Post Key Vault Secrets report to webhook

azure-key-vault-alert

Description

Uses the ops-py-azure-key-vault-report tool to generate:

Azure Key Vault reports

Which may be posted to a Slack App webhook, Slack Workflow webhook, or an MS Teams webhook.

The output is formatted as a Slack Code Block when posted to Slack. The content is output as two plaintext Markdown tables:
the Summary and the Report.

When posted to MS Teams, the Summary is formatted as Facts, followed by the Report as an HTML table.

OR

Azure Key Vault Slack alerts

These are only supported when posted to a Slack App webhook.

Each alert message is formatted as Slack Markdown.

Installation

pip install ops-py-azure-key-vault-alert

Usage

Environment variables

Export the webhook URL(s) as environment variables:

  • WEBHOOK_REPORT
    This is where the report(s) or alerts will be posted. It is automatically detected if the webhook is of type:

    • Slack App
      When the webhook contains slack.com/services.

    • Slack Workflow
      When the webhook contains slack.com, but not the slack.com/services part.

    • MS Teams
      When the webhook does not contain slack.com.

    Example: export WEBHOOK_REPORT="https://hooks.slack.com/workflows/T02XYZ..."

  • WEBHOOK_NOTIFY
    If set, then when the result has been posted to the WEBHOOK_REPORT webhook, an additional empty POST is performed to the value of this webhook.

NOTE: The actual post requests are handled by the ops-py-message-handler.
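
A pre-flight check for WEBHOOK_REPORT, added here as an example and not part of ops-py-azure-key-vault-alert: classify_webhook restates the detection rule above, and check_webhook (a hypothetical helper) additionally requires https and an expected host, because under that rule any URL that does not contain slack.com is treated as MS Teams. The host allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this deployment expects to post reports to.
# A leading dot means "any subdomain of".
ALLOWED_HOSTS = ("hooks.slack.com", ".webhook.office.com")


def classify_webhook(url: str) -> str:
    """Webhook type according to the substring rule documented above."""
    if "slack.com/services" in url:
        return "slack_app"
    if "slack.com" in url:
        return "slack_workflow"
    return "ms_teams"


def host_allowed(host: str) -> bool:
    return any(
        host.endswith(entry) if entry.startswith(".") else host == entry
        for entry in ALLOWED_HOSTS
    )


def check_webhook(url: str) -> str:
    """Return the webhook type, or raise ValueError before anything is posted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("webhook must use https")
    if not host_allowed(host):
        raise ValueError(f"unexpected webhook host: {host!r}")
    kind = classify_webhook(url)
    # The substring rule and the real host must agree on Slack vs. Teams.
    if kind.startswith("slack") != (host == "hooks.slack.com"):
        raise ValueError(f"{host!r} does not match detected type {kind}")
    return kind


if __name__ == "__main__":
    # Constructed sample URLs; the second has a typo in the host name.
    for sample in ("https://hooks.slack.com/services/T000/B000/XXXX",
                   "https://hooks.slak.com/services/T000/B000/XXXX"):
        try:
            print(sample, "->", check_webhook(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Running the check before exporting the variable catches a mistyped host that the substring rule alone would classify as MS Teams.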


Arguments

-v, --vaults
STRING (space separated)
Followed by the list of key vaults to check.

Example: -v kv-prod kv-dev kv-qa

-c, --alert_threshold
INT - Default: not set
If set, only the records that are within +/- this many days of their Expiration Date (about to expire, or already expired) will be alerted on, as individual messages.

Example: --alert_threshold 7
This will alert on records which will expire within the next 7 days OR records which have expired, but only less than 7 days ago.

NOTE: Only a Slack App WEBHOOK_REPORT is supported for this.
If specified, the summary and other reports will not be posted. Only the alert messages about the records which are caught by this alert_threshold filter will be posted.

-e, --expire_threshold
INT - Default: not set
If this argument is provided, the days to the record's Expiration Date must be below this threshold in order to be included in the report.

Example: --expire_threshold 60
This will include the record in the report only if the record will expire within the next 60 days.

-i, --include_no_expiration
Default: not set
If this argument is provided, the report will also include the records which have no Expiration Date set. The default behavior is simply to ignore records which do not have an Expiration Date set.

-r, --record_types
Default is all: certificate secret key
List of record types to check for. Valid types are: certificate, secret, key

Example: -r certificate secret

-a, --include_all
Default: not set
If this argument is provided, the report will include all the records (verbose) for the specified Record Types. Records which have been disabled will also be included.

-T, --title
Default: Azure Key Vault report
The title of the message posted in Slack or MS Teams.

-L, --slack_split_chars
INT - Default: 3500
If the Slack message is longer than this value, it will be split into multiple posts. Each post will then contain at most the number of characters specified by this value.

-C, --teams_max_chars
INT - Default: 17367
The max characters the report can have due to the MS Teams payload size limits.

NOTE: If the message is above this threshold then only the facts (summary) will be posted to MS Teams. The HTML table will in this case not be included.

-S, --stdout_only
Default: not set
If set, only print the reports to stdout. No POST to Slack or MS Teams will be performed.

-w, --workflow_output_file
STRING - Default: output.json
The file where a full JSON report will be written.

-s, --silence
Default: not set
If provided, the workflow will run, log and write to the workflow_output_file, but no messages will be posted to Slack or MS Teams and nothing will be output to stdout.

Examples

Generate a Key Vault report and summary of all records for specified Key Vaults
Example: python3 azure_key_vault_alert -v kv-dev kv--test kv-qa -a

This will include all the records, even the records which are disabled and the records which have no Expiration Date set. The result will be a summary report and a full report, which are posted to the webhook exported in WEBHOOK_REPORT.

To only print the result to stdout and not post to the webhook, append the -S argument.

For specified Key Vaults, generate a Key Vault report and summary of Secret records which will expire within the next 60 days or have already expired, with a custom title for the posted message
Example: python3 azure_key_vault_alert -v kv-dev kv--test kv-qa -e 60 -r secret -T "NON-PROD - Azure Key Vault report"

The report will then only include, for the specified Key Vaults:

  • records of type Secret
  • which will expire within the next 60 days
  • and records which have already expired
  • The message will have a custom Title

The summary will contain info about every record parsed, even if the record is not included in the report.
NOTE: Only the Record Types specified will be included in the summary.
NOTE: If no records are included in the report (none expired and none expiring within the threshold), the summary will still be posted.

For specified Key Vaults, alert if any record is about to expire within the next 14 days or if any record has expired within the last 14 days
Example: python3 azure_key_vault_alert -v kv-dev kv--test kv-qa -c 14

NOTE: Each record will be alerted on in a separate Slack message.
NOTE: E.g. if a record has then been expired for 15 days or more, it will not be alerted on.

Log all output
A summary and a full report are always written to file. This may then be used to post to a monitoring service API etc., e.g.:

curl --request POST \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: MY-SUPER-SECRET-KEY' \
  --data @output.json \
  https://my-superb-api.com

Source Distribution

ops_py_azure_key_vault_alert-4.7.2.tar.gz (11.8 kB)