Updates to controls affected by service account name change.

Signed-off-by: Stuart Paterson <[email protected]>
inspec · Sep 11, 2018 · be7af7b · be7af7b
1 parent 189d457
commit be7af7b
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 10 deletions.
diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
@@ -83,7 +83,7 @@ def self.add_random_string(length=25)
       :gcp_logging_project_exclusion_name => "gcp-inspec-project-exclusion-#{add_random_string}",
       :gcp_network_name => "gcp-inspec-network",
       :gcp_subnetwork_name => "gcp-inspec-subnetwork",
-      :gcp_db_instance_name => "gcp-inspec-db-instance",
+      :gcp_db_instance_name => "gcp-inspec-db-#{add_random_string}",
       :gcp_db_name => "inspecgcp",
       :gcp_db_type => "MYSQL_5_7",
       :gcp_db_size => "db-f1-micro",

diff --git a/test/integration/verify/controls/google_storage_bucket_acl.rb b/test/integration/verify/controls/google_storage_bucket_acl.rb
@@ -2,6 +2,7 @@
 
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_bucket_acl = attribute(:gcp_storage_bucket_acl, default: '', description: 'The GCP bucket with ACL set.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 
 control 'gcp-storage-bucket-acl-1.0' do
@@ -10,9 +11,9 @@
   impact 1.0
   title 'Ensure storage bucket ACL has the correct properties.'
 
-  describe google_storage_bucket_acl(bucket: gcp_storage_bucket_acl, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+  describe google_storage_bucket_acl(bucket: gcp_storage_bucket_acl, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
-    its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
     its('role') { should eq "OWNER" }
     its('bucket') { should eq gcp_storage_bucket_acl }
   end

diff --git a/test/integration/verify/controls/google_storage_bucket_iam_binding.rb b/test/integration/verify/controls/google_storage_bucket_iam_binding.rb
@@ -4,6 +4,7 @@
 gcp_storage_bucket_binding = attribute(:gcp_storage_bucket_binding, default: '', description: 'The GCP bucket with IAM binding.')
 gcp_storage_bucket_member = attribute(:gcp_storage_bucket_member, default: '', description: 'The GCP bucket with IAM member.')
 gcp_storage_bucket_policy = attribute(:gcp_storage_bucket_policy, default: '', description: 'The GCP bucket with IAM policy.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 
 control 'gcp-storage-bucket-iam-binding-1.0' do
@@ -16,20 +17,20 @@
     it { should exist }
     its ('members.count'){ should eq 1 } # i.e. our service account
     # below is brittle, could extract service account email from tf in the future...
-    its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
   end
 
   describe google_storage_bucket_iam_binding(bucket: gcp_storage_bucket_member, role: 'roles/storage.objectViewer') do
     it { should exist }
     its ('members.count'){ should eq 1 } # i.e. our service account
     # below is brittle, could extract service account email from tf in the future...
-    its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
   end
 
   describe google_storage_bucket_iam_binding(bucket: gcp_storage_bucket_policy, role: 'roles/storage.admin') do
     it { should exist }
     its ('members.count'){ should eq 1 } # i.e. our service account
     # below is brittle, could extract service account email from tf in the future...
-    its('members') {should include "serviceAccount:object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('members') {should include "serviceAccount:#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
   end
 end
diff --git a/test/integration/verify/controls/google_storage_default_object_acl.rb b/test/integration/verify/controls/google_storage_default_object_acl.rb
@@ -2,6 +2,7 @@
 
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_object_default_acl = attribute(:gcp_storage_bucket_name, default: '', description: 'The GCP bucket with default ACL set.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 
 control 'gcp-storage-default-object-acl-1.0' do
@@ -10,9 +11,9 @@
   impact 1.0
   title 'Ensure storage default object ACL has the correct properties.'
 
-  describe google_storage_default_object_acl(bucket: gcp_storage_object_default_acl, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+  describe google_storage_default_object_acl(bucket: gcp_storage_object_default_acl, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
-    its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
     its('role') { should eq "OWNER" }
   end
 

diff --git a/test/integration/verify/controls/google_storage_object_acl.rb b/test/integration/verify/controls/google_storage_object_acl.rb
@@ -3,6 +3,7 @@
 gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
 gcp_storage_bucket_object = attribute(:gcp_storage_bucket_object, default: '', description: 'The GCP bucket with objects.')
 gcp_storage_bucket_object_name = attribute(:gcp_storage_bucket_object_name, default: '', description: 'The GCP bucket object name.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default:'', description: 'Service account display name.')
 gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
 
 control 'gcp-storage-object-acl-1.0' do
@@ -11,9 +12,9 @@
   impact 1.0
   title 'Ensure storage default object ACL has the correct properties.'
 
-  describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-object-viewer@#{gcp_project_id}.iam.gserviceaccount.com") do
+  describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
-    its('email') { should include "object-viewer@#{gcp_project_id}.iam.gserviceaccount.com" }
+    its('email') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
     its('role') { should eq "OWNER" }
   end
 end