Add support for google_compute_forwarding_rules and google_compute_fo…

…rwarding_rule Signed-off-by: jnahelou <[email protected]>
inspec · Jan 4, 2019 · cfeddbc · cfeddbc
1 parent c3e8840
commit cfeddbc
Show file tree

Hide file tree

Showing 7 changed files with 289 additions and 0 deletions.
diff --git a/docs/resources/google_compute_forwarding_rule.md b/docs/resources/google_compute_forwarding_rule.md
@@ -0,0 +1,75 @@
+---
+title: About the google_compute_forwarding_rule Resource
+platform: gcp
+---
+
+# google\_compute\_forwarding_rule
+
+Use the `google_compute_forwarding_rule` InSpec audit resource to test properties of a single GCP compute forwarding_rule.
+
+<br>
+
+## Syntax
+
+A `google_compute_forwarding_rule` resource block declares the tests for a single GCP forwarding_rule by project, region and name.
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      it { should exist }
+      its('name') { should eq 'gcp-inspec-forwarding_rule' }
+      its('region') { should match 'europe-west2' }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP compute forwarding_rule exists
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      it { should exist }
+    end
+
+### Test when a GCP compute forwarding_rule was created
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+    end
+
+### Test for an expected forwarding_rule identifier 
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      its('id') { should eq 12345567789 }
+    end    
+
+### Test that a forwarding_rule load_balancing_scheme is as expected
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      its('load_balancing_scheme') { should eq "INTERNAL" }
+    end  
+
+### Test that a forwarding_rule IP address is as expected
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      its('ip_address') { should eq "10.0.0.1" }
+    end  
+
+### Test that a forwarding_rule is associated with the expected network
+
+    describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding_rule') do
+      its('network') { should match "gcp_network_name" }
+    end  
+
+<br>
+
+## Properties
+
+*  `backend_service`, `creation_timestamp`, `description`, `id`, `ip_address`, `ip_protocol`, `ip_version`, `kind`, `load_balancing_scheme`, `name`, `network`, `port_range`, `ports`, `region`, `self_link`, `subnetwork`, `target`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_forwarding_rules.md b/docs/resources/google_compute_forwarding_rules.md
@@ -0,0 +1,80 @@
+---
+title: About the google_compute_forwarding_rules Resource
+platform: gcp
+---
+
+# google\_compute\_forwarding_rules
+
+Use the `google_compute_forwarding_rules` InSpec audit resource to test properties of all, or a filtered group of, GCP compute forwarding_rules for a project and region.
+
+<br>
+
+## Syntax
+
+A `google_compute_forwarding_rules` resource block collects GCP forwarding_rules by project and region, then tests that group.
+
+    describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_forwarding_rule`.
+
+    google_compute_forwarding_rules(project: 'chef-inspec-gcp', region:'europe-west2').forwarding_rule_names.each do |forwarding_rule_name|
+      describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: forwarding_rule_name) do
+        its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+        its('network') { should match "gcp_network_name" }
+        its('load_balancing_scheme') { should match "INTERNAL" }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of forwarding_rules available for the project and region
+
+    describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected forwarding_rule identifier is present in the project and region
+
+    describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('forwarding_rule_ids') { should include 12345678975432 }
+    end
+
+
+### Test that an expected forwarding_rule name is available for the project and region
+
+    describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('forwarding_rule_names') { should include "forwarding_rule-name" }
+    end
+
+### Test that an expected forwarding_rule network name is not present for the project and region
+
+    describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('forwarding_rule_networks') { should not include "network-name" }
+    end
+
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `forwarding_rule_id`; `forwarding_rule_name`; `forwarding_rule_load_balancing_scheme`  and `forwarding_rule_network`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `forwarding_rule_ids` - an array of google_compute_forwarding_rule identifier integers
+*  `forwarding_rule_names` - an array of google_compute_forwarding_rule name strings
+*  `forwarding_rule_networks` - an array of google_compute_network name strings
+*  `forwarding_rule_load_balancing_schemes` - an array of load_balancing_scheme strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/libraries/google_compute_forwarding_rule.rb b/libraries/google_compute_forwarding_rule.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeForwardingRule < GcpResourceBase
+    name 'google_compute_forwarding_rule'
+    desc 'Verifies settings for a compute forwarding_rule'
+
+    example "
+      describe google_compute_forwarding_rule(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-forwarding-rule') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:name]
+      catch_gcp_errors do
+        @forwarding_rule = @gcp.gcp_compute_client.get_forwarding_rule(opts[:project], opts[:region], opts[:name])
+        create_resource_methods(@forwarding_rule)
+      end
+    end
+
+    def creation_timestamp_date
+      return false if !defined?(creation_timestamp) || creation_timestamp.nil?
+      Time.parse(creation_timestamp.to_s)
+    end
+
+    def exists?
+      !@forwarding_rule.nil?
+    end
+
+    def to_s
+      "ForwardingRule #{@display_name}"
+    end
+  end
+end
diff --git a/libraries/google_compute_forwarding_rules.rb b/libraries/google_compute_forwarding_rules.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeForwardingRules < GcpResourceBase
+    name 'google_compute_forwarding_rules'
+    desc 'Verifies settings for GCP compute forwarding_rules in bulk'
+
+    example "
+      describe google_compute_forwarding_rules(project: 'chef-inspec-gcp', region: 'europe-west1') do
+        it { should exist }
+        ...
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:name]
+      @project = opts[:project]
+      @region = opts[:region]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:forwarding_rule_ids, field: :forwarding_rule_id)
+    filter_table_config.add(:forwarding_rule_names, field: :forwarding_rule_name)
+    filter_table_config.add(:forwarding_rule_networks, field: :forwarding_rule_network)
+    filter_table_config.add(:forwarding_rule_load_balancing_schemes, field: :forwarding_rule_load_balancing_scheme)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      forwarding_rule_rows = []
+      next_page = nil
+      loop do
+        catch_gcp_errors do
+          @forwarding_rules = @gcp.gcp_compute_client.list_forwarding_rules(@project, @region, page_token: next_page)
+        end
+        return [] if !@forwarding_rules || !@forwarding_rules.items
+        @forwarding_rules.items.map do |forwarding_rule|
+          forwarding_rule_rows+=[{ forwarding_rule_id: forwarding_rule.id,
+                        forwarding_rule_name: forwarding_rule.name,
+                        forwarding_rule_network: forwarding_rule.network.split('/').last,
+                        forwarding_rule_load_balancing_scheme: forwarding_rule.load_balancing_scheme }]
+        end
+        next_page = @forwarding_rules.next_page_token
+        break unless next_page
+      end
+      @table = forwarding_rule_rows
+    end
+  end
+end
diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
@@ -56,6 +56,7 @@ def self.add_random_string(length=25)
       :gcp_storage_bucket_object => "gcp-inspec-storage-bucket-object-#{add_random_string}",
       :gcp_storage_bucket_object_name => "bucket-object-#{add_random_string}",
       # Google Load Balanced App example parameters
+      :gcp_lb_network => "default",
       :gcp_lb_region => "europe-west2",
       :gcp_lb_zone => "europe-west2-a",
       :gcp_lb_zone_mig2 => "europe-west2-b",

diff --git a/test/integration/verify/controls/google_compute_forwarding_rule.rb b/test/integration/verify/controls/google_compute_forwarding_rule.rb
@@ -0,0 +1,23 @@
+title 'Test single GCP compute forwarding_rule'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_lb_network, default: '', description: 'The GCP network name.')
+gcp_region = attribute(:gcp_lb_region, default: '', description: 'The GCP region being used.')
+gcp_forwarding_rule_name = attribute(:gcp_lb_fr_name, default: '', description: 'The GCP forwarding_rule name.')
+
+
+control 'gcp-compute-forwarding_rule-1.0' do
+
+  impact 1.0
+  title 'Ensure GCP compute forwarding_rule has the correct properties.'
+
+  describe google_compute_forwarding_rule(project: gcp_project_id, region: gcp_region, name: gcp_forwarding_rule_name) do
+    it { should exist }
+    its('name') { should eq gcp_forwarding_rule_name }
+    its('region') { should match gcp_region }
+    its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+    its('load_balancing_scheme') { should match 'EXTERNAL' }
+    its('port_range') { should match "80" }
+    its('ip_protocol') { should match "TCP" }
+  end
+end
diff --git a/test/integration/verify/controls/google_compute_forwarding_rules.rb b/test/integration/verify/controls/google_compute_forwarding_rules.rb
@@ -0,0 +1,18 @@
+title 'ForwardingRules Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_region = attribute(:gcp_lb_region, default: '', description: 'The GCP region being used.')
+gcp_forwarding_rule_name = attribute(:gcp_lb_fr_name, default: '', description: 'The GCP forwarding_rule name.')
+
+control 'gcp-forwarding_rules-1.0' do
+
+  impact 1.0
+  title 'Ensure forwarding_rules have the correct properties in bulk'
+
+  describe google_compute_forwarding_rules(project: gcp_project_id, region: gcp_region) do
+    it { should exist }
+    its('count') { should be <= 100}
+    its('forwarding_rule_names') { should include gcp_forwarding_rule_name }
+  end
+
+end