Merge pull request #41 from inspec/storage-bucket-iam
Add storage bucket IAM resources
davymcaleer authored Aug 17, 2018
2 parents edc4b2d + f401f09 commit ca77ca5
Showing 23 changed files with 928 additions and 30 deletions.
18 changes: 17 additions & 1 deletion README.md
Expand Up @@ -40,11 +40,20 @@ Since this is an InSpec resource pack, it only defines InSpec resources. It incl

```bash
$ inspec init profile my-profile
Create new profile at /Users/skpaterson/my-profile
* Create directory libraries
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create file libraries/.gitkeep
```

Now update the default `inspec.yml` file to point to the InSpec GCP resource pack:

```yaml
name: my-profile
title: My own Oneview profile
title: My GCP InSpec Profile
version: 0.1.0
inspec_version: '>= 2.2.10'
depends:
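Review bot: the `title` change from `My own Oneview profile` to `My GCP InSpec Profile` removes a stale copy-paste from another resource pack, but the sample `inspec init profile` output in the same hunk still embeds a personal path, `Create new profile at /Users/skpaterson/my-profile`; replace it with a neutral placeholder so readers do not copy a developer's home directory into their own docs.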
Expand Down Expand Up @@ -87,7 +96,14 @@ The following resources are available in the InSpec GCP Profile
- [google_projects](docs/resources/google_projects.md)
- [google_service_account](docs/resources/google_service_account.md)
- [google_storage_bucket](docs/resources/google_storage_bucket.md)
- [google_storage_bucket_acl](docs/resources/google_storage_bucket_acl.md)
- [google_storage_bucket_iam_binding](docs/resources/google_storage_bucket_iam_binding.md)
- [google_storage_bucket_iam_bindings](docs/resources/google_storage_bucket_iam_bindings.md)
- [google_storage_bucket_object](docs/resources/google_storage_bucket_object.md)
- [google_storage_buckets](docs/resources/google_storage_buckets.md)
- [google_storage_default_object_acl](docs/resources/google_storage_default_object_acl.md)
- [google_storage_object_acl](docs/resources/google_storage_object_acl.md)
## Examples
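Review bot: the last new list entry `- [google_storage_object_acl](docs/resources/google_storage_object_acl.md)` runs directly into the `## Examples` heading with no blank line between them; add one so the list terminates cleanly in every Markdown renderer. The seven new entries are otherwise in alphabetical order, matching the surrounding list.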
49 changes: 49 additions & 0 deletions docs/resources/google_storage_bucket_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_bucket_acl Resource
platform: gcp
---

# google\_storage\_bucket\_acl

Use the `google_storage_bucket_acl` InSpec audit resource to test properties of a single GCP storage bucket ACL. The 'entity' property below is as described in the [Google documentation here](https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls).

<br>

## Syntax

A `google_storage_bucket_acl` resource block declares the tests for a single GCP storage bucket ACL by bucket name and entity.

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage bucket ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `bucket`, `email`, `entity`, `etag`, `id`, `kind`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
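Review bot: both examples are positive checks (`it { should exist }`, `its('role') { should eq 'OWNER' }`), which leaves out the test this resource is most useful for: asserting that the bucket is not publicly readable. Add an example along the lines of `describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: 'allUsers') do` / `it { should_not exist }` / `end`, and the same for `allAuthenticatedUsers`. The GCP Permissions section also names only the API to enable; reading bucket ACLs through the JSON API requires OWNER permission on the bucket, which is worth stating so readers can provision the scanning identity correctly.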
50 changes: 50 additions & 0 deletions docs/resources/google_storage_bucket_iam_binding.md
@@ -0,0 +1,50 @@
---
title: About the google_storage_bucket_iam_binding Resource
platform: gcp
---

# google\_storage\_bucket\_iam\_binding

Use the `google_storage_bucket_iam_binding` InSpec audit resource to test properties of a single GCP storage bucket IAM binding.

<br>

## Syntax

A `google_storage_bucket_iam_binding` resource block declares the tests for a single GCP storage bucket IAM binding by bucket name and role.

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.objectViewer') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket IAM binding exists

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do
it { should exist }
end

### Test that a GCP storage bucket IAM binding role has the desired user or service account included

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do
its('members') {should include 'user:[email protected]' }
its('members') {should include 'serviceAccount:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
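Review bot: the Syntax block uses `roles/storage.objectViewer` while both Examples use `roles/storage.admin`; pick one role for the page so the reader sees the same binding queried in each snippet. More importantly, the page shows only `should include` membership checks; the test practitioners actually want is the negative one, e.g. `its('members') { should_not include 'allUsers' }` and `its('members') { should_not include 'allAuthenticatedUsers' }` on `roles/storage.objectViewer`, since either member makes every object in the bucket public. Minor: `{should include` is missing the space after the brace that the other resource docs in this PR use, and the GCP Permissions section should mention that reading a bucket's IAM policy needs `storage.buckets.getIamPolicy`.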
68 changes: 68 additions & 0 deletions docs/resources/google_storage_bucket_iam_bindings.md
@@ -0,0 +1,68 @@
---
title: About the google_storage_bucket_iam_bindings Resource
platform: gcp
---

# google\_storage\_bucket\_iam\_bindings

Use the `google_storage_bucket_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP storage bucket IAM bindings.

<br>

## Syntax

A `google_storage_bucket_iam_bindings` resource block collects GCP storage bucket IAM bindings then tests that group.

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
it { should exist }
end

Use this InSpec resource to enumerate roles then test in-depth using `google_project_iam_binding`.

google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').iam_binding_roles.each do |iam_binding_role|
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: iam_binding_role) do
it { should exist }
its('members') {should include 'user:[email protected]' }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of IAM bindings roles available for the bucket

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('count') { should be <= 100}
end

### Test that an expected role is available for the bucket

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end

### Test that a particular role does not exist using filtering of the plural resource

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.

## Properties

* `iam_binding_roles` - an array of google_storage_bucket_iam_binding role strings e.g. `["roles/storage.admin", "roles/owner"]`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
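Review bot: the sentence `Use this InSpec resource to enumerate roles then test in-depth using google_project_iam_binding` names the wrong singular resource; the loop beneath it calls `google_storage_bucket_iam_binding`, so the text should too. The `its('count') { should be <= 100}` example is a weak control on its own (an over-permissive bucket can have very few bindings); the `where(iam_binding_role: ...)` / `it { should_not exist }` pattern later in the hunk is the stronger check and deserves to be called out as the recommended one. Same brace-spacing nit as the singular resource page: `{should include` should be `{ should include`.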
70 changes: 70 additions & 0 deletions docs/resources/google_storage_bucket_object.md
@@ -0,0 +1,70 @@
---
title: About the google_storage_bucket_object Resource
platform: gcp
---

# google\_storage\_bucket\_object

Use the `google_storage_bucket_object` InSpec audit resource to test properties of a single GCP storage bucket object.

<br>

## Syntax

A `google_storage_bucket_object` resource block declares the tests for a single GCP storage bucket object by bucket name and object name:

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP compute zone exists

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
it { should exist }
end

### Test that a GCP storage bucket object has non-zero size

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('size') { should be > 0 }
end

### Test that a GCP storage bucket object has the expected content type

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('content_type') { should eq "text/plain; charset=utf-8" }
end


### Test that a GCP storage bucket object was created within a certain time period

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('time_created_date') { should be > Time.now - 365*60*60*24*10 }
end


### Test that a GCP storage bucket object was last updated within a certain time period

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('updated_date') { should be > Time.now - 365*60*60*24*10 }
end

<br>

## Properties

* `bucket`, `content_type`, `crc32c`, `etag`, `generation`, `id`, `kind`, `md5_hash`, `media_link`, `metageneration`, `name`, `size`, `storage_class`, `time_created_date`, `time_storage_class_updated_date`, `updated_date`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
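Review bot: the heading `### Test that a GCP compute zone exists` is a copy-paste leftover; the example beneath it tests a storage bucket object, so rename it `### Test that a GCP storage bucket object exists`. The two time examples compute `Time.now - 365*60*60*24*10`, which is ten years in seconds, while the headings promise "a certain time period"; write the window explicitly (`10 * 365 * 24 * 60 * 60` with a comment, or a named variable) so the unit is obvious. Since the Properties line exposes `md5_hash` and `crc32c`, an example asserting an object's checksum against a known value would show the integrity use of this resource, which none of the current examples do.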
49 changes: 49 additions & 0 deletions docs/resources/google_storage_default_object_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_default_object_acl Resource
platform: gcp
---

# google\_storage\_default\_object\_acl

Use the `google_storage_default_object_acl` InSpec audit resource to test properties of a single GCP storage default object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below.

<br>

## Syntax

A `google_storage_default_object_acl` resource block declares the tests for a single GCP storage default object ACL by bucket name and entity.

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage default object ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `email`, `entity`, `etag`, `kind`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
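Review bot: the heading `### Test that a GCP storage bucket ACL exists` belongs to the bucket ACL page; here it should read `### Test that a GCP storage default object ACL exists`. The role heading `(READER, WRITER or OWNER)` is also wrong for this resource: default object ACLs are object ACLs, and object ACLs only take `READER` or `OWNER` (`WRITER` exists only on bucket ACLs). As on the bucket ACL page, a negative example for `entity: 'allUsers'` with `it { should_not exist }` would be the most useful addition, since the default object ACL is what every newly uploaded object inherits.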
49 changes: 49 additions & 0 deletions docs/resources/google_storage_object_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_object_acl Resource
platform: gcp
---

# google\_storage\_object\_acl

Use the `google_storage_object_acl` InSpec audit resource to test properties of a single GCP storage object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below.

<br>

## Syntax

A `google_storage_object_acl` resource block declares the tests for a single GCP storage object ACL by bucket name, object name and entity.

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage object ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `bucket`, `email`, `entity`, `etag`, `generation`, `id`, `kind`, `object`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
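Review bot: same two copy-paste issues as the default object ACL page: the heading `### Test that a GCP storage bucket ACL exists` should say `storage object ACL`, and `(READER, WRITER or OWNER)` should be `(READER or OWNER)` because object ACLs do not support the `WRITER` role. A negative `entity: 'allUsers'` / `it { should_not exist }` example would round out the page for the same reason as on the bucket and default object ACL pages.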

0 comments on commit ca77ca5
