Output a Key Vault Secrets report
Project description
azure-key-vault-report
Description
Generates reports from the output of az keyvault commands.
The column names/header/key values for the reports are defined in the config.py file.
- The
az keyvaultcommand output is treated as a rows. - Each line is treated as a row.
- Each row consists or row elements.
The summary
A summary (stats about the records) of the outputs of the az keyvault commands.
- Total number of vaults
- Total number of records
- Records already expired
- Records missing Expiration Date
- Records updated in the last year
- Records NOT updated in the last year
- Records NOT updated for the last 2 years
- Records NOT updated for the last 3 years
NOTE: Defined in the config.py file.
Available as:
- JSON (dict)
- Plain text Markdown
The rows
The processed and enriched outputs of the az keyvault commands.
Defined in the config.py file:
- Record Name
- Record Type
- Vault Name
- Last Updated
- Expiration
- Comment May include info about:
- Days to when the secret will expire
- Days since the secret expired
- Info if the secret has no expiration date set
- Days since the Secret was last updated
Available as:
- JSON (dict)
- Plain text Markdown
NOTE: Will include all rows if include_all is set to True.
If not, only the rows not filterer out by any of the parameters will be added.
The summary and the rows combined
Available as:
- JSON (dict)
- Plain text Markdown
Full report
A dict version of the full report were all the rows are included (unfiltered) and a dict of the summary is ALWAYS created.
Available as:
- JSON (dict)
MS Teams payload with facts and a HTML table
A payload ready to be posted to a MS Teams webhook.
Consists of a title, facts (the summary) and a html table of the rows.
The MS Team payload will use the following base template:
{
"@type": "MessageCard", "@context": "http://schema.org/extensions", "themeColor": "0076D7", "summary": "-", "sections": [ { "activityTitle": "<TITLE>", "activitySubtitle": "", "activityImage": "", "facts": [], "markdown": true }, { "startGroup": true, "text": "<TEXT>" } ]}
activityTitlewill contain the value of the providedtitle-factswill contain the rows from the summary tabletextmay contain additional data. Defaults to a html table
Slack items
Items to be posted to Slack.
Slack Markdown items
These posts are only generated if the records is filtered by the critical_threshold parameter.
Slack Workflow items
List of tuple pairs ("title" and "text") to be posted to a Slack Workflow.
The text is made up of the summary and the rows as a plain text Markdown table.
Slack App items
List of dicts to be converted to json and posted to a Slack App.
The key name of the json is "text". The value is a formatted message made up of a title and the rows as a plain text Markdown table.
parameters (add_report)
The reports are generated based on the following add_report method parameters
expire_threshold
critical_threshold
ignore_no_expiration
include_all
teams_json
Installation
pip install ops-py-azure-key-vault-report
Usage
The azure_key_vault_report object must be initialized with the json output of one more az keyvault list commands.
Please refer to the code documentation provided in the az_cmd.py file.
Example code which will process the records of type secretand certificatefrom a Key Vault named kv-test in the subscription:
NOTE: az login and az account set --subscription ... must have been executed prior to running this code.
Initial code
import az_cmd
import azure_key_vault_report
vaults = ["kv-test"]
az_results = []
for vault in vaults:
az_results += az_cmd.az_cmd(vault, ["secret", "certificate"])
kv_report = azure_key_vault_report.AzureKeyVaultReport(az_results)
kv_report.parse_results()
kv_report.add_summary()
Only records with Expiration date set
Process the records, but filter out records not having a Expiration date set:
kv_report.add_report()
Get various results
The summary only
As plaintext Markdown table:
out = kv_report.get_summary_markdown()
print(out)
As dict:
out = kv_report.get_summary()
print(out)
The report only
As plaintext Markdown table:
out = kv_report.get_report_markdown()
print(out)
As list of dicts:
out = kv_report.get_report()
print(out)
Combined summary and report as plaintext Markdown table
out = kv_report.get_report_summary_markdown()
print(out)
Full report - combined summary and report - as dict
This will include all the processed records, even the ones not having an Expiration date set.
It will always include all the processed records, regardless of the add_report parameters.
out = kv_report.get_report_full()
print(out)
Full report - combined summary and report - as plaintext Markdown table
To include all and output as plaintext Markdown the include_all parameter has to be set to True
kv_report.add_report(include_all=True)
out = kv_report.get_report_summary_markdown()
print(out)
Only expired and soon expiring records - combined summary and report
Soon expiring records are defined by the expire_threshold parameter.
E.g. to only list records that will expire within the next 30 days (expired are automatically included):
kv_report.add_report(expire_threshold=30)
As plaintext Markdown table:
out = kv_report.get_report_summary_markdown()
print(out)
As plaintext Markdown table in a Slack App post:
out = kv_report.get_slack_payloads("My Key Vault report")
print(out)
As plaintext Markdown table in a Slack Workflow post:
out = kv_report.get_slack_payloads("My Key Vault report", app=False)
print(out)
As MS Team payload with html_table:
kv_report.add_report(expire_threshold=30, teams_json=True)
out = kv_report.get_teams_payload("My Key Vault report")
print(out)
Critical records as Slack post messages
Slack Markdown JSON will be generated from a row if it contains a record which is within the critical_thresholdparameter.
E.g. if the critical_threshold is set to 7, a Slack Markdown JSON of the row is generated
if the row contains a record which is expiring within the next 7 days OR
if the record has already expired, but only for 7 or fewer days.
kv_report.add_report(critical_threshold=7)
out = kv_report.get_slack_payloads("title", md=True)
print(out)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file ops_py_azure_key_vault_report-7.0.1.tar.gz.
File metadata
- Download URL: ops_py_azure_key_vault_report-7.0.1.tar.gz
- Upload date:
- Size: 18.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | bf8f8d340b674a01dec2ab55fb793eec65d9c82f9baae671c38a69b8530954d3 |
|
| MD5 | 6cf5c671cd1e30d34d15a1235b51084c |
|
| BLAKE2b-256 | e1a8300ca50c8f10368e73d58ff0ef91b29abdb486a3496f8b5bf87fbe070801 |
File details
Details for the file ops_py_azure_key_vault_report-7.0.1-py3-none-any.whl.
File metadata
- Download URL: ops_py_azure_key_vault_report-7.0.1-py3-none-any.whl
- Upload date:
- Size: 19.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d798177092d59e1aa5393702bdcfb61c4bb6cee6fb3d7ed05d097243702453a3 |
|
| MD5 | 9f96c95eb5fdc538612e2e853fc24950 |
|
| BLAKE2b-256 | a498bef17564dcb4f126ef9ec448aad718c96031497a5be3ab9d6dd8970eb428 |
