Addressing conditional IAM role bindings

[szamfirov]

Discovered when InSpec is checking conditional role bindings. In
case they don't have any members (it happens after the expiration of
the condition), the control simply fails because of the nil value.

The issue is not well surfaced. In the beginning we were getting errors
like this one:

...
     ✔  [gsk-gsk-direct-e7d9] Admin roles members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin roles members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ×  [gsk-gsk-direct-e7d9] Admin roles members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     expected nil not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/, but it does not respond to `include?`
     ✔  [gsk-gsk-direct-e7d9] Admin roles members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin roles members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
...

We then proceeded to add some debugging by adding the role as an
addition to the output:

...
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/ml.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/monitoring.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ×  [gsk-gsk-direct-e7d9] Admin role [roles/monitoring.admin_withcond_a3db6685e6af0a7c34cd] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     expected nil not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/, but it does not respond to `include?`
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/pubsub.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/redis.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
...

You can see that the error above is regarding one of the conditional
role bindings related to the monitoring.admin role which has no
members. In that case the members array is empty (or nil) which
does not work well with include?.

With the proposed fix:

...
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/ml.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/monitoring.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ↺  [gsk-gsk-direct-e7d9] role bindings for role [roles/monitoring.admin_withcond_a3db6685e6af0a7c34cd] do not contain any members.
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/pubsub.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
     ✔  [gsk-gsk-direct-e7d9] Admin role [roles/redis.admin] members is expected not to include /@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/
...

[binamov]

/gcbrun

[binamov]

🍹

[KonradSchieban]

LGTM!

[KonradSchieban]

Thanks @szamfirov for your contribution! 🍸