Add support for testing virtual private cloud service controls #215

Closed
sukchomb-zz opened this issue Dec 6, 2019 · 3 comments
Comments

@sukchomb-zz

Detailed Description

I want to test all the projects delivered by consumers onto the GCP platform which use specific compute resource(s) of interest to me.

For each resource, I want to ensure that the project name and the Service(s) APIs is/are captured within a Perimeter definition.

Context

Running these tests will confirm projects using these services are protected by a Perimeter.

Possible Implementation

Example of the Service APIs which are of interest to me and which I wish to protect:
PE_Protected_Services_of_interest = ["pubsub.googleapis.com", "storage-api.googleapis.com"]

I would check which APIs are enabled in each project against the above list. If they match, go on to cross-reference this with the perimeter definition.

I have been investigating how I can do this first using the command line via gcloud and secondly via gcp inspec resources.

I have found that I can perform all the steps via gcloud but not all via InSpec.

I have listed the steps below on how I did this manually.

For example, given this gcp_project_id (eplus-act-bld-01-74fc) carry out the following steps:

Step 1: Determine the internal numerical project number for this gcp_project_id
gcloud Ref: https://cloud.google.com/sdk/gcloud/reference/projects/describe
gcloud projects describe eplus-act-bld-01-74fc

Available via InSpec?: Yes
InSpec Ref: https://www.inspec.io/docs/reference/resources/google_projects/
Pick out the project number using a 'where' clause:
project_number = google_projects.where(project_id: gcp_project_id).project_numbers

Step 2: For this project, determine which Service APIs are enabled.
Determined using:
gcloud Ref: https://cloud.google.com/sdk/gcloud/reference/services/list
gcloud services list --project eplus-act-bld-01-74fc

Available via InSpec?: Yes
InSpec Ref: https://www.inspec.io/docs/reference/resources/google_project_services/
InSpec resource: google_project_services()
enabled_service_apis = google_project_services(project: gcp_project_id).names
You get an array, e.g. ["projects/469595947133/services/clouddebugger.googleapis.com", ...]

Step 3: Determine the organisation id
Using: https://cloud.google.com/sdk/gcloud/reference/organizations/list
gcloud organizations list

Available via InSpec?: Please advise how to get this info via 'gcp inspec', as I could not find this attribute in these resources:
google_organization
google_organization_policy
google_organizations

Step 4: Get the Organisation policy name in use from the Organisation org id
gcloud access-context-manager policies list --organization 233526418605

Available via InSpec?: Please advise how to get this info via 'gcp inspec'

Step 5: Get a list of titles allocated to perimeters in this organisation
Ref: https://cloud.google.com/sdk/gcloud/reference/beta/access-context-manager/perimeters/list
gcloud beta access-context-manager perimeters list --policy=656908083570

Available via InSpec?: Please advise how to get this info via 'gcp inspec'

Step 6: For each perimeter, get the perimeter definition with this title within the organisation
gcloud Ref: https://cloud.google.com/vpc-service-controls/docs/manage-service-perimeters
e.g using 'eplus' as the title
gcloud access-context-manager perimeters describe eplus --policy=656908083570

Available via InSpec?: Please advise how to get this info via 'gcp inspec'

  • NOTE: I could not find a gcp inspec resource that can perform tests around perimeters/perimeter (will need a plural and singular resource)

@slevenick
Collaborator

We don't support any access context manager resources via InSpec currently. I could add them in the future, but it would be helpful to have the list of resources that you want to use via InSpec. Is it only the perimeter(s) resources?

As for getting the organization ID (Step 3), are you trying to get the id of the organization that the project resides in? One possibility is the parent field on the google_project resource.

I believe this would look something like:

org_id = google_project(project: 'your-id').parent.id

This may be in the form of "organizations/123456", I'm not sure

@sukchomb-zz
Author

Hi Sam,

I can get the org id using:

my_org_id = google_organizations.names[0].split('/').last

I would want to use the following resources via InSpec:

Will need an access-context-manager resource, equivalent of:

gcloud access-context-manager policies list --organization 233526418605

NAME ORGANIZATION TITLE
656908083570 233526418605 service-control-1

Just to expand on the Perimeter(s) resources:

The singular Perimeter resource should expose tests for all these attributes returned from a describe:
gcloud access-context-manager perimeters describe eplus --policy=656908083570

description: perimeter created by perimeter manager
name: accessPolicies/656908083570/servicePerimeters/eplus
status:
  accessLevels:
  - accessPolicies/656908083570/accessLevels/eplusLevel
  resources:
  - projects/447339566785
  - projects/752206044289
  - projects/333735939505
  - projects/940490816776
  - projects/464535182256
  - projects/635284055870
  - projects/645200872241
  - projects/963271948321
  - projects/75560962470
  - projects/841550118265
  restrictedServices:
  - containerregistry.googleapis.com
title: eplus

The plural Perimeter resource should expose tests for titles:
gcloud beta access-context-manager perimeters list --policy=656908083570

NAME TITLE
eplus eplus
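
The cross-reference described in the issue's Steps 2 and 6 (which projects enable a service of interest, and whether each such project sits in a perimeter that actually restricts that service), written out as a stand-alone Ruby script. This is an added example, not code from the issue author or from inspec-gcp, and it does not use the perimeter resources that #218 added (the thread does not name them). It assumes you feed it the data the thread already shows how to obtain: the `name` values from `gcloud services list` / `google_project_services(...).names`, and the perimeter definitions from `gcloud access-context-manager perimeters describe`. All project numbers and the second perimeter below are constructed for the example; only the `eplus` title and policy number come from the thread.

```ruby
require 'yaml'

# Services whose use should force a project into a VPC Service Controls
# perimeter (the list from the issue).
PE_PROTECTED_SERVICES_OF_INTEREST = ['pubsub.googleapis.com', 'storage-api.googleapis.com'].freeze

# Constructed sample of perimeter definitions in the shape that
# `gcloud access-context-manager perimeters describe` prints. Project numbers
# and the second perimeter are made up. `status` is the enforced config;
# a dry-run config would appear under `spec` and must not be trusted here.
SAMPLE_PERIMETERS_YAML = <<~YAML
  - name: accessPolicies/656908083570/servicePerimeters/eplus
    title: eplus
    status:
      resources:
      - projects/100000000001
      - projects/100000000002
      restrictedServices:
      - containerregistry.googleapis.com
      - pubsub.googleapis.com
  - name: accessPolicies/656908083570/servicePerimeters/eplus-storage
    title: eplus-storage
    status:
      resources:
      - projects/100000000003
      restrictedServices:
      - storage-api.googleapis.com
YAML

# Constructed sample: project number -> enabled service names, in the
# "projects/<number>/services/<api>" form shown in Step 2 of the issue.
SAMPLE_PROJECT_SERVICES = {
  '100000000001' => ['projects/100000000001/services/pubsub.googleapis.com',
                     'projects/100000000001/services/clouddebugger.googleapis.com'],
  '100000000002' => ['projects/100000000002/services/storage-api.googleapis.com'],
  '100000000003' => ['projects/100000000003/services/storage-api.googleapis.com'],
  '100000000004' => ['projects/100000000004/services/pubsub.googleapis.com'],
  '100000000005' => ['projects/100000000005/services/compute.googleapis.com'],
}.freeze

# "projects/NNN/services/foo.googleapis.com" -> "foo.googleapis.com"
def service_id(service_name)
  service_name.split('/').last
end

# Protected services this project has enabled; empty means nothing to check.
def protected_services_enabled(service_names)
  service_names.map { |n| service_id(n) } & PE_PROTECTED_SERVICES_OF_INTEREST
end

# Perimeters whose enforced resources list contains this project number.
def perimeters_containing(perimeters, project_number)
  perimeters.select do |p|
    Array(p.dig('status', 'resources')).include?("projects/#{project_number}")
  end
end

# Findings for one project (empty array means compliant). A project is only
# protected for a service if it is inside a perimeter AND that perimeter names
# the service under restrictedServices; membership alone is not enough.
def check_project(project_number, service_names, perimeters)
  wanted = protected_services_enabled(service_names)
  return [] if wanted.empty?

  covering = perimeters_containing(perimeters, project_number)
  if covering.empty?
    return ["projects/#{project_number} enables #{wanted.join(', ')} but is not in any perimeter"]
  end

  titles = covering.map { |p| p['title'] }.join(', ')
  wanted.reject { |svc| covering.any? { |p| Array(p.dig('status', 'restrictedServices')).include?(svc) } }
        .map { |svc| "projects/#{project_number} is in #{titles} but #{svc} is not a restricted service there" }
end

# Run the check over every project; returns { project_number => [findings] }
# containing only non-compliant projects.
def check_all(project_services, perimeters)
  project_services.each_with_object({}) do |(number, names), out|
    findings = check_project(number, names, perimeters)
    out[number] = findings unless findings.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  perimeters = YAML.safe_load(SAMPLE_PERIMETERS_YAML)
  check_all(SAMPLE_PROJECT_SERVICES, perimeters).each_value do |findings|
    findings.each { |f| puts "FAIL #{f}" }
  end
end
```

With the constructed data, project 100000000004 fails because it enables Pub/Sub but is in no perimeter, and 100000000002 fails because its perimeter restricts Pub/Sub and Container Registry but not the Storage API it actually uses; the other three pass (one because it enables none of the services of interest). The same two conditions are what an InSpec control would assert once it has `google_project_services(project: ...).names` and the perimeter definitions in hand.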

@slevenick
Collaborator

I fixed this via #218 and forgot to comment here!
