
Merge pull request #36 from inspec/add-kms-resources
Add kms resources
russellseymour authored Jul 5, 2018
2 parents 2a80d39 + f9617df commit 43c88a0
Showing 30 changed files with 1,185 additions and 22 deletions.
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,14 @@ The following resources are available in the InSpec GCP Profile
- [google_container_clusters](docs/resources/google_container_clusters.md)
- [google_container_node_pool](docs/resources/google_container_node_pool.md)
- [google_container_node_pools](docs/resources/google_container_node_pools.md)
- [google_kms_crypto_key](docs/resources/google_kms_crypto_key.md)
- [google_kms_crypto_key_iam_binding](docs/resources/google_kms_crypto_key_iam_binding.md)
- [google_kms_crypto_key_iam_bindings](docs/resources/google_kms_crypto_key_iam_bindings.md)
- [google_kms_crypto_keys](docs/resources/google_kms_crypto_keys.md)
- [google_kms_key_ring](docs/resources/google_kms_key_ring.md)
- [google_kms_key_ring_iam_binding](docs/resources/google_kms_key_ring_iam_binding.md)
- [google_kms_key_ring_iam_bindings](docs/resources/google_kms_key_ring_iam_bindings.md)
- [google_kms_key_rings](docs/resources/google_kms_key_rings.md)
- [google_project](docs/resources/google_project.md)
- [google_project_iam_binding](docs/resources/google_project_iam_binding.md)
- [google_project_iam_bindings](docs/resources/google_project_iam_bindings.md)
62 changes: 62 additions & 0 deletions docs/resources/google_kms_crypto_key.md
@@ -0,0 +1,62 @@
---
title: About the google_kms_crypto_key Resource
platform: gcp
---

# google\_kms\_crypto\_key

Use the `google_kms_crypto_key` InSpec audit resource to test properties of a single GCP KMS crypto key. See [this page](https://cloud.google.com/kms/docs/object-hierarchy?hl=en_US&_ga=2.223343707.-1730338523.1522320263#cryptokeyversion) for useful background.

<br>

## Syntax

A `google_kms_crypto_key` resource block declares the tests for a single GCP KMS crypto key by project, location, key ring name and key name.

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP KMS crypto key was created recently

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end

### Test when the next rotation time for a GCP KMS crypto key is scheduled

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('next_rotation_time_date') { should be > Time.now - 100000 }
end

### Check that the crypto key purpose is as expected

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('purpose') { should eq "ENCRYPT_DECRYPT" }
end

### Check that the crypto key primary is in "ENABLED" state

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('primary_state') { should eq "ENABLED" }
end


<br>

## Properties

* `create_time`, `create_time_date`, `name`, `crypto_key_name`, `crypto_key_url`, `next_rotation_time`, `next_rotation_time_date`, `primary_create_time`, `primary_create_time_date`, `primary_name`, `primary_state`, `purpose`, `rotation_period`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
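Review bot: the "created recently" example (`its('create_time_date') { should be > Time.now - 365*60*60*24*10 }`) accepts any key created in the last ten years, which contradicts its heading; either shrink the window (e.g. `60*60*24*30` for thirty days) or retitle it. The next-rotation example has the same shape problem: `should be > Time.now - 100000` passes for a rotation that was scheduled in the past, whereas a pending rotation should satisfy `should be > Time.now`. Since `rotation_period` and `next_rotation_time_date` are both listed under Properties, it would also be worth an example that asserts a rotation period is configured at all, as an unrotated key is the control most auditors will actually want to catch with this resource.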
49 changes: 49 additions & 0 deletions docs/resources/google_kms_crypto_key_iam_binding.md
@@ -0,0 +1,49 @@
---
title: About the google_kms_crypto_key_iam_binding Resource
platform: gcp
---

# google\_kms\_crypto\_key\_iam\_binding

Use the `google_kms_crypto_key_iam_binding` InSpec audit resource to test properties of a single GCP KMS Crypto Key IAM Binding.

<br>

## Syntax

A `google_kms_crypto_key_iam_binding` resource block declares the tests for a single KMS Crypto Key IAM Binding for specified role.

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP KMS Crypto Key IAM Binding exists for the specified role

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
end

### Test that a GCP KMS Crypto Key IAM Binding has the desired user included for the specified role

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
its('members') {should include 'user:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
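Review bot: the first example under Examples ("Test that a GCP KMS Crypto Key IAM Binding exists for the specified role") is byte-for-byte the Syntax block, so it adds nothing for the reader; consider replacing it with a negative check on the binding's `members`, such as `its('members') { should_not include 'allUsers' }`, which shows the resource being used to detect over-broad access on a key rather than only to confirm a known grant. The role argument is given in double quotes here (`role: "roles/owner"`) but single quotes in the key ring binding doc; pick one style across the new docs.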
68 changes: 68 additions & 0 deletions docs/resources/google_kms_crypto_key_iam_bindings.md
@@ -0,0 +1,68 @@
---
title: About the google_kms_crypto_key_iam_bindings Resource
platform: gcp
---

# google\_kms\_crypto\_key\_iam\_bindings

Use the `google_kms_crypto_key_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS Crypto Key IAM Bindings.

<br>

## Syntax

A `google_kms_crypto_key_iam_bindings` resource block collects GCP KMS Crypto Key IAM Bindings then tests that group.

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
it { should exist }
end

Use this InSpec resource to enumerate roles then test in-depth using `google_kms_key_ring_iam_binding`.

google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').iam_binding_roles.each do |iam_binding_role|
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
its('members') {should include 'user:[email protected]' }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of IAM bindings roles available for the crypto key

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
its('count') { should be <= 100}
end

### Test that an expected IAM binding is available for the crypto key

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end

### Test that a particular role does not exist using filtering of the plural resource

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.

## Properties

* `iam_binding_roles` - an array of google_kms_crypto_key_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.s
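Review bot: the enumeration loop never uses its block variable: `iam_binding_roles.each do |iam_binding_role|` is followed by `role: "roles/owner"`, so every iteration tests the same hardcoded binding instead of the role being iterated; it should read `role: iam_binding_role`. The sentence introducing that loop also points at the wrong resource ("test in-depth using `google_kms_key_ring_iam_binding`") while the code correctly uses `google_kms_crypto_key_iam_binding`; fix the prose to match. Finally there is a stray character at the end of the GCP Permissions sentence ("located.s").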
65 changes: 65 additions & 0 deletions docs/resources/google_kms_crypto_keys.md
@@ -0,0 +1,65 @@
---
title: About the google_kms_crypto_keys Resource
platform: gcp
---

# google\_kms\_crypto\_keys

Use the `google_kms_crypto_keys` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS crypto keys for supplied project, location and key ring name.

<br>

## Syntax

A `google_kms_crypto_keys` resource block collects GCP KMS crypto keys then tests that group.

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_kms_crypto_key`.

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring').crypto_key_names.each do |key_name|
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: key_name) do
it { should exist }
its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
its('purpose') { should eq "ENCRYPT_DECRYPT" }
its('primary_state') { should eq "ENABLED" }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of keys in the key ring

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
its('count') { should be <= 100}
end

### Test that an expected key name is present in the key ring

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
its('crypto_key_names') { should include "my-crypto-key-name" }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `key_name`. This may be used with `where`, as a block or as a method.

## Properties

* `crypto_key_names` - an array of google_kms_crypto_key name strings e.g. `['key-name']`
* `crypto_key_urls` - an array of google_kms_crypto_key url strings e.g. `['projects/PROJECT/locations/LOCATION/keyRings/key-ring-name/cryptoKeys/key-name']`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
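Review bot: the enumeration example wraps the plural call in an extra `describe`: `describe google_kms_crypto_keys(...).crypto_key_names.each do |key_name|` hands the array returned by `each` to `describe` and nests the per-key `describe` blocks inside it, which is not the pattern used in the equivalent loop in google_kms_crypto_key_iam_bindings.md; drop the leading `describe` so the line starts with `google_kms_crypto_keys(...)`. The nested check `its('create_time_date') { should be > Time.now - 365*60*60*24*10 }` repeats the ten-year window already flagged in google_kms_crypto_key.md and will pass for effectively every key. The filter criterion is documented as `key_name` while the exposed property is `crypto_key_names`; confirm that `where(key_name: ...)` is the actual field name, since readers will otherwise try `where(crypto_key_name: ...)`.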
51 changes: 51 additions & 0 deletions docs/resources/google_kms_key_ring.md
@@ -0,0 +1,51 @@
---
title: About the google_kms_key_ring Resource
platform: gcp
---

# google\_kms\_key\_ring

Use the `google_kms_key_ring` InSpec audit resource to test properties of a single GCP kms key ring.

<br>

## Syntax

A `google_kms_key_ring` resource block declares the tests for a single GCP key ring by project and name.

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP kms key ring exists

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
it { should exist }
end

### Test that a GCP kms key ring is in the expected state

For any existing key ring, below should definitely be true!

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
its('create_time_date') { should be > Time.now - 365*60*60*24*50 }
end

<br>

## Properties

* `create_time`, `create_time_date`, `name`, `key_ring_name`, `key_ring_url`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
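Review bot: the Syntax paragraph says the key ring is identified "by project and name", but the resource call requires `location: 'us-east1'` as well; say "by project, location and name". The "expected state" example asserts `create_time_date` is later than fifty years ago and is introduced with "below should definitely be true!", so it can never fail and does not demonstrate a state check; either tighten the window to something meaningful or replace it with a property the reader would actually audit (for instance `its('key_ring_url')` matching the expected `projects/.../keyRings/...` path). Casing of "kms" in "a single GCP kms key ring" and the two example headings is inconsistent with "KMS" used in the other new docs.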
50 changes: 50 additions & 0 deletions docs/resources/google_kms_key_ring_iam_binding.md
@@ -0,0 +1,50 @@
---
title: About the google_kms_key_ring_iam_binding Resource
platform: gcp
---

# google\_kms\_key\_ring\_iam\_binding

Use the `google_kms_key_ring_iam_binding` InSpec audit resource to test properties of a single GCP KMS key ring IAM binding.

<br>

## Syntax

A `google_kms_key_ring_iam_binding` resource block declares the tests for a single GCP KMS key ring IAM binding by role.

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
it { should exist }
its('members') {should include 'user:[email protected]' }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP project KMS key ring IAM binding exists

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
it { should exist }
end

### Test that a GCP project KMS key ring IAM binding has the desired user included

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
its('members') {should include 'user:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
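Review bot: the Syntax block already carries the `its('members') {should include 'user:[email protected]' }` assertion, so the two Examples that follow are subsets of it and the "exists" one is a plain duplicate; keep the Syntax block to `it { should exist }` as the other new docs do and let the Examples carry the member check. The example headings "Test that a GCP project KMS key ring IAM binding ..." have a stray "project": the binding is on the key ring, not the project. Minor: a space is missing after the opening brace in `{should include`.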
