Commit
Adding google_user(s) and project alert policy resources (#59)
* Updates related to google-api-version upgrade
  More details:
  - Added helper method to container cluster
  - Added metric_type attribute to project metrics plural resource
  - Added resources corresponding to project alert policies
  Signed-off-by: Stuart Paterson <[email protected]>
* Adding google_user(s) resources based on the new train admin_client.
  Signed-off-by: Stuart Paterson <[email protected]>
* Brought to you with ... rubocopping.
  Signed-off-by: Stuart Paterson <[email protected]>
* Add pagination for google_users resource.
  Signed-off-by: Stuart Paterson <[email protected]>
* Update to google_users docs.
  Signed-off-by: Stuart Paterson <[email protected]>
* Updates to alert policy and policies documentation.
  Signed-off-by: Stuart Paterson <[email protected]>
* Add import to google_project_metric and tighten up google_compute_network legacy helper method.
  Signed-off-by: Stuart Paterson <[email protected]>
* Improved helper method for metadata lookup.
  Signed-off-by: Stuart Paterson <[email protected]>
* Improve container cluster helper method.
  Signed-off-by: Stuart Paterson <[email protected]>
1 parent: 8b83ca4. Commit: 03bc8f8
Showing 16 changed files with 587 additions and 4 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
--- | ||
title: About the google_project_alert_policies Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_compute\_alert\_policies | ||
|
||
Use the `google_project_alert_policies` InSpec audit resource to test properties of all, or a filtered group of, GCP project alert policies. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_project_alert_policies` resource block collects GCP project alert policies by project then tests that group. | ||
|
||
describe google_project_alert_policies(project: 'chef-inspec-gcp') do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate IDs then test in-depth using `google_project_alert_policy`. | ||
|
||
google_project_alert_policies(project: 'chef-inspec-gcp').policy_names.each do |policy_name| | ||
describe google_project_alert_policy(name: policy_name) do | ||
it { should exist } | ||
it { should be_enabled } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of project alert policies available for the project | ||
|
||
describe google_project_alert_policies(project: 'chef-inspec-gcp') do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected policy name is available for the project | ||
|
||
describe google_project_alert_policies(project: 'chef-inspec-gcp') do | ||
its('policy_names') { should include 'projects/spaterson-project/alertPolicies/9271751234503117449' } | ||
end | ||
|
||
### Test whether any expected policy display name is available for the project | ||
|
||
describe google_project_alert_policies(project: 'chef-inspec-gcp') do | ||
its('policy_display_names') { should_not include 'banned policy' } | ||
end | ||
|
||
### Ensure no existing policies are inactive | ||
|
||
describe google_project_alert_policies(project: 'chef-inspec-gcp') do | ||
its('policy_enabled_states') { should_not include false } | ||
end | ||
|
||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `policy_name`; `policy_display_name`; `policy_filter_list` and `policy_enabled_state`. Any of these may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `policy_names` - an array of google_project_alert_policy name strings | ||
* `policy_display_names` - an array of google_project_alert_policy display name strings | ||
* `policy_enabled_states`- an array of google_project_alert_policy enabled status booleans | ||
* `policy_filter_lists`- an array of google_project_alert_policy_condition filter string arrays | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project. |
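Review bot: the H1 in this file reads `# google\_compute\_alert\_policies` while the resource documented everywhere else in the file (title, syntax, examples) is `google_project_alert_policies`; rename the heading to `# google\_project\_alert\_policies`. Two smaller style points: in the Properties list, `policy_enabled_states`- and `policy_filter_lists`- have no space before the dash, unlike the two entries above them, and `should be <= 100}` in the count example is missing the space before the closing brace. Also worth checking the GCP Permissions section: it links the Stackdriver Logging API, but alert policies are read through the Stackdriver Monitoring API (`monitoring.googleapis.com`), so the prerequisite named here may be the wrong API.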
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_project_alert_policy Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_project\_alert\_policy | ||
|
||
Use the `google_project_alert_policy` InSpec audit resource to test properties of a single GCP project alert policy. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_project_alert_policy` resource block declares the tests for a single GCP project alert policy by name. | ||
|
||
describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP alert policy is enabled | ||
|
||
describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do | ||
it { should be_enabled } | ||
end | ||
|
||
### Test that a GCP compute alert policy display name is correct | ||
|
||
describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do | ||
its('display_name') { should eq 'policy name' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `combiner`, `conditions`, `creation_record`, `display_name`, `enabled`, `mutation_record`, `name` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project. |
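Review bot: the example heading `### Test that a GCP compute alert policy display name is correct` has a stray "compute"; this resource tests a project alert policy. The Properties section lists bare names (`combiner`, `conditions`, `creation_record`, ...) with no indication of what each returns, unlike the per-property descriptions in the plural resource doc; a short description per property would help readers writing `its(...)` assertions. Same Permissions question as for `google_project_alert_policies`: alert policies are served by the Stackdriver Monitoring API rather than the Logging API linked here.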
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
--- | ||
title: About the google_project_alert_policy_condition Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_project\_alert\_policy\_condition | ||
|
||
Use the `google_project_alert_policy_condition` InSpec audit resource to test properties of a single GCP project alert policy condition. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_project_alert_policy_condition` resource block declares the tests for a single GCP project alert policy condition by name and filter. | ||
|
||
describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
|
||
### Test that a GCP project alert policy condition has a particular threshold value | ||
|
||
describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do | ||
its('condition_threshold_value'){ should eq 0.001 } | ||
end | ||
|
||
### Test that a GCP project alert policy condition has a particular aggregation alignment period | ||
|
||
describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do | ||
its('aggregation_alignment_period'){ should eq '60s' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `condition_threshold_value`, `aggregation_alignment_period`, `aggregation_per_series_aligner`, `aggregation_cross_series_reducer` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project. |
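Review bot: every `describe google_project_alert_policy_condition(...)` block in this file is missing the colon after `filter` (`filter 'project=\"spaterson-project\"'`), which is a Ruby syntax error; it should be `filter: 'project=\"spaterson-project\"'`, matching the `name:` keyword argument beside it. Also check the quoting: inside a single-quoted Ruby string `\"` is not an escape sequence, so the value handed to the resource would contain literal backslashes and would not match a condition whose filter is `project="spaterson-project"`; either use a double-quoted string with escaped inner quotes or a single-quoted string with bare `"`. Minor: `its('condition_threshold_value'){` and `its('aggregation_alignment_period'){` lack the space before `{` used in the other resource docs.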
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
title: About the google_user Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_user | ||
|
||
Use the `google_user` InSpec audit resource to test properties of a single GCP user. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_user` resource block declares the tests for a single GCP user by principal email address or immutable ID. | ||
|
||
describe google_user(user_key: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP user with specified ID exists | ||
|
||
describe google_user(user_key: '110491234567894702010') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP user has expected full name | ||
|
||
describe google_user(user_key: '110491234567894702010') do | ||
its('name.full_name') { should eq "Bill S. Preston Esq." } | ||
end | ||
|
||
### Test that a GCP user has MFA enabled | ||
|
||
describe google_user(user_key: '[email protected]') do | ||
it { should have_mfa_enabled } | ||
end | ||
|
||
### Test that a GCP user is suspended or not | ||
|
||
describe google_user(user_key: '[email protected]') do | ||
it { should_not be_suspended } | ||
end | ||
<br> | ||
|
||
## Properties | ||
|
||
* `agreed_to_terms`, `archived`, `change_password_at_next_login`, `creation_time`, `customer_id`, `emails`, `etag`, `id`, `include_in_global_address_list`, `ip_whitelisted`, `is_admin`, `is_delegated_admin`, `is_enforced_in2_sv`, `is_enrolled_in2_sv`, `is_mailbox_setup`, `kind`, `last_login_time`, `name`, `non_editable_aliases`, `org_unit_path`, `primary_email`, `suspended` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users. |
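Review bot: the last example (`should_not be_suspended`) runs straight into `<br>` with no blank line after `end`, unlike every other example in this file; add the blank line so the Markdown renders consistently. The heading `### Test that a GCP user is suspended or not` reads awkwardly for a block that asserts the user is not suspended; `### Test that a GCP user is not suspended` states what the example checks. In Properties, `is_enforced_in2_sv` and `is_enrolled_in2_sv` look like a mechanical snake_case conversion of `isEnforcedIn2Sv`/`isEnrolledIn2Sv`; confirm they match the attribute names the resource actually exposes, since the MFA example relies on the `have_mfa_enabled` matcher rather than either property.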
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
--- | ||
title: About the google_users Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_users | ||
|
||
Use the `google_users` InSpec audit resource to test properties of all, or a filtered group of, GCP users. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_users` resource block collects GCP users for the specified customer. As documented [here](https://developers.google.com/admin-sdk/directory/v1/reference/users/list), this defaults to the `my_customer` alias to represent your account's `customerId`. | ||
|
||
describe google_users(customer: 'my_customer') do | ||
it { should exist } | ||
end | ||
|
||
The `domain` argument can optionally be provided to get fields from only one domain. Either the customer or the domain parameter must be provided. | ||
|
||
describe google_users(domain: 'my_domain.com') do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate IDs then test in-depth using `google_user`. | ||
|
||
google_users(customer: 'my_customer').user_ids.each do |user_id| | ||
describe google_user(user_key: user_id) do | ||
it { should exist } | ||
it { should_not be_suspended } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of users available for the project | ||
|
||
describe google_users(customer: 'my_customer') do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected user is available for the project | ||
|
||
describe google_users(customer: 'my_customer') do | ||
its('user_names') { should include "Monsieur Happy" } | ||
end | ||
|
||
### Test that a subset of all users with name matching "Batman" exists | ||
|
||
google_users(customer: 'my_customer').where(user_full_name: /Batman/).user_ids.each do |user_id| | ||
describe google_user(user_key: user_id) do | ||
it { should exist } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `user_id`; `user_full_name` and `user_email`. Any of these may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `user_ids` - an array of google_user identifier integers | ||
* `user_full_names` - an array of google_user full name strings | ||
* `user_emails`- an array of google_user primary email address strings | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users. |
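Review bot: the example `its('user_names') { should include "Monsieur Happy" }` references a property that is not in the Properties list; the documented array is `user_full_names`, so either the example should use that name or the property list is incomplete. The two example headings say "for the project", but this resource is scoped by `customer` or `domain`, not by project; "for the customer" matches the syntax section. Minor: `should be <= 100}` lacks a space before the closing brace, and `user_emails`- is missing the space before the dash that the two entries above it have.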