feat(azure): add new check storage_ensure_private_endpoints_in_storage_accounts (#3326)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
2026-02-10 06:45:08 +00:00 · 2024-01-29 13:55:19 +01:00
parent ae1ab1d957
commit db4579435a
14 changed files with 204 additions and 0 deletions
--- a/tests/lib/check/check_test.py
+++ b/tests/lib/check/check_test.py
@@ -47,6 +47,13 @@ expected_packages = [
        name="prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days",
        ispkg=False,
    ),
+    ModuleInfo(
+        module_finder=FileFinder(
+            "/root_dir/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts"
+        ),
+        name="prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts",
+        ispkg=False,
+    ),
    ModuleInfo(
        module_finder=FileFinder("/root_dir/prowler/providers/azure/services/storage"),
        name="prowler.providers.azure.services.storage.storage_ensure_encryption_with_customer_managed_keys",
@@ -82,6 +89,13 @@ def mock_list_modules(*_):
            name="prowler.providers.azure.services.storage.storage_key_rotation_90_days.storage_key_rotation_90_days",
            ispkg=False,
        ),
+        ModuleInfo(
+            module_finder=FileFinder(
+                "/root_dir/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts"
+            ),
+            name="prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts",
+            ispkg=False,
+        ),
        ModuleInfo(
            module_finder=FileFinder(
                "/root_dir/prowler/providers/azure/services/storage"
@@ -465,6 +479,10 @@ class Test_Check:
                "storage_key_rotation_90_days",
                "/root_dir/prowler/providers/azure/services/storage/storage_key_rotation_90_days",
            ),
+            (
+                "storage_ensure_private_endpoints_in_storage_accounts",
+                "/root_dir/prowler/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts",
+            ),
            (
                "storage_ensure_encryption_with_customer_managed_keys",
                "/root_dir/prowler/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys",
--- a/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py
+++ b/tests/providers/azure/services/storage/storage_blob_public_access_level_is_disabled/storage_blob_public_access_level_is_disabled_test.py
@@ -39,6 +39,7 @@ class Test_storage_blob_public_access_level_is_disabled:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -79,6 +80,7 @@ class Test_storage_blob_public_access_level_is_disabled:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py
+++ b/tests/providers/azure/services/storage/storage_default_network_access_rule_is_denied/storage_default_network_access_rule_is_denied_test.py
@@ -41,6 +41,7 @@ class Test_storage_default_network_access_rule_is_denied:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -81,6 +82,7 @@ class Test_storage_default_network_access_rule_is_denied:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py
+++ b/tests/providers/azure/services/storage/storage_ensure_azure_services_are_trusted_to_access_is_enabled/storage_ensure_azure_services_are_trusted_to_access_is_enabled_test.py
@@ -41,6 +41,7 @@ class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -81,6 +82,7 @@ class Test_storage_ensure_azure_services_are_trusted_to_access_is_enabled:
                    encryption_type=None,
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py
+++ b/tests/providers/azure/services/storage/storage_ensure_encryption_with_customer_managed_keys/storage_ensure_encryption_with_customer_managed_keys_test.py
@@ -39,6 +39,7 @@ class Test_storage_ensure_encryption_with_customer_managed_keys:
                    encryption_type="None",
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -79,6 +80,7 @@ class Test_storage_ensure_encryption_with_customer_managed_keys:
                    encryption_type="Microsoft.Keyvault",
                    minimum_tls_version=None,
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py
+++ b/tests/providers/azure/services/storage/storage_ensure_minimum_tls_version_12/storage_ensure_minimum_tls_version_12_test.py
@@ -39,6 +39,7 @@ class Test_storage_ensure_minimum_tls_version_12:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -79,6 +80,7 @@ class Test_storage_ensure_minimum_tls_version_12:
                    encryption_type="None",
                    minimum_tls_version="TLS1_2",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts_test.py
+++ b/tests/providers/azure/services/storage/storage_ensure_private_endpoints_in_storage_accounts/storage_ensure_private_endpoints_in_storage_accounts_test.py
@@ -0,0 +1,112 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.storage.v2023_01_01.models import PrivateEndpointConnection
+
+from prowler.providers.azure.services.storage.storage_service import Storage_Account
+
+AZURE_SUSCRIPTION = str(uuid4())
+
+
+class Test_storage_ensure_private_endpoints_in_storage_accounts:
+    def test_storage_ensure_private_endpoints_in_storage_accounts(self):
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts import (
+                storage_ensure_private_endpoints_in_storage_accounts,
+            )
+
+            check = storage_ensure_private_endpoints_in_storage_accounts()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_storage_ensure_private_endpoints_in_storage_accounts_no_endpoints(
+        self,
+    ):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=None,
+                    encryption_type="None",
+                    minimum_tls_version=None,
+                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts import (
+                storage_ensure_private_endpoints_in_storage_accounts,
+            )
+
+            check = storage_ensure_private_endpoints_in_storage_accounts()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} does not have private endpoint connections."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id
+
+    def test_storage_ensure_private_endpoints_in_storage_accounts_has_endpoints(
+        self,
+    ):
+        storage_account_id = str(uuid4())
+        storage_account_name = "Test Storage Account"
+        storage_client = mock.MagicMock
+        storage_client.storage_accounts = {
+            AZURE_SUSCRIPTION: [
+                Storage_Account(
+                    id=storage_account_id,
+                    name=storage_account_name,
+                    enable_https_traffic_only=False,
+                    infrastructure_encryption=False,
+                    allow_blob_public_access=None,
+                    network_rule_set=None,
+                    encryption_type="None",
+                    minimum_tls_version=None,
+                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=PrivateEndpointConnection(),
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts.storage_client",
+            new=storage_client,
+        ):
+            from prowler.providers.azure.services.storage.storage_ensure_private_endpoints_in_storage_accounts.storage_ensure_private_endpoints_in_storage_accounts import (
+                storage_ensure_private_endpoints_in_storage_accounts,
+            )
+
+            check = storage_ensure_private_endpoints_in_storage_accounts()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Storage account {storage_account_name} from subscription {AZURE_SUSCRIPTION} has private endpoint connections."
+            )
+            assert result[0].subscription == AZURE_SUSCRIPTION
+            assert result[0].resource_name == storage_account_name
+            assert result[0].resource_id == storage_account_id
--- a/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py
+++ b/tests/providers/azure/services/storage/storage_infrastructure_encryption_is_enabled/storage_infrastructure_encryption_is_enabled_test.py
@@ -39,6 +39,7 @@ class Test_storage_infrastructure_encryption_is_enabled:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -79,6 +80,7 @@ class Test_storage_infrastructure_encryption_is_enabled:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days_test.py
+++ b/tests/providers/azure/services/storage/storage_key_rotation_90_days/storage_key_rotation_90_days_test.py
@@ -39,6 +39,7 @@ class Test_storage_key_rotation_90_dayss:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=expiration_days,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -80,6 +81,7 @@ class Test_storage_key_rotation_90_dayss:
                    encryption_type="None",
                    minimum_tls_version="TLS1_2",
                    key_expiration_period_in_days=expiration_days,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -120,6 +122,7 @@ class Test_storage_key_rotation_90_dayss:
                    encryption_type="None",
                    minimum_tls_version="TLS1_2",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
--- a/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py
+++ b/tests/providers/azure/services/storage/storage_secure_transfer_required_is_enabled/storage_secure_transfer_required_is_enabled_test.py
@@ -39,6 +39,7 @@ class Test_storage_secure_transfer_required_is_enabled:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }
@@ -79,6 +80,7 @@ class Test_storage_secure_transfer_required_is_enabled:
                    encryption_type="None",
                    minimum_tls_version="TLS1_1",
                    key_expiration_period_in_days=None,
+                    private_endpoint_connections=None,
                )
            ]
        }