From bcb63361858f8aebde1e26bb545096b1f46df224 Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Fri, 4 Oct 2019 23:02:02 +0000 Subject: [PATCH 1/2] Add InSpec support for node groups, node templates and network endpoint group Signed-off-by: Modular Magician --- .../google_compute_network_endpoint_group.md | 47 ++++++++ .../google_compute_network_endpoint_groups.md | 38 +++++++ docs/resources/google_compute_node_group.md | 42 ++++++++ docs/resources/google_compute_node_groups.md | 37 +++++++ .../resources/google_compute_node_template.md | 49 +++++++++ .../google_compute_node_templates.md | 35 ++++++ docs/resources/google_compute_snapshot.md | 2 +- docs/resources/google_compute_snapshots.md | 2 +- .../nodetemplate_node_type_flexibility.rb | 40 +++++++ .../google_compute_network_endpoint_group.rb | 76 +++++++++++++ .../google_compute_network_endpoint_groups.rb | 100 ++++++++++++++++++ libraries/google_compute_node_group.rb | 70 ++++++++++++ libraries/google_compute_node_groups.rb | 94 ++++++++++++++++ libraries/google_compute_node_template.rb | 73 +++++++++++++ libraries/google_compute_node_templates.rb | 96 +++++++++++++++++ test/integration/build/gcp-mm.tf | 64 ++++++++++- .../configuration/mm-attributes.yml | 15 +++ .../google_compute_network_endpoint_group.rb | 36 +++++++ .../google_compute_network_endpoint_groups.rb | 32 ++++++ .../controls/google_compute_node_group.rb | 38 +++++++ .../controls/google_compute_node_groups.rb | 35 ++++++ .../controls/google_compute_node_template.rb | 37 +++++++ .../controls/google_compute_node_templates.rb | 32 ++++++ .../controls/google_compute_snapshot.rb | 6 +- .../controls/google_compute_snapshots.rb | 6 +- 25 files changed, 1090 insertions(+), 12 deletions(-) create mode 100644 docs/resources/google_compute_network_endpoint_group.md create mode 100644 docs/resources/google_compute_network_endpoint_groups.md create mode 100644 docs/resources/google_compute_node_group.md create mode 100644 docs/resources/google_compute_node_groups.md create mode 100644 docs/resources/google_compute_node_template.md create mode 100644 docs/resources/google_compute_node_templates.md create mode 100644 libraries/google/compute/property/nodetemplate_node_type_flexibility.rb create mode 100644 libraries/google_compute_network_endpoint_group.rb create mode 100644 libraries/google_compute_network_endpoint_groups.rb create mode 100644 libraries/google_compute_node_group.rb create mode 100644 libraries/google_compute_node_groups.rb create mode 100644 libraries/google_compute_node_template.rb create mode 100644 libraries/google_compute_node_templates.rb create mode 100644 test/integration/verify/controls/google_compute_network_endpoint_group.rb create mode 100644 test/integration/verify/controls/google_compute_network_endpoint_groups.rb create mode 100644 test/integration/verify/controls/google_compute_node_group.rb create mode 100644 test/integration/verify/controls/google_compute_node_groups.rb create mode 100644 test/integration/verify/controls/google_compute_node_template.rb create mode 100644 test/integration/verify/controls/google_compute_node_templates.rb diff --git a/docs/resources/google_compute_network_endpoint_group.md b/docs/resources/google_compute_network_endpoint_group.md new file mode 100644 index 000000000..5043b252e --- /dev/null +++ b/docs/resources/google_compute_network_endpoint_group.md @@ -0,0 +1,47 @@ +--- +title: About the google_compute_network_endpoint_group resource +platform: gcp +--- + +## Syntax +A `google_compute_network_endpoint_group` is used to test a Google NetworkEndpointGroup resource + +## Examples +``` + +describe google_compute_network_endpoint_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-gcp-endpoint-group') do + it { should exist } + its('default_port') { should cmp '90' } +end + +describe google_compute_network_endpoint_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_network_endpoint_group` resource: + + + * `id`: The unique identifier for the resource. + + * `name`: Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash. + + * `description`: An optional description of this resource. Provide this property when you create the resource. + + * `network_endpoint_type`: Type of network endpoints in this network endpoint group. Currently the only supported value is GCE_VM_IP_PORT. + + * `size`: Number of network endpoints in the network endpoint group. + + * `network`: The network to which all network endpoints in the NEG belong. Uses "default" project network if unspecified. + + * `subnetwork`: Optional subnetwork to which all network endpoints in the NEG belong. + + * `default_port`: The default port used if the port number is not specified in the network endpoint. + + * `zone`: Zone where the network endpoint group is located. + + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_network_endpoint_groups.md b/docs/resources/google_compute_network_endpoint_groups.md new file mode 100644 index 000000000..fe7c287a4 --- /dev/null +++ b/docs/resources/google_compute_network_endpoint_groups.md @@ -0,0 +1,38 @@ +--- +title: About the google_compute_network_endpoint_groups resource +platform: gcp +--- + +## Syntax +A `google_compute_network_endpoint_groups` is used to test a Google NetworkEndpointGroup resource + +## Examples +``` + +describe google_compute_network_endpoint_groups(project: 'chef-gcp-inspec', zone: 'zone') do + its('default_ports') { should include '90' } + its('names') { should include 'inspec-gcp-endpoint-group' } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_network_endpoint_groups` resource: + +See [google_compute_network_endpoint_group.md](google_compute_network_endpoint_group.md) for more detailed information + * `ids`: an array of `google_compute_network_endpoint_group` id + * `names`: an array of `google_compute_network_endpoint_group` name + * `descriptions`: an array of `google_compute_network_endpoint_group` description + * `network_endpoint_types`: an array of `google_compute_network_endpoint_group` network_endpoint_type + * `sizes`: an array of `google_compute_network_endpoint_group` size + * `networks`: an array of `google_compute_network_endpoint_group` network + * `subnetworks`: an array of `google_compute_network_endpoint_group` subnetwork + * `default_ports`: an array of `google_compute_network_endpoint_group` default_port + * `zones`: an array of `google_compute_network_endpoint_group` zone + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_node_group.md b/docs/resources/google_compute_node_group.md new file mode 100644 index 000000000..61f95aa18 --- /dev/null +++ b/docs/resources/google_compute_node_group.md @@ -0,0 +1,42 @@ +--- +title: About the google_compute_node_group resource +platform: gcp +--- + +## Syntax +A `google_compute_node_group` is used to test a Google NodeGroup resource + +## Examples +``` + +describe google_compute_node_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'inspec-node-group') do + it { should exist } + its('description') { should cmp 'A description of the node group' } + its('size') { should cmp '0' } +end + +describe google_compute_node_group(project: 'chef-gcp-inspec', zone: 'zone', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_node_group` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource. + + * `name`: Name of the resource. + + * `node_template`: The URL of the node template to which this node group belongs. + + * `size`: The total number of nodes in the node group. + + * `zone`: Zone where this node group is located + + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_node_groups.md b/docs/resources/google_compute_node_groups.md new file mode 100644 index 000000000..41067010e --- /dev/null +++ b/docs/resources/google_compute_node_groups.md @@ -0,0 +1,37 @@ +--- +title: About the google_compute_node_groups resource +platform: gcp +--- + +## Syntax +A `google_compute_node_groups` is used to test a Google NodeGroup resource + +## Examples +``` + +describe google_compute_node_groups(project: 'chef-gcp-inspec', zone: 'zone') do + it { should exist } + its('descriptions') { should include 'A description of the node group' } + its('sizes') { should include '0' } + its('names') { should include 'inspec-node-group' } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_node_groups` resource: + +See [google_compute_node_group.md](google_compute_node_group.md) for more detailed information + * `creation_timestamps`: an array of `google_compute_node_group` creation_timestamp + * `descriptions`: an array of `google_compute_node_group` description + * `names`: an array of `google_compute_node_group` name + * `node_templates`: an array of `google_compute_node_group` node_template + * `sizes`: an array of `google_compute_node_group` size + * `zones`: an array of `google_compute_node_group` zone + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_node_template.md b/docs/resources/google_compute_node_template.md new file mode 100644 index 000000000..42d8c2340 --- /dev/null +++ b/docs/resources/google_compute_node_template.md @@ -0,0 +1,49 @@ +--- +title: About the google_compute_node_template resource +platform: gcp +--- + +## Syntax +A `google_compute_node_template` is used to test a Google NodeTemplate resource + +## Examples +``` + +describe google_compute_node_template(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'inspec-node-template') do + it { should exist } + its('node_affinity_labels') { should include('key' => 'value') } +end + +describe google_compute_node_template(project: 'chef-gcp-inspec', region: 'europe-west2', name: 'nonexistent') do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_node_template` resource: + + + * `creation_timestamp`: Creation timestamp in RFC3339 text format. + + * `description`: An optional textual description of the resource. + + * `name`: Name of the resource. + + * `node_affinity_labels`: Labels to use for node affinity, which will be used in instance scheduling. + + * `node_type`: Node type to use for nodes group that are created from this template. Only one of nodeTypeFlexibility and nodeType can be specified. + + * `node_type_flexibility`: Flexible properties for the desired node type. Node groups that use this node template will create nodes of a type that matches these properties. Only one of nodeTypeFlexibility and nodeType can be specified. + + * `cpus`: Number of virtual CPUs to use. + + * `memory`: Physical memory available to the node, defined in MB. + + * `local_ssd`: Use local SSD + + * `region`: Region where nodes using the node template will be created + + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_node_templates.md b/docs/resources/google_compute_node_templates.md new file mode 100644 index 000000000..e3cbb1363 --- /dev/null +++ b/docs/resources/google_compute_node_templates.md @@ -0,0 +1,35 @@ +--- +title: About the google_compute_node_templates resource +platform: gcp +--- + +## Syntax +A `google_compute_node_templates` is used to test a Google NodeTemplate resource + +## Examples +``` + +describe google_compute_node_templates(project: 'chef-gcp-inspec', region: 'europe-west2') do + its('names') { should include 'inspec-node-template' } +end +``` + +## Properties +Properties that can be accessed from the `google_compute_node_templates` resource: + +See [google_compute_node_template.md](google_compute_node_template.md) for more detailed information + * `creation_timestamps`: an array of `google_compute_node_template` creation_timestamp + * `descriptions`: an array of `google_compute_node_template` description + * `names`: an array of `google_compute_node_template` name + * `node_affinity_labels`: an array of `google_compute_node_template` node_affinity_labels + * `node_types`: an array of `google_compute_node_template` node_type + * `node_type_flexibilities`: an array of `google_compute_node_template` node_type_flexibility + * `regions`: an array of `google_compute_node_template` region + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP Permissions + +Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project. diff --git a/docs/resources/google_compute_snapshot.md b/docs/resources/google_compute_snapshot.md index 1bee65f2f..bcf011471 100644 --- a/docs/resources/google_compute_snapshot.md +++ b/docs/resources/google_compute_snapshot.md @@ -11,7 +11,7 @@ A `google_compute_snapshot` is used to test a Google Snapshot resource describe google_compute_snapshot(project: 'chef-gcp-inspec', name: 'inspec-gcp-disk-snapshot') do it { should exist } - its('source_disk') { should match 'my_disk' } + its('source_disk') { should match 'inspec-snapshot-disk' } end describe google_compute_snapshot(project: 'chef-gcp-inspec', name: 'nonexistent') do diff --git a/docs/resources/google_compute_snapshots.md b/docs/resources/google_compute_snapshots.md index b05dfd20b..55f391fb7 100644 --- a/docs/resources/google_compute_snapshots.md +++ b/docs/resources/google_compute_snapshots.md @@ -16,7 +16,7 @@ end describe.one do google_compute_snapshots(project: 'chef-gcp-inspec').names do |snapshot_name| describe google_compute_snapshot(project: 'chef-gcp-inspec', name: snapshot_name) do - its('source_disk') { should match 'my_disk' } + its('source_disk') { should match 'inspec-snapshot-disk' } end end end diff --git a/libraries/google/compute/property/nodetemplate_node_type_flexibility.rb b/libraries/google/compute/property/nodetemplate_node_type_flexibility.rb new file mode 100644 index 000000000..2f5947a25 --- /dev/null +++ b/libraries/google/compute/property/nodetemplate_node_type_flexibility.rb @@ -0,0 +1,40 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module Compute + module Property + class NodeTemplateNodeTypeFlexibility + attr_reader :cpus + + attr_reader :memory + + attr_reader :local_ssd + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @cpus = args['cpus'] + @memory = args['memory'] + @local_ssd = args['localSsd'] + end + + def to_s + "#{@parent_identifier} NodeTemplateNodeTypeFlexibility" + end + end + end + end +end diff --git a/libraries/google_compute_network_endpoint_group.rb b/libraries/google_compute_network_endpoint_group.rb new file mode 100644 index 000000000..b57859c16 --- /dev/null +++ b/libraries/google_compute_network_endpoint_group.rb @@ -0,0 +1,76 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' + +# A provider to manage Compute Engine resources. +class ComputeNetworkEndpointGroup < GcpResourceBase + name 'google_compute_network_endpoint_group' + desc 'NetworkEndpointGroup' + supports platform: 'gcp' + + attr_reader :params + attr_reader :id + attr_reader :name + attr_reader :description + attr_reader :network_endpoint_type + attr_reader :size + attr_reader :network + attr_reader :subnetwork + attr_reader :default_port + attr_reader :zone + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @params = params + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? + end + + def parse + @id = @fetched['id'] + @name = @fetched['name'] + @description = @fetched['description'] + @network_endpoint_type = @fetched['networkEndpointType'] + @size = @fetched['size'] + @network = @fetched['network'] + @subnetwork = @fetched['subnetwork'] + @default_port = @fetched['defaultPort'] + @zone = @fetched['zone'] + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + def exists? + !@fetched.nil? + end + + def to_s + "NetworkEndpointGroup #{@params[:name]}" + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/zones/{{zone}}/networkEndpointGroups/{{name}}' + end +end diff --git a/libraries/google_compute_network_endpoint_groups.rb b/libraries/google_compute_network_endpoint_groups.rb new file mode 100644 index 000000000..52afb78b9 --- /dev/null +++ b/libraries/google_compute_network_endpoint_groups.rb @@ -0,0 +1,100 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class ComputeNetworkEndpointGroups < GcpResourceBase + name 'google_compute_network_endpoint_groups' + desc 'NetworkEndpointGroup plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:ids, field: :id) + filter_table_config.add(:names, field: :name) + filter_table_config.add(:descriptions, field: :description) + filter_table_config.add(:network_endpoint_types, field: :network_endpoint_type) + filter_table_config.add(:sizes, field: :size) + filter_table_config.add(:networks, field: :network) + filter_table_config.add(:subnetworks, field: :subnetwork) + filter_table_config.add(:default_ports, field: :default_port) + filter_table_config.add(:zones, field: :zone) + + filter_table_config.connect(self, :table) + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('items') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get') + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_key do |key| + name, value = transform(key, hash) + hash_with_symbols[name] = value + end + converted.push(hash_with_symbols) + end + end + + converted + end + + def transform(key, value) + return transformers[key].call(value) if transformers.key?(key) + + [key.to_sym, value] + end + + def transformers + { + 'id' => ->(obj) { return :id, obj['id'] }, + 'name' => ->(obj) { return :name, obj['name'] }, + 'description' => ->(obj) { return :description, obj['description'] }, + 'networkEndpointType' => ->(obj) { return :network_endpoint_type, obj['networkEndpointType'] }, + 'size' => ->(obj) { return :size, obj['size'] }, + 'network' => ->(obj) { return :network, obj['network'] }, + 'subnetwork' => ->(obj) { return :subnetwork, obj['subnetwork'] }, + 'defaultPort' => ->(obj) { return :default_port, obj['defaultPort'] }, + 'zone' => ->(obj) { return :zone, obj['zone'] }, + } + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/zones/{{zone}}/networkEndpointGroups' + end +end diff --git a/libraries/google_compute_node_group.rb b/libraries/google_compute_node_group.rb new file mode 100644 index 000000000..2249ae76f --- /dev/null +++ b/libraries/google_compute_node_group.rb @@ -0,0 +1,70 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' + +# A provider to manage Compute Engine resources. +class ComputeNodeGroup < GcpResourceBase + name 'google_compute_node_group' + desc 'NodeGroup' + supports platform: 'gcp' + + attr_reader :params + attr_reader :creation_timestamp + attr_reader :description + attr_reader :name + attr_reader :node_template + attr_reader :size + attr_reader :zone + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @params = params + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? + end + + def parse + @creation_timestamp = parse_time_string(@fetched['creationTimestamp']) + @description = @fetched['description'] + @name = @fetched['name'] + @node_template = @fetched['nodeTemplate'] + @size = @fetched['size'] + @zone = @fetched['zone'] + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + def exists? + !@fetched.nil? + end + + def to_s + "NodeGroup #{@params[:name]}" + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/zones/{{zone}}/nodeGroups/{{name}}' + end +end diff --git a/libraries/google_compute_node_groups.rb b/libraries/google_compute_node_groups.rb new file mode 100644 index 000000000..46bdd4be2 --- /dev/null +++ b/libraries/google_compute_node_groups.rb @@ -0,0 +1,94 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class ComputeNodeGroups < GcpResourceBase + name 'google_compute_node_groups' + desc 'NodeGroup plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:creation_timestamps, field: :creation_timestamp) + filter_table_config.add(:descriptions, field: :description) + filter_table_config.add(:names, field: :name) + filter_table_config.add(:node_templates, field: :node_template) + filter_table_config.add(:sizes, field: :size) + filter_table_config.add(:zones, field: :zone) + + filter_table_config.connect(self, :table) + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('items') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get') + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_key do |key| + name, value = transform(key, hash) + hash_with_symbols[name] = value + end + converted.push(hash_with_symbols) + end + end + + converted + end + + def transform(key, value) + return transformers[key].call(value) if transformers.key?(key) + + [key.to_sym, value] + end + + def transformers + { + 'creationTimestamp' => ->(obj) { return :creation_timestamp, parse_time_string(obj['creationTimestamp']) }, + 'description' => ->(obj) { return :description, obj['description'] }, + 'name' => ->(obj) { return :name, obj['name'] }, + 'nodeTemplate' => ->(obj) { return :node_template, obj['nodeTemplate'] }, + 'size' => ->(obj) { return :size, obj['size'] }, + 'zone' => ->(obj) { return :zone, obj['zone'] }, + } + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/zones/{{zone}}/nodeGroups' + end +end diff --git a/libraries/google_compute_node_template.rb b/libraries/google_compute_node_template.rb new file mode 100644 index 000000000..10c341bab --- /dev/null +++ b/libraries/google_compute_node_template.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +require 'google/compute/property/nodetemplate_node_type_flexibility' + +# A provider to manage Compute Engine resources. +class ComputeNodeTemplate < GcpResourceBase + name 'google_compute_node_template' + desc 'NodeTemplate' + supports platform: 'gcp' + + attr_reader :params + attr_reader :creation_timestamp + attr_reader :description + attr_reader :name + attr_reader :node_affinity_labels + attr_reader :node_type + attr_reader :node_type_flexibility + attr_reader :region + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @params = params + @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get') + parse unless @fetched.nil? + end + + def parse + @creation_timestamp = parse_time_string(@fetched['creationTimestamp']) + @description = @fetched['description'] + @name = @fetched['name'] + @node_affinity_labels = @fetched['nodeAffinityLabels'] + @node_type = @fetched['nodeType'] + @node_type_flexibility = GoogleInSpec::Compute::Property::NodeTemplateNodeTypeFlexibility.new(@fetched['nodeTypeFlexibility'], to_s) + @region = @fetched['region'] + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + def exists? + !@fetched.nil? + end + + def to_s + "NodeTemplate #{@params[:name]}" + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/regions/{{region}}/nodeTemplates/{{name}}' + end +end diff --git a/libraries/google_compute_node_templates.rb b/libraries/google_compute_node_templates.rb new file mode 100644 index 000000000..daa4a6e28 --- /dev/null +++ b/libraries/google_compute_node_templates.rb @@ -0,0 +1,96 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class ComputeNodeTemplates < GcpResourceBase + name 'google_compute_node_templates' + desc 'NodeTemplate plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:creation_timestamps, field: :creation_timestamp) + filter_table_config.add(:descriptions, field: :description) + filter_table_config.add(:names, field: :name) + filter_table_config.add(:node_affinity_labels, field: :node_affinity_labels) + filter_table_config.add(:node_types, field: :node_type) + filter_table_config.add(:node_type_flexibilities, field: :node_type_flexibility) + filter_table_config.add(:regions, field: :region) + + filter_table_config.connect(self, :table) + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('items') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get') + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_key do |key| + name, value = transform(key, hash) + hash_with_symbols[name] = value + end + converted.push(hash_with_symbols) + end + end + + converted + end + + def transform(key, value) + return transformers[key].call(value) if transformers.key?(key) + + [key.to_sym, value] + end + + def transformers + { + 'creationTimestamp' => ->(obj) { return :creation_timestamp, parse_time_string(obj['creationTimestamp']) }, + 'description' => ->(obj) { return :description, obj['description'] }, + 'name' => ->(obj) { return :name, obj['name'] }, + 'nodeAffinityLabels' => ->(obj) { return :node_affinity_labels, obj['nodeAffinityLabels'] }, + 'nodeType' => ->(obj) { return :node_type, obj['nodeType'] }, + 'nodeTypeFlexibility' => ->(obj) { return :node_type_flexibility, GoogleInSpec::Compute::Property::NodeTemplateNodeTypeFlexibility.new(obj['nodeTypeFlexibility'], to_s) }, + 'region' => ->(obj) { return :region, obj['region'] }, + } + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + private + + def product_url + 'https://www.googleapis.com/compute/v1/' + end + + def resource_base_url + 'projects/{{project}}/regions/{{region}}/nodeTemplates' + end +end diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf index 90cf45e0f..b25f9bd71 100644 --- a/test/integration/build/gcp-mm.tf +++ b/test/integration/build/gcp-mm.tf @@ -181,6 +181,18 @@ variable "redis" { type = "map" } +variable "network_endpoint_group" { + type = "map" +} + +variable "node_template" { + type = "map" +} + +variable "node_group" { + type = "map" +} + resource "google_compute_ssl_policy" "custom-ssl-policy" { name = "${var.ssl_policy["name"]}" min_tls_version = "${var.ssl_policy["min_tls_version"]}" @@ -485,14 +497,22 @@ resource "google_compute_router" "gcp-inspec-router" { } } +resource "google_compute_disk" "snapshot-disk" { + project = "${var.gcp_project_id}" + name = var.snapshot["disk_name"] + type = "${var.gcp_compute_disk_type}" + zone = "${var.gcp_zone}" + image = "${var.gcp_compute_disk_image}" + labels = { + environment = "generic_compute_disk_label" + } +} + resource "google_compute_snapshot" "gcp-inspec-snapshot" { project = "${var.gcp_project_id}" name = "${var.snapshot["name"]}" - source_disk = "${google_compute_disk.generic_compute_disk.name}" + source_disk = "${google_compute_disk.snapshot-disk.name}" zone = "${var.gcp_zone}" - # Depends on the instance of the disk we are using. Allow instance to spin up - # Before snapshotting the disk to avoid resourceInUse errors - depends_on = ["google_compute_instance.generic_external_vm_instance_data_disk"] } resource "google_compute_ssl_certificate" "gcp-inspec-ssl-certificate" { @@ -756,3 +776,39 @@ resource "google_redis_instance" "inspec-redis" { "${var.redis["label_key"]}" = var.redis["label_value"] } } + +resource "google_compute_network_endpoint_group" "inspec-endpoint-group" { + project = var.gcp_project_id + name = var.network_endpoint_group["name"] + network = google_compute_subnetwork.inspec-gcp-subnetwork.network + subnetwork = google_compute_subnetwork.inspec-gcp-subnetwork.self_link + default_port = var.network_endpoint_group["default_port"] + zone = var.gcp_zone +} + +data "google_compute_node_types" "zone-node-type" { + project = var.gcp_project_id + zone = var.gcp_zone +} + +resource "google_compute_node_template" "inspec-template" { + project = var.gcp_project_id + region = var.gcp_location + + name = var.node_template["name"] + node_type = "${data.google_compute_node_types.zone-node-type.names[0]}" + + node_affinity_labels = { + "${var.node_template["label_key"]}" = "${var.node_template["label_value"]}" + } +} + +resource "google_compute_node_group" "inspec-node-group" { + project = var.gcp_project_id + name = var.node_group["name"] + zone = var.gcp_zone + description = var.node_group["description"] + + size = var.node_group["size"] + node_template = "${google_compute_node_template.inspec-template.self_link}" +} diff --git a/test/integration/configuration/mm-attributes.yml b/test/integration/configuration/mm-attributes.yml index 1dfff21c5..92b6cfdcb 100644 --- a/test/integration/configuration/mm-attributes.yml +++ b/test/integration/configuration/mm-attributes.yml @@ -148,6 +148,7 @@ router: snapshot: name: inspec-gcp-disk-snapshot + disk_name: inspec-snapshot-disk https_proxy: name: inspec-gcp-https-proxy @@ -301,3 +302,17 @@ redis: reserved_ip_range: "192.168.0.0/29" label_key: key label_value: value + +network_endpoint_group: + name: inspec-gcp-endpoint-group + default_port: 90 + +node_template: + name: inspec-node-template + label_key: key + label_value: value + +node_group: + name: inspec-node-group + description: A description of the node group + size: 0 \ No newline at end of file diff --git a/test/integration/verify/controls/google_compute_network_endpoint_group.rb b/test/integration/verify/controls/google_compute_network_endpoint_group.rb new file mode 100644 index 000000000..7eb2602e1 --- /dev/null +++ b/test/integration/verify/controls/google_compute_network_endpoint_group.rb @@ -0,0 +1,36 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_network_endpoint_group resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +network_endpoint_group = attribute('network_endpoint_group', default: { + "name": "inspec-gcp-endpoint-group", + "default_port": 90 +}, description: 'Network endpoint group description') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name') +control 'google_compute_network_endpoint_group-1.0' do + impact 1.0 + title 'google_compute_network_endpoint_group resource test' + + + describe google_compute_network_endpoint_group(project: gcp_project_id, zone: gcp_zone, name: network_endpoint_group['name']) do + it { should exist } + its('default_port') { should cmp network_endpoint_group['default_port'] } + end + + describe google_compute_network_endpoint_group(project: gcp_project_id, zone: gcp_zone, name: 'nonexistent') do + it { should_not exist } + end +end diff --git a/test/integration/verify/controls/google_compute_network_endpoint_groups.rb b/test/integration/verify/controls/google_compute_network_endpoint_groups.rb new file mode 100644 index 000000000..78f615273 --- /dev/null +++ b/test/integration/verify/controls/google_compute_network_endpoint_groups.rb @@ -0,0 +1,32 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_network_endpoint_groups resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +network_endpoint_group = attribute('network_endpoint_group', default: { + "name": "inspec-gcp-endpoint-group", + "default_port": 90 +}, description: 'Network endpoint group description') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name') +control 'google_compute_network_endpoint_groups-1.0' do + impact 1.0 + title 'google_compute_network_endpoint_groups resource test' + + + describe google_compute_network_endpoint_groups(project: gcp_project_id, zone: gcp_zone) do + its('default_ports') { should include network_endpoint_group['default_port'] } + its('names') { should include network_endpoint_group['name'] } + end +end diff --git a/test/integration/verify/controls/google_compute_node_group.rb b/test/integration/verify/controls/google_compute_node_group.rb new file mode 100644 index 000000000..d464cb564 --- /dev/null +++ b/test/integration/verify/controls/google_compute_node_group.rb @@ -0,0 +1,38 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_node_group resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +node_group = attribute('node_group', default: { + "name": "inspec-node-group", + "description": "A description of the node group", + "size": 0 +}, description: 'Node group description') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name') +control 'google_compute_node_group-1.0' do + impact 1.0 + title 'google_compute_node_group resource test' + + + describe google_compute_node_group(project: gcp_project_id, zone: gcp_zone, name: node_group['name']) do + it { should exist } + its('description') { should cmp node_group['description'] } + its('size') { should cmp node_group['size'] } + end + + describe google_compute_node_group(project: gcp_project_id, zone: gcp_zone, name: 'nonexistent') do + it { should_not exist } + end +end diff --git a/test/integration/verify/controls/google_compute_node_groups.rb b/test/integration/verify/controls/google_compute_node_groups.rb new file mode 100644 index 000000000..9a8c596e3 --- /dev/null +++ b/test/integration/verify/controls/google_compute_node_groups.rb @@ -0,0 +1,35 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_node_groups resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +node_group = attribute('node_group', default: { + "name": "inspec-node-group", + "description": "A description of the node group", + "size": 0 +}, description: 'Node group description') +gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name') +control 'google_compute_node_groups-1.0' do + impact 1.0 + title 'google_compute_node_groups resource test' + + + describe google_compute_node_groups(project: gcp_project_id, zone: gcp_zone) do + it { should exist } + its('descriptions') { should include node_group['description'] } + its('sizes') { should include node_group['size'] } + its('names') { should include node_group['name'] } + end +end diff --git a/test/integration/verify/controls/google_compute_node_template.rb b/test/integration/verify/controls/google_compute_node_template.rb new file mode 100644 index 000000000..c44376914 --- /dev/null +++ b/test/integration/verify/controls/google_compute_node_template.rb @@ -0,0 +1,37 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_node_template resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_location = attribute(:gcp_location, default: 'gcp_location', description: 'The GCP project region.') +node_template = attribute('node_template', default: { + "name": "inspec-node-template", + "label_key": "key", + "label_value": "value" +}, description: 'Node template description') +control 'google_compute_node_template-1.0' do + impact 1.0 + title 'google_compute_node_template resource test' + + + describe google_compute_node_template(project: gcp_project_id, region: gcp_location, name: node_template['name']) do + it { should exist } + its('node_affinity_labels') { should include(node_template['label_key'] => node_template['label_value']) } + end + + describe google_compute_node_template(project: gcp_project_id, region: gcp_location, name: 'nonexistent') do + it { should_not exist } + end +end diff --git a/test/integration/verify/controls/google_compute_node_templates.rb b/test/integration/verify/controls/google_compute_node_templates.rb new file mode 100644 index 000000000..349514c47 --- /dev/null +++ b/test/integration/verify/controls/google_compute_node_templates.rb @@ -0,0 +1,32 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_compute_node_templates resource.' + +gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_location = attribute(:gcp_location, default: 'gcp_location', description: 'The GCP project region.') +node_template = attribute('node_template', default: { + "name": "inspec-node-template", + "label_key": "key", + "label_value": "value" +}, description: 'Node template description') +control 'google_compute_node_templates-1.0' do + impact 1.0 + title 'google_compute_node_templates resource test' + + + describe google_compute_node_templates(project: gcp_project_id, region: gcp_location) do + its('names') { should include node_template['name'] } + end +end diff --git a/test/integration/verify/controls/google_compute_snapshot.rb b/test/integration/verify/controls/google_compute_snapshot.rb index 50432a357..4d42717fd 100644 --- a/test/integration/verify/controls/google_compute_snapshot.rb +++ b/test/integration/verify/controls/google_compute_snapshot.rb @@ -16,9 +16,9 @@ gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name of the compute disk') -gcp_compute_disk_name = attribute(:gcp_compute_disk_name, default: 'gcp_compute_disk_name', description: 'The name of the GCP compute disk to snapshot') snapshot = attribute('snapshot', default: { - "name": "inspec-gcp-disk-snapshot" + "name": "inspec-gcp-disk-snapshot", + "disk_name": "inspec-snapshot-disk" }, description: 'Compute disk snapshot description') control 'google_compute_snapshot-1.0' do impact 1.0 @@ -27,7 +27,7 @@ describe google_compute_snapshot(project: gcp_project_id, name: snapshot['name']) do it { should exist } - its('source_disk') { should match gcp_compute_disk_name } + its('source_disk') { should match snapshot['disk_name'] } end describe google_compute_snapshot(project: gcp_project_id, name: 'nonexistent') do diff --git a/test/integration/verify/controls/google_compute_snapshots.rb b/test/integration/verify/controls/google_compute_snapshots.rb index 692820543..97d2a32a0 100644 --- a/test/integration/verify/controls/google_compute_snapshots.rb +++ b/test/integration/verify/controls/google_compute_snapshots.rb @@ -16,9 +16,9 @@ gcp_project_id = attribute(:gcp_project_id, default: 'gcp_project_id', description: 'The GCP project identifier.') gcp_zone = attribute(:gcp_zone, default: 'gcp_zone', description: 'GCP zone name of the compute disk') -gcp_compute_disk_name = attribute(:gcp_compute_disk_name, default: 'gcp_compute_disk_name', description: 'The name of the GCP compute disk to snapshot') snapshot = attribute('snapshot', default: { - "name": "inspec-gcp-disk-snapshot" + "name": "inspec-gcp-disk-snapshot", + "disk_name": "inspec-snapshot-disk" }, description: 'Compute disk snapshot description') control 'google_compute_snapshots-1.0' do impact 1.0 @@ -32,7 +32,7 @@ describe.one do google_compute_snapshots(project: gcp_project_id).names do |snapshot_name| describe google_compute_snapshot(project: gcp_project_id, name: snapshot_name) do - its('source_disk') { should match gcp_compute_disk_name } + its('source_disk') { should match snapshot['disk_name'] } end end end From c656964b81f87aecd62e3e632fe8ef372c35271d Mon Sep 17 00:00:00 2001 From: Sam Levenick Date: Wed, 9 Oct 2019 20:11:55 +0000 Subject: [PATCH 2/2] Inspec dataproc firewalls IT fix Signed-off-by: Modular Magician --- test/integration/build/gcp-mm.tf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf index b25f9bd71..73c6e6791 100644 --- a/test/integration/build/gcp-mm.tf +++ b/test/integration/build/gcp-mm.tf @@ -668,6 +668,29 @@ resource "google_ml_engine_model" "inspec-gcp-model" { online_prediction_console_logging = var.ml_model["online_prediction_console_logging"] } +resource "google_compute_firewall" "dataproc" { + name = "dataproc-firewall" + network = "${google_compute_network.dataproc.name}" + + source_ranges = ["10.128.0.0/9"] + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["0-65535"] + } + allow { + protocol = "udp" + ports = ["0-65535"] + } +} + +resource "google_compute_network" "dataproc" { + name = "dataproc-network" +} + resource "google_dataproc_cluster" "mycluster" { project = var.gcp_project_id region = var.gcp_location @@ -704,6 +727,7 @@ resource "google_dataproc_cluster" "mycluster" { } gce_cluster_config { + network = google_compute_network.dataproc.self_link tags = [var.dataproc_cluster["config"]["gce_cluster_config"]["tag"]] } }