-
Notifications
You must be signed in to change notification settings - Fork 71
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #36 from inspec/add-kms-resources
Add kms resources
- Loading branch information
Showing
30 changed files
with
1,185 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
title: About the google_kms_crypto_key Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_crypto\_key | ||
|
||
Use the `google_kms_crypto_key` InSpec audit resource to test properties of a single GCP KMS crypto key. See [this page](https://cloud.google.com/kms/docs/object-hierarchy?hl=en_US&_ga=2.223343707.-1730338523.1522320263#cryptokeyversion) for useful background. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_crypto_key` resource block declares the tests for a single GCP KMS crypto key by project, location, key ring name and key name. | ||
|
||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP KMS crypto key was created recently | ||
|
||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do | ||
its('create_time_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
|
||
### Test when the next rotation time for a GCP KMS crypto key is scheduled | ||
|
||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do | ||
its('next_rotation_time_date') { should be > Time.now - 100000 } | ||
end | ||
|
||
### Check that the crypto key purpose is as expected | ||
|
||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do | ||
its('purpose') { should eq "ENCRYPT_DECRYPT" } | ||
end | ||
|
||
### Check that the crypto key primary is in "ENABLED" state | ||
|
||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do | ||
its('primary_state') { should eq "ENABLED" } | ||
end | ||
|
||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `create_time`, `create_time_date`, `name`, `crypto_key_name`, `crypto_key_url`, `next_rotation_time`, `next_rotation_time_date`, `primary_create_time`, `primary_create_time_date`, `primary_name`, `primary_state`, `purpose`, `rotation_period` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_kms_crypto_key_iam_binding Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_crypto\_key\_iam\_binding | ||
|
||
Use the `google_kms_crypto_key_iam_binding` InSpec audit resource to test properties of a single GCP KMS Crypto Key IAM Binding. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_crypto_key_iam_binding` resource block declares the tests for a single KMS Crypto Key IAM Binding for specified role. | ||
|
||
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP KMS Crypto Key IAM Binding exists for the specified role | ||
|
||
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP KMS Crypto Key IAM Binding has the desired user included for the specified role | ||
|
||
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do | ||
its('members') {should include 'user:[email protected]' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `members` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
--- | ||
title: About the google_kms_crypto_key_iam_bindings Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_crypto\_key\_iam\_bindings | ||
|
||
Use the `google_kms_crypto_key_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS Crypto Key IAM Bindings. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_crypto_key_iam_bindings` resource block collects GCP KMS Crypto Key IAM Bindings then tests that group. | ||
|
||
describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate roles then test in-depth using `google_kms_key_ring_iam_binding`. | ||
|
||
google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').iam_binding_roles.each do |iam_binding_role| | ||
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do | ||
it { should exist } | ||
its('members') {should include 'user:[email protected]' } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of IAM bindings roles available for the crypto key | ||
|
||
describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected IAM binding is available for the crypto key | ||
|
||
describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do | ||
its('iam_binding_roles') { should include "roles/storage.admin" } | ||
end | ||
|
||
### Test that a particular role does not exist using filtering of the plural resource | ||
|
||
describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').where(iam_binding_role: "roles/iam.securityReviewer") do | ||
it { should_not exist } | ||
end | ||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `iam_binding_roles` - an array of google_kms_crypto_key_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.s |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
--- | ||
title: About the google_kms_crypto_keys Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_crypto\_keys | ||
|
||
Use the `google_kms_crypto_keys` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS crypto keys for supplied project, location and key ring name. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_crypto_keys` resource block collects GCP KMS crypto keys then tests that group. | ||
|
||
describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate IDs then test in-depth using `google_kms_crypto_key`. | ||
|
||
describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring').crypto_key_names.each do |key_name| | ||
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: key_name) do | ||
it { should exist } | ||
its('create_time_date') { should be > Time.now - 365*60*60*24*10 } | ||
its('purpose') { should eq "ENCRYPT_DECRYPT" } | ||
its('primary_state') { should eq "ENABLED" } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of keys in the key ring | ||
|
||
describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected key name is present in the key ring | ||
|
||
describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do | ||
its('crypto_key_names') { should include "my-crypto-key-name" } | ||
end | ||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `key_name`. This may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `crypto_key_names` - an array of google_kms_crypto_key name strings e.g. `['key-name']` | ||
* `crypto_key_urls` - an array of google_kms_crypto_key url strings e.g. `['projects/PROJECT/locations/LOCATION/keyRings/key-ring-name/cryptoKeys/key-name']` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
--- | ||
title: About the google_kms_key_ring Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_key\_ring | ||
|
||
Use the `google_kms_key_ring` InSpec audit resource to test properties of a single GCP kms key ring. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_key_ring` resource block declares the tests for a single GCP key ring by project and name. | ||
|
||
describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP kms key ring exists | ||
|
||
describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP kms key ring is in the expected state | ||
|
||
For any existing key ring, below should definitely be true! | ||
|
||
describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do | ||
its('create_time_date') { should be > Time.now - 365*60*60*24*50 } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `create_time`, `create_time_date`, `name`, `key_ring_name`, `key_ring_url` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
--- | ||
title: About the google_kms_key_ring_iam_binding Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_kms\_key\_ring\_iam\_binding | ||
|
||
Use the `google_kms_key_ring_iam_binding` InSpec audit resource to test properties of a single GCP KMS key ring IAM binding. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_kms_key_ring_iam_binding` resource block declares the tests for a single GCP KMS key ring IAM binding by role. | ||
|
||
describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do | ||
it { should exist } | ||
its('members') {should include 'user:[email protected]' } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP project KMS key ring IAM binding exists | ||
|
||
describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP project KMS key ring IAM binding has the desired user included | ||
|
||
describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do | ||
its('members') {should include 'user:[email protected]' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `members` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located. |
Oops, something went wrong.