-
Notifications
You must be signed in to change notification settings - Fork 71
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #50 from inspec/network-updates-2
Networking related updates
- Loading branch information
Showing
8 changed files
with
257 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| --- | ||
| title: About the google_dns_managed_zones Resource | ||
| platform: gcp | ||
| --- | ||
|
|
||
| # google\_dns\_managed\_zone | ||
|
|
||
| Use the `google_dns_managed_zones` InSpec audit resource to test properties of a single GCP DNS managed zone. | ||
|
|
||
| <br> | ||
|
|
||
| ## Syntax | ||
|
|
||
| A `google_dns_managed_zone` resource block declares the tests for a single GCP zone by project and name. | ||
|
|
||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do | ||
| it { should exist } | ||
| end | ||
|
|
||
| <br> | ||
|
|
||
| ## Examples | ||
|
|
||
| The following examples show how to use this InSpec audit resource. | ||
|
|
||
| ### Test that a GCP compute zone exists | ||
|
|
||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do | ||
| it { should exist } | ||
| end | ||
|
|
||
| ### Test that a GCP DNS managed zone has the expected DNS name | ||
|
|
||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do | ||
| its('dns_name') { should match 'mydomain.com' } | ||
| end | ||
|
|
||
| ### Test that a GCP DNS managed zone has expected name server | ||
|
|
||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do | ||
| its('name_servers') { should include 'ns-cloud-d1.googledomains.com.' } | ||
| end | ||
|
|
||
|
|
||
| <br> | ||
|
|
||
| ## Properties | ||
|
|
||
| * `creation_time`, `creation_time_date`, `description`, `dns_name`, `dnssec_config`, `id`, `kind`, `name`, `name_servers`, `key_signing_key_algorithm`, `zone_signing_key_algorithm` | ||
|
|
||
| <br> | ||
|
|
||
|
|
||
| ## GCP Permissions | ||
|
|
||
| Ensure the [Cloud DNS API](https://console.cloud.google.com/apis/api/dns.googleapis.com/) is enabled for the project. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| --- | ||
| title: About the google_dns_managed_zones Resource | ||
| platform: gcp | ||
| --- | ||
|
|
||
| # google\_dns\_managed\_zones | ||
|
|
||
| Use the `google_dns_managed_zones` InSpec audit resource to test properties of all, or a filtered group of, GCP DNS managed zones for a project. | ||
|
|
||
| <br> | ||
|
|
||
| ## Syntax | ||
|
|
||
| A `google_dns_managed_zones` resource block collects GCP zones by project then tests that group. | ||
|
|
||
| describe google_dns_managed_zones(project: 'chef-inspec-gcp') do | ||
| it { should exist } | ||
| end | ||
|
|
||
| Use this InSpec resource to enumerate IDs then test in-depth using `google_dns_managed_zone`. | ||
|
|
||
| google_dns_managed_zones(project: 'chef-inspec-gcp').zone_names.each do |zone_name| | ||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: zone_name) do | ||
| it { should exist } | ||
| end | ||
| end | ||
|
|
||
| <br> | ||
|
|
||
| ## Examples | ||
|
|
||
| The following examples show how to use this InSpec audit resource. | ||
|
|
||
| ### Test that there are no more than a specified number of zones available for the project | ||
|
|
||
| describe google_dns_managed_zones(project: 'chef-inspec-gcp') do | ||
| its('count') { should be <= 100} | ||
| end | ||
|
|
||
| ### Test that an expected, named managed zone is available for the project | ||
|
|
||
| describe google_dns_managed_zones(project: 'chef-inspec-gcp') do | ||
| its('zone_names') { should include "zone-name" } | ||
| end | ||
|
|
||
| ### Test that a subset of all zones matching "myzone*" exist | ||
|
|
||
| google_dns_managed_zones(project: 'chef-inspec-gcp').where(zone_name: /^myzone/).zone_names.each do |zone_name| | ||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: zone_name) do | ||
| it { should exist } | ||
| end | ||
| end | ||
|
|
||
| <br> | ||
|
|
||
| ## Filter Criteria | ||
|
|
||
| This resource supports the following filter criteria: `zone_id`; `zone_name`; `zone_dns_name` and `dnssec_enabled`. Any of these may be used with `where`, as a block or as a method. | ||
|
|
||
| ## Properties | ||
|
|
||
| * `zone_ids` - an array of google_dns_managed_zone identifier integers | ||
| * `zone_names` - an array of google_dns_managed_zone name strings | ||
| * `zone_dns_names` - an array of google_dns_managed_zone dns name strings | ||
| * `dnssec_config_state`- an array of google_dns_managed_zone dnssec_config boolean values | ||
|
|
||
| <br> | ||
|
|
||
|
|
||
| ## GCP Permissions | ||
|
|
||
| Ensure the [Cloud DNS API](https://console.cloud.google.com/apis/api/dns.googleapis.com/) is enabled for the project. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # frozen_string_literal: true | ||
|
|
||
| require 'gcp_backend' | ||
|
|
||
| module Inspec::Resources | ||
| class GoogleDnsManagedZone < GcpResourceBase | ||
| name 'google_dns_managed_zone' | ||
| desc 'Verifies settings for a GCP DNS managed zone' | ||
|
|
||
| example " | ||
| describe google_dns_managed_zone(project: 'chef-inspec-gcp', zone: 'zone-name') do | ||
| it { should exist } | ||
| end | ||
| " | ||
|
|
||
| def initialize(opts = {}) | ||
| # Call the parent class constructor | ||
| super(opts) | ||
| @display_name = opts[:name] | ||
| catch_gcp_errors do | ||
| @managed_zone = @gcp.gcp_client(Google::Apis::DnsV2beta1::DnsService).get_managed_zone(opts[:project], opts[:zone]) | ||
| create_resource_methods(@managed_zone) | ||
| @key_specs={} | ||
| if defined?(@managed_zone.dnssec_config.default_key_specs) | ||
| @managed_zone.dnssec_config.default_key_specs.each do |spec| | ||
| @key_specs[spec.key_type]=spec.algorithm | ||
| end | ||
| end | ||
| end | ||
| end | ||
|
|
||
| def exists? | ||
| !@managed_zone.nil? | ||
| end | ||
|
|
||
| def creation_time_date | ||
| return false if !defined?(@managed_zone.creation_time) | ||
| Time.parse(@managed_zone.creation_time) | ||
| end | ||
|
|
||
| def key_signing_key_algorithm | ||
| raise Inspec::Exceptions::ResourceFailed, "google_dns_managed_zone is missing expected property 'dnssec_config.default_key_specs'" if !@key_specs.key?('keySigning') | ||
| @key_specs['keySigning'] | ||
| end | ||
|
|
||
| def zone_signing_key_algorithm | ||
| raise Inspec::Exceptions::ResourceFailed, "google_dns_managed_zone is missing expected property 'dnssec_config.default_key_specs'" if !@key_specs.key?('zoneSigning') | ||
| @key_specs['zoneSigning'] | ||
| end | ||
|
|
||
| def to_s | ||
| "DNS Managed Zone #{@display_name}" | ||
| end | ||
| end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # frozen_string_literal: true | ||
|
|
||
| require 'gcp_backend' | ||
| require 'google/apis/dns_v2beta1' | ||
|
|
||
| module Inspec::Resources | ||
| class GoogleDnsManagedZones < GcpResourceBase | ||
| name 'google_dns_managed_zones' | ||
| desc 'Verifies settings for GCP DNS managed zones in bulk' | ||
|
|
||
| example " | ||
| describe google_dns_managed_zones(project: 'chef-inspec-gcp') do | ||
| it { should exist } | ||
| end | ||
| " | ||
|
|
||
| def initialize(opts = {}) | ||
| # Call the parent class constructor | ||
| super(opts) | ||
| @project = opts[:project] | ||
| end | ||
|
|
||
| # FilterTable setup | ||
| filter_table_config = FilterTable.create | ||
| filter_table_config.add(:zone_ids, field: :zone_id) | ||
| filter_table_config.add(:zone_names, field: :zone_name) | ||
| filter_table_config.add(:zone_dns_names, field: :zone_dns_name) | ||
| filter_table_config.add(:dnssec_config_states, field: :dnssec_config_state) | ||
| filter_table_config.connect(self, :fetch_data) | ||
|
|
||
| def fetch_data | ||
| managed_zones = [] | ||
| next_page = nil | ||
| loop do | ||
| catch_gcp_errors do | ||
| @managed_zones = @gcp.gcp_client(Google::Apis::DnsV2beta1::DnsService).list_managed_zones(@project, page_token: next_page) | ||
| end | ||
| return [] if !@managed_zones || !@managed_zones.managed_zones | ||
| @managed_zones.managed_zones.map do |zone| | ||
| dns_enabled=false | ||
| if defined?(zone.dnssec_config.state) | ||
| dns_enabled=true if zone.dnssec_config.state == 'on' | ||
| end | ||
| managed_zones+=[{ zone_id: zone.id, | ||
| zone_name: zone.name, | ||
| zone_dns_name: zone.dns_name, | ||
| dnssec_config_state: dns_enabled }] | ||
| end | ||
| next_page = @managed_zones.next_page_token | ||
| break unless next_page | ||
| end | ||
| @table = managed_zones | ||
| end | ||
| end | ||
| end |