Add inspec support for ACM level (#4212)

GoogleCloudPlatform · Nov 12, 2020 · 7540d6a · 7540d6a
1 parent 4639b3d
commit 7540d6a
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 2 deletions.
diff --git a/products/accesscontextmanager/inspec.yaml b/products/accesscontextmanager/inspec.yaml
@@ -21,7 +21,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       name: !ruby/object:Overrides::Inspec::PropertyOverride
         name_from_self_link: true
   AccessLevel: !ruby/object:Overrides::Inspec::ResourceOverride
-    exclude: true
+    base_url: accessPolicies/{{parent}}/accessLevels
+    self_link: accessPolicies/{{parent}}/accessLevels/{{name}}
+    privileged: true
+    properties:
+      name: !ruby/object:Overrides::Inspec::PropertyOverride
+        name_from_self_link: true
+        description: "Name of the access level"
+      parent: !ruby/object:Overrides::Inspec::PropertyOverride
+        name_from_self_link: true
+        description: "Name of the parent access policy"
   AccessLevels: !ruby/object:Overrides::Inspec::ResourceOverride
     exclude: true
   AccessLevelCondition: !ruby/object:Overrides::Inspec::ResourceOverride

diff --git a/...google_access_context_manager_access_level/google_access_context_manager_access_level.erb b/...google_access_context_manager_access_level/google_access_context_manager_access_level.erb
@@ -0,0 +1,15 @@
+<% gcp_organization_id = "#{external_attribute(pwd, 'gcp_organization_id', doc_generation)}" -%>
+<% service_perimeter = grab_attributes(pwd)['service_perimeter'] -%>
+
+policy_name = google_access_context_manager_access_policies(org_id: <%= gcp_organization_id %>).names.first
+
+describe google_access_context_manager_access_level(parent: policy_name, name: "ip_subnet") do
+  it { should exist }
+  its('title') { should cmp "ip_subnet" }
+  its('basic.conditions.size') { should cmp 1 }
+  its('basic.conditions.first.ip_subnetworks') { should include "192.0.2.0/24" }
+end
+
+describe google_access_context_manager_access_level(parent: policy_name, name: "none") do
+  it { should_not exist }
+end
diff --git a/...ss_context_manager_access_level/google_access_context_manager_access_level_attributes.erb b/...ss_context_manager_access_level/google_access_context_manager_access_level_attributes.erb
@@ -0,0 +1,3 @@
+gcp_organization_id = attribute(:gcp_organization_id, default: <%= external_attribute(pwd, 'gcp_organization_id') -%>, description: 'The identifier of the organization that is the parent of the perimeter')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
+service_perimeter = attribute('service_perimeter', default: <%= JSON.pretty_generate(grab_attributes(pwd)['service_perimeter']) -%>, description: 'Service perimeter definition')
diff --git a/...oogle_access_context_manager_access_level/google_access_context_manager_access_levels.erb b/...oogle_access_context_manager_access_level/google_access_context_manager_access_levels.erb
@@ -0,0 +1,8 @@
+<% gcp_organization_id = "#{external_attribute(pwd, 'gcp_organization_id', doc_generation)}" -%>
+<% service_perimeter = grab_attributes(pwd)['service_perimeter'] -%>
+
+policy_name = google_access_context_manager_access_policies(org_id: <%= gcp_organization_id %>).names.first
+
+describe google_access_context_manager_access_levels(parent: policy_name) do
+  its('names') { should include "ip_subnet" }
+end
diff --git a/templates/inspec/tests/integration/build/gcp-mm.tf b/templates/inspec/tests/integration/build/gcp-mm.tf
@@ -941,7 +941,6 @@ resource "google_spanner_database" "database" {
   instance     = google_spanner_instance.spanner_instance.name
   name         = var.spannerdatabase["name"]
   ddl          = [var.spannerdatabase["ddl"]]
-  deletion_protection = false
 }
 
 resource "google_cloud_scheduler_job" "job" {
@@ -978,6 +977,25 @@ resource "google_access_context_manager_access_policy" "access-policy" {
   title  = var.service_perimeter["policy_title"]
 }
 
+resource "google_access_context_manager_access_level" "access-level" {
+  count  = "${var.gcp_organization_id == "" ? 0 : var.gcp_enable_privileged_resources}"
+  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.0.name}"
+  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.0.name}/accessLevels/os_lock"
+  title  = "os_lock"
+  basic {
+    conditions {
+      device_policy {
+        require_screen_lock = true
+      }
+      regions = [
+    "CH",
+    "IT",
+    "US",
+      ]
+    }
+  }
+}
+
 variable "firewall" {
   type = any
 }