From 90678fbfef1ecaafe76c84684cc46d37d5c46616 Mon Sep 17 00:00:00 2001
From: jnahelou
Date: Mon, 24 Dec 2018 12:31:49 +0100
Subject: [PATCH] Add support for google_compute_forwarding_rules and google_compute_forwarding_rule
Signed-off-by: jnahelou
---
 .../google_compute_forwarding_rule.md | 75 +++++++++++++++++
 .../google_compute_forwarding_rules.md | 80 +++++++++++++++++++
 libraries/google_compute_forwarding_rule.rb | 39 +++++++++
 libraries/google_compute_forwarding_rules.rb | 53 ++++++++++++
 .../configuration/gcp_inspec_config.rb | 1 +
 .../google_compute_forwarding_rule.rb | 23 ++++++
 .../google_compute_forwarding_rules.rb | 18 +++++
 7 files changed, 289 insertions(+)
 create mode 100644 docs/resources/google_compute_forwarding_rule.md
 create mode 100644 docs/resources/google_compute_forwarding_rules.md
 create mode 100644 libraries/google_compute_forwarding_rule.rb
 create mode 100644 libraries/google_compute_forwarding_rules.rb
 create mode 100644 test/integration/verify/controls/google_compute_forwarding_rule.rb
 create mode 100644 test/integration/verify/controls/google_compute_forwarding_rules.rb
diff --git a/docs/resources/google_compute_forwarding_rule.md b/docs/resources/google_compute_forwarding_rule.md
new file mode 100644
index 000000000..afaa2480c
--- /dev/null
+++ b/docs/resources/google_compute_forwarding_rule.md
@@ -0,0 +1,75 @@
+---
+title: About the google_compute_forwarding_rule Resource
+platform: gcp
+---
+
+# google\_compute\_forwarding_rule
+
+Use the `google_compute_forwarding_rule` InSpec audit resource to test properties of a single GCP compute forwarding_rule.
+
+ +## Syntax + +A `google_compute_forwarding_rule` resource block declares the tests for a single GCP forwarding_rule by project, region and name. + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + it { should exist } + its('name') { should eq 'gcp-inspec-forwarding_rule' } + its('region') { should match 'europe-west2' } + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + +### Test that a GCP compute forwarding_rule exists + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + it { should exist } + end + +### Test when a GCP compute forwarding_rule was created + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 } + end + +### Test for an expected forwarding_rule identifier + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + its('id') { should eq 12345567789 } + end + +### Test that a forwarding_rule load_balancing_scheme is as expected + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + its('load_balancing_scheme') { should eq "INTERNAL" } + end + +### Test that a forwarding_rule IP address is as expected + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + its('ip_address') { should eq "10.0.0.1" } + end + +### Test that a forwarding_rule is associated with the expected network + + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do + its('network') { should match "gcp_network_name" } + end + +
+ +## Properties + +* `backend_service`, `creation_timestamp`, `description`, `id`, `ip_address`, `ip_protocol`, `ip_version`, `kind`, `load_balancing_scheme`, `name`, `network`, `port_range`, `ports`, `region`, `self_link`, `subnetwork`, `target` + +
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_forwarding_rules.md b/docs/resources/google_compute_forwarding_rules.md
new file mode 100644
index 000000000..dc07d551d
--- /dev/null
+++ b/docs/resources/google_compute_forwarding_rules.md
@@ -0,0 +1,80 @@
+---
+title: About the google_compute_forwarding_rules Resource
+platform: gcp
+---
+
+# google\_compute\_forwarding_rules
+
+Use the `google_compute_forwarding_rules` InSpec audit resource to test properties of all, or a filtered group of, GCP compute forwarding_rules for a project and region.
+
+ +## Syntax + +A `google_compute_forwarding_rules` resource block collects GCP forwarding_rules by project and region, then tests that group. + + describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do + it { should exist } + end + +Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_forwarding_rule`. + + google_compute_forwarding_rules(project: 'chef-inspec-gcp', region:'europe-west2').forwarding_rule_names.each do |forwarding_rule_name| + describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: forwarding_rule_name) do + its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 } + its('network') { should match "gcp_network_name" } + its('load_balancing_scheme') { should match "INTERNAL" } + end + end + +
+ +## Examples + +The following examples show how to use this InSpec audit resource. + +### Test that there are no more than a specified number of forwarding_rules available for the project and region + + describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('count') { should be <= 100} + end + +### Test that an expected forwarding_rule identifier is present in the project and region + + describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('forwarding_rule_ids') { should include 12345678975432 } + end + + +### Test that an expected forwarding_rule name is available for the project and region + + describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('forwarding_rule_names') { should include "forwarding_rule-name" } + end + +### Test that an expected forwarding_rule network name is not present for the project and region + + describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do + its('forwarding_rule_networks') { should not include "network-name" } + end + + +
+ +## Filter Criteria + +This resource supports the following filter criteria: `forwarding_rule_id`; `forwarding_rule_name`; `forwarding_rule_load_balancing_scheme` and `forwarding_rule_network`. Any of these may be used with `where`, as a block or as a method. + +## Properties + +* `forwarding_rule_ids` - an array of google_compute_forwarding_rule identifier integers +* `forwarding_rule_names` - an array of google_compute_forwarding_rule name strings +* `forwarding_rule_networks` - an array of google_compute_network name strings +* `forwarding_rule_load_balancing_schemes` - an array of load_balancing_scheme strings + +
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/libraries/google_compute_forwarding_rule.rb b/libraries/google_compute_forwarding_rule.rb
new file mode 100644
index 000000000..08d432f81
--- /dev/null
+++ b/libraries/google_compute_forwarding_rule.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeForwardingRule < GcpResourceBase
+ name 'google_compute_forwarding_rule'
+ desc 'Verifies settings for a compute forwarding_rule'
+
+ example "
+ describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding-rule') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @display_name = opts[:name]
+ catch_gcp_errors do
+ @forwarding_rule = @gcp.gcp_compute_client.get_forwarding_rule(opts[:project], opts[:region], opts[:name])
+ create_resource_methods(@forwarding_rule)
+ end
+ end
+
+ def creation_timestamp_date
+ return false if !defined?(creation_timestamp) || creation_timestamp.nil?
+ Time.parse(creation_timestamp.to_s)
+ end
+
+ def exists?
+ !@forwarding_rule.nil?
+ end
+
+ def to_s
+ "ForwardingRule #{@display_name}"
+ end
+ end
+end
diff --git a/libraries/google_compute_forwarding_rules.rb b/libraries/google_compute_forwarding_rules.rb
new file mode 100644
index 000000000..b12b2beed
--- /dev/null
+++ b/libraries/google_compute_forwarding_rules.rb
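Review bot: `creation_timestamp_date` calls `Time.parse`, which is provided by the `time` standard library rather than core Ruby, and the new file only requires `gcp_backend`; unless that file (outside this hunk) loads `time`, the first control that reads `creation_timestamp_date` fails with NoMethodError instead of a date comparison. Add `require 'time'` beside `require 'gcp_backend'`. The guard on the line above reads more naturally as `return false unless defined?(creation_timestamp) && creation_timestamp`, which gives the same result (false for a missing or nil timestamp). `exists?` relies on `catch_gcp_errors` leaving `@forwarding_rule` nil when the lookup fails; that helper is not in this hunk, so confirm it does not re-raise for a 404.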
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeForwardingRules < GcpResourceBase
+ name 'google_compute_forwarding_rules'
+ desc 'Verifies settings for GCP compute forwarding_rules in bulk'
+
+ example "
+ describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west1') do
+ it { should exist }
+ ...
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @display_name = opts[:name]
+ @project = opts[:project]
+ @region = opts[:region]
+ end
+
+ # FilterTable setup
+ filter_table_config = FilterTable.create
+ filter_table_config.add(:forwarding_rule_ids, field: :forwarding_rule_id)
+ filter_table_config.add(:forwarding_rule_names, field: :forwarding_rule_name)
+ filter_table_config.add(:forwarding_rule_networks, field: :forwarding_rule_network)
+ filter_table_config.add(:forwarding_rule_load_balancing_schemes, field: :forwarding_rule_load_balancing_scheme)
+ filter_table_config.connect(self, :fetch_data)
+
+ def fetch_data
+ forwarding_rule_rows = []
+ next_page = nil
+ loop do
+ catch_gcp_errors do
+ @forwarding_rules = @gcp.gcp_compute_client.list_forwarding_rules(@project, @region, page_token: next_page)
+ end
+ return [] if !@forwarding_rules || !@forwarding_rules.items
+ @forwarding_rules.items.map do |forwarding_rule|
+ forwarding_rule_rows+=[{ forwarding_rule_id: forwarding_rule.id,
+ forwarding_rule_name: forwarding_rule.name,
+ forwarding_rule_network: forwarding_rule.network.split('/').last,
+ forwarding_rule_load_balancing_scheme: forwarding_rule.load_balancing_scheme }]
+ end
+ next_page = @forwarding_rules.next_page_token
+ break unless next_page
+ end
+ @table = forwarding_rule_rows
+ end
+ end
+end
diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
index bd622b9a1..5660981e0 100644
--- a/test/integration/configuration/gcp_inspec_config.rb
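Review bot: `fetch_data` calls `forwarding_rule.network.split('/')` for every rule, but the Compute API documents `network` as unused for external load balancing, and the integration control added in this same commit expects an `EXTERNAL` rule; one such rule in the region raises NoMethodError on nil and fails the whole listing instead of yielding a row with a nil network. The loop also uses `map` purely for its side effect and rebuilds `forwarding_rule_rows` with `+=` on every item, where `each` and `<<` say what is meant. The items loop rewritten with a nil-safe network is below; pagination and the `@table` assignment are unchanged. Separately, the `return [] if …` inside `loop` throws away rows already gathered from earlier pages when a later page comes back without items; `break` would keep them — worth checking against how `catch_gcp_errors` behaves on failure, since it is outside this hunk.
```ruby
        @forwarding_rules.items.each do |forwarding_rule|
          forwarding_rule_rows << {
            forwarding_rule_id: forwarding_rule.id,
            forwarding_rule_name: forwarding_rule.name,
            # network is only populated for internal load balancing; keep nil rather than raise
            forwarding_rule_network: forwarding_rule.network&.split('/')&.last,
            forwarding_rule_load_balancing_scheme: forwarding_rule.load_balancing_scheme,
          }
        end
        # … unchanged: next_page_token handling and @table assignment …
```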
+++ b/test/integration/configuration/gcp_inspec_config.rb
@@ -55,6 +55,7 @@ def self.add_random_string(length=25)
 :gcp_storage_bucket_object => "gcp-inspec-storage-bucket-object-#{add_random_string}",
 :gcp_storage_bucket_object_name => "bucket-object-#{add_random_string}",
 # Google Load Balanced App example parameters
+ :gcp_lb_network => "default",
 :gcp_lb_region => "europe-west2",
 :gcp_lb_zone => "europe-west2-a",
 :gcp_lb_zone_mig2 => "europe-west2-b",
diff --git a/test/integration/verify/controls/google_compute_forwarding_rule.rb b/test/integration/verify/controls/google_compute_forwarding_rule.rb
new file mode 100644
index 000000000..2832ba9af
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_forwarding_rule.rb
@@ -0,0 +1,23 @@
+title 'Test single GCP compute forwarding_rule'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_lb_network, default: '', description: 'The GCP network name.')
+gcp_region = attribute(:gcp_lb_region, default: '', description: 'The GCP region being used.')
+gcp_forwarding_rule_name = attribute(:gcp_lb_fr_name, default: '', description: 'The GCP forwarding_rule name.')
+
+
+control 'gcp-compute-forwarding_rule-1.0' do
+
+ impact 1.0
+ title 'Ensure GCP compute forwarding_rule has the correct properties.'
+
+ describe google_compute_forwarding_rule(project: gcp_project_id, region: gcp_region, name: gcp_forwarding_rule_name) do
+ it { should exist }
+ its('name') { should eq gcp_forwarding_rule_name }
+ its('region') { should match gcp_region }
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ its('load_balancing_scheme') { should match 'EXTERNAL' }
+ its('port_range') { should match "80" }
+ its('ip_protocol') { should match "TCP" }
+ end
+end
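Review bot: `gcp_network_name` is read from the `gcp_lb_network` attribute at the top of the control file but never used in the control, so either drop it or assert on it; note that the API only fills `network` for internal rules while this control expects `EXTERNAL`, so an assertion on it here would likely fail. `its('port_range') { should match "80" }` is a substring match that also accepts `8080` or `80-8080`; the API normally reports a single port as `80-80`, so `its('port_range') { should cmp '80-80' }` pins the intended value. Both new controls read `:gcp_lb_fr_name`, but the `gcp_inspec_config.rb` hunk in this commit only adds `:gcp_lb_network`; unless `:gcp_lb_fr_name` already exists in that file outside the hunk, the attribute falls back to `''` and the `describe` queries an empty name.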
diff --git a/test/integration/verify/controls/google_compute_forwarding_rules.rb b/test/integration/verify/controls/google_compute_forwarding_rules.rb
new file mode 100644
index 000000000..cdc9132c8
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_forwarding_rules.rb
@@ -0,0 +1,18 @@
+title 'ForwardingRules Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_region = attribute(:gcp_lb_region, default: '', description: 'The GCP region being used.')
+gcp_forwarding_rule_name = attribute(:gcp_lb_fr_name, default: '', description: 'The GCP forwarding_rule name.')
+
+control 'gcp-forwarding_rules-1.0' do
+
+ impact 1.0
+ title 'Ensure forwarding_rules have the correct properties in bulk'
+
+ describe google_compute_forwarding_rules(project: gcp_project_id, region: gcp_region) do
+ it { should exist }
+ its('count') { should be <= 100}
+ its('forwarding_rule_names') { should include gcp_forwarding_rule_name }
+ end
+
+end
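Review bot: `its('count') { should be <= 100}` lacks the space before the closing brace that every other line in the block has (`should be <= 100 }`), and the cap of 100 has no relation to the fixture, so a short comment saying it is only a sanity bound would help the next reader. With `default: ''` on `gcp_lb_fr_name`, a missing attribute turns the last line into `forwarding_rule_names should include ''`, which fails without saying the attribute was unset; dropping the default (or `required: true`, if the InSpec version in use supports it) surfaces the real cause. The stray blank line before the final `end` is also absent from the single-rule control added in the same commit.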