From 2b5276158ac7790ba2f4050b5488b33346d3d43c Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Thu, 10 Jan 2019 23:54:56 +0000 Subject: [PATCH 1/8] Update pubsub attributes to new external attribute system Signed-off-by: Modular Magician --- test/integration/verify/controls/google_pubsub_subscription.rb | 2 +- test/integration/verify/controls/google_pubsub_subscriptions.rb | 2 +- test/integration/verify/controls/google_pubsub_topic.rb | 2 +- test/integration/verify/controls/google_pubsub_topics.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/integration/verify/controls/google_pubsub_subscription.rb b/test/integration/verify/controls/google_pubsub_subscription.rb index bde2c6cd8..78c2deb67 100644 --- a/test/integration/verify/controls/google_pubsub_subscription.rb +++ b/test/integration/verify/controls/google_pubsub_subscription.rb @@ -14,7 +14,7 @@ title 'Test GCP google_pubsub_subscription resource.' -gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.') +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') subscription = attribute('subscription', default: {"name"=>"inspec-gcp-subscription", "ack_deadline_seconds"=>20}) control 'google_pubsub_subscription-1.0' do diff --git a/test/integration/verify/controls/google_pubsub_subscriptions.rb b/test/integration/verify/controls/google_pubsub_subscriptions.rb index f90f2f59b..2f35bfcfb 100644 --- a/test/integration/verify/controls/google_pubsub_subscriptions.rb +++ b/test/integration/verify/controls/google_pubsub_subscriptions.rb 
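Review bot: The new default `'gcp_project_id'` on the `gcp_project_id` attribute is a placeholder that is also a syntactically valid project id, so a run that forgets to supply the attribute will query a project literally named `gcp_project_id` and fail with a confusing API error instead of a clear missing-attribute message. The same default is introduced in the google_pubsub_subscriptions.rb, google_pubsub_topic.rb and google_pubsub_topics.rb hunks. If the InSpec version in use supports it, marking the attribute required instead of defaulting it, e.g. `gcp_project_id = attribute(:gcp_project_id, required: true, description: 'The GCP project identifier.')`, makes the failure explicit; otherwise a comment stating that the default is a placeholder and not a real project would help.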
@@ -14,7 +14,7 @@ title 'Test GCP google_pubsub_subscriptions resource.' -gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.') +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') subscription = attribute('subscription', default: {"name"=>"inspec-gcp-subscription", "ack_deadline_seconds"=>20}) control 'google_pubsub_subscriptions-1.0' do diff --git a/test/integration/verify/controls/google_pubsub_topic.rb b/test/integration/verify/controls/google_pubsub_topic.rb index c4e1c895b..d2c36e0e9 100644 --- a/test/integration/verify/controls/google_pubsub_topic.rb +++ b/test/integration/verify/controls/google_pubsub_topic.rb @@ -14,7 +14,7 @@ title 'Test GCP google_pubsub_topic resource.' -gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.') +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') topic = attribute('topic', default: {"name"=>"inspec-gcp-topic"}) control 'google_pubsub_topic-1.0' do diff --git a/test/integration/verify/controls/google_pubsub_topics.rb b/test/integration/verify/controls/google_pubsub_topics.rb index cb1b6c9ad..ad9b77464 100644 --- a/test/integration/verify/controls/google_pubsub_topics.rb +++ b/test/integration/verify/controls/google_pubsub_topics.rb @@ -14,7 +14,7 @@ title 'Test GCP google_pubsub_topics resource.' -gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.') +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') topic = attribute('topic', default: {"name"=>"inspec-gcp-topic"}) control 'google_pubsub_topics-1.0' do From 991e4294dda89dbc2cf64ca5276dd047e50a5cde Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Fri, 11 Jan 2019 00:28:09 +0000 Subject: [PATCH 2/8] Add negative tests for nonexistent resources 
Signed-off-by: Modular Magician --- docs/resources/google_compute_disk.md | 4 ++++ docs/resources/google_compute_ssl_policy.md | 4 ++++ docs/resources/google_pubsub_subscription.md | 4 ++++ docs/resources/google_pubsub_topic.md | 3 +++ test/integration/verify/controls/google_compute_disk.rb | 4 ++++ test/integration/verify/controls/google_compute_ssl_policy.rb | 4 ++++ .../integration/verify/controls/google_pubsub_subscription.rb | 4 ++++ test/integration/verify/controls/google_pubsub_topic.rb | 4 ++++ 8 files changed, 31 insertions(+) diff --git a/docs/resources/google_compute_disk.md b/docs/resources/google_compute_disk.md index 638db57c6..7092047a7 100644 --- a/docs/resources/google_compute_disk.md +++ b/docs/resources/google_compute_disk.md @@ -26,6 +26,10 @@ describe.one do end end end + +describe google_compute_disk(project: 'chef-gcp-inspec', name: 'nonexistent', zone: 'zone') do + it { should_not exist } +end ``` ## Properties diff --git a/docs/resources/google_compute_ssl_policy.md b/docs/resources/google_compute_ssl_policy.md index 3df415f5d..827066f17 100644 --- a/docs/resources/google_compute_ssl_policy.md +++ b/docs/resources/google_compute_ssl_policy.md @@ -16,6 +16,10 @@ describe google_compute_ssl_policy(project: 'chef-gcp-inspec', name: 'inspec-gcp its('custom_features') { should include 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' } its('custom_features') { should include 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' } end + +describe google_compute_ssl_policy(project: 'chef-gcp-inspec', name: 'nonexistent') do + it { should_not exist } +end ``` ## Properties diff --git a/docs/resources/google_pubsub_subscription.md b/docs/resources/google_pubsub_subscription.md index 71dd45121..dec130338 100644 --- a/docs/resources/google_pubsub_subscription.md +++ b/docs/resources/google_pubsub_subscription.md 
@@ -13,6 +13,10 @@ describe google_pubsub_subscription(project: '', name: 'inspec-gcp-subscription' it { should exist } end +describe google_pubsub_subscription(project: '', name: 'nonexistent') do + it { should_not exist } +end + ``` ## Properties diff --git a/docs/resources/google_pubsub_topic.md b/docs/resources/google_pubsub_topic.md index 622a8f8c2..62a7e07db 100644 --- a/docs/resources/google_pubsub_topic.md +++ b/docs/resources/google_pubsub_topic.md @@ -13,6 +13,9 @@ describe google_pubsub_topic(project: '', name: 'inspec-gcp-topic') do it { should exist } end +describe google_pubsub_topic(project: '', name: 'nonexistent') do + it { should_not exist } +end ``` ## Properties diff --git a/test/integration/verify/controls/google_compute_disk.rb b/test/integration/verify/controls/google_compute_disk.rb index c0cf721ae..bd85f53af 100644 --- a/test/integration/verify/controls/google_compute_disk.rb +++ b/test/integration/verify/controls/google_compute_disk.rb @@ -40,4 +40,8 @@ end end end + + describe google_compute_disk(project: gcp_project_id, name: 'nonexistent', zone: gcp_zone) do + it { should_not exist } + end end diff --git a/test/integration/verify/controls/google_compute_ssl_policy.rb b/test/integration/verify/controls/google_compute_ssl_policy.rb index 971c667f4..af6a3b57e 100644 --- a/test/integration/verify/controls/google_compute_ssl_policy.rb +++ b/test/integration/verify/controls/google_compute_ssl_policy.rb @@ -33,4 +33,8 @@ its('custom_features') { should include ssl_policy['custom_feature'] } its('custom_features') { should include ssl_policy['custom_feature2'] } end + + describe google_compute_ssl_policy(project: gcp_project_id, name: 'nonexistent') do + it { should_not exist } + end end diff --git a/test/integration/verify/controls/google_pubsub_subscription.rb b/test/integration/verify/controls/google_pubsub_subscription.rb index bde2c6cd8..c781b654a 100644 --- a/test/integration/verify/controls/google_pubsub_subscription.rb 
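Review bot: The added `should_not exist` check in the google_compute_disk.rb hunk only proves something if the resource's `exists?` reports false solely for a not-found response; if the backend also yields nil on an authorization or transport error, a misconfigured credential would make this negative test pass vacuously. The same applies to the google_compute_ssl_policy.rb, google_pubsub_subscription.rb and google_pubsub_topic.rb hunks in this patch. The fetch path is outside these hunks, so this is worth confirming rather than assumed; a short comment such as `# negative case: relies on the backend distinguishing not-found from auth/transport failures` would record the dependency. The enclosing `control` block starts outside the hunk, and `gcp_zone` is presumably defined above it.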
+++ b/test/integration/verify/controls/google_pubsub_subscription.rb @@ -24,4 +24,8 @@ describe google_pubsub_subscription(project: gcp_project_id, name: subscription['name']) do it { should exist } end + + describe google_pubsub_subscription(project: gcp_project_id, name: 'nonexistent') do + it { should_not exist } + end end diff --git a/test/integration/verify/controls/google_pubsub_topic.rb b/test/integration/verify/controls/google_pubsub_topic.rb index c4e1c895b..b580593e6 100644 --- a/test/integration/verify/controls/google_pubsub_topic.rb +++ b/test/integration/verify/controls/google_pubsub_topic.rb @@ -24,4 +24,8 @@ describe google_pubsub_topic(project: gcp_project_id, name: topic['name']) do it { should exist } end + + describe google_pubsub_topic(project: gcp_project_id, name: 'nonexistent') do + it { should_not exist } + end end From 980323906144d5906a1bc2403a791b0b64052b8c Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Mon, 14 Jan 2019 14:15:15 -0800 Subject: [PATCH 3/8] Add dns readonly scope Signed-off-by: Sam Levenick --- libraries/gcp_backend.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libraries/gcp_backend.rb b/libraries/gcp_backend.rb index afa600191..01031738d 100644 --- a/libraries/gcp_backend.rb +++ b/libraries/gcp_backend.rb @@ -197,7 +197,11 @@ def initialize def fetch_auth unless @service_account_file.nil? return Network::Authorization.new.for!( - ['https://www.googleapis.com/auth/compute.readonly', 'https://www.googleapis.com/auth/pubsub'], + [ + 'https://www.googleapis.com/auth/compute.readonly', + 'https://www.googleapis.com/auth/pubsub', + 'https://www.googleapis.com/auth/ndev.clouddns.readonly', + ], ).from_service_account_json!( @service_account_file, ) From f8cf81c22eea066625b57b8020bd1664c5af79a8 Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Tue, 15 Jan 2019 23:19:23 +0000 Subject: [PATCH 4/8] Inspec resource record sets 
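Review bot: The scope array in `fetch_auth` now mixes read-only scopes (`compute.readonly` and the new `ndev.clouddns.readonly`) with the full `pubsub` scope, so a credential minted for a read-only audit still carries Pub/Sub write permission; a one-line comment stating why a read-only Pub/Sub scope is not used (if none is available for that API) would make the least-privilege intent reviewable. As a point of style, the growing literal belongs in a frozen constant such as `OAUTH_SCOPES = [...].freeze` passed as `for!(OAUTH_SCOPES)`, rather than being rebuilt inside the method on every call. The rest of `fetch_auth` (the non-service-account branch) lies outside the hunk.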
Signed-off-by: Modular Magician --- .../google_dns_resource_record_set.md | 32 +++++++++ .../google_dns_resource_record_sets.md | 33 +++++++++ libraries/google_dns_resource_record_set.rb | 72 +++++++++++++++++++ libraries/google_dns_resource_record_sets.rb | 72 +++++++++++++++++++ test/integration/build/gcp-mm.tf | 29 ++++++++ .../configuration/mm-attributes.yml | 16 +++++ .../google_dns_resource_record_set.rb | 43 +++++++++++ .../google_dns_resource_record_sets.rb | 43 +++++++++++ 8 files changed, 340 insertions(+) create mode 100644 docs/resources/google_dns_resource_record_set.md create mode 100644 docs/resources/google_dns_resource_record_sets.md create mode 100644 libraries/google_dns_resource_record_set.rb create mode 100644 libraries/google_dns_resource_record_sets.rb create mode 100644 test/integration/verify/controls/google_dns_resource_record_set.rb create mode 100644 test/integration/verify/controls/google_dns_resource_record_sets.rb diff --git a/docs/resources/google_dns_resource_record_set.md b/docs/resources/google_dns_resource_record_set.md new file mode 100644 index 000000000..277f93de7 --- /dev/null +++ b/docs/resources/google_dns_resource_record_set.md 
@@ -0,0 +1,32 @@ +--- +title: About the ResourceRecordSet resource +platform: gcp +--- + + +## Syntax +A `google_dns_resource_record_set` is used to test a Google ResourceRecordSet resource + +## Examples +``` +describe google_dns_resource_record_set(project: 'chef-gcp-inspec', name: 'backend.my.domain.com.', type: 'A', managed_zone: 'inspec-gcp-managed-zone') do + it { should exist } + its('type') { should eq 'A' } + its('ttl') { should eq '300' } + its('target') { should include '8.8.8.8' } + its('target') { should include '8.8.4.4' } +end +``` + +## Properties +Properties that can be accessed from the `google_dns_resource_record_set` resource: + + * `name`: For example, www.example.com. + + * `type`: One of valid DNS resource types. + + * `ttl`: Number of seconds that this ResourceRecordSet can be cached by resolvers. + + * `target`: As defined in RFC 1035 (section 5) and RFC 1034 (section 3.6.1) + + * `managed_zone`: Identifies the managed zone addressed by this request. Can be the managed zone name or id. diff --git a/docs/resources/google_dns_resource_record_sets.md b/docs/resources/google_dns_resource_record_sets.md new file mode 100644 index 000000000..785835fdd --- /dev/null +++ b/docs/resources/google_dns_resource_record_sets.md 
@@ -0,0 +1,33 @@ +--- +title: About the ResourceRecordSet resource +platform: gcp +--- + + +## Syntax +A `google_dns_resource_record_sets` is used to test a Google ResourceRecordSet resource + +## Examples +``` +describe google_dns_resource_record_sets(project: 'chef-gcp-inspec', name: 'backend.my.domain.com.', managed_zone: 'inspec-gcp-managed-zone') do + its('count') { should eq 3 } + its('types') { should include 'A' } + its('ttls') { should include '300' } + its('targets.flatten') { should include '8.8.8.8' } + its('targets.flatten') { should include '8.8.4.4' } +end +``` + +## Properties +Properties that can be accessed from the `google_dns_resource_record_sets` resource: + +See [google_dns_resource_record_set.md](google_dns_resource_record_set.md) for more detailed information + * `names`: an array of `google_dns_resource_record_set` name + * `types`: an array of `google_dns_resource_record_set` type + * `ttls`: an array of `google_dns_resource_record_set` ttl + * `targets`: an array of `google_dns_resource_record_set` target + * `managed_zones`: an array of `google_dns_resource_record_set` managed_zone + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. diff --git a/libraries/google_dns_resource_record_set.rb b/libraries/google_dns_resource_record_set.rb new file mode 100644 index 000000000..a7266353d --- /dev/null +++ b/libraries/google_dns_resource_record_set.rb 
@@ -0,0 +1,72 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' + +# A provider to manage Google Cloud DNS resources. +class ResourceRecordSet < GcpResourceBase + name 'google_dns_resource_record_set' + desc 'ResourceRecordSet' + supports platform: 'gcp' + + attr_reader :name + attr_reader :type + attr_reader :ttl + attr_reader :target + attr_reader :managed_zone + def base + 'https://www.googleapis.com/dns/v1/' + end + + def url + 'projects/{{project}}/managedZones/{{managed_zone}}/rrsets?name={{name}}&type={{type}}' + end + + def initialize(params) + super(params.merge({ use_http_transport: true })) + fetched = @connection.fetch(base, url, params) + @fetched = unwrap(fetched, params) + parse unless @fetched.nil? + end + + def identity + %w{name type} + end + + def collection_item + 'rrsets' + end + + def unwrap(fetched, params) + fetched[collection_item].find { |result| identity.all? { |id| result[id.to_sym] == params[id] } } + end + + def parse + @name = @fetched['name'] + @type = @fetched['type'] + @ttl = @fetched['ttl'] + @target = @fetched['rrdatas'] + @managed_zone = @fetched['managed_zone'] + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + def exists? + !@fetched.nil? + end +end 
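Review bot: `unwrap` dereferences `fetched[collection_item]` and calls `find` on it without a nil guard, so a response with no `rrsets` key (the empty-result case) or a nil `fetched` raises instead of leaving `@fetched` nil, and `exists?` can then never report false for an absent record set. The identity comparison also looks vacuous: `parse` reads `@fetched['name']` with string keys, which suggests the API hash is string-keyed, while the comparison uses `result[id.to_sym]`, and `params[id]` is looked up with a string although the controls pass symbol keys — if both sides are nil the `all?` is true and `find` returns the first element regardless of identity. I cannot see `@connection.fetch` from here, so please confirm the key types; a guarded version that tolerates either key style is below.
```ruby
def unwrap(fetched, params)
  items = fetched.is_a?(Hash) ? fetched[collection_item] : nil
  return if items.nil?

  items.find do |result|
    identity.all? do |id|
      result.fetch(id) { result[id.to_sym] } == params.fetch(id) { params[id.to_sym] }
    end
  end
end
```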
diff --git a/libraries/google_dns_resource_record_sets.rb b/libraries/google_dns_resource_record_sets.rb new file mode 100644 index 000000000..3ab457ab8 --- /dev/null +++ b/libraries/google_dns_resource_record_sets.rb 
@@ -0,0 +1,72 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class ResourceRecordSets < GcpResourceBase + name 'google_dns_resource_record_sets' + desc 'ResourceRecordSet plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:names, field: :name) + filter_table_config.add(:types, field: :type) + filter_table_config.add(:ttls, field: :ttl) + filter_table_config.add(:targets, field: :target) + filter_table_config.add(:managed_zones, field: :managed_zone) + + filter_table_config.connect(self, :table) + + def base + 'https://www.googleapis.com/dns/v1/' + end + + def url + 'projects/{{project}}/managedZones/{{managed_zone}}/rrsets' + end + + def api_names + { + 'rrdatas' => 'target', + } + end + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('rrsets') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(base, url, @params) + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_pair { |k, v| api_names.key?(k) ? 
hash_with_symbols[api_names[k].to_sym] = v : hash_with_symbols[k.to_sym] = v } + converted.push(hash_with_symbols) + end + end + + converted + end +end diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf index 9b7853230..7e7d27ec4 100644 --- a/test/integration/build/gcp-mm.tf +++ b/test/integration/build/gcp-mm.tf @@ -10,6 +10,14 @@ variable "subscription" { type = "map" } +variable "managed_zone" { + type = "map" +} + +variable "record_set" { + type = "map" +} + resource "google_compute_ssl_policy" "custom-ssl-policy" { name = "${var.ssl_policy["name"]}" min_tls_version = "${var.ssl_policy["min_tls_version"]}" @@ -29,3 +37,24 @@ resource "google_pubsub_subscription" "default" { topic = "${google_pubsub_topic.topic.name}" ack_deadline_seconds = "${var.subscription["ack_deadline_seconds"]}" } + +resource "google_dns_managed_zone" "prod" { + name = "${var.managed_zone["name"]}" + dns_name = "${var.managed_zone["dns_name"]}" + description = "${var.managed_zone["description"]}" + + labels = { + key = "${var.managed_zone["label_value"]}" + } + project = "${var.gcp_project_id}" +} + +resource "google_dns_record_set" "a" { + name = "${var.record_set["name"]}" + managed_zone = "${google_dns_managed_zone.prod.name}" + type = "${var.record_set["type"]}" + ttl = "${var.record_set["ttl"]}" + + rrdatas = ["${var.record_set["rrdatas1"]}", "${var.record_set["rrdatas2"]}"] + project = "${var.gcp_project_id}" +} diff --git a/test/integration/configuration/mm-attributes.yml b/test/integration/configuration/mm-attributes.yml index 2a441f272..53c2ca1ce 100644 --- a/test/integration/configuration/mm-attributes.yml +++ b/test/integration/configuration/mm-attributes.yml 
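Review bot: The key-conversion loop in `fetch_wrapped_resource` uses a ternary whose two arms are assignments, and it calls `api_names` (which builds a fresh hash) once per key of every record; `converted.push(hash.each_with_object({}) { |(k, v), out| out[api_names.fetch(k, k).to_sym] = v })` reads as a mapping and makes hoisting `api_names` into a local before the loops straightforward. Separately, `return if result.nil?` leaves `@table` nil; if the FilterTable accessors expect an enumerable, `return [] if result.nil?` avoids a NoMethodError on an empty or failed fetch — worth confirming against `fetch_all`, which is outside this file.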
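Review bot: In the `google_dns_managed_zone` block of the gcp-mm.tf hunk the label key is hard-coded as `key`, while the companion mm-attributes.yml hunk defines `label_key: key` that nothing reads, so the attribute and the Terraform are not actually wired together and a change to `label_key` would silently have no effect. Either drop the unused attribute or use it as the label key so the two stay in sync; at minimum a comment next to `labels` saying the key is fixed would prevent the confusion.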
@@ -4,8 +4,24 @@ ssl_policy: profile: 'CUSTOM' custom_feature: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' custom_feature2: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' + topic: name: 'inspec-gcp-topic' + subscription: name: 'inspec-gcp-subscription' ack_deadline_seconds: 20 + +managed_zone: + name: 'inspec-gcp-managed-zone' + dns_name: 'my.domain.com.' + description: 'A test DNS zone' + label_key: key + label_value: 'value' + +record_set: + name: 'backend.my.domain.com.' + type: 'A' + ttl: 300 + rrdatas1: '8.8.8.8' + rrdatas2: '8.8.4.4' diff --git a/test/integration/verify/controls/google_dns_resource_record_set.rb b/test/integration/verify/controls/google_dns_resource_record_set.rb new file mode 100644 index 000000000..4cbeb88e1 --- /dev/null +++ b/test/integration/verify/controls/google_dns_resource_record_set.rb 
@@ -0,0 +1,43 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_dns_resource_record_set resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +record_set = attribute('record_set', default: { + "name": "backend.my.domain.com.", + "type": "A", + "ttl": 300, + "rrdatas1": "8.8.8.8", + "rrdatas2": "8.8.4.4" +}) +managed_zone = attribute('managed_zone', default: { + "name": "inspec-gcp-managed-zone", + "dns_name": "my.domain.com.", + "description": "A test DNS zone", + "label_key": "key", + "label_value": "value" +}) +control 'google_dns_resource_record_set-1.0' do + impact 1.0 + title 'google_dns_resource_record_set resource test' + + describe google_dns_resource_record_set(project: gcp_project_id, name: record_set['name'], type: record_set['type'], managed_zone: managed_zone['name']) do + it { should exist } + its('type') { should eq record_set['type'] } + its('ttl') { should eq record_set['ttl'] } + its('target') { should include record_set['rrdatas1'] } + its('target') { should include record_set['rrdatas2'] } + end +end diff --git a/test/integration/verify/controls/google_dns_resource_record_sets.rb b/test/integration/verify/controls/google_dns_resource_record_sets.rb new file mode 100644 index 000000000..9c9cad0d8 --- /dev/null +++ b/test/integration/verify/controls/google_dns_resource_record_sets.rb 
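Review bot: The attribute defaults in google_dns_resource_record_set.rb use `"name": "backend.my.domain.com."` syntax, which in Ruby creates symbol keys, but the control reads them as `record_set['name']` and `managed_zone['name']` with string keys; whenever the attributes are not supplied externally, every lookup returns nil and the describe runs against `name: nil`. The pubsub controls earlier in this series use hash-rocket string keys (`"name"=>"inspec-gcp-subscription"`), so the defaults here should be written the same way, e.g. `"name" => "backend.my.domain.com."` for each entry of both hashes. The same defect is in the google_dns_resource_record_sets.rb hunk.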
@@ -0,0 +1,43 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_dns_resource_record_sets resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +record_set = attribute('record_set', default: { + "name": "backend.my.domain.com.", + "type": "A", + "ttl": 300, + "rrdatas1": "8.8.8.8", + "rrdatas2": "8.8.4.4" +}) +managed_zone = attribute('managed_zone', default: { + "name": "inspec-gcp-managed-zone", + "dns_name": "my.domain.com.", + "description": "A test DNS zone", + "label_key": "key", + "label_value": "value" +}) +control 'google_dns_resource_record_sets-1.0' do + impact 1.0 + title 'google_dns_resource_record_sets resource test' + + describe google_dns_resource_record_sets(project: gcp_project_id, name: record_set['name'], managed_zone: managed_zone['name']) do + its('count') { should eq 3 } + its('types') { should include record_set['type'] } + its('ttls') { should include record_set['ttl'] } + its('targets.flatten') { should include record_set['rrdatas1'] } + its('targets.flatten') { should include record_set['rrdatas2'] } + end +end From c81375b67c399513536330f4cb096d8c7036a950 Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Tue, 15 Jan 2019 23:44:40 +0000 Subject: [PATCH 5/8] Add instance group manager resource to InSpec 
Signed-off-by: Modular Magician --- .../google_compute_instance_group_manager.md | 74 ++++++++++++++++++ .../google_compute_instance_group_managers.md | 38 +++++++++ .../instancegroupmanager_current_actions.rb | 50 ++++++++++++ .../instancegroupmanager_named_ports.rb | 40 ++++++++++ .../google_compute_instance_group_manager.rb | 77 +++++++++++++++++++ .../google_compute_instance_group_managers.rb | 74 ++++++++++++++++++ test/integration/build/gcp-mm.tf | 18 +++++ .../configuration/mm-attributes.yml | 6 ++ .../google_compute_instance_group_manager.rb | 43 +++++++++++ .../google_compute_instance_group_managers.rb | 33 ++++++++ 10 files changed, 453 insertions(+) create mode 100644 docs/resources/google_compute_instance_group_manager.md create mode 100644 docs/resources/google_compute_instance_group_managers.md create mode 100644 libraries/google/compute/property/instancegroupmanager_current_actions.rb create mode 100644 libraries/google/compute/property/instancegroupmanager_named_ports.rb create mode 100644 libraries/google_compute_instance_group_manager.rb create mode 100644 libraries/google_compute_instance_group_managers.rb create mode 100644 test/integration/verify/controls/google_compute_instance_group_manager.rb create mode 100644 test/integration/verify/controls/google_compute_instance_group_managers.rb diff --git a/docs/resources/google_compute_instance_group_manager.md b/docs/resources/google_compute_instance_group_manager.md new file mode 100644 index 000000000..42f256204 --- /dev/null +++ b/docs/resources/google_compute_instance_group_manager.md 
@@ -0,0 +1,74 @@ +--- +title: About the InstanceGroupManager resource +platform: gcp +--- + + +## Syntax +A `google_compute_instance_group_manager` is used to test a Google InstanceGroupManager resource + +## Examples +``` +describe google_compute_instance_group_manager(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-gcp-igm') do + it { should exist } + + its('base_instance_name') { should eq 'igm' } + its('named_ports.count') { should cmp 1 } + its('named_ports.first.name') { should eq 'port' } + its('named_ports.first.port') { should eq '80' } + its('instance_template') { should match 'gcp-managed-group-name' } +end + +describe google_compute_instance_group_manager(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_instance_group_manager` resource: + + * `base_instance_name`: The base instance name to use for instances in this group. The value must be 1-58 characters long. Instances are named by appending a hyphen and a random four-character string to the base instance name. The base instance name must comply with RFC1035. + + * `creation_timestamp`: The creation timestamp for this managed instance group in RFC3339 text format. + + * `current_actions`: The list of instance actions and the number of instances in this managed instance group that are scheduled for each of those actions. + + * `abandoning`: The total number of instances in the managed instance group that are scheduled to be abandoned. Abandoning an instance removes it from the managed instance group without deleting it. + + * `creating`: The number of instances in the managed instance group that are scheduled to be created or are currently being created. If the group fails to create any of these instances, it tries again until it creates the instance successfully. 
If you have disabled creation retries, this field will not be populated; instead, the creatingWithoutRetries field will be populated. + + * `creatingWithoutRetries`: The number of instances that the managed instance group will attempt to create. The group attempts to create each instance only once. If the group fails to create any of these instances, it decreases the group's targetSize value accordingly. + + * `deleting`: The number of instances in the managed instance group that are scheduled to be deleted or are currently being deleted. + + * `none`: The number of instances in the managed instance group that are running and have no scheduled actions. + + * `recreating`: The number of instances in the managed instance group that are scheduled to be recreated or are currently being being recreated. Recreating an instance deletes the existing root persistent disk and creates a new disk from the image that is defined in the instance template. + + * `refreshing`: The number of instances in the managed instance group that are being reconfigured with properties that do not require a restart or a recreate action. For example, setting or removing target pools for the instance. + + * `restarting`: The number of instances in the managed instance group that are scheduled to be restarted or are currently being restarted. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `id`: A unique identifier for this resource + + * `instance_group`: The instance group being managed + + * `instance_template`: The instance template that is specified for this managed instance group. The group uses this template to create all new instances in the managed instance group. + + * `name`: The name of the managed instance group. The name must be 1-63 characters long, and comply with RFC1035. + + * `named_ports`: Named ports configured for the Instance Groups complementary to this Instance Group Manager. 
+ + * `name`: The name for this named port. The name must be 1-63 characters long, and comply with RFC1035. + + * `port`: The port number, which can be a value between 1 and 65535. + + * `region`: The region this managed instance group resides (for regional resources). + + * `target_pools`: TargetPool resources to which instances in the instanceGroup field are added. The target pools automatically apply to all of the instances in the managed instance group. + + * `target_size`: The target number of running instances for this managed instance group. Deleting or abandoning instances reduces this number. Resizing the group changes this number. + + * `zone`: The zone the managed instance group resides. diff --git a/docs/resources/google_compute_instance_group_managers.md b/docs/resources/google_compute_instance_group_managers.md new file mode 100644 index 000000000..03fc20747 --- /dev/null +++ b/docs/resources/google_compute_instance_group_managers.md 
@@ -0,0 +1,38 @@ +--- +title: About the InstanceGroupManager resource +platform: gcp +--- + + +## Syntax +A `google_compute_instance_group_managers` is used to test a Google InstanceGroupManager resource + +## Examples +``` +describe google_compute_instance_group_managers(project: 'chef-gcp-inspec', zone: 'zone') do + its('base_instance_names') { should include 'igm' } +end + +``` + +## Properties +Properties that can be accessed from the `google_compute_instance_group_managers` resource: + +See [google_compute_instance_group_manager.md](google_compute_instance_group_manager.md) for more detailed information + * `base_instance_names`: an array of `google_compute_instance_group_manager` base_instance_name + * `creation_timestamps`: an array of `google_compute_instance_group_manager` creation_timestamp + * `current_actions`: an array of `google_compute_instance_group_manager` current_actions + * `descriptions`: an array of `google_compute_instance_group_manager` description + * `ids`: an array of `google_compute_instance_group_manager` id + * `instance_groups`: an array of `google_compute_instance_group_manager` instance_group + * `instance_templates`: an array of `google_compute_instance_group_manager` instance_template + * `names`: an array of `google_compute_instance_group_manager` name + * `named_ports`: an array of `google_compute_instance_group_manager` named_ports + * `regions`: an array of `google_compute_instance_group_manager` region + * `target_pools`: an array of `google_compute_instance_group_manager` target_pools + * `target_sizes`: an array of `google_compute_instance_group_manager` target_size + * `zones`: an array of `google_compute_instance_group_manager` zone + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. 
diff --git a/libraries/google/compute/property/instancegroupmanager_current_actions.rb b/libraries/google/compute/property/instancegroupmanager_current_actions.rb new file mode 100644 index 000000000..ccc007063 --- /dev/null +++ b/libraries/google/compute/property/instancegroupmanager_current_actions.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module Compute + module Property + class InstanceGroupManagerCurrentactions + attr_reader :abandoning + + attr_reader :creating + + attr_reader :creating_without_retries + + attr_reader :deleting + + attr_reader :none + + attr_reader :recreating + + attr_reader :refreshing + + attr_reader :restarting + + def initialize(args = nil) + return if args.nil? + @abandoning = args['abandoning'] + @creating = args['creating'] + @creating_without_retries = args['creatingWithoutRetries'] + @deleting = args['deleting'] + @none = args['none'] + @recreating = args['recreating'] + @refreshing = args['refreshing'] + @restarting = args['restarting'] + end + end + end + end +end diff --git a/libraries/google/compute/property/instancegroupmanager_named_ports.rb b/libraries/google/compute/property/instancegroupmanager_named_ports.rb new file mode 100644 index 000000000..a1c123548 --- /dev/null +++ b/libraries/google/compute/property/instancegroupmanager_named_ports.rb 
@@ -0,0 +1,40 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file in README.md and
+# CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+module GoogleInSpec
+ module Compute
+ module Property
+ class InstanceGroupManagerNamedports
+ attr_reader :name
+
+ attr_reader :port
+
+ def initialize(args = nil)
+ return if args.nil?
+ @name = args['name']
+ @port = args['port']
+ end
+ end
+
+ class InstanceGroupManagerNamedportsArray
+ def self.parse(value)
+ return if value.nil?
+ return InstanceGroupManagerNamedports.new(value) unless value.is_a?(::Array)
+ value.map { |v| InstanceGroupManagerNamedports.new(v) }
+ end
+ end
+ end
+ end
+end
diff --git a/libraries/google_compute_instance_group_manager.rb b/libraries/google_compute_instance_group_manager.rb
new file mode 100644
index 000000000..96af5bdbe
--- /dev/null
+++ b/libraries/google_compute_instance_group_manager.rb
@@ -0,0 +1,77 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +require 'google/compute/property/instancegroupmanager_current_actions' +require 'google/compute/property/instancegroupmanager_named_ports' + +# A provider to manage Google Compute Engine resources. +class InstanceGroupManager < GcpResourceBase + name 'google_compute_instance_group_manager' + desc 'InstanceGroupManager' + supports platform: 'gcp' + + attr_reader :base_instance_name + attr_reader :creation_timestamp + attr_reader :current_actions + attr_reader :description + attr_reader :id + attr_reader :instance_group + attr_reader :instance_template + attr_reader :name + attr_reader :named_ports + attr_reader :region + attr_reader :target_pools + attr_reader :target_size + attr_reader :zone + def base + 'https://www.googleapis.com/compute/v1/' + end + + def url + 'projects/{{project}}/zones/{{zone}}/instanceGroupManagers/{{name}}' + end + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @fetched = @connection.fetch(base, url, params) + parse unless @fetched.nil? 
+ end
+
+ def parse
+ @base_instance_name = @fetched['baseInstanceName']
+ @creation_timestamp = parse_time_string(@fetched['creationTimestamp'])
+ @current_actions = GoogleInSpec::Compute::Property::InstanceGroupManagerCurrentactions.new(@fetched['currentActions'])
+ @description = @fetched['description']
+ @id = @fetched['id']
+ @instance_group = @fetched['instanceGroup']
+ @instance_template = @fetched['instanceTemplate']
+ @name = @fetched['name']
+ @named_ports = GoogleInSpec::Compute::Property::InstanceGroupManagerNamedportsArray.parse(@fetched['namedPorts'])
+ @region = @fetched['region']
+ @target_pools = @fetched['targetPools']
+ @target_size = @fetched['targetSize']
+ @zone = @fetched['zone']
+ end
+
+ # Handles parsing RFC3339 time string
+ def parse_time_string(time_string)
+ time_string ? Time.parse(time_string) : nil
+ end
+
+ def exists?
+ !@fetched.nil?
+ end
+end
diff --git a/libraries/google_compute_instance_group_managers.rb b/libraries/google_compute_instance_group_managers.rb
new file mode 100644
index 000000000..c2b2b7545
--- /dev/null
+++ b/libraries/google_compute_instance_group_managers.rb
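Review bot: `parse_time_string` calls `Time.parse`, which comes from the stdlib `time` library rather than core Ruby, yet the file's requires are only `gcp_backend` and the two property files; unless `gcp_backend` (outside this diff) loads it, parsing `creationTimestamp` raises NoMethodError on first use. Adding `require 'time'` next to the other requires makes the dependency explicit, and since the header marks the file as auto-generated the change belongs in the Magic Modules template rather than here. The class comment `# A provider to manage Google Compute Engine resources.` is generic; a line such as `# Reads a single Compute Engine InstanceGroupManager (project/zone/name) and exposes its fields as readers.` would tell a reader what this resource actually covers.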
@@ -0,0 +1,74 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class InstanceGroupManagers < GcpResourceBase + name 'google_compute_instance_group_managers' + desc 'InstanceGroupManager plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:base_instance_names, field: :baseInstanceName) + filter_table_config.add(:creation_timestamps, field: :creationTimestamp) + filter_table_config.add(:current_actions, field: :currentActions) + filter_table_config.add(:descriptions, field: :description) + filter_table_config.add(:ids, field: :id) + filter_table_config.add(:instance_groups, field: :instanceGroup) + filter_table_config.add(:instance_templates, field: :instanceTemplate) + filter_table_config.add(:names, field: :name) + filter_table_config.add(:named_ports, field: :namedPorts) + filter_table_config.add(:regions, field: :region) + filter_table_config.add(:target_pools, field: :targetPools) + filter_table_config.add(:target_sizes, field: :targetSize) + filter_table_config.add(:zones, field: :zone) + + filter_table_config.connect(self, :table) + + def base + 'https://www.googleapis.com/compute/v1/' + end + + def url + 'projects/{{project}}/zones/{{zone}}/instanceGroupManagers' + end + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('items') 
+ end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(base, url, @params) + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_pair { |k, v| hash_with_symbols[k.to_sym] = v } + converted.push(hash_with_symbols) + end + end + + converted + end +end diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf index 7e7d27ec4..fc0ba35d6 100644 --- a/test/integration/build/gcp-mm.tf +++ b/test/integration/build/gcp-mm.tf @@ -18,6 +18,10 @@ variable "record_set" { type = "map" } +variable "instance_group_manager" { + type = "map" +} + resource "google_compute_ssl_policy" "custom-ssl-policy" { name = "${var.ssl_policy["name"]}" min_tls_version = "${var.ssl_policy["min_tls_version"]}" @@ -58,3 +62,17 @@ resource "google_dns_record_set" "a" { rrdatas = ["${var.record_set["rrdatas1"]}", "${var.record_set["rrdatas2"]}"] project = "${var.gcp_project_id}" } + +resource "google_compute_instance_group_manager" "gcp-inspec-igm" { + project = "${var.gcp_project_id}" + zone = "${var.gcp_zone}" + name = "${var.instance_group_manager["name"]}" + instance_template = "${google_compute_instance_template.default.self_link}" + base_instance_name = "${var.instance_group_manager["base_instance_name"]}" + target_pools = [] + target_size = 0 + named_port { + name = "${var.instance_group_manager["named_port_name"]}" + port = "${var.instance_group_manager["named_port_port"]}" + } +} diff --git a/test/integration/configuration/mm-attributes.yml b/test/integration/configuration/mm-attributes.yml index 53c2ca1ce..ec110f497 100644 --- a/test/integration/configuration/mm-attributes.yml +++ b/test/integration/configuration/mm-attributes.yml 
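Review bot: `fetch_wrapped_resource` builds `converted` with a manual accumulator and an inner `each_pair` copy where `flat_map` and a key-mapping expression say the same thing in fewer moving parts; the rewrite below keeps the nil/missing-`wrap_path` handling and the string-to-symbol key conversion intact. The `to_sym` is applied to keys of the API response, which is a fixed schema rather than user input, so it is acceptable here, but that is worth a comment since `to_sym` on arbitrary external strings is a pattern reviewers normally flag. The method is only called from `initialize` and could sit under `private` unless the FilterTable machinery in `gcp_backend` relies on it being public, which I cannot confirm from this hunk. As the file is auto-generated, the change belongs in the generator template.
```ruby
  # … unchanged: filter_table_config setup, base, url, initialize …

  def fetch_wrapped_resource(wrap_path)
    # fetch_resource returns an array of responses (to handle pagination)
    result = @connection.fetch_all(base, url, @params)
    return if result.nil?

    # Conversion of string -> object hash to symbol -> object hash that InSpec needs.
    # Keys come from the API's fixed schema, so interning them as symbols is bounded.
    result.flat_map do |response|
      next [] if response.nil? || !response.key?(wrap_path)
      response[wrap_path].map { |hash| hash.map { |k, v| [k.to_sym, v] }.to_h }
    end
  end
```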
@@ -25,3 +25,9 @@ record_set: ttl: 300 rrdatas1: '8.8.8.8' rrdatas2: '8.8.4.4' + +instance_group_manager: + name: 'inspec-gcp-igm' + base_instance_name: 'igm' + named_port_name: 'port' + named_port_port: 80 diff --git a/test/integration/verify/controls/google_compute_instance_group_manager.rb b/test/integration/verify/controls/google_compute_instance_group_manager.rb new file mode 100644 index 000000000..0c12b009d --- /dev/null +++ b/test/integration/verify/controls/google_compute_instance_group_manager.rb 
@@ -0,0 +1,43 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_instance_group_manager resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'The GCP project zone.') +gcp_lb_mig1_name = attribute(:gcp_lb_mig1_name, default: 'gcp_lb_mig1_name', description: 'Managed instance group name.') +instance_group_manager = attribute('instance_group_manager', default: { + "name": "inspec-gcp-igm", + "base_instance_name": "igm", + "named_port_name": "port", + "named_port_port": 80 +}, description: 'Instance group manager definition') +control 'google_compute_instance_group_manager-1.0' do + impact 1.0 + title 'google_compute_instance_group_manager resource test' + + describe google_compute_instance_group_manager(project: gcp_project_id, zone: gcp_zone, name: instance_group_manager['name']) do + it { should exist } + + its('base_instance_name') { should eq instance_group_manager['base_instance_name'] } + its('named_ports.count') { should cmp 1 } + its('named_ports.first.name') { should eq instance_group_manager['named_port_name'] } + its('named_ports.first.port') { should eq instance_group_manager['named_port_port'] } + its('instance_template') { should match gcp_lb_mig1_name } + end + + describe google_compute_instance_group_manager(project: gcp_project_id, zone: gcp_zone, name: 'nonexistent') do + it 
{ should_not exist } + end +end diff --git a/test/integration/verify/controls/google_compute_instance_group_managers.rb b/test/integration/verify/controls/google_compute_instance_group_managers.rb new file mode 100644 index 000000000..5d0a5d5c4 --- /dev/null +++ b/test/integration/verify/controls/google_compute_instance_group_managers.rb @@ -0,0 +1,33 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_instance_group_managers resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'The GCP project zone.') +gcp_lb_mig1_name = attribute(:gcp_lb_mig1_name, default: 'gcp_lb_mig1_name', description: 'Managed instance group name.') +instance_group_manager = attribute('instance_group_manager', default: { + "name": "inspec-gcp-igm", + "base_instance_name": "igm", + "named_port_name": "port", + "named_port_port": 80 +}, description: 'Instance group manager definition') +control 'google_compute_instance_group_managers-1.0' do + impact 1.0 + title 'google_compute_instance_group_managers resource test' + + describe google_compute_instance_group_managers(project: gcp_project_id, zone: gcp_zone) do + its('base_instance_names') { should include instance_group_manager['base_instance_name'] } + end +end From 0f1c03b080996015f30d526b965b127260d4eecd Mon Sep 17 00:00:00 2001 
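Review bot: `its('instance_template') { should match gcp_lb_mig1_name }` depends on a `gcp_lb_mig1_name` attribute that this commit's `mm-attributes.yml` hunk does not add (it only adds the `instance_group_manager` block), while the Terraform resource in the same commit sets `instance_template` from `google_compute_instance_template.default.self_link`; unless the attribute is supplied elsewhere, the assertion matches the template URL against the default string `'gcp_lb_mig1_name'` and fails. Either add the value to `mm-attributes.yml` beside the other `instance_group_manager` keys or assert on the template resource the build actually creates. The same `gcp_lb_mig1_name` attribute is declared but never used in the `google_compute_instance_group_managers` control that follows, so it can be dropped there.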
From: Sam Levenick Date: Wed, 16 Jan 2019 00:42:51 +0000 Subject: [PATCH 6/8] Update pubsub to pull gcp project id from correct spot Signed-off-by: Modular Magician --- docs/resources/google_pubsub_subscription.md | 4 ++-- docs/resources/google_pubsub_subscriptions.md | 6 +++--- docs/resources/google_pubsub_topic.md | 4 ++-- docs/resources/google_pubsub_topics.md | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/resources/google_pubsub_subscription.md b/docs/resources/google_pubsub_subscription.md index dec130338..28aa4514f 100644 --- a/docs/resources/google_pubsub_subscription.md +++ b/docs/resources/google_pubsub_subscription.md @@ -9,11 +9,11 @@ A `google_pubsub_subscription` is used to test a Google Subscription resource ## Examples ``` -describe google_pubsub_subscription(project: '', name: 'inspec-gcp-subscription') do +describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: 'inspec-gcp-subscription') do it { should exist } end -describe google_pubsub_subscription(project: '', name: 'nonexistent') do +describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: 'nonexistent') do it { should_not exist } end diff --git a/docs/resources/google_pubsub_subscriptions.md b/docs/resources/google_pubsub_subscriptions.md index c00553938..4203af095 100644 --- a/docs/resources/google_pubsub_subscriptions.md +++ b/docs/resources/google_pubsub_subscriptions.md 
@@ -9,13 +9,13 @@ A `google_pubsub_subscriptions` is used to test a Google Subscription resource ## Examples ``` -describe google_pubsub_subscriptions(project: '') do +describe google_pubsub_subscriptions(project: ''chef-gcp-inspec'') do it { should exist } its('count') { should eq 1 } end -google_pubsub_subscriptions(project: '').names.each do |subscription_name| - describe google_pubsub_subscription(project: '', name: subscription_name) do +google_pubsub_subscriptions(project: ''chef-gcp-inspec'').names.each do |subscription_name| + describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: subscription_name) do its('name') { should match /#{'inspec-gcp-subscription'}/ } end end diff --git a/docs/resources/google_pubsub_topic.md b/docs/resources/google_pubsub_topic.md index 62a7e07db..7a70efbfc 100644 --- a/docs/resources/google_pubsub_topic.md +++ b/docs/resources/google_pubsub_topic.md @@ -9,11 +9,11 @@ A `google_pubsub_topic` is used to test a Google Topic resource ## Examples ``` -describe google_pubsub_topic(project: '', name: 'inspec-gcp-topic') do +describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: 'inspec-gcp-topic') do it { should exist } end -describe google_pubsub_topic(project: '', name: 'nonexistent') do +describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: 'nonexistent') do it { should_not exist } end ``` diff --git a/docs/resources/google_pubsub_topics.md b/docs/resources/google_pubsub_topics.md index 6f49ea310..07658cf11 100644 --- a/docs/resources/google_pubsub_topics.md +++ b/docs/resources/google_pubsub_topics.md 
@@ -9,14 +9,14 @@ A `google_pubsub_topics` is used to test a Google Topic resource ## Examples ``` -describe google_pubsub_topics(project: '') do +describe google_pubsub_topics(project: ''chef-gcp-inspec'') do it { should exist } its('names') { should include 'inspec-gcp-topic' } its('count') { should eq 1 } end -google_pubsub_topics(project: '').names.each do |topic_name| - describe google_pubsub_topic(project: '', name: topic_name) do +google_pubsub_topics(project: ''chef-gcp-inspec'').names.each do |topic_name| + describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: topic_name) do its('name') { should eq 'inspec-gcp-topic' } end end From 60ea73f2becc61a516308553de7183002b2e2072 Mon Sep 17 00:00:00 2001 From: Chris Stephens Date: Wed, 16 Jan 2019 03:22:50 +0000 Subject: [PATCH 7/8] Make Disk KMS features GA Signed-off-by: Modular Magician --- docs/resources/google_compute_disk.md | 6 ++++++ .../google/compute/property/disk_disk_encryption_key.rb | 3 +++ .../compute/property/disk_source_image_encryption_key.rb | 3 +++ .../compute/property/disk_source_snapshot_encryption_key.rb | 3 +++ 4 files changed, 15 insertions(+) diff --git a/docs/resources/google_compute_disk.md b/docs/resources/google_compute_disk.md index 7092047a7..f1a0a8f7e 100644 --- a/docs/resources/google_compute_disk.md +++ b/docs/resources/google_compute_disk.md 
@@ -69,6 +69,8 @@ Properties that can be accessed from the `google_compute_disk` resource: * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + * `kmsKeyName`: The name of the encryption key that is stored in Google Cloud KMS. + * `source_image_id`: The ID value of the image used to create this disk. This value identifies the exact image that was used to create this persistent disk. For example, if you created the persistent disk from an image that was later deleted and recreated under the same name, the source image ID would identify the exact version of the image that was used. * `disk_encryption_key`: Encrypts the disk using a customer-supplied encryption key. After you encrypt a disk with a customer-supplied key, you must provide the same key if you use the disk later (e.g. to create a disk snapshot or an image, or to attach the disk to a virtual machine). Customer-supplied encryption keys do not protect access to metadata of the disk. If you do not provide an encryption key when creating the disk, then the disk will be encrypted using an automatically generated key and you do not need to provide a key to use the disk later. 
@@ -77,12 +79,16 @@ Properties that can be accessed from the `google_compute_disk` resource: * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. + * `kmsKeyName`: The name of the encryption key that is stored in Google Cloud KMS. + * `source_snapshot`: The source snapshot used to create this disk. You can provide this as a partial or full URL to the resource. For example, the following are valid values: * `https://www.googleapis.com/compute/v1/projects/project/global/snapshots/snapshot` * `projects/project/global/snapshots/snapshot` * `global/snapshots/snapshot` * `source_snapshot_encryption_key`: The customer-supplied encryption key of the source snapshot. Required if the source snapshot is protected by a customer-supplied encryption key. * `rawKey`: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. + * `kmsKeyName`: The name of the encryption key that is stored in Google Cloud KMS. + * `sha256`: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource. * `source_snapshot_id`: The unique ID of the snapshot used to create this disk. This value identifies the exact snapshot that was used to create this persistent disk. For example, if you created the persistent disk from a snapshot that was later deleted and recreated under the same name, the source snapshot ID would identify the exact version of the snapshot that was used. diff --git a/libraries/google/compute/property/disk_disk_encryption_key.rb b/libraries/google/compute/property/disk_disk_encryption_key.rb index f18445276..1ecbecdbd 100644 --- a/libraries/google/compute/property/disk_disk_encryption_key.rb +++ b/libraries/google/compute/property/disk_disk_encryption_key.rb 
@@ -21,10 +21,13 @@ class DiskDiskencryptionkey attr_reader :sha256 + attr_reader :kms_key_name + def initialize(args = nil) return if args.nil? @raw_key = args['rawKey'] @sha256 = args['sha256'] + @kms_key_name = args['kmsKeyName'] end end end diff --git a/libraries/google/compute/property/disk_source_image_encryption_key.rb b/libraries/google/compute/property/disk_source_image_encryption_key.rb index febe97235..94a627cc3 100644 --- a/libraries/google/compute/property/disk_source_image_encryption_key.rb +++ b/libraries/google/compute/property/disk_source_image_encryption_key.rb @@ -21,10 +21,13 @@ class DiskSourceimageencryptionkey attr_reader :sha256 + attr_reader :kms_key_name + def initialize(args = nil) return if args.nil? @raw_key = args['rawKey'] @sha256 = args['sha256'] + @kms_key_name = args['kmsKeyName'] end end end diff --git a/libraries/google/compute/property/disk_source_snapshot_encryption_key.rb b/libraries/google/compute/property/disk_source_snapshot_encryption_key.rb index a37e92c29..1c447719b 100644 --- a/libraries/google/compute/property/disk_source_snapshot_encryption_key.rb +++ b/libraries/google/compute/property/disk_source_snapshot_encryption_key.rb @@ -19,11 +19,14 @@ module Property class DiskSourcesnapshotencryptionkey attr_reader :raw_key + attr_reader :kms_key_name + attr_reader :sha256 def initialize(args = nil) return if args.nil? @raw_key = args['rawKey'] + @kms_key_name = args['kmsKeyName'] @sha256 = args['sha256'] end end From 5f6b1e64a8d572e38eecfa2d1b24bd2733149c81 Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Wed, 16 Jan 2019 18:08:30 +0000 Subject: [PATCH 8/8] Actually use memoized variables 
Signed-off-by: Modular Magician --- docs/resources/google_pubsub_subscription.md | 4 ++-- docs/resources/google_pubsub_subscriptions.md | 8 ++++---- docs/resources/google_pubsub_topic.md | 4 ++-- docs/resources/google_pubsub_topics.md | 6 +++--- .../verify/controls/google_pubsub_subscriptions.rb | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/resources/google_pubsub_subscription.md b/docs/resources/google_pubsub_subscription.md index 28aa4514f..2b2b81392 100644 --- a/docs/resources/google_pubsub_subscription.md +++ b/docs/resources/google_pubsub_subscription.md @@ -9,11 +9,11 @@ A `google_pubsub_subscription` is used to test a Google Subscription resource ## Examples ``` -describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: 'inspec-gcp-subscription') do +describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: 'inspec-gcp-subscription') do it { should exist } end -describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: 'nonexistent') do +describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: 'nonexistent') do it { should_not exist } end diff --git a/docs/resources/google_pubsub_subscriptions.md b/docs/resources/google_pubsub_subscriptions.md index 4203af095..3213eb84c 100644 --- a/docs/resources/google_pubsub_subscriptions.md +++ b/docs/resources/google_pubsub_subscriptions.md 
@@ -9,14 +9,14 @@ A `google_pubsub_subscriptions` is used to test a Google Subscription resource ## Examples ``` -describe google_pubsub_subscriptions(project: ''chef-gcp-inspec'') do +describe google_pubsub_subscriptions(project: 'chef-gcp-inspec') do it { should exist } its('count') { should eq 1 } end -google_pubsub_subscriptions(project: ''chef-gcp-inspec'').names.each do |subscription_name| - describe google_pubsub_subscription(project: ''chef-gcp-inspec'', name: subscription_name) do - its('name') { should match /#{'inspec-gcp-subscription'}/ } +google_pubsub_subscriptions(project: 'chef-gcp-inspec').names.each do |subscription_name| + describe google_pubsub_subscription(project: 'chef-gcp-inspec', name: subscription_name) do + it { should exist } end end diff --git a/docs/resources/google_pubsub_topic.md b/docs/resources/google_pubsub_topic.md index 7a70efbfc..dcfe05efb 100644 --- a/docs/resources/google_pubsub_topic.md +++ b/docs/resources/google_pubsub_topic.md @@ -9,11 +9,11 @@ A `google_pubsub_topic` is used to test a Google Topic resource ## Examples ``` -describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: 'inspec-gcp-topic') do +describe google_pubsub_topic(project: 'chef-gcp-inspec', name: 'inspec-gcp-topic') do it { should exist } end -describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: 'nonexistent') do +describe google_pubsub_topic(project: 'chef-gcp-inspec', name: 'nonexistent') do it { should_not exist } end ``` diff --git a/docs/resources/google_pubsub_topics.md b/docs/resources/google_pubsub_topics.md index 07658cf11..888a844ae 100644 --- a/docs/resources/google_pubsub_topics.md +++ b/docs/resources/google_pubsub_topics.md 
@@ -9,14 +9,14 @@ A `google_pubsub_topics` is used to test a Google Topic resource ## Examples ``` -describe google_pubsub_topics(project: ''chef-gcp-inspec'') do +describe google_pubsub_topics(project: 'chef-gcp-inspec') do it { should exist } its('names') { should include 'inspec-gcp-topic' } its('count') { should eq 1 } end -google_pubsub_topics(project: ''chef-gcp-inspec'').names.each do |topic_name| - describe google_pubsub_topic(project: ''chef-gcp-inspec'', name: topic_name) do +google_pubsub_topics(project: 'chef-gcp-inspec').names.each do |topic_name| + describe google_pubsub_topic(project: 'chef-gcp-inspec', name: topic_name) do its('name') { should eq 'inspec-gcp-topic' } end end diff --git a/test/integration/verify/controls/google_pubsub_subscriptions.rb b/test/integration/verify/controls/google_pubsub_subscriptions.rb index 2f35bfcfb..73f8afa63 100644 --- a/test/integration/verify/controls/google_pubsub_subscriptions.rb +++ b/test/integration/verify/controls/google_pubsub_subscriptions.rb @@ -28,7 +28,7 @@ google_pubsub_subscriptions(project: gcp_project_id).names.each do |subscription_name| describe google_pubsub_subscription(project: gcp_project_id, name: subscription_name) do - its('name') { should match /#{subscription['name']}/ } + it { should exist } end end end
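Review bot: Replacing `its('name') { should match /#{subscription['name']}/ }` with `it { should exist }` in `google_pubsub_subscriptions.rb` drops the only assertion that each subscription returned by the list call is the expected one; the existence check alone passes for any subscription in the project. If the goal was to avoid the interpolated regex, `its('name') { should match subscription['name'] }` keeps the check without it, since the `match` matcher accepts a plain string. The same weakening appears in the `docs/resources/google_pubsub_subscriptions.md` example in this commit, and it does not appear related to the commit's stated purpose of using memoized variables.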