Merge pull request #41 from inspec/storage-bucket-iam
Add storage bucket IAM resources
Showing 23 changed files with 928 additions and 30 deletions.
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_storage_bucket_acl Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_bucket\_acl | ||
|
||
Use the `google_storage_bucket_acl` InSpec audit resource to test properties of a single GCP storage bucket ACL. The 'entity' property below is as described in the [Google documentation here](https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls). | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_bucket_acl` resource block declares the tests for a single GCP storage bucket ACL by bucket name and entity. | ||
|
||
describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP storage bucket ACL exists | ||
|
||
describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage bucket ACL has the expected role (READER, WRITER or OWNER) | ||
|
||
describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
its('role') { should eq 'OWNER' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `bucket`, `email`, `entity`, `etag`, `id`, `kind`, `role` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
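Review bot: The GCP Permissions section only tells the reader to enable the Cloud Storage API and says nothing about what the auditing identity must be allowed to do; anyone provisioning a least-privilege service account for this profile needs the IAM permission required to read bucket ACLs stated here. Two smaller points in the same hunk: the Syntax block and the first example are the same three lines, and every example asserts a positive (`it { should exist }`, `its('role') { should eq 'OWNER' }`). The check most auditors will actually write against bucket ACLs is the negative one, that the public entities defined in the linked bucketAccessControls reference (`allUsers`, `allAuthenticatedUsers`) have no entry, so an `it { should_not exist }` example for one of those entities would be worth adding.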
@@ -0,0 +1,50 @@ | ||
--- | ||
title: About the google_storage_bucket_iam_binding Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_bucket\_iam\_binding | ||
|
||
Use the `google_storage_bucket_iam_binding` InSpec audit resource to test properties of a single GCP storage bucket IAM binding. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_bucket_iam_binding` resource block declares the tests for a single GCP storage bucket IAM binding by bucket name and role. | ||
|
||
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.objectViewer') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP storage bucket IAM binding exists | ||
|
||
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage bucket IAM binding role has the desired user or service account included | ||
|
||
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do | ||
its('members') {should include 'user:[email protected]' } | ||
its('members') {should include 'serviceAccount:[email protected]' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `members` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
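Review bot: The members example only checks that expected principals are present; for an IAM audit the equally important assertion is that unexpected principals are absent, so an example in the shape of `its('members') { should_not include 'allUsers' }` belongs here (the `allUsers` and `allAuthenticatedUsers` member types are what make a bucket public). The Syntax block uses `roles/storage.objectViewer` while both examples switch to `roles/storage.admin` with no explanation; use one role throughout so the reader does not wonder whether the resource behaves differently per role. Style: `{should include` drops the space after the brace that the rest of the page uses (`{ should eq`).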
@@ -0,0 +1,68 @@ | ||
--- | ||
title: About the google_storage_bucket_iam_bindings Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_bucket\_iam\_bindings | ||
|
||
Use the `google_storage_bucket_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP storage bucket IAM bindings. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_bucket_iam_bindings` resource block collects GCP storage bucket IAM bindings then tests that group. | ||
|
||
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate roles then test in-depth using `google_project_iam_binding`. | ||
|
||
google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').iam_binding_roles.each do |iam_binding_role| | ||
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: iam_binding_role) do | ||
it { should exist } | ||
its('members') {should include 'user:[email protected]' } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of IAM bindings roles available for the bucket | ||
|
||
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected role is available for the bucket | ||
|
||
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do | ||
its('iam_binding_roles') { should include "roles/storage.admin" } | ||
end | ||
|
||
### Test that a particular role does not exist using filtering of the plural resource | ||
|
||
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do | ||
it { should_not exist } | ||
end | ||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `iam_binding_roles` - an array of google_storage_bucket_iam_binding role strings e.g. `["roles/storage.admin", "roles/owner"]` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
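Review bot: The sentence introducing the enumeration example says to "test in-depth using `google_project_iam_binding`", but the code directly beneath it, and the resource this file documents, use `google_storage_bucket_iam_binding`; the project-level name reads like a copy-paste from the project IAM page and should be corrected, otherwise readers will reach for a resource that takes different arguments. Minor: `should be <= 100}` is missing the space before the closing brace used everywhere else, and the `iam_binding_roles` description offers `roles/owner` as a sample value while every bucket-level example on the page uses `roles/storage.*`; if that value is only illustrative, say so.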
@@ -0,0 +1,70 @@ | ||
--- | ||
title: About the google_storage_bucket_object Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_bucket\_object | ||
|
||
Use the `google_storage_bucket_object` InSpec audit resource to test properties of a single GCP storage bucket object. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_bucket_object` resource block declares the tests for a single GCP storage bucket object by bucket name and object name: | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP compute zone exists | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage bucket object has non-zero size | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('size') { should be > 0 } | ||
end | ||
|
||
### Test that a GCP storage bucket object has the expected content type | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('content_type') { should eq "text/plain; charset=utf-8" } | ||
end | ||
|
||
|
||
### Test that a GCP storage bucket object was created within a certain time period | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('time_created_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
|
||
|
||
### Test that a GCP storage bucket object was last updated within a certain time period | ||
|
||
describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do | ||
its('updated_date') { should be > Time.now - 365*60*60*24*10 } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `bucket`, `content_type`, `crc32c`, `etag`, `generation`, `id`, `kind`, `md5_hash`, `media_link`, `metageneration`, `name`, `size`, `storage_class`, `time_created_date`, `time_storage_class_updated_date`, `updated_date` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
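Review bot: The first example heading, "Test that a GCP compute zone exists", is a copy-paste from the compute zone docs; the block under it tests a storage bucket object. The two date examples compute `365*60*60*24*10` without saying what it represents (ten years in seconds); naming the period in the heading or a comment would make the intent obvious. Finally, the Properties line lists `md5_hash` and `crc32c` but no example uses them; an integrity assertion such as `its('md5_hash') { should eq '<expected digest>' }` is one of the most useful things this resource enables (detecting a replaced or tampered object), so it deserves an example alongside the size and content-type checks.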
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_storage_default_object_acl Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_default\_object\_acl | ||
|
||
Use the `google_storage_default_object_acl` InSpec audit resource to test properties of a single GCP storage default object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_default_object_acl` resource block declares the tests for a single GCP storage default object ACL by bucket name and entity. | ||
|
||
describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP storage bucket ACL exists | ||
|
||
describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage default object ACL has the expected role (READER, WRITER or OWNER) | ||
|
||
describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do | ||
its('role') { should eq 'OWNER' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `email`, `entity`, `etag`, `kind`, `role` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
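Review bot: The first example heading says "GCP storage bucket ACL" while the resource and the code beneath it are the default object ACL; fix the heading so this page is not confused with google_storage_bucket_acl. The intro would also benefit from one sentence on why this resource matters for an audit: per the linked access-control documentation, the default object ACL is what new objects in the bucket receive, so a READER entry for a public entity here exposes every future upload. The examples only show `should exist` and `its('role') { should eq 'OWNER' }` and never that absence check.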
@@ -0,0 +1,49 @@ | ||
--- | ||
title: About the google_storage_object_acl Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_storage\_object\_acl | ||
|
||
Use the `google_storage_object_acl` InSpec audit resource to test properties of a single GCP storage object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_storage_object_acl` resource block declares the tests for a single GCP storage object ACL by bucket name, object name and entity. | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP storage bucket ACL exists | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
it { should exist } | ||
end | ||
|
||
### Test that a GCP storage object ACL has the expected role (READER, WRITER or OWNER) | ||
|
||
describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do | ||
its('role') { should eq 'OWNER' } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `bucket`, `email`, `entity`, `etag`, `generation`, `id`, `kind`, `object`, `role` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled. |
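Review bot: Same copy-paste problem as the sibling ACL pages: the first example heading reads "Test that a GCP storage bucket ACL exists" while the code tests an object ACL. Also, the Properties line exposes `generation`, but the Syntax paragraph says the resource is looked up by bucket, object and entity only; document which generation's ACL is returned when the bucket has object versioning enabled, because an auditor will otherwise assume older generations are covered by the same test.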