Inspec org log sink (#2243)

Merged PR #2243.

products/logging/api.yaml

@@ -190,3 +190,43 @@ objects:
                 item_type: Api::Type::String
                 description: |
                   The values must be monotonically increasing.
+  - !ruby/object:Api::Resource
+    name: "OrganizationLogSink"
+    base_url: organizations/{{organization}}/sinks
+    self_link: organizations/{{organization}}/sinks/{{name}}
+    collection_url_key: 'sinks'
+    description: |
+      Describes a sink used to export log entries
+    properties:
+      - !ruby/object:Api::Type::String
+        name: organization
+        description: |
+          Id of the organization that this sink belongs to.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: name
+        description: |
+          Name of the log sink.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: filter
+        description: |
+          An advanced logs filter. The only exported log entries are those that are in the
+          resource owning the sink and that match the filter.
+      - !ruby/object:Api::Type::String
+        name: destination
+        description: |
+          The export destination.
+      - !ruby/object:Api::Type::String
+        name: writerIdentity
+        description: |
+          An IAM identity—a service account or group—under which Logging writes the exported
+          log entries to the sink's destination. This field is set by sinks.create and sinks.update
+          based on the value of uniqueWriterIdentity in those methods.
+      - !ruby/object:Api::Type::Boolean
+        name: includeChildren
+        description: |
+          If the field is false, the default, only the logs owned by the sink's parent resource are
+          available for export. If the field is true, then logs from all the projects, folders, and
+          billing accounts contained in the sink's parent resource are also available for export.
+          Whether a particular log entry from the children is exported depends on the sink's filter expression.

products/logging/inspec.yaml

@@ -0,0 +1,21 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Inspec::Config
+overrides: !ruby/object:Overrides::ResourceOverrides
+  # Handwritten managed zone resources exist in inspec-gcp already
+  Metric: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
+  OrganizationLogSink: !ruby/object:Overrides::Inspec::ResourceOverride
+    # Creating a log sink requires organization level privileges
+    privileged: true

products/logging/terraform.yaml

@@ -38,6 +38,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     properties:
       metricDescriptor.labels.valueType: !ruby/object:Overrides::Terraform::PropertyOverride
         custom_flatten: 'templates/terraform/custom_flatten/default_if_empty.erb'
+  OrganizationLogSink: !ruby/object:Overrides::Terraform::ResourceOverride
+    exclude: true
 
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

templates/inspec/doc_template.md.erb

@@ -50,11 +50,11 @@ with `where` as a block or a method.
 <% end -%>
 
 <% end # if plural -%>
-<% unless @api.apis_required.empty? -%>
+<% unless @api.apis_required&.empty? -%>
 
 ## GCP Permissions
 
-<% @api.apis_required.each do |api| -%>
+<% @api.apis_required&.each do |api| -%>
 Ensure the [<%= api.name -%>](<%= api.url -%>) is enabled for the current project.
 <% end # @api.apis_required.each -%>
 <% end # unless @api.apis_required.empty? -%>

templates/inspec/examples/google_logging_organization_log_sink/google_logging_organization_log_sink.erb

@@ -0,0 +1,10 @@
+<% gcp_organization_id = "#{external_attribute('gcp_organization_id', doc_generation)}" -%>
+<% org_sink = grab_attributes['org_sink'] -%>
+describe google_logging_organization_log_sink(organization: <%= gcp_organization_id -%>, name: <%= doc_generation ? "'#{org_sink['name']}'" : "org_sink['name']" -%>) do
+  it { should exist }
+  its('filter') { should cmp <%= doc_generation ? "'#{org_sink['filter']}'" : "org_sink['filter']" -%> }
+end
+
+describe google_logging_organization_log_sink(organization: <%= gcp_organization_id -%>, name: 'nonexistent') do
+  it { should_not exist }
+end

templates/inspec/examples/google_logging_organization_log_sink/google_logging_organization_log_sink_attributes.erb

@@ -0,0 +1,3 @@
+org_sink = attribute('org_sink', default: <%= grab_attributes['org_sink'] -%>)
+gcp_organization_id = attribute(:gcp_organization_id, default: <%= external_attribute('gcp_organization_id') -%>, description: 'The identifier of the organization that is the parent of this folder')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')

templates/inspec/examples/google_logging_organization_log_sink/google_logging_organization_log_sinks.erb

@@ -0,0 +1,5 @@
+<% gcp_organization_id = "#{external_attribute('gcp_organization_id', doc_generation)}" -%>
+<% org_sink = grab_attributes['org_sink'] -%>
+describe google_logging_organization_log_sinks(organization: <%= gcp_organization_id -%>) do
+  its('names') { should include <%= doc_generation ? "'#{org_sink['name']}'" : "org_sink['name']" -%> }
+end

templates/inspec/tests/integration/build/gcp-mm.tf

@@ -141,6 +141,10 @@ variable "region_backend_service" {
   type = "map"
 }
 
+variable "org_sink" {
+  type = "map"
+}
+
 resource "google_compute_ssl_policy" "custom-ssl-policy" {
   name            = "${var.ssl_policy["name"]}"
   min_tls_version = "${var.ssl_policy["min_tls_version"]}"
@@ -511,7 +515,7 @@ resource "google_sourcerepo_repository" "gcp-inspec-sourcerepo-repository" {
 resource "google_folder" "inspec-gcp-folder" {
   count = "${var.gcp_organization_id == "none" ? 0 : var.gcp_enable_privileged_resources}"
   display_name = "${var.folder["display_name"]}"
-  parent       = "${var.gcp_organization_id}"
+  parent       = "organizations/${var.gcp_organization_id}"
 }
 
 resource "google_storage_bucket_object" "archive" {
@@ -552,4 +556,16 @@ resource "google_container_node_pool" "inspec-gcp-regional-node-pool" {
   region     = "${var.gcp_location}"
   cluster    = "${google_container_cluster.gcp-inspec-regional-cluster.name}"
   node_count = "${var.regional_node_pool["node_count"]}"
+}
+
+resource "google_logging_organization_sink" "my-sink" {
+  count       = "${var.gcp_organization_id == "none" ? 0 : var.gcp_enable_privileged_resources}"
+  name        = "${var.org_sink.name}"
+  org_id      = "${var.gcp_organization_id}"
+
+  # Can export to pubsub, cloud storage, or bigquery
+  destination = "storage.googleapis.com/${google_storage_bucket.generic-storage-bucket.name}"
+
+  # Log all WARN or higher severity messages relating to instances
+  filter      = "${var.org_sink.filter}"
 }

templates/inspec/tests/integration/configuration/mm-attributes.yml

@@ -220,4 +220,8 @@ regional_node_pool:
   name: inspec-gcp-regional-node-pool
   cluster_name: inspec-gcp-regional-node-pool-cluster
   node_count: 1
-  initial_node_count: 1
+  initial_node_count: 1
+
+org_sink:
+  name: inspec-gcp-org-sink
+  filter: resource.type = gce_instance