
Support ability to inspect GCS bucket labels so can assert upon them #169

Closed
djcoder100 opened this issue Aug 23, 2019 · 2 comments
@djcoder100

Detailed Description

As a secops user I would like to check GCS label values, perform inspection tests on them in my CI/CD pipeline and report on any exceptions.

Context

As a secops developer I need to check that GCP GCS bucket labels conform to any policies set by the risk and control functions of an organisation, to ensure labels are set on buckets and contents for the Google Cloud platform.

Possible Implementation

Add as new property feature to the GCS resource in inspec for GCP:
https://www.inspec.io/docs/reference/resources/google_storage_bucket/

skpaterson pushed a commit that referenced this issue Aug 23, 2019
backporting password length docs PR
@slevenick
Collaborator

Hey @djcoder100,

I believe this is possible with the current GCS bucket implementation, although it is not documented anywhere.

What the current google storage bucket resource does is surface everything that comes back from the API, even if the functionality is not documented.

This means we can access the labels field on a storage bucket like so:

  # Fetch the bucket resource and check that it exists
  bucket = google_storage_bucket(name: 'bucket-name')
  describe bucket do
    it { should exist }
  end

  # Pass if at least one label on the bucket has the value 'must-exist'
  describe.one do
    bucket.labels.item.each_pair do |key, value|
      describe value do
        it { should eq 'must-exist' }
      end
    end
  end

This will ensure that a bucket exists and that there must be some tag for which the value equals must-exist. I believe this can be modified to fit your need.

If no labels exist on a bucket you may see a fairly unhelpful error saying that method "labels" does not exist for <#Scary class identifier>. This is because of the dynamic method creation on the class, which does not create the labels method if there are no labels on the object itself.
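
Added example (not code from the inspec-gcp project or from the commenter): a plain-Ruby model of the behaviour described above, where accessor methods are created dynamically from the API response so `labels` is absent on an unlabelled bucket, together with a policy check that guards against that missing method instead of crashing. The `DynamicBucket` class, the `POLICY` hash and the two JSON responses are constructed stand-ins for this demonstration.

```ruby
require 'json'

# Constructed stand-in for the resource class: like the behaviour described
# in the thread, it only defines a method for each field that the API
# response actually contained, so `labels` does not exist when the bucket
# carries no labels at all.
class DynamicBucket
  def initialize(api_json)
    JSON.parse(api_json).each do |field, value|
      define_singleton_method(field) { value }
    end
  end
end

# Policy check usable from a CI/CD control. Returns an array of findings;
# an empty array means the bucket is compliant.
# required: label name => list of allowed values (nil means any value is fine)
def label_findings(bucket, required)
  # Guard for the "method labels does not exist" failure mode: an
  # unlabelled bucket is a finding, not an exception.
  return ['bucket has no labels at all'] unless bucket.respond_to?(:labels)

  labels = bucket.labels
  required.each_with_object([]) do |(key, allowed), findings|
    unless labels.key?(key)
      findings << "missing required label '#{key}'"
      next
    end
    if allowed && !allowed.include?(labels[key])
      findings << "label '#{key}' has disallowed value '#{labels[key]}'"
    end
  end
end

# Constructed policy: classification must use a known value, owner just set.
POLICY = {
  'data-classification' => %w[public internal confidential],
  'owner' => nil
}.freeze

# Constructed, abbreviated bucket objects as the API would return them.
LABELLED = '{"name":"logs-bucket","labels":{"data-classification":"secret","owner":"secops"}}'
UNLABELLED = '{"name":"scratch-bucket"}'

if __FILE__ == $PROGRAM_NAME
  [LABELLED, UNLABELLED].each do |resp|
    bucket = DynamicBucket.new(resp)
    puts "#{bucket.name}: #{label_findings(bucket, POLICY).inspect}"
  end
end
```

Inside an InSpec control the same `respond_to?(:labels)` guard avoids the error mentioned above before iterating over the labels.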

@slevenick
Collaborator

Will be fixed via #244
