
For gcp inspec google_dataproc_cluster resource: Expose attributes around scheduled deletion #230

Open
sukchomb-zz opened this issue Jan 26, 2020 · 7 comments

Comments

@sukchomb-zz

Detailed Description

At the present time we cannot perform any compliance checks in this area.
These attributes are also not exposed using the solid or beta API calls:

gcloud dataproc clusters describe --region=us-central1

gcloud beta dataproc clusters describe --region=us-central1

Context

Having these attributes available to test will strengthen the security posture of the Platform.

Possible Implementation

@slevenick
Collaborator

I can absolutely add this via Magic Modules. I have a large amount of changes in the pipeline, so this will likely need to happen after that.

@lhasadreams
Contributor

@slevenick that is excellent news, thanks.

@sukchomb looking at this again, I see that the GCP API support is already there.
gcloud dataproc clusters list --region europe-west2 --format json
gets me all the info on my Dataproc cluster.
The same goes for the beta version.

Are you using an out of date GCP API?

Until @slevenick has completed his magic module work, in the short term you could always create an InSpec command to call the gcloud command above - https://www.inspec.io/docs/reference/resources/command/

Cheers
Adrian

@sukchomb-zz
Author

@lhasadreams the 'lifecycleConfig' section is exposed in the gcloud command

[Screenshot 2020-02-03 at 21:15:17]

And when I use the inspec command resource, I get

Resource command is not supported on platform gcp/google-api-client-v0.23.9.

The component versions I have installed are:
[Screenshot 2020-02-03 at 21:26:10]

Please advise what further steps I need to take to get the command resource working.

Cheers,

Sukhjit

@lhasadreams
Contributor

lhasadreams commented Feb 4, 2020

Hi Sukhjit,
What it is telling you is correct.
You are trying to use the gcp train connection to run a gcloud command, using the InSpec command resource. The gcloud command needs to run on an operating system that then calls gcloud to connect to gcp - no different than if you are running gcloud from your command prompt.

Create a new inspec.yml something like this (note that supports is a list, so platform: os is a list item):

    name: gcp-command
    title: InSpec Profile
    maintainer: The Authors
    copyright: The Authors
    copyright_email: [email protected]
    license: Apache-2.0
    summary: An InSpec Compliance Profile
    version: 0.1.0
    supports:
      - platform: os

and then the control could be something like this (change to the command that you would like to run):

    gcp_project_id = "afdaniels"

    control 'service-api-match' do
      impact 1.0
      title 'Ensure the services are enabled'
      describe command("gcloud services list --enabled --project=#{gcp_project_id} --format=json") do
        its(:exit_status) { should eq 0 }
        its(:stderr) { should eq '' }
      end
    end

You would then execute this in a shell on your local or remote machine with the gcloud credentials set.
inspec exec .

You could then use Ruby to parse the JSON returned to make the tests that you require.

Cheers,
Adrian
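The JSON-parsing step Adrian describes, applied to the lifecycleConfig section that the original report is about. This is an added example, not code from the thread or from the inspec-gcp project; the cluster JSON is constructed, the field names (config.lifecycleConfig.idleDeleteTtl, autoDeleteTime, autoDeleteTtl) follow the Dataproc describe output, and the one-hour idle threshold is an assumed policy value.

```ruby
require 'json'

# Constructed sample of `gcloud dataproc clusters describe --format=json`
# output, reduced to the fields this check reads (not a real cluster).
SAMPLE_DESCRIBE_JSON = <<~JSON
  {
    "clusterName": "example-cluster",
    "config": {
      "lifecycleConfig": {
        "idleDeleteTtl": "7200s",
        "autoDeleteTime": "2020-03-01T00:00:00Z"
      }
    }
  }
JSON

# Parse a Dataproc duration string such as "600s" into integer seconds.
# Returns nil when the attribute is absent (no idle deletion configured).
def ttl_seconds(ttl)
  return nil if ttl.nil?
  raise ArgumentError, "unexpected duration format: #{ttl}" unless ttl =~ /\A(\d+)s\z/
  Regexp.last_match(1).to_i
end

# Evaluate one cluster's scheduled-deletion settings from its describe JSON.
# max_idle_seconds is the policy threshold (assumed here: one hour).
def scheduled_deletion_check(describe_json, max_idle_seconds: 3600)
  cluster = JSON.parse(describe_json)
  lifecycle = cluster.dig('config', 'lifecycleConfig') || {}
  idle = ttl_seconds(lifecycle['idleDeleteTtl'])
  {
    cluster: cluster['clusterName'],
    idle_delete_configured: !idle.nil?,
    idle_ttl_within_policy: !idle.nil? && idle <= max_idle_seconds,
    auto_delete_configured: lifecycle.key?('autoDeleteTime') || lifecycle.key?('autoDeleteTtl')
  }
end

# In a profile with `supports: - platform: os`, feed the helper live output
# from the command resource instead of the constructed sample:
#   raw = command("gcloud dataproc clusters describe #{name} --region=#{region} --format=json").stdout
#   result = scheduled_deletion_check(raw)
#   describe result[:idle_delete_configured] do
#     it { should eq true }
#   end
```

With the sample above, idle deletion is configured but the 7200s TTL exceeds the assumed one-hour policy, so idle_ttl_within_policy comes back false while auto_delete_configured is true.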

@sukchomb-zz
Author

@slevenick How are you getting on with the gcp inspec resources for Dataproc?

@slevenick
Collaborator

It's going to be blocked on this PR: #226

After those changes go through it should only take a day or two to add

@lhasadreams
Contributor

@slevenick Any update on #226 please?
