Addressing conditional IAM role bindings (#66)

Discovered when InSpec is checking conditional role bindings. In case they don't have any members (it happens after the expiration of the condition), the control simply fails.
GoogleCloudPlatform · Oct 19, 2020 · 60702e0 · 60702e0
1 parent a9134fc
commit 60702e0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/controls/1.05-iam.rb b/controls/1.05-iam.rb
@@ -43,9 +43,17 @@
   ref 'GCP Docs', url: 'https://cloud.google.com/iam/docs/understanding-service-accounts'
 
   iam_bindings_cache.iam_bindings.keys.grep(/admin/i).each do |role|
-    describe "[#{gcp_project_id}] Admin roles" do
-      subject { iam_bindings_cache.iam_bindings[role] }
-      its('members') { should_not include(/@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/) }
+    role_bindings = iam_bindings_cache.iam_bindings[role]
+    if role_bindings.members.nil?
+      impact 'none'
+      describe "[#{gcp_project_id}] Role bindings for role [#{role}] do not contain any members. This test is Not Applicable." do
+        skip "[#{gcp_project_id}] role bindings for role [#{role}] do not contain any members."
+      end
+    else
+      describe "[#{gcp_project_id}] Admin role [#{role}]" do
+        subject { role_bindings }
+        its('members') { should_not include(/@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/) }
+      end
     end
   end
 

diff --git a/inspec.yml b/inspec.yml
@@ -19,7 +19,7 @@ copyright: "(c) 2020, Google, Inc."
 copyright_email: "[email protected]"
 license: "Apache-2.0"
 summary: "Inspec Google Cloud Platform Center for Internet Security Benchmark v1.1 Profile"
-version: 1.1.0-19
+version: 1.1.0-20
 
 supports:
   - platform: gcp