From 374b35e13d14b1c5531642092be27fc9ee8018e4 Mon Sep 17 00:00:00 2001
From: Svetlin
Date: Mon, 19 Oct 2020 21:09:06 +0200
Subject: [PATCH] Addressing conditional IAM role bindings (#66)

Discovered when InSpec is checking conditional role bindings. In case they don't have any members (it happens after the expiration of the condition), the control simply fails.
---
 controls/1.05-iam.rb | 14 +++++++++++---
 inspec.yml | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/controls/1.05-iam.rb b/controls/1.05-iam.rb
index 686d607..63fbc09 100644
--- a/controls/1.05-iam.rb
+++ b/controls/1.05-iam.rb
@@ -43,9 +43,17 @@ ref 'GCP Docs', url: 'https://cloud.google.com/iam/docs/understanding-service-accounts'
 iam_bindings_cache.iam_bindings.keys.grep(/admin/i).each do |role|
- describe "[#{gcp_project_id}] Admin roles" do
- subject { iam_bindings_cache.iam_bindings[role] }
- its('members') { should_not include(/@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/) }
+ role_bindings = iam_bindings_cache.iam_bindings[role]
+ if role_bindings.members.nil?
+ impact 'none'
+ describe "[#{gcp_project_id}] Role bindings for role [#{role}] do not contain any members. This test is Not Applicable." do
+ skip "[#{gcp_project_id}] role bindings for role [#{role}] do not contain any members."
+ end
+ else
+ describe "[#{gcp_project_id}] Admin role [#{role}]" do
+ subject { role_bindings }
+ its('members') { should_not include(/@[a-z][a-z0-9|-]{4,28}[a-z].iam.gserviceaccount.com/) }
+ end
 end
 end
diff --git a/inspec.yml b/inspec.yml
index e860c76..508b242 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -19,7 +19,7 @@ copyright: "(c) 2020, Google, Inc."
 copyright_email: "copyright@google.com"
 license: "Apache-2.0"
 summary: "Inspec Google Cloud Platform Center for Internet Security Benchmark v1.1 Profile"
-version: 1.1.0-19
+version: 1.1.0-20
 supports:
 - platform: gcp
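Review bot: `impact 'none'` on the nil-members branch is evaluated inside the `.each` loop, and `impact` in InSpec is control-scoped rather than per-describe, so a single admin role whose conditional binding has expired downgrades the whole control — including the `its('members')` checks that still run for every other admin role — to impact none, and a real service-account-with-admin-privileges finding would then be scored as not applicable. I would drop that line and keep only the skipped describe, which already surfaces the empty role as skipped, or set the impact once before the loop only when every inspected role is empty: `admin_roles = iam_bindings_cache.iam_bindings.keys.grep(/admin/i)` followed by `impact 'none' if admin_roles.all? { |r| iam_bindings_cache.iam_bindings[r].members.nil? }`. That an expired condition yields `nil` rather than `[]` is taken from the commit message; an empty array would reach the else branch and pass `should_not include`, so that case remains safe either way. The enclosing `control` block starts and ends outside this hunk.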