-
Notifications
You must be signed in to change notification settings - Fork 71
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add ability to test individual as well as multiple organisations
Signed-Off-By: [email protected]
- Loading branch information
1 parent
38c94a4
commit eae3ad3
Showing
4 changed files
with
230 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
title: About the google_organization Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_organization | ||
|
||
Use the `google_organization` InSpec audit resource to test properties of a GCP organization. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
Google organization have a name, display name (or domain) and lifecycle state. For more info, please see [here](https://cloud.google.com/resource-manager/docs/creating-managing-organization). | ||
|
||
A `google_organization` resource block declares the tests for a single GCP organization identified by `display_name` or `name`: | ||
|
||
describe google_organization(display_name: 'google.com') do | ||
it { should exist } | ||
its('name') { should eq 'organizations/1234' } | ||
its('display_name') { should eq 'google.com' } | ||
end | ||
|
||
describe google_organization(name: 'organizations/1234') do | ||
it { should exist } | ||
its('name') { should eq 'google.com' } | ||
its('lifecycle_state') { should eq 'ACTIVE' } | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that a GCP organization has the expected name | ||
|
||
describe google_organization(name: 'organizations/1234') do | ||
its('name') { should eq 'organizations/1234' } | ||
end | ||
|
||
### Test that a GCP organization has the expected lifecycle state e.g. "ACTIVE" | ||
|
||
describe google_organization(display_name: 'google.com') do | ||
its('lifecycle_state') { should eq "ACTIVE" } | ||
end | ||
|
||
<br> | ||
|
||
## Properties | ||
|
||
* `name`, `display_name`, `lifecycle_state` | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
--- | ||
title: About the google_organizations Resource | ||
platform: gcp | ||
--- | ||
|
||
# google\_organizations | ||
|
||
Use the `google_organizations` InSpec audit resource to test properties of all, or a filtered group of, GCP | ||
organizations. | ||
|
||
<br> | ||
|
||
## Syntax | ||
|
||
A `google_organizations` resource block collects GCP organizations then tests that group. | ||
|
||
describe google_organizations do | ||
it { should exist } | ||
end | ||
|
||
Use this InSpec resource to enumerate IDs then test in-depth using `google_organization`. | ||
|
||
google_organizations.names.each do |name| | ||
describe google_organization(name: name) do | ||
it { should exist } | ||
its('lifecycle_state') { should eq "ACTIVE" } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Examples | ||
|
||
The following examples show how to use this InSpec audit resource. | ||
|
||
### Test that there are no more than a specified number of organizations available | ||
|
||
describe google_organizations do | ||
its('count') { should be <= 100} | ||
end | ||
|
||
### Test that an expected organization name is available | ||
|
||
describe google_organizations do | ||
its('names') { should include "organization/1234" } | ||
end | ||
|
||
### Test that an expected organization display name is available | ||
|
||
describe google_organizations do | ||
its('display_names') { should include "google.com" } | ||
end | ||
|
||
### Test that all organizations are ACTIVE | ||
|
||
describe google_organizations do | ||
its('lifecycle_state'){ should eq 'ACTIVE' } | ||
end | ||
|
||
### Test that a particular subset of ACTIVE organizations with display name 'goog*' exist | ||
|
||
google_organizations.where(display_name: /^goog/, lifecycle_state: 'ACTIVE').names.each do |name| | ||
describe google_organization(name: name) do | ||
it { should exist } | ||
end | ||
end | ||
|
||
<br> | ||
|
||
## Filter Criteria | ||
|
||
This resource supports the following filter criteria: `name`; `display_name` and `lifecycle_state`. Any of these may be used with `where`, as a block or as a method. | ||
|
||
## Properties | ||
|
||
* `names` - an array of google_organization identifier strings | ||
* `display_names` - an array of google_organization display name strings | ||
* `lifecycle_state`- an array of google_organization lifecycle state strings | ||
|
||
<br> | ||
|
||
|
||
## GCP Permissions | ||
|
||
Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'gcp_backend' | ||
|
||
module Inspec::Resources | ||
class GoogleOrganization < GcpResourceBase | ||
name 'google_organization' | ||
desc 'Verifies settings for an organization' | ||
|
||
example " | ||
describe google_organization(name: 'google.com') do | ||
it { should exist } | ||
its('name') { should eq 'organizations/1234' } | ||
its('display_name') { should eq 'google.com' } | ||
its('lifecycle_state') { should eq 'ACTIVE' } | ||
end | ||
" | ||
def initialize(opts = {}) | ||
super(opts) | ||
@display_name = opts[:name] || opts[:display_name] | ||
catch_gcp_errors do | ||
@organization = @gcp.gcp_project_client.get_organization(opts[:name]) | ||
create_resource_methods(@organization) | ||
end | ||
end | ||
|
||
def label_value_by_key(label_key) | ||
return [] if !defined?(labels) || labels.nil? | ||
labels.item[label_key] | ||
end | ||
|
||
def exists? | ||
!@organization.nil? | ||
end | ||
|
||
def to_s | ||
"Organization #{@display_name}" | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'gcp_backend' | ||
|
||
module Inspec::Resources | ||
class GoogleComputeOrganizations < GcpResourceBase | ||
name 'google_organizations' | ||
desc 'Verifies settings for GCP organizations in bulk' | ||
|
||
example " | ||
describe google_organizations do | ||
it { should exist } | ||
... | ||
end | ||
" | ||
|
||
def initialize(opts = {}) | ||
super(opts) | ||
end | ||
|
||
filter_table_config = FilterTable.create | ||
filter_table_config.add(:names, field: :name) | ||
filter_table_config.add(:display_names, field: :display_name) | ||
filter_table_config.add(:lifecycle_state, field: :lifecycle_state) | ||
filter_table_config.connect(self, :fetch_data) | ||
|
||
def fetch_data | ||
organizations_rows = [] | ||
loop do | ||
catch_gcp_errors do | ||
@organizations = @gcp.gcp_project_client.search_organizations({}) | ||
end | ||
return [] if !@organizations || !@organizations.organizations | ||
@organizations.organizations.map do |organization| | ||
organizations_rows += [{ name: organization.name, | ||
display_name: organization.display_name, | ||
lifecycle_state: organization.lifecycle_state, | ||
}] | ||
end | ||
next_page = @organizations.next_page_token | ||
break unless next_page | ||
end | ||
@table = organizations_rows | ||
end | ||
end | ||
end |