As a secops user, I would like to check GCS label values, perform inspection tests on them in my CI/CD pipeline and report on any exceptions.
Context
As a secops developer, I need to check that GCP GCS bucket labels conform to any policies set by the risk and control functions of an organisation, to ensure labels are set on buckets and their contents for the Google Cloud platform.
I believe this is possible with the current GCS bucket implementation, although it is not documented anywhere.
What the current google storage bucket resource does is surface everything that comes back from the API, even if the functionality is not documented.
This means we can access the labels field on a storage bucket like so:
```ruby
# Load the bucket once and reuse it in both describe blocks.
bucket = google_storage_bucket(name: 'bucket-name')

# First check: the bucket itself must exist.
describe bucket do
  it { should exist }
end

# Second check: describe.one passes if at least one of the nested describe
# blocks passes, i.e. at least one label value equals 'must-exist'.
describe.one do
  bucket.labels.item.each_pair do |key, value|
    describe value do
      it { should eq 'must-exist' }
    end
  end
end
```
This will ensure that a bucket exists and that there is at least one tag whose value equals `must-exist`. I believe this can be modified to fit your need.
If no labels exist on a bucket you may see a fairly unhelpful error along the lines of `method "labels" does not exist for <#Scary class identifier>`. This is because of the dynamic method creation on the class, which does not create the `labels` method if there are no labels on the object itself.
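The comment above shows a single-value check and points out that `bucket.labels` is not even defined when the bucket carries no labels. The following is an added example, not code from the thread or from the inspec-gcp project: a plain-Ruby policy check that turns a bucket's label map into a list of exceptions for a CI/CD report, treating "no labels at all" as a violation rather than a crash. The policy keys and patterns, the helper names (`label_violations`, `label_exceptions`) and the sample buckets are all assumptions made for this example; only the shape of the label map (a flat string-to-string hash, as the GCS JSON API returns it) comes from the discussion.

```ruby
# Added example: label policy evaluation for GCS buckets.
# Not part of inspec-gcp; policy contents and helper names are assumptions.
require 'json'

# Policy: each required label key maps to a regex its value must match.
# Constructed for this example; in practice this would be loaded from a
# policy file maintained by the risk and control function.
LABEL_POLICY = {
  'owner'       => /\A[a-z0-9-]+\z/,
  'data-class'  => /\A(public|internal|confidential|restricted)\z/,
  'cost-centre' => /\A[0-9]{4}\z/,
}.freeze

# Return an array of human-readable violations for one bucket; an empty
# array means the bucket is compliant. `labels` may be nil, mirroring the
# case where the inspec-gcp resource never created a `labels` method because
# the API returned no labels for the bucket.
def label_violations(bucket_name, labels, policy = LABEL_POLICY)
  labels = labels.to_h.transform_keys(&:to_s) # nil.to_h => {}, symbols => strings
  return ["#{bucket_name}: no labels set"] if labels.empty?

  policy.each_with_object([]) do |(key, pattern), violations|
    if !labels.key?(key)
      violations << "#{bucket_name}: missing required label '#{key}'"
    elsif labels[key].to_s !~ pattern
      violations << "#{bucket_name}: label '#{key}' has disallowed value '#{labels[key]}'"
    end
  end
end

# Evaluate many buckets (name => labels hash, or nil when unlabelled) and
# return only the non-compliant ones: {bucket_name => [violations]}.
# This is the exception report the pipeline would publish.
def label_exceptions(buckets, policy = LABEL_POLICY)
  buckets.each_with_object({}) do |(name, labels), report|
    found = label_violations(name, labels, policy)
    report[name] = found unless found.empty?
  end
end

# Constructed sample data shaped like the `labels` field of a GCS bucket
# resource (flat string-to-string map, or absent).
SAMPLE_BUCKETS = {
  'prod-invoices'  => { 'owner' => 'finance', 'data-class' => 'confidential', 'cost-centre' => '1234' },
  'scratch-bucket' => nil,                                                   # no labels at all
  'ml-training'    => { 'owner' => 'DataSci', 'data-class' => 'internal' },  # bad value, missing key
}.freeze

# Assumed way to call this from an InSpec control (not verified against
# inspec-gcp). The respond_to? guard handles the missing-method case above:
#
#   bucket = google_storage_bucket(name: 'prod-invoices')
#   labels = bucket.respond_to?(:labels) ? bucket.labels.to_h : nil
#   describe label_violations('prod-invoices', labels) do
#     it { should be_empty }
#   end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(label_exceptions(SAMPLE_BUCKETS))
end
```

Because the unlabelled bucket is reported as a policy exception rather than raising, the control fails cleanly in the pipeline instead of aborting the whole run with the undefined-method error; the report also names every missing key and disallowed value per bucket, which is what an exception report for the risk function needs.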
Possible Implementation
Add this as a new property of the GCS bucket resource in InSpec GCP:
https://www.inspec.io/docs/reference/resources/google_storage_bucket/