Run pipelines to detect and correct Azure resources that are non-compliant with CIS benchmarks.

turbot/flowpipe-mod-azure-cis

Azure CIS Mod for Flowpipe

Pipelines to detect and remediate Azure resources non-compliant with CIS benchmarks.

Documentation

Getting Started

Requirements

Docker daemon must be installed and running. Please see Install Docker Engine for more information.

Installation

Download and install Flowpipe (https://flowpipe.io/downloads) and Steampipe (https://steampipe.io/downloads). Or use Brew:

brew install turbot/tap/flowpipe
brew install turbot/tap/steampipe

Install the Azure plugin with Steampipe:

steampipe plugin install azure

Steampipe will automatically use your default Azure credentials. Optionally, you can set up multiple subscriptions or customize Azure credentials.

Create a connection_import resource to import your Steampipe Azure connections:

vi ~/.flowpipe/config/azure.fpc

connection_import "azure" {
  source      = "~/.steampipe/config/azure.spc"
  connections = ["*"]
}

For more information on importing connections, please see Connection Import.

For more information on connections in Flowpipe, please see Managing Connections.

Install the mod:

mkdir azure-cis
cd azure-cis
flowpipe mod install github.com/turbot/flowpipe-mod-azure-cis

Install the dependencies:

flowpipe mod install

Running CIS Pipelines

To run your first CIS pipeline, you'll need to ensure your Steampipe server is up and running:

steampipe service start

To find your desired CIS pipeline, you can filter the pipeline list output:

flowpipe pipeline list | grep "cis"

Then run your chosen pipeline:

flowpipe pipeline run azure_cis.pipeline.cis_v300

By default, the pipeline run above finds the relevant resources and then sends a message to your configured notifier.
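A preflight check for the installation and run steps above, added here as an example; it is not part of the mod or its documentation. It assumes the config paths shown on this page and that `steampipe plugin list` prints installed plugins in the form .../turbot/azure@<tag>; the names preflight, FPC and SPC are made up for this example.

```shell
# Added example, not part of the mod: checks the prerequisites from the
# steps above before a pipeline run. Run it from the mod directory (azure-cis).
# Assumptions: config paths as shown on this page (override with FPC / SPC);
# `steampipe plugin list` prints installed plugins as ".../turbot/azure@<tag>".
FPC="${FPC:-$HOME/.flowpipe/config/azure.fpc}"
SPC="${SPC:-$HOME/.steampipe/config/azure.spc}"

_fail() { echo "MISSING: $1"; PREFLIGHT_FAILS=$((PREFLIGHT_FAILS + 1)); }

# Prints one line per unmet prerequisite; returns the number of failures.
preflight() {
  PREFLIGHT_FAILS=0
  for bin in docker flowpipe steampipe; do
    command -v "$bin" >/dev/null 2>&1 || _fail "$bin is not on PATH"
  done
  # The Docker daemon must be running, not merely installed.
  docker info >/dev/null 2>&1 || _fail "Docker daemon is not running"
  # "turbot/azure@" avoids matching other plugins whose names start with azure.
  steampipe plugin list 2>/dev/null | grep -q 'turbot/azure@' \
    || _fail "Steampipe azure plugin is not installed"
  # connection_import reads the Steampipe connection file named in `source`.
  [ -f "$SPC" ] || _fail "Steampipe connection file $SPC"
  grep -q 'connection_import' "$FPC" 2>/dev/null \
    || _fail "connection_import block in $FPC"
  # The mod and its dependencies are installed if the pipeline is listed.
  flowpipe pipeline list 2>/dev/null | grep -q 'cis_v300' \
    || _fail "pipeline cis_v300 (run 'flowpipe mod install' in this directory)"
  return "$PREFLIGHT_FAILS"
}
```

Source the file, then gate the run on it: preflight && flowpipe pipeline run azure_cis.pipeline.cis_v300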

Configure Variables

Several pipelines have input variables that can be configured to better match your environment and requirements.

The easiest approach is to set up your flowpipe.fpvars file, starting with the example file:

cp flowpipe.fpvars.example flowpipe.fpvars
vi flowpipe.fpvars

Alternatively, you can pass variables on the command line:

flowpipe pipeline run azure_cis.pipeline.cis_v300 --var notifier=notifier.default

Or through environment variables:

export FP_VAR_notifier="notifier.default"
flowpipe pipeline run azure_cis.pipeline.cis_v300

For more information, please see Passing Input Variables.

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Flowpipe and Steampipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #flowpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues: