Adding google_user(s) and project alert policy resources (#59)
* Updates related to google-api-version upgrade

More details:
- Added helper method to container cluster
- Added metric_type attribute to project metrics plural resource
- Added resources corresponding to project alert policies

Signed-off-by: Stuart Paterson <[email protected]>

* Adding google_user(s) resources based on the new train admin_client.

Signed-off-by: Stuart Paterson <[email protected]>

* Brought to you with ... rubocopping.

Signed-off-by: Stuart Paterson <[email protected]>

* Add pagination for google_users resource.

Signed-off-by: Stuart Paterson <[email protected]>

* Update to google_users docs.

Signed-off-by: Stuart Paterson <[email protected]>

* Updates to alert policy and policies documentation.

Signed-off-by: Stuart Paterson <[email protected]>

* Add import to google_project_metric and tighten up google_compute_network legacy helper method.

Signed-off-by: Stuart Paterson <[email protected]>

* Improved helper method for metadata lookup.

Signed-off-by: Stuart Paterson <[email protected]>

* Improve container cluster helper method.

Signed-off-by: Stuart Paterson <[email protected]>
Stuart Paterson authored and chris-rock committed Oct 2, 2018
1 parent 8b83ca4 commit 03bc8f8
Showing 16 changed files with 587 additions and 4 deletions.
78 changes: 78 additions & 0 deletions docs/resources/google_project_alert_policies.md
@@ -0,0 +1,78 @@
---
title: About the google_project_alert_policies Resource
platform: gcp
---

# google\_compute\_alert\_policies

Use the `google_project_alert_policies` InSpec audit resource to test properties of all, or a filtered group of, GCP project alert policies.

<br>

## Syntax

A `google_project_alert_policies` resource block collects GCP project alert policies by project then tests that group.

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_project_alert_policy`.

google_project_alert_policies(project: 'chef-inspec-gcp').policy_names.each do |policy_name|
describe google_project_alert_policy(name: policy_name) do
it { should exist }
it { should be_enabled }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of project alert policies available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('count') { should be <= 100}
end

### Test that an expected policy name is available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_names') { should include 'projects/spaterson-project/alertPolicies/9271751234503117449' }
end

### Test whether any expected policy display name is available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_display_names') { should_not include 'banned policy' }
end

### Ensure no existing policies are inactive

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_enabled_states') { should_not include false }
end


<br>

## Filter Criteria

This resource supports the following filter criteria: `policy_name`; `policy_display_name`; `policy_filter_list` and `policy_enabled_state`. Any of these may be used with `where`, as a block or as a method.

## Properties

* `policy_names` - an array of google_project_alert_policy name strings
* `policy_display_names` - an array of google_project_alert_policy display name strings
* `policy_enabled_states`- an array of google_project_alert_policy enabled status booleans
* `policy_filter_lists`- an array of google_project_alert_policy_condition filter string arrays

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
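Review bot: the H1 at the top of this new page reads `google\_compute\_alert\_policies` while the front-matter title, the resource name and every example use `google_project_alert_policies`; change the heading to `# google\_project\_alert\_policies`. Also check the GCP Permissions section: alert policies are a Stackdriver Monitoring object rather than a Logging one, so if the resource calls the Monitoring API the link should point at monitoring.googleapis.com instead of logging.googleapis.com.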
49 changes: 49 additions & 0 deletions docs/resources/google_project_alert_policy.md
@@ -0,0 +1,49 @@
---
title: About the google_project_alert_policy Resource
platform: gcp
---

# google\_project\_alert\_policy

Use the `google_project_alert_policy` InSpec audit resource to test properties of a single GCP project alert policy.

<br>

## Syntax

A `google_project_alert_policy` resource block declares the tests for a single GCP project alert policy by name.

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP alert policy is enabled

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
it { should be_enabled }
end

### Test that a GCP compute alert policy display name is correct

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
its('display_name') { should eq 'policy name' }
end

<br>

## Properties

* `combiner`, `conditions`, `creation_record`, `display_name`, `enabled`, `mutation_record`, `name`

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
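Review bot: the second example heading says "GCP compute alert policy display name", but the resource is a project alert policy, not a compute one; drop "compute". The Properties section is a bare list of attribute names where the plural resource page gives each property a short description; a one-line description for at least `combiner`, `conditions` and `enabled` would keep the two pages consistent. As with the plural resource, confirm that the Stackdriver Logging API is really the one that has to be enabled for alert policies.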
50 changes: 50 additions & 0 deletions docs/resources/google_project_alert_policy_condition.md
@@ -0,0 +1,50 @@
---
title: About the google_project_alert_policy_condition Resource
platform: gcp
---

# google\_project\_alert\_policy\_condition

Use the `google_project_alert_policy_condition` InSpec audit resource to test properties of a single GCP project alert policy condition.

<br>

## Syntax

A `google_project_alert_policy_condition` resource block declares the tests for a single GCP project alert policy condition by name and filter.

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.


### Test that a GCP project alert policy condition has a particular threshold value

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
its('condition_threshold_value'){ should eq 0.001 }
end

### Test that a GCP project alert policy condition has a particular aggregation alignment period

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
its('aggregation_alignment_period'){ should eq '60s' }
end

<br>

## Properties

* `condition_threshold_value`, `aggregation_alignment_period`, `aggregation_per_series_aligner`, `aggregation_cross_series_reducer`

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
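Review bot: every `describe google_project_alert_policy_condition(...)` line in this file passes `filter 'project=\"spaterson-project\"'` without a colon after `filter`, so none of the snippets is a valid Ruby keyword-argument call as written; they need `filter: ...`. The `\"` escapes inside a single-quoted Ruby string are also kept literally, so the filter handed to the resource would contain backslashes; write it as `filter: 'project="spaterson-project"'` (or use a double-quoted string if the escapes are wanted). A space before the block in `its('condition_threshold_value'){ ... }` would match the style of the other resource pages.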
5 changes: 3 additions & 2 deletions docs/resources/google_project_metrics.md
@@ -55,12 +55,13 @@ The following examples show how to use this InSpec audit resource.

## Filter Criteria

This resource supports the following filter criteria: `metric_name` and `metric_filter`. Either of these may be used with `where`, as a block or as a method.
This resource supports the following filter criteria: `metric_name`; `metric_type` and `metric_filter`. Either of these may be used with `where`, as a block or as a method.

## Properties

* `metric_names` - an array of google_project_metric name strings
* `metric_filters`- an array of google_project_metric filters
* `metric_filters`- an array of google_project_metric filter strings
* `metric_types` - an array of google_project_metric type strings

<br>

61 changes: 61 additions & 0 deletions docs/resources/google_user.md
@@ -0,0 +1,61 @@
---
title: About the google_user Resource
platform: gcp
---

# google\_user

Use the `google_user` InSpec audit resource to test properties of a single GCP user.

<br>

## Syntax

A `google_user` resource block declares the tests for a single GCP user by principal email address or immutable ID.

describe google_user(user_key: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP user with specified ID exists

describe google_user(user_key: '110491234567894702010') do
it { should exist }
end

### Test that a GCP user has expected full name

describe google_user(user_key: '110491234567894702010') do
its('name.full_name') { should eq "Bill S. Preston Esq." }
end

### Test that a GCP user has MFA enabled

describe google_user(user_key: '[email protected]') do
it { should have_mfa_enabled }
end

### Test that a GCP user is suspended or not

describe google_user(user_key: '[email protected]') do
it { should_not be_suspended }
end
<br>

## Properties

* `agreed_to_terms`, `archived`, `change_password_at_next_login`, `creation_time`, `customer_id`, `emails`, `etag`, `id`, `include_in_global_address_list`, `ip_whitelisted`, `is_admin`, `is_delegated_admin`, `is_enforced_in2_sv`, `is_enrolled_in2_sv`, `is_mailbox_setup`, `kind`, `last_login_time`, `name`, `non_editable_aliases`, `org_unit_path`, `primary_email`, `suspended`

<br>


## GCP Permissions

Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
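Review bot: the `end` of the last example runs straight into `<br>` with no blank line, so the closing line of the indented sample and the `<br>` may render as one block; insert a blank line as the other resource pages do. The heading "Test that a GCP user is suspended or not" describes a `should_not be_suspended` test, so "Test that a GCP user is not suspended" is more accurate. The intro calls this "a single GCP user" while the GCP Permissions section makes clear these are Directory API (G Suite) accounts; a word on that distinction would help readers who expect IAM principals.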
78 changes: 78 additions & 0 deletions docs/resources/google_users.md
@@ -0,0 +1,78 @@
---
title: About the google_users Resource
platform: gcp
---

# google\_users

Use the `google_users` InSpec audit resource to test properties of all, or a filtered group of, GCP users.

<br>

## Syntax

A `google_users` resource block collects GCP users for the specified customer. As documented [here](https://developers.google.com/admin-sdk/directory/v1/reference/users/list), this defaults to the `my_customer` alias to represent your account's `customerId`.

describe google_users(customer: 'my_customer') do
it { should exist }
end

The `domain` argument can optionally be provided to get fields from only one domain. Either the customer or the domain parameter must be provided.

describe google_users(domain: 'my_domain.com') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_user`.

google_users(customer: 'my_customer').user_ids.each do |user_id|
describe google_user(user_key: user_id) do
it { should exist }
it { should_not be_suspended }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of users available for the project

describe google_users(customer: 'my_customer') do
its('count') { should be <= 100}
end

### Test that an expected user is available for the project

describe google_users(customer: 'my_customer') do
its('user_names') { should include "Monsieur Happy" }
end

### Test that a subset of all users with name matching "Batman" exists

google_users(customer: 'my_customer').where(user_full_name: /Batman/).user_ids.each do |user_id|
describe google_user(user_key: user_id) do
it { should exist }
end
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `user_id`; `user_full_name` and `user_email`. Any of these may be used with `where`, as a block or as a method.

## Properties

* `user_ids` - an array of google_user identifier integers
* `user_full_names` - an array of google_user full name strings
* `user_emails`- an array of google_user primary email address strings

<br>


## GCP Permissions

Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
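Review bot: the second example tests `its('user_names')`, but the Properties section only defines `user_ids`, `user_full_names` and `user_emails`, so either the example should use `user_full_names` or the property list is missing `user_names`. The two example headings say "for the project" while the resource is keyed by customer or domain, not project; "for the customer" matches the Syntax section. `user_ids` is described as "identifier integers", yet the google_user page passes the same kind of id as the string `'110491234567894702010'`; check the documented type against what the Directory API actually returns and make the two pages agree.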
1 change: 1 addition & 0 deletions libraries/google_compute_instance.rb
@@ -145,6 +145,7 @@ def block_project_ssh_keys
return false if !defined?(@instance.metadata.items)
@instance.metadata.items.each do |element|
return true if element.key=='block-project-ssh-keys' and element.value.casecmp('true').zero?
return true if element.key=='block-project-ssh-keys' and element.value=='1'
end
false
end
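Review bot: the added line repeats the `element.key=='block-project-ssh-keys'` test from the line above only to accept `'1'` as a second truthy spelling; fold both into one condition such as `return true if element.key == 'block-project-ssh-keys' && %w[true 1].include?(element.value.to_s.downcase)`, which also stops `casecmp` raising when a metadata item has a nil value. Rubocop's Style/AndOr would normally flag `and` in a conditional, so check the cop configuration if the rubocop pass in this commit did not report it.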
2 changes: 2 additions & 0 deletions libraries/google_compute_network.rb
@@ -31,6 +31,8 @@ def legacy?
return false if @network.auto_create_subnetworks
return false if !defined?(@network.gateway_i_pv4)
return false if !defined?(@network.i_pv4_range)
return false if @network.i_pv4_range.nil?
return false if @network.gateway_i_pv4.nil?
true
end
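Review bot: the two new `.nil?` guards are what actually decide the result here; `defined?(@network.gateway_i_pv4)` on a method call only reports whether the accessor exists and never evaluates it, so the preceding `defined?` lines do not protect against a nil field. Consider collapsing the four lines into a single `return false if @network.gateway_i_pv4.nil? || @network.i_pv4_range.nil?`, keeping a `respond_to?` guard only if the attributes may be absent across API client versions.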

9 changes: 8 additions & 1 deletion libraries/google_container_cluster.rb
@@ -49,7 +49,8 @@ def has_legacy_abac_disabled?
def has_master_authorized_networks_enabled?
return false if !defined?(@cluster.master_authorized_networks_config)
return false if @cluster.master_authorized_networks_config.to_h.empty?
return true if @cluster.master_authorized_networks_config.to_h=={ 'enabled': true }
return false if !defined?(@cluster.master_authorized_networks_config.enabled)
return true if @cluster.master_authorized_networks_config.enabled == true
false
end
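Review bot: with the new `enabled` check in place, the `to_h.empty?` line is redundant (an empty config has no `enabled` set and falls through to `false` anyway) and can be dropped. Reading `master_authorized_networks_config.enabled` is the right fix: the old `to_h=={ 'enabled': true }` comparison was false whenever the config also carried `cidr_blocks`, so a cluster with authorized networks fully configured was reported as not having them enabled. The `enabled == true` line followed by a bare `false` can be written as `@cluster.master_authorized_networks_config.enabled == true`.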

@@ -96,6 +97,12 @@ def has_pod_security_policy_config?
false
end

def private_cluster?
return false if !defined?(@cluster.private_cluster)
return true if @cluster.private_cluster==true
false
end

def exists?
!@cluster.nil?
end
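Review bot: `private_cluster?` only reads the top-level `private_cluster` boolean. Since this commit is tied to a google-api-client version upgrade, check whether the cluster object now also exposes `private_cluster_config` (with `enable_private_nodes` and `enable_private_endpoint`); if it does, the helper should read those, because the single boolean cannot tell a control author whether the control-plane endpoint is still publicly reachable, which is usually the property a private-cluster check is meant to verify. The `return true if ... == true` / `false` pair can also be just `@cluster.private_cluster == true`.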
0 comments on commit 03bc8f8