From c868c26e1fec0cbbaa2a18f2636ebb1b8cb6eda2 Mon Sep 17 00:00:00 2001
From: Ruairi Fennell
Date: Fri, 4 Oct 2019 14:23:03 +0100
Subject: [PATCH 1/2] Adds azurerm_locks
Signed-off-by: Ruairi Fennell
---
 docs/resources/azurerm_locks.md.erb | 82 +++++++++++++++++++
 libraries/azurerm_locks.rb | 32 ++++++++
 libraries/support/azure/management.rb | 8 ++
 libraries/support/azure/service.rb | 4 +-
 .../verify/controls/azurerm_locks.rb | 10 +++
 5 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100644 docs/resources/azurerm_locks.md.erb
 create mode 100644 libraries/azurerm_locks.rb
 create mode 100644 test/integration/verify/controls/azurerm_locks.rb
diff --git a/docs/resources/azurerm_locks.md.erb b/docs/resources/azurerm_locks.md.erb
new file mode 100644
index 000000000..d843bdade
--- /dev/null
+++ b/docs/resources/azurerm_locks.md.erb
@@ -0,0 +1,82 @@
+---
+title: About the azurerm_locks Resource
+platform: azure
+---
+
+# azurerm\_locks
+
+Use the `azurerm_locks` InSpec audit resource to test properties of
+some or all Azure Resource Locks.
+
+
+## Azure REST API version
+
+This resource interacts with version `2016-09-01` of the Azure
+Management API. For more information see the [official Azure documentation](https://docs.microsoft.com/en-us/rest/api/resources/managementlocks/listatresourcelevel).
+
+At the moment, there doesn't appear to be a way to select the version of the
+Azure API docs. If you notice a newer version being referenced in the official
+documentation please open an issue or submit a pull request using the updated
+version.
+
+## Availability
+
+### Installation
+
+This resource is available in the `inspec-azure` [resource
+pack](https://www.inspec.io/docs/reference/glossary/#resource-pack). To use it, add the
+following to your `inspec.yml` in your top-level profile:
+
+ depends:
+ - name: inspec-azure
+ git: https://github.com/inspec/inspec-azure.git
+
+You'll also need to setup your Azure credentials; see the resource pack
+[README](https://github.com/inspec/inspec-azure#inspec-for-azure).
+
+### Version
+
+This resource first became available in 1.3.8 of the inspec-azure resource pack.
+
+## Syntax
+
+An `azurerm_locks` resource block returns all Locks on a given Resource.
+
+ describe azurerm_locks(resource_group: 'rg', resource_name: 'my-vm', resource_type: 'Microsoft.Compute/virtualMachines') do
+ ...
+ end
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Ensure a Lock exists
+
+ describe azurerm_locks(resource_group: 'my-rg', resource_name: 'my-vm', resource_type: 'Microsoft.Compute/virtualMachines') do
+ it { should exist }
+ end
+
+## Filter Criteria
+
+* `ids`
+* `names`
+* `properties`
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers,
+please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exists
+
+The control will pass if the filter returns at least one result. Use
+`should_not` if you expect zero matches.
+
+## Azure Permissions
+
+Your [Service
+Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal)
+must be setup with a `contributor` role on the subscription you wish to test.
diff --git a/libraries/azurerm_locks.rb b/libraries/azurerm_locks.rb
new file mode 100644
index 000000000..70baeb4f5
--- /dev/null
+++ b/libraries/azurerm_locks.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'azurerm_resource'
+
+class AzurermLocks < AzurermPluralResource
+ name 'azurerm_locks'
+ desc 'Verifies settings for an Azure Lock on a Resource'
+ example <<-EXAMPLE
+ describe azurerm_locks(resource_group: 'my-rg', resource_name: 'my-vm', resource_type: 'Microsoft.Compute/virtualMachines') do
+ it { should exist }
+ end
+ EXAMPLE
+
+ attr_reader :table
+
+ FilterTable.create
+ .register_column(:ids, field: :id)
+ .register_column(:names, field: :name)
+ .register_column(:properties, field: :properties)
+ .install_filter_methods_on_resource(self, :table)
+
+ def initialize(resource_group: nil, resource_name: nil, resource_type: nil)
+ resp = management.locks(resource_group, resource_name, resource_type)
+ return if has_error?(resp)
+
+ @table = resp
+ end
+
+ def to_s
+ 'Azure Locks'
+ end
+end
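Review bot: `initialize` defaults all three keywords to `nil`, but `management.locks` cannot build a meaningful request without them, so `azurerm_locks` called with a missing argument sends a malformed URL and only surfaces whatever `has_error?` makes of the response. A guard at the top of `initialize`, `raise ArgumentError, 'resource_group, resource_name and resource_type are required' if [resource_group, resource_name, resource_type].any?(&:nil?)`, gives the profile author the actual cause instead. The class would also benefit from a comment stating that each table row is a lock object as returned by the Management API and that the lock level is nested inside `properties`, since that is what most controls will want to assert on; a dedicated column for it would be a natural follow-up once the response shape is confirmed.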
diff --git a/libraries/support/azure/management.rb b/libraries/support/azure/management.rb
index 9cb87e3c9..f97816fbb 100644
--- a/libraries/support/azure/management.rb
+++ b/libraries/support/azure/management.rb
@@ -34,6 +34,14 @@ def activity_log_alert_filtered(filter)
 )
 end
 
+ def locks(resource_group, resource_name, resource_type)
+ get(
+ url: link(location: "#{resource_type}/#{resource_name}",
+ resource_group: resource_group) + 'providers/Microsoft.Authorization/locks',
+ api_version: '2016-09-01',
+ )
+ end
+
 def log_profile(id)
 get(
 url: link(location: 'Microsoft.Insights/logProfiles') + id,
diff --git a/libraries/support/azure/service.rb b/libraries/support/azure/service.rb
index 72a008d91..6145e984c 100644
--- a/libraries/support/azure/service.rb
+++ b/libraries/support/azure/service.rb
@@ -102,13 +102,13 @@ def get(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true, pa
 end
 end
 
- def post(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true)
+ def post(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true, params: {})
 confirm_configured!
 
 body = cache.fetch(url) if use_cache
 body ||= rest_client.post(url,
- params: { 'api-version' => api_version },
+ params: { 'api-version' => api_version }.merge(params),
 headers: { Accept: 'application/json' }).body
 
 error_handler&.(body)
diff --git a/test/integration/verify/controls/azurerm_locks.rb b/test/integration/verify/controls/azurerm_locks.rb
new file mode 100644
index 000000000..cc9b92c53
--- /dev/null
+++ b/test/integration/verify/controls/azurerm_locks.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+resource_group = attribute('resource_group', default: nil)
+resource_name = attribute('windows_vm_name', default: nil)
+resource_type = 'Microsoft.Compute/virtualMachines'
+
+control 'azurerm_locks' do
+ describe azurerm_locks(resource_group: resource_group, resource_name: resource_name,resource_type: resource_type) do
+ it { should_not exist }
+ end
+end
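Review bot: `locks` interpolates `resource_type` and `resource_name` straight into the request path, so a `resource_name` containing `/`, `?` or `#` changes which endpoint is queried instead of failing; `resource_type` legitimately contains a `/`, but `resource_name` does not and can be escaped with `ERB::Util.url_encode(resource_name)` (or rejected when it is not a plain name) before `location:` is built. A `nil` argument likewise yields an empty path segment rather than an error, which the method should at least state, e.g. `# All three arguments are required; nil is not rejected here and produces a malformed path.`. Whether `link` performs any escaping of its own is not visible in this hunk.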
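Review bot: `post` now accepts per-call `params`, but the cache lookup three lines below still keys on `url` alone (`body = cache.fetch(url) if use_cache`), so two POSTs to the same URL with different `params` would presumably return the first cached body while `use_cache` is true. If `cache` is a hash-like store keyed by string, keying on the pair, e.g. `cache.fetch([url, params])`, or documenting that callers passing `params` must set `use_cache: false`, closes the gap; the cache write further down the method is outside this hunk and should use the same key. `merge(params)` also lets a caller silently override `'api-version'`; `params.merge('api-version' => api_version)` keeps the version authoritative. Nothing else in this patch calls `post` with `params`, so the change looks unrelated to the lock resource and deserves a line in the commit message.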
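Review bot: The control only asserts `should_not exist`, which presumably also passes when the request fails, because `initialize` in libraries/azurerm_locks.rb returns early on `has_error?` and never sets `table`; a wrong `windows_vm_name`, a missing permission or a typo in the resource type is then indistinguishable from "no locks on this VM". A positive case that provisions a lock in the integration fixture and asserts `it { should exist }` together with a check on the lock level via `properties` would make the control meaningful. At minimum the negative case should carry a comment such as `# Expects the fixture VM to carry no locks; note that a failed API call also yields no entries.`. The attribute names are assumed to match the Terraform outputs used by the other controls — verify.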
From 3036bd1138b6f982a920d5bdd631eab25f93e5d9 Mon Sep 17 00:00:00 2001
From: Ruairi Fennell
Date: Fri, 4 Oct 2019 14:45:35 +0100
Subject: [PATCH 2/2] Rubocop
Signed-off-by: Ruairi Fennell
---
 libraries/azurerm_locks.rb | 8 ++++----
 libraries/support/azure/service.rb | 2 +-
 test/integration/verify/controls/azurerm_locks.rb | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/libraries/azurerm_locks.rb b/libraries/azurerm_locks.rb
index 70baeb4f5..65928bca8 100644
--- a/libraries/azurerm_locks.rb
+++ b/libraries/azurerm_locks.rb
@@ -14,10 +14,10 @@ class AzurermLocks < AzurermPluralResource
 attr_reader :table
 
 FilterTable.create
- .register_column(:ids, field: :id)
- .register_column(:names, field: :name)
- .register_column(:properties, field: :properties)
- .install_filter_methods_on_resource(self, :table)
+ .register_column(:ids, field: :id)
+ .register_column(:names, field: :name)
+ .register_column(:properties, field: :properties)
+ .install_filter_methods_on_resource(self, :table)
 
 def initialize(resource_group: nil, resource_name: nil, resource_type: nil)
 resp = management.locks(resource_group, resource_name, resource_type)
diff --git a/libraries/support/azure/service.rb b/libraries/support/azure/service.rb
index 6145e984c..10af784cb 100644
--- a/libraries/support/azure/service.rb
+++ b/libraries/support/azure/service.rb
@@ -102,7 +102,7 @@ def get(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true, pa
 end
 end
 
- def post(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true, params: {})
+ def post(url:, api_version:, error_handler: nil, unwrap: nil, use_cache: true, params: {}) # rubocop:disable Metrics/ParameterLists
 confirm_configured!
 
 body = cache.fetch(url) if use_cache
diff --git a/test/integration/verify/controls/azurerm_locks.rb b/test/integration/verify/controls/azurerm_locks.rb
index cc9b92c53..38185d322 100644
--- a/test/integration/verify/controls/azurerm_locks.rb
+++ b/test/integration/verify/controls/azurerm_locks.rb
@@ -4,7 +4,7 @@
 resource_type = 'Microsoft.Compute/virtualMachines'
 
 control 'azurerm_locks' do
- describe azurerm_locks(resource_group: resource_group, resource_name: resource_name,resource_type: resource_type) do
+ describe azurerm_locks(resource_group: resource_group, resource_name: resource_name, resource_type: resource_type) do
 it { should_not exist }
 end
 end