How to use Azure - epam/ecc-azure-rulepack GitHub Wiki

This page describes how to install and use Cloud Custodian for Azure.   


Table of Contents

  1. Pre-requisites
    1.1. Install Python 3
    1.2. Create your virtual environment
    1.3. Install Cloud Custodian
  2. Authentication & Access
    2.1. Install Azure CLI and sign in
  3. Scan a project
    3.1. Explore Cloud Custodian
    3.2. Run a policy
    3.3. Cross-region policies
  4. Useful links

Pre-requisites

Install Python 3

Cloud Custodian supports Python 3.8 and higher. The recommended version is Python 3.8.

On Ubuntu

1. To install Python 3.8, run the following commands:

sudo apt update
sudo apt-get install python3.8

2. Install pip and venv:

sudo apt-get install python3-pip
sudo apt-get install python3.8-venv

On MacOS with Homebrew

To install Python 3, run the following commands (the Homebrew installer is fetched over HTTPS so the script you pipe into a shell cannot be tampered with in transit):

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install python3
brew install git

Installing python3 gets you the latest version of Python 3 supported by Homebrew, currently Python 3.9.

Create your virtual environment

To do so, use the venv module and upgrade pip to the latest version:

python3.8 -m venv custodian
source custodian/bin/activate
pip install --upgrade pip

Install Cloud Custodian

1. Install the latest version from the repository:

git clone https://github.com/cloud-custodian/cloud-custodian.git
git clone https://github.com/epam/ecc-azure-rulepack.git

2. Install Cloud Custodian:

pip3 install -e ./cloud-custodian/

3. Install Plugin for Cloud Custodian:

pip3 install -e ./cloud-custodian/tools/c7n_azure

â„šī¸ Note: To use  Cloud Custodian once again, run the following command:

source custodian/bin/activate

An alternative way to install Cloud Custodian is with make:

cd path/to/cloud-custodian
python3.8 -m venv .venv
source .venv/bin/activate
pip install poetry
make install

Authentication & Access

Before running Custodian, you need to log in to your Azure environment. Custodian picks up the credentials of your Azure CLI session, so signing in with Azure CLI is enough.

Install Azure CLI and sign in

Find information on how to install Azure CLI on Windows, MacOS, or Linux here.

1. Sign in with Azure CLI by using the following command:

az login

2. Sign in in the browser with your account credentials:

  • In the browser window that opens, enter your credentials;
  • After successful authentication, you are redirected to the Azure CLI documentation page;
  • To check which subscription is active, run az account show in your terminal.

Scan a project

Cloud Custodian manages cloud resources using policies. A Custodian policy is expressed in a YAML file that follows a predetermined schema describing what you want Custodian to do.

There are three main components to a policy:

  • resource: the type of resource to run the policy against;
  • filters: criteria to narrow down the set of resources;
  • actions: directives to take on the filtered set of resources.

Explore Cloud Custodian

Use the following commands to explore what Custodian can do:

  • To see a list of available commands, run custodian -h.
  • To see the complete list of cloud resources against which you can run policies, run custodian schema.
  • To invoke command-line help with more information about policy schema details, run custodian schema -h.
  • To see the available resources for a specific cloud provider, run custodian schema <cloud-provider>, for example: custodian schema azure
  • To see the available filters and actions for each resource, run custodian schema <cloud-provider>.<resource>.

To run a policy, go to the folder ecc-azure-rulepack/policies:

cd ecc-azure-rulepack/policies

Run a policy

Run the following command to execute the policy with Custodian:

custodian run --cache-period=0 --output-dir=. epam-azure-049-cis_net_ssh.yml

If successful, you will see output similar to the following on the command line:

2020-01-29 14:34:29,402: custodian.policy:INFO policy:epam-azure-049-cis_net_ssh resource:azure.networksecuritygroup region: count:1 time:1.04

You should also find a new directory containing the log and other output files. The name of this directory matches the name of the policy you ran. The following files are stored in the directory:

  • custodian-run.log – log file;
  • metadata.json – information in JSON format about the scanning process and a description of the rule itself;
  • resources.json – JSON description of the resources that do not comply with the rule.
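The following script is an added example for this wiki page; it is not code from the ecc-azure-rulepack project or from Cloud Custodian. It ties together the policy structure described above (resource, filters, actions) and the output directory layout just listed: it parses the "count:N" summary line from custodian-run.log, reads the policy definition from metadata.json and the non-compliant resources from resources.json, and cross-checks that the number of resources on disk matches the count Custodian logged, so a truncated resources.json is not silently read as "everything complies". The sample files it writes are constructed for the demo (placeholder subscription id, illustrative filter body that is not the rulepack's real definition of epam-azure-049-cis_net_ssh), and the assumption that metadata.json carries the policy under a "policy" key is the author's, not a documented Custodian contract.

```python
"""Summarize a Cloud Custodian policy output directory.

Added example, not code from the ecc-azure-rulepack wiki or the Cloud
Custodian project. It assumes the layout the page describes:
<output-dir>/<policy-name>/ holding custodian-run.log, metadata.json and
resources.json. Sample contents below are constructed for the demo; the
metadata.json keys read here ("policy" with resource/filters/actions)
are an assumption about what Custodian writes.
"""
import json
import os
import re
import tempfile

# Matches the per-policy summary line Custodian logs, in the form shown on
# the page: "policy:NAME resource:TYPE region: count:N time:SECONDS".
RUN_LINE = re.compile(
    r"policy:(?P<policy>\S+)\s+resource:(?P<resource>\S+)\s+"
    r"region:(?P<region>\S*)\s+count:(?P<count>\d+)\s+time:(?P<time>[\d.]+)"
)

# Constructed sample policy showing the three components. The filter body
# is illustrative only, not the rulepack's real epam-azure-049-cis_net_ssh.
SAMPLE_POLICY = {
    "name": "epam-azure-049-cis_net_ssh",
    "resource": "azure.networksecuritygroup",
    "filters": [{"type": "ingress", "ports": "22", "access": "Allow"}],
    "actions": [],
}

# Constructed resource records with a placeholder subscription id.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE_RESOURCES = [
    {"id": _SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-web", "name": "nsg-web"},
    {"id": _SUB + "/providers/Microsoft.Network/networkSecurityGroups/nsg-jump", "name": "nsg-jump"},
]

# Constructed log line in the same format as the one shown on the page.
SAMPLE_LOG = (
    "2020-01-29 14:34:29,402: custodian.policy:INFO policy:epam-azure-049-cis_net_ssh "
    "resource:azure.networksecuritygroup region: count:2 time:1.04\n"
)


def write_sample_output(output_dir):
    """Create <output_dir>/<policy-name>/ with the three files a run produces."""
    policy_dir = os.path.join(output_dir, SAMPLE_POLICY["name"])
    os.makedirs(policy_dir, exist_ok=True)
    with open(os.path.join(policy_dir, "custodian-run.log"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    with open(os.path.join(policy_dir, "metadata.json"), "w", encoding="utf-8") as fh:
        json.dump({"policy": SAMPLE_POLICY}, fh)
    with open(os.path.join(policy_dir, "resources.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_RESOURCES, fh)
    return policy_dir


def parse_run_log(path):
    """Return (policy, resource, count) from the last summary line in the log."""
    last = None
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            match = RUN_LINE.search(line)
            if match:
                last = match
    if last is None:
        raise ValueError(f"no policy summary line found in {path}")
    return last.group("policy"), last.group("resource"), int(last.group("count"))


def summarize_policy_run(policy_dir):
    """Combine log, metadata and resources into one summary dict."""
    policy, resource, logged_count = parse_run_log(
        os.path.join(policy_dir, "custodian-run.log"))
    with open(os.path.join(policy_dir, "metadata.json"), encoding="utf-8") as fh:
        spec = json.load(fh)["policy"]
    with open(os.path.join(policy_dir, "resources.json"), encoding="utf-8") as fh:
        resources = json.load(fh)
    return {
        "policy": policy,
        "resource": resource,
        "filters": len(spec.get("filters", [])),
        "actions": len(spec.get("actions", [])),
        "non_compliant": [r.get("name") or r.get("id") for r in resources],
        "logged_count": logged_count,
        # A mismatch means resources.json is incomplete or from another run.
        "count_matches_log": logged_count == len(resources),
    }


def demo():
    """Build the sample output in a temporary directory and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize_policy_run(write_sample_output(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it on a real run, point summarize_policy_run at the policy directory that custodian run created under --output-dir (for the command above, ./epam-azure-049-cis_net_ssh). The count cross-check is the part worth keeping in any reporting pipeline: a policy directory whose resources.json is empty looks identical to a clean scan unless you also compare it with what the log says was found.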

Useful links

Check the resources below to find more information about Cloud Custodian, Azure, and the rules: 

âš ī¸ **GitHub.com Fallback** âš ī¸