-pubsub/howto-secure-private-endpoints)
+267 | wps-005 | Reliability | SKU | Web Pub Sub SKU | High | [Learn](https://azure.microsoft.com/en-us/pricing/details/web-pubsub/)
+268 | wps-006 | Operational Excellence | Naming Convention (CAF) | Web Pub Sub Name should comply with naming conventions | Low | [Learn](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+269 | wps-007 | Operational Excellence | Tags | Web Pub Sub should have tags | Low | [Learn](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json)

go.mod

@@ -42,6 +42,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/sql/armsql v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription v1.2.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/trafficmanager/armtrafficmanager v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/webpubsub/armwebpubsub v1.2.0
 	github.com/rs/zerolog v1.31.0
 	github.com/spf13/cobra v1.8.0

go.sum

@@ -81,6 +81,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0/go.mod h1:T5RfihdXtBDxt1Ch2wobif3TvzTdumDy29kahv6AV9A=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription v1.2.0 h1:UrGzkHueDwAWDdjQxC+QaXHd4tVCkISYE9j7fSSXF8k=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription v1.2.0/go.mod h1:qskvSQeW+cxEE2bcKYyKimB1/KiQ9xpJ99bcHY0BX6c=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/trafficmanager/armtrafficmanager v1.3.0 h1:e3kTG23M5ps+DjvPolK4dcgohDY8sHsXU7zrdHj1WzY=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/trafficmanager/armtrafficmanager v1.3.0/go.mod h1:Os5dq8Cvvz97rJauZhZJAfKHN+OEvF/0nVmHzF4aVys=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/webpubsub/armwebpubsub v1.2.0 h1:U+zDy6lU9scW8b58JpcQAlI+lsitiVSjz/RzBqbS5gM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/webpubsub/armwebpubsub v1.2.0/go.mod h1:gz64akQ/0Cfq2ZQCNsGE5RmRpl9ySpuV4zURgjBuyB0=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0 h1:hVeq+yCyUi+MsoO/CU95yqCIcdzra5ovzk8Q2BBpV2M=

internal/scanners/agw/rules.go

@@ -105,7 +105,7 @@ func (a *ApplicationGatewayScanner) GetRules() map[string]scanners.AzureRule {
 		"agw-008": {
 			Id:          "agw-008",
 			Category:    scanners.RulesCategoryReliability,
-			Subcategory: scanners.RulesSubcategoryReliabilitySubcategoryMaintenance,
+			Subcategory: scanners.RulesSubcategoryReliabilityMaintenance,
 			Description: "Application Gateway: Plan for backend maintenance by using connection draining",
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {

internal/scanners/kv/rules.go

@@ -96,7 +96,7 @@ func (a *KeyVaultScanner) GetRules() map[string]scanners.AzureRule {
 		"kv-008": {
 			Id:          "kv-008",
 			Category:    scanners.RulesCategoryReliability,
-			Subcategory: scanners.RulesSubcategoryReliabilitySubcategoryReliability,
+			Subcategory: scanners.RulesSubcategoryReliabilityReliability,
 			Description: "Key Vault should have soft delete enabled",
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {
@@ -108,7 +108,7 @@ func (a *KeyVaultScanner) GetRules() map[string]scanners.AzureRule {
 		"kv-009": {
 			Id:          "kv-009",
 			Category:    scanners.RulesCategoryReliability,
-			Subcategory: scanners.RulesSubcategoryReliabilitySubcategoryReliability,
+			Subcategory: scanners.RulesSubcategoryReliabilityReliability,
 			Description: "Key Vault should have purge protection enabled",
 			Severity:    scanners.SeverityMedium,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {

internal/scanners/logic/rules.go

@@ -42,7 +42,7 @@ func (a *LogicAppScanner) GetRules() map[string]scanners.AzureRule {
 		"logic-004": {
 			Id:          "logic-004",
 			Category:    scanners.RulesCategorySecurity,
-			Subcategory: scanners.RulesSubcategorySecurityPrivateEndpoint,
+			Subcategory: scanners.RulesSubcategorySecurityFirewall,
 			Description: "Logic App should limit access to Http Triggers",
 			Severity:    scanners.SeverityHigh,
 			Eval: func(target interface{}, scanContext *scanners.ScanContext) (bool, string) {