Manual Test Runbook — N6: NSG Baseline + Flow Logs

Owner: Sagar  |  Time: ~10 min (Parts A + B) · +5 min (optional Part C integration) · +25 min (optional Part D flow-logs-landing drill)  |  Sandbox: snowops-sandbox-01

Promotes N6 (modules/azure/nsg-baseline/) from 🟦 Code Complete → 🟩 Shipped. Part C (the build-tagged integration test) creates an NSG + rules and tears it down (~$0, flow logs OFF). Part D is the live "flow logs landing within 10 min" drill — it needs a real Log Analytics workspace + storage account and incurs a few cents of ingestion.


Prerequisites

  • Sandbox subscription access active (PIM activated if required)
  • az login done; az account show confirms the sandbox subscription is selected
  • Sandbox SP / identity has Contributor on the sandbox sub
  • SNOWOPS_SANDBOX_SUBSCRIPTION_ID + SNOWOPS_SANDBOX_TENANT_ID exported
  • Local tooling: terraform >= 1.6, go >= 1.22, az CLI >= 2.50
  • Working directory: repo root

Steps

Part A — terraform fmt + validate (offline, ~3 min)

  1. Module + example:
terraform -chdir=modules/azure/nsg-baseline fmt -recursive -check
terraform -chdir=modules/azure/nsg-baseline init -backend=false -input=false
terraform -chdir=modules/azure/nsg-baseline validate

terraform -chdir=modules/azure/nsg-baseline/examples/basic init -backend=false -input=false
terraform -chdir=modules/azure/nsg-baseline/examples/basic validate

Expected: "Success! The configuration is valid." for both.

  2. Offline Terratest case:
cd tests/terratest
go test -v -timeout 5m ./modules/azure/... -run TestNSGBaselineValidate

Expected: PASS.

Part B — full Terratest suite (offline, ~3 min)

  1. Full offline suite:
cd tests/terratest
go test -count=1 -timeout 15m ./...

Expected: full offline suite green (33 top-level tests across all packages).

Part C — integration test: NSG + rules apply/destroy (sandbox, ~5 min, ~$0)

  1. Run the build-tagged integration test (creates a unique RG + NSG with the curated baseline deny rules + one custom Allow rule, asserts shape, destroys — flow logs OFF for unattended teardown):
cd tests/terratest
go test -v -tags integration -timeout 30m ./modules/azure/... -run TestNSGBaselineModule

Expected: PASS. Asserts the NSG ARM ID under the test RG, the three baseline rule names (DenySSHFromInternet, DenyRDPFromInternet, DenyAllInboundFromInternet) + the custom AllowHttpsFromVnet, and flow_logs_enabled = false.

Part D — flow-logs-landing drill (optional, ~25 min)

Proves the catalog criterion: "flow logs landing in workspace within 10 min." Needs a real workspace + storage account; Traffic Analytics has a processing delay (interval defaults to 10 min).

  1. Provision (or reuse) a Log Analytics workspace + a diagnostics storage account in the sandbox, then apply the example with flow logs wired:
cd modules/azure/nsg-baseline/examples/basic
terraform init -input=false
terraform apply -auto-approve \
  -var "subscription_id=$SNOWOPS_SANDBOX_SUBSCRIPTION_ID" \
  -var "tenant_id=$SNOWOPS_SANDBOX_TENANT_ID" \
  -var "log_analytics_workspace_id=<LAW_ARM_ID>" \
  -var "flow_log_storage_account_id=<STORAGE_ACCOUNT_ARM_ID>"

Confirm flow_logs_enabled = true in the outputs.

  2. Confirm the flow log resource and Traffic Analytics are enabled:
az network watcher flow-log list -g NetworkWatcherRG \
  --query "[?contains(name,'snowops-baseline-nsg')].{name:name, enabled:enabled, ta:flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled}" -o json

Expected: the flow log present, enabled = true, Traffic Analytics enabled = true.

  3. Generate a little traffic to the NSG-protected subnet (e.g., a VM in the subnet, or any allowed/denied connection attempt), wait ~10–15 min, then query the workspace for landed flow records:
az monitor log-analytics query \
  --workspace <LAW_CUSTOMER_ID> \
  --analytics-query "NTANetAnalytics | where TimeGenerated > ago(20m) | take 5" -o table
# (or AzureNetworkAnalytics_CL on older schemas)

Expected: ≥1 flow record landed within ~10–15 min of the traffic.
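Added helper for steps 2 and 3 of Part D (not part of the N6 module or this runbook's own tooling): it parses the projected JSON from the `az network watcher flow-log list` command above and polls the workspace query until the first flow record lands, reporting how long that took against the 10 min catalog criterion. Function names are hypothetical; the `<LAW_CUSTOMER_ID>` placeholder is passed in on the command line rather than filled in.

```python
"""Part D drill helper (added example, not runbook/project code)."""
import json
import subprocess
import sys
import time


def check_flow_log_config(flow_log_list_json):
    """Parse the runbook's `az network watcher flow-log list ... -o json` output,
    i.e. the projected [{name, enabled, ta}] shape. Returns a list of failed
    checks; an empty list means the Part D precondition (step 2) holds."""
    entries = json.loads(flow_log_list_json)
    if not entries:
        return ["flow log for snowops-baseline-nsg not found"]
    failures = []
    for e in entries:
        if e.get("enabled") is not True:
            failures.append(f"{e.get('name')}: flow log not enabled")
        if e.get("ta") is not True:
            failures.append(f"{e.get('name')}: Traffic Analytics not enabled")
    return failures


def wait_for_flow_records(query, deadline_s=900, interval_s=60,
                          clock=time.monotonic, sleep=time.sleep):
    """Poll query() (returns a list of rows) until >=1 row lands or the deadline
    passes. Returns (rows, elapsed_s); rows is [] on timeout. clock/sleep are
    injectable so the polling logic can be exercised offline."""
    start = clock()
    while True:
        rows = query()
        elapsed = clock() - start
        if rows:
            return rows, elapsed
        if elapsed >= deadline_s:
            return [], elapsed
        sleep(interval_s)


def az_flow_records(workspace_customer_id, window="20m"):
    """Live step-3 query from the runbook; -o json yields a JSON array of rows."""
    kql = f"NTANetAnalytics | where TimeGenerated > ago({window}) | take 5"
    out = subprocess.run(["az", "monitor", "log-analytics", "query",
                          "--workspace", workspace_customer_id,
                          "--analytics-query", kql, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    ws = sys.argv[1]  # the runbook's <LAW_CUSTOMER_ID> placeholder
    rows, secs = wait_for_flow_records(lambda: az_flow_records(ws))
    print("landed" if rows else "timed out", f"after {secs / 60:.1f} min")
```

Run it right after generating traffic; a "landed" result well under 15 min, with the flow log config check returning no failures, satisfies the Part D pass criterion.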


Pass criteria

  • Part A — module + example validate; TestNSGBaselineValidate passes
  • Part B — full offline Terratest suite passes (33 top-level)
  • (Part C) TestNSGBaselineModule applies the NSG + rules and destroys clean
  • (Part D) flow logs + Traffic Analytics enabled; ≥1 record lands within ~10 min
  • All test resources removed

Teardown

# Part C cleans up after itself (deferred terraform destroy).
# Part D (if run):
cd modules/azure/nsg-baseline/examples/basic
terraform destroy -auto-approve \
  -var "subscription_id=$SNOWOPS_SANDBOX_SUBSCRIPTION_ID" \
  -var "tenant_id=$SNOWOPS_SANDBOX_TENANT_ID" \
  -var "log_analytics_workspace_id=<LAW_ARM_ID>" \
  -var "flow_log_storage_account_id=<STORAGE_ACCOUNT_ARM_ID>"

The auto-provisioned Network Watcher + NetworkWatcherRG are not managed by N6 and are left in place.


Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: