azure / azqr Goto Github PK

Expected Behavior

Successfully run
./azqr-ubuntu-latest-amd64 -s "XXX" -g "YYY"

Actual Behavior

`2023/02/08 13:03:35 Analyzing SQL in Resource Group YYY
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xbfb1ff]

goroutine 86 [running]:
github.com/cmendible/azqr/internal/scanners.(*StorageScanner).Scan(0xc000382b40, {0x7fffaeff2edd, 0x1a})
/home/runner/work/azqr/azqr/internal/scanners/st.go:50 +0x19f
main.reviewRunner.func1(0xc000153d00, {0x7fffaeff2edd, 0x1a})
/home/runner/work/azqr/azqr/cmd/azqr/main.go:195 +0x102
created by main.reviewRunner
/home/runner/work/azqr/azqr/cmd/azqr/main.go:189 +0x73`

Steps to Reproduce the Problem

[Service] Include EventHub analysis

Expected Behavior

I should be able to execute the tool without error.

Actual Behavior

After running the tool for a customer, I received the following error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x8 pc=0x168a8ed]

goroutine 419 [running]:
github.com/cmendible/azqr/internal/scanners.(*AKSScanner).Scan(0xc0002815f0, {0xc0002ba4c0, 0xc})
D:/a/azqr/azqr/internal/scanners/aks.go:56 +0x18d
main.reviewRunner.func1(0xc0000e1440, {0xc0002ba4c0, 0xc})
D:/a/azqr/azqr/cmd/azqr/main.go:196 +0x102
created by main.reviewRunner
D:/a/azqr/azqr/cmd/azqr/main.go:190 +0x73

Steps to Reproduce the Problem

I actually don't know, there is no problem when executing the same in other customers.

Expected Behavior

During Storage Account scan inside a resource group, script crashes

2023/02/08 16:39:15 Analyzing SQL in Resource Group RG_CONTAINER_REGISTRY
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0xed53ff]

goroutine 290 [running]:
github.com/cmendible/azqr/internal/scanners.(*StorageScanner).Scan(0xc000388840, {0xc000036180, 0x15})
D:/a/azqr/azqr/internal/scanners/st.go:50 +0x19f
main.reviewRunner.func1(0xc0001331c0, {0xc000036180, 0x15})
D:/a/azqr/azqr/cmd/azqr/main.go:195 +0x102
created by main.reviewRunner
D:/a/azqr/azqr/cmd/azqr/main.go:189 +0x73

Steps to Reproduce the Problem

Crash happens during scan of storage accounts (presumed by st.go error)
Version used: latest release .\azqr-windows-latest-amd64.exe
azqr version: 0.7.3
No verbose logs can be shared, so is not possible to know deeply the root cause of the issue

Describe the proposal

Creation Code of Conduct for supporting Community Standards

Describe the feature

Include Azure App Services analysis

Expected Behavior

Private Endpoints always must return true for App Services or Functions configured with Private Endpoints

Actual Behavior

Private Endpoints always return false for App Services or Functions

Describe the feature

Add guidance on what can be done when facing Azure ARM throttling issues:

Tipical output looks like:

--------------------------------------------------------------------------------
RESPONSE 429: 429 Too Many Requests
ERROR CODE: ResourceRequestsThrottled
--------------------------------------------------------------------------------
{
  "error": {
    "code": "ResourceRequestsThrottled",
    "message": "Number of requests for action 'Microsoft.Cdn/profiles/read' exceeded the limit of '50' for time interval '00:05:00'. Please try again after '372' seconds."
  }
}

Describe the feature

Create Azure Cognitive Services scanner

Describe the feature

if user is not authorized, azqr should continue instead of stopping with exception.

Exception Example:

2023/04/21 11:31:29 Scanning Costs...
2023/04/21 11:31:31 POST https://management.azure.com/subscriptions/40945bea-3615-4350-9169-4cfa61f0f064/providers/Microsoft.CostManagement/query
--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: RBACAccessDenied
--------------------------------------------------------------------------------
{
  "error": {
    "code": "RBACAccessDenied",
    "message": "The client does not have authorization to perform action. Request ID: 3dc73d4b-c00a-4820-88d3-2bc896310563"
  }
}
--------------------------------------------------------------------------------

Describe the feature

Create Azure Bastion scanner

Expected Behavior

azqr should check for nil pointers in advisor line 82

Actual Behavior

azqr exits with Nil pointer dereference exception on advisor line 82

[Analyzer] Create SLA rule for CosmosDB

See documentation for more information: https://learn.microsoft.com/en-us/azure/cosmos-db/high-availability#slas

Expected Behavior

I expect some output when running the azqr scan command

Actual Behavior

azqr scan
2023/06/26 07:51:51 Generating Report: azqr_report_2023_06_26_T075150.xlsx
2023/06/26 07:51:51 Skipping Overview. No data to render
2023/06/26 07:51:52 Skipping Recommendations. No data to render
2023/06/26 07:51:52 Skipping Services. No data to render
2023/06/26 07:51:52 Skipping Defender. No data to render
2023/06/26 07:51:52 Skipping Advisor. No data to render
2023/06/26 07:51:52 Skipping Costs. No data to render
2023/06/26 07:51:52 Scan completed.

Steps to Reproduce the Problem

az login successful , account set also , full access to subscription , still no output ...

Expected Behavior

azqr runs as expected.

Actual Behavior

I received the following error with an AKS component:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x145a9f0]

goroutine 355 [running]:
github.com/cmendible/azqr/internal/scanners/aks.(*AKSScanner).GetRules.func15({0x18f7a60?, 0xc00051c460?}, 0xc000546000?)
D:/a/azqr/azqr/internal/scanners/aks/rules.go:238 +0x50
github.com/cmendible/azqr/internal/scanners.(*RuleEngine).EvaluateRule(_, {{0x1b99f4c, 0x7}, {0x1b9de3a, 0xa}, {0x1b9f568, 0xb}, {0x1bbcaa5, 0x22}, {0x1b981f1, ...}, ...}, ...)
D:/a/azqr/azqr/internal/scanners/scanner.go:70 +0x6c
github.com/cmendible/azqr/internal/scanners.(*RuleEngine).EvaluateRules(0xc00034e360?, 0xc0002fa700?, {0x18f7a60, 0xc00051c460}, 0xc0003924b8?)
D:/a/azqr/azqr/internal/scanners/scanner.go:89 +0x138
github.com/cmendible/azqr/internal/scanners/aks.(*AKSScanner).Scan(0xc00034e360, {0xc0002fa700, 0xb}, 0x1d01d60?)
D:/a/azqr/azqr/internal/scanners/aks/aks.go:48 +0x16d
main.scanRunner.func1(0xc00014d080, {0xc0002fa700, 0xb})
D:/a/azqr/azqr/cmd/azqr/main.go:234 +0x114
created by main.scanRunner
D:/a/azqr/azqr/cmd/azqr/main.go:228 +0x7b

Steps to Reproduce the Problem

[Service] Include AppService analysis

Describe the feature

Include Azure Database for PostgreSQL Flexible Server

Describe the feature

Include Azure Database for MySQL scan

Describe the feature

Add a retry policy for ARM requests so MaxRetryDelay is higher than 60 seconds. This will help with throttling issues.

clientOptions := &arm.ClientOptions{
		ClientOptions: policy.ClientOptions{
			Retry: policy.RetryOptions{
				RetryDelay:    20 * time.Millisecond,
				MaxRetries:    3,
				MaxRetryDelay: 10 * time.Minute,
			},
		},
	}
```

Describe the feature

Create Azure Logic Apps scanner

Nil pointer issue when scanning AKS

Check the following logs:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x88199b]

 

goroutine 199 [running]:
github.com/cmendible/azqr/internal/scanners/aks.(*AKSScanner).GetRules.func4({0xe5c1a0?, 0xc0006220a0?}, 0xc0003a7420?)
        D:/a/azqr/azqr/internal/scanners/aks/rules.go:91 +0x3b
github.com/cmendible/azqr/internal/scanners.(*RuleEngine).EvaluateRule(_, {{0x10f5da8, 0x7}, {0x10f7502, 0x8}, {0x10f9f38, 0xa}, {0x1115af7, 0x1d}, {0x10f1c7d, ...}, ...}, ...)
        D:/a/azqr/azqr/internal/scanners/scanner.go:74 +0x6c
github.com/cmendible/azqr/internal/scanners.(*RuleEngine).EvaluateRules(0xc0000a2270?, 0xc0004100f0?, {0xe5c1a0, 0xc0006220a0}, 0x0?)
        D:/a/azqr/azqr/internal/scanners/scanner.go:93 +0x138
github.com/cmendible/azqr/internal/scanners/aks.(*AKSScanner).Scan(0xc0000a2270, {0xc0004100f0, 0x21}, 0xc0005f1f08?)
        D:/a/azqr/azqr/internal/scanners/aks/aks.go:51 +0x16d
github.com/cmendible/azqr/cmd/azqr.retry(0x3, 0xc000666688?, 0xc0000c0000, {0xc0004100f0, 0x21}, 0x0?)
        D:/a/azqr/azqr/cmd/azqr/scan.go:328 +0x90
github.com/cmendible/azqr/cmd/azqr.scanRunner.func1(0x6b924a?, {0xc0004100f0, 0x21})
        D:/a/azqr/azqr/cmd/azqr/scan.go:316 +0xf1
created by github.com/cmendible/azqr/cmd/azqr.scanRunner
        D:/a/azqr/azqr/cmd/azqr/scan.go:310 +0x8c

Expected Behavior

azqr should work as expected when user is logged in using Azure CLI and running large scans

Actual Behavior

Scan fails with: AzureCLICredential: signal: killed

Expected Behavior

Continues on a 400 request by scanning the other subscriptions.

Actual Behavior

Fails and stops on 400, requiring manual interaction ... and potentially manually scanning multiple subscriptions?

Steps to Reproduce the Problem

╰─○ ./azqr-macos-latest-arm64 scan
2023/04/20 10:28:21 Scanning Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning API Management Services in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Container Apps in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Application Gateways in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning SignalR in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Service Bus in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning AKS Clusters in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning EventGrid Domains in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Container Apps in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Postgre in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Storage in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Key Vaults in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Postgre in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Postgre in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Container Instances in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Front Doors in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Container Registries in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning WebPubSub in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Redis in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning App Service Plans in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Azure Firewalls in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Event Hubs in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning SQL in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning CosmosDB Databases in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:21 Scanning Postgre in Resource Group cloud-shell-storage-westeurope
2023/04/20 10:28:27 Scanning Defender Status...
2023/04/20 10:28:29 Scanning Advisor Recommendations...
2023/04/20 10:28:31 Scanning Costs...
2023/04/20 10:28:44 Scanning Defender Status...
2023/04/20 10:28:45 Scanning Advisor Recommendations...
2023/04/20 10:28:47 Scanning Costs...
2023/04/20 10:28:56 GET https://management.azure.com/subscriptions/1234-...-8910/providers/Microsoft.Network/privateEndpoints

RESPONSE 400: 400 Bad Request
ERROR CODE: DisallowedOperation

{
"error": {
"code": "DisallowedOperation",
"message": "The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."
}
}

Subscription to blame:

Describe the feature

Add rules to check if supported services have tags

Describe the feature

Add scan to get the cost of each Azure subscription grouped by service name.

Expected Behavior

azqr should not failed if provider for a service is not registered.

Actual Behavior

azqr fails with exception: ERROR CODE: Subscription Not Registered exception

Describe the feature

Include Azure Web PubSub scan

Describe the feature

Include Azure Firewall scan

Expected Behavior

I expect to have an SLA of 99.9% of storage accounts that are configured as LRS and HOT tier.

I got an SLA of 99.99% of storage accounts that are configured as LRS and HOT tier.

Steps to Reproduce the Problem

Create an storage account with SKU LRS and HOT tier.

Additional info: https://azure.microsoft.com/en-us/support/legal/sla/storage/v1_5/

Hi there!

I tried running the scan and there's an error:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xbc5279]

any suggestion how do I solve this?
or might it be lack of permission related?

Describe the feature

Disable cost scan by default

Describe the feature

Create Azure Data Factory scanner

Describe the feature

Create Azure Load Balancer scanner

Expected Behavior

Installing azqr using winget should download the app, copy it to a logical location, add it to the path
and be called azqr

Actual Behavior

winget only downloads the binary, is called azqr-windows-latest-amd64.exe and is not added to the path. The is however a simlink called azqr in the links folder (C:\Users<username>\AppData\Local\Microsoft\WinGet\Links)

Steps to Reproduce the Problem

run : winget install azqr

Describe the feature

Create Azure Automation scanner

Describe the feature

Include Azure Functions analysis

[Tool] Enable setting the Subscription and Resource Group as parameter

Describe the proposal

Hey guys,
I came across this project and decided to give it a try. While playing with the project, I saw that the analyzers were run in a sequential manner. As a lot of the review process is API calls, the whole thing should mainly be I/O bound and would benefit greatly for a parallel approach

I'll link a PR as a follow up

Describe the feature

Include Azure Database for PostgreSQL Single Server analysis

as a user i'm not getting any report back in Excel nor a location where the file is located, I'm only getting the logging output (scan list)

Describe the feature

Create VWAN scanner

If the AKS is using a free SKU the report should include a recommendation message saying is not recommended for production environment, with a link to the official documentation: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json#kubernetes-api-server-uptime-sla

Describe the feature

Add guidance on how to install azqr on Azure Cloud Shell

Expected Behavior

I have an Application Gateway with SKU Standard V2 that is using Availability Zones. I don't expect any recommendation to show in the report if the resource is properly configured.

Actual Behavior

I got the following message after executing the tool:

_v2 SKU includes Zone Redundancy so an Application Gateway or WAF deployment can span multiple Availability Zones, removing the need to provision separate Application Gateway instances in each zone with a Traffic Manager.

Autoscaling and Zone-redundant Application Gateway v2 | Microsoft Docs_

Steps to Reproduce the Problem

Create an Application Gateway with SKU Standard V2 and configure Availability Zones for the resource. Then, run the tool and read the report.

Describe the feature

Create Azure Data Explorer scanner

Describe the feature

Thanks for creating a great tool, appreciate if you can create binaries for arm64 based systems. Currently, users have to build locally and generate the binary.

Since many admins use macOS, I would recommend offering the installation via homebrew.