Ensure “ids” parameters for plural resource are tested.

Add configuration flag for optionally executing tests that rely on gcloud/grep. Correct zones filter criteria and properties documentation. Signed-off-by: Stuart Paterson <[email protected]>
inspec · Jun 12, 2018 · 30e03bf · 30e03bf
1 parent 07013b1
commit 30e03bf
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 6 deletions.
diff --git a/docs/resources/google_compute_zones.md.erb b/docs/resources/google_compute_zones.md.erb
@@ -61,14 +61,13 @@ The following examples show how to use this InSpec audit resource.
 
 ## Filter Criteria
 
-This resource currently does not support any filter criteria; it will always fetch all available zones.
+This resource supports the following filter criteria:  `zone_id`; `zone_name` and `zone_status`. Anyy of these may be used with `where`, as a block or as a method.
 
 ## Properties
 
-*  `zone_id`, `zone_name`, `zone_statuses`
-*  `firewall_ids` - an array of google_compute_firewall identifier integers
-*  `firewall_name` - an array of google_compute_firewall name strings
-*  `firewall_directions`- an array of google_compute_firewall directions containing strings e.g. "INGRESS" or "EGRESS"
+*  `zone_ids` - an array of google_compute_zone identifier integers
+*  `zone_names` - an array of google_compute_zone name strings
+*  `zone_statuses`- an array of google_compute_zone statuses
 
 <br>
 

diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
@@ -18,6 +18,7 @@ module GCPInspecConfig
       # Determine the storage account name and the admin password
       :gcp_location => "europe-west2",
       :gcp_zone => "europe-west2-a",
+      :gcp_zone_id => "2290",
       :gcp_int_vm_name => "gcp-inspec-int-linux-vm",
       :gcp_int_vm_size => "f1-micro",
       :gcp_int_vm_image => "ubuntu-os-cloud/ubuntu-1604-lts",
@@ -64,7 +65,11 @@ module GCPInspecConfig
       # be disabled meaning a user needs no special GCP privileges to run the integration test pack.
       #
       # Note, would prefer to use boolean true or false here but will revisit for a future version of tf, see here for more detail: https://www.terraform.io/docs/configuration/variables.html
-      :gcp_enable_privileged_resources => 0
+      :gcp_enable_privileged_resources => 0,
+      # Some controls make use of the gcloud command and grep to discover live data to then test against.
+      # Only test execution is affected by this flag, resource creation via terraform is unaffected.
+      # Default behaviour is for this to be disabled, enable by changing the below flag.
+      :gcp_enable_gcloud_calls => 0
   }
 
   def self.config

diff --git a/test/integration/verify/controls/google_compute_firewalls.rb b/test/integration/verify/controls/google_compute_firewalls.rb
@@ -1,9 +1,11 @@
 title 'Firewalls Properties'
 
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_enable_gcloud_calls = attribute(:gcp_enable_gcloud_calls,default:0,description:'Flag to enable the use of gcloud command line to pull in live data to test against.')
 
 control 'gcp-firewalls-1.0' do
 
+  only_if { gcp_enable_gcloud_calls.to_i == 1 }
   impact 1.0
   title 'Ensure firewalls have the correct properties in bulk'
 
@@ -15,6 +17,9 @@
     its('firewall_names') { should include "default-allow-rdp" }
     its('firewall_names') { should include "default-allow-internal" }
     its('firewall_names') { should include "default-allow-icmp" }
+    # Only make the call if the configuration flag is specified and the test will run
+    gcp_firewall_id = `gcloud compute firewall-rules list --filter="name=default-allow-ssh" --format=json | grep id | grep -o '[0-9]\\+'`.chomp.to_i
+    its('firewall_ids') { should include gcp_firewall_id }
   end
 
 end
diff --git a/test/integration/verify/controls/google_compute_vms.rb b/test/integration/verify/controls/google_compute_vms.rb
@@ -3,9 +3,11 @@
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_zone = attribute(:gcp_zone, default: '', description: 'The GCP zone being used.')
 gcp_ext_vm_data_disk_name = attribute(:gcp_ext_vm_data_disk_name, default: '', description: 'A valid GCP VM name to check for.')
+gcp_enable_gcloud_calls = attribute(:gcp_enable_gcloud_calls,default:0,description:'Flag to enable the use of gcloud command line to pull in live data to test against.')
 
 control 'gcp-vms-1.0' do
 
+  only_if { gcp_enable_gcloud_calls.to_i == 1 }
   impact 1.0
   title 'Ensure VMs have the correct properties in bulk'
 
@@ -14,6 +16,9 @@
     its('count') { should be <= 100}
     its('instance_ids.count') { should cmp 9 }
     its('instance_names') { should include gcp_ext_vm_data_disk_name }
+    # Only make the call if the configuration flag is specified and the test will run
+    gcp_instance_id = `gcloud compute instances list --filter="name=gcp-inspec-ext-linux-vm" --format=json | grep id | grep -o '[0-9]\\+'`.chomp.to_i
+    its('instance_ids') { should include gcp_instance_id }
   end
 
 end
diff --git a/test/integration/verify/controls/google_compute_zones.rb b/test/integration/verify/controls/google_compute_zones.rb
@@ -2,6 +2,7 @@
 
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_zone = attribute(:gcp_zone, default: '', description: 'The GCP zone being used.')
+gcp_zone_id = attribute(:gcp_zone_id, default: '', description: 'A sample zone identifier to test for.')
 
 control 'gcp-zones-1.0' do
 
@@ -13,6 +14,7 @@
     its('count') { should be <= 100} # 46 at the time of writing
     its('zone_names') { should include gcp_zone }
     its('zone_statuses') { should_not include "DOWN" }
+    its('zone_ids') { should include gcp_zone_id.to_i }
   end
 
 end